REPORT DIGEST

HUMAN RIGHTS COMMISSION
COMPLIANCE EXAMINATION
FOR THE TWO YEARS ENDED JUNE 30, 2017

Release Date: July 10, 2018

FINDINGS THIS AUDIT: 4

CATEGORY      NEW    REPEAT    TOTAL
Category 1     0       0         0
Category 2     0       3         3
Category 3     1       0         1
TOTAL          1       3         4

FINDINGS LAST AUDIT: 7

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703, (217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

SYNOPSIS

• (17-01) The Commission did not publish its decisions.
• (17-02) The Commission had not performed a risk assessment of its computing resources to identify confidential or personal information to ensure such information was protected from unauthorized disclosure.
• (17-03) The Commission did not have adequate controls over system access and had an inadequate segregation of duties.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

DECISIONS NOT PUBLISHED

The Human Rights Commission (Commission) did not publish its decisions.

We tested 40 decisions issued during the examination period and noted they were not published on the Commission’s website. Further, Commission management indicated they have a backlog of unpublished decisions dating back to December 2013. (Finding 1, page 9) This finding has been repeated since 2007.
We recommended the Commission comply with the Illinois Human Rights Act and publish all of its decisions within 120 calendar days. Commission officials agreed with the recommendation and stated the Commission has hired a staff member who is responsible for publishing its decisions. (For previous Commission response, see digest footnote #1.)

WEAKNESS REGARDING THE SECURITY AND CONTROL OF CONFIDENTIAL INFORMATION

The Commission had not performed a risk assessment of its computing resources to identify confidential or personal information to ensure such information was protected from unauthorized disclosure.

During our review of the Commission, the following weaknesses were noted with regard to the security and control of confidential information. The Commission had not:
• performed a risk assessment of the Commission’s computer resources;
• performed its due diligence to ensure Commission data was secure or properly disposed; and,
• developed formalized breach of security procedures. (Finding 2, pages 10-11)

We recommended the Commission:
• perform a comprehensive risk assessment to identify all forms of confidential or personal information and ensure adequate security controls, including adequate physical and logical access restrictions, have been established to safeguard data and resources;
• perform its due diligence and review controls to ensure its data is sufficiently secure and properly disposed; and,
• develop policies and procedures to ensure timely compliance with the requirements outlined in the Personal Information Protection Act, in the event of a breach of confidential information.

Commission officials partially agreed with our recommendation and stated the Department of Innovation and Technology (DoIT) is the lead agency that controls the Commission’s computing resources and management. The Commission also stated they shall continue to work with DoIT as recommended to improve data security at the Commission.
INADEQUATE CONTROLS OVER SYSTEM ACCESS AND SEGREGATION OF DUTIES

The Commission did not have adequate controls over system access and had an inadequate segregation of duties.

The Commission utilized the Accounting Information System (AIS), Central Payroll System (CPS), and the Central Time and Attendance System (CTAS) provided by the Department of Innovation and Technology (DoIT). During testing, we noted:
• Three employees had all levels of authority in AIS. These employees could enter and modify voucher payment data, had override authority, and also had agency head approval for vouchers sent to the Office of the State Comptroller.
• Two employees had all levels of authority in CPS. Both employees had the ability to inquire, add, change, and delete information within the system.
• One employee had all levels of authority in CTAS. This employee had the ability to inquire, add, change, and delete information within the system. This employee also maintained the personnel files. (Finding 3, pages 12-13)

We recommended the Commission segregate the duties as much as possible and work with DoIT to ensure employees have appropriate levels of authority within AIS, CPS, and CTAS. Commission officials agreed with the recommendation.

OTHER FINDING

The remaining finding pertains to vacancies on the Illinois Torture Inquiry and Relief Commission.

We will review the Commission’s progress towards the implementation of our recommendations in our next compliance examination.

ACCOUNTANT’S OPINION

The accountants conducted a compliance examination of the Commission for the two years ended June 30, 2017, as required by the Illinois State Auditing Act. The accountants stated the Commission complied, in all material respects, with the requirements described in the report.

This compliance examination was conducted by the Office of the Auditor General’s staff.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.
FRANK J. MAUTINO
Auditor General

FJM:APA

DIGEST FOOTNOTES

#1 – DECISIONS NOT PUBLISHED – Previous Commission response

2015: The Commission agrees with this finding, which is the result of inadequate staffing.
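The segregation-of-duties problem in Finding 3 (one person able to enter a voucher, override edits to it, and give agency-head approval; one person with full add/change/delete authority over payroll or time records while also holding the personnel files) is the kind of "toxic combination" test an identity or audit engineer runs against an entitlement export. The following is an added example of that check, not code from the digest, the Commission, or DoIT. The system names AIS, CPS and CTAS come from the finding; the privilege labels, the rule set, and the sample users are assumptions constructed for illustration.

```python
"""Segregation-of-duties (SoD) check over a user entitlement matrix.

Constructed example. AIS, CPS and CTAS are the systems named in the finding;
the privilege names, rules and sample users below are made-up assumptions.
"""
from collections import defaultdict
from typing import Dict, FrozenSet, List, Set, Tuple

# A toxic combination is a set of privileges that, held together by one person
# in one system, lets that person both originate and approve (or alter and
# conceal) a transaction. Each rule: (system, privileges that must all be held,
# description of the conflict). Privilege names are assumed, not DoIT's.
SOD_RULES: List[Tuple[str, FrozenSet[str], str]] = [
    ("AIS", frozenset({"voucher.enter", "voucher.override"}),
     "enters voucher data and can override edits to it"),
    ("AIS", frozenset({"voucher.enter", "voucher.agency_head_approve"}),
     "enters voucher data and gives agency head approval to the Comptroller"),
    ("CPS", frozenset({"payroll.add", "payroll.change", "payroll.delete"}),
     "full write authority over payroll records"),
    ("CTAS", frozenset({"time.add", "time.change", "time.delete"}),
     "full write authority over time and attendance records"),
]

# Cross-system rule: full CTAS write authority plus custody of the personnel
# files (a non-system duty) lets one person alter both the attendance record
# and the paper trail that would be used to verify it. Privileges are written
# as "SYSTEM:privilege" so rules can span systems.
CROSS_RULES: List[Tuple[FrozenSet[str], str]] = [
    (frozenset({"CTAS:time.add", "CTAS:time.change", "CTAS:time.delete",
                "HR:personnel_files"}),
     "edits time and attendance and also maintains the personnel files"),
]

# Constructed sample entitlements (user -> system -> privileges). Not real staff.
SAMPLE_ENTITLEMENTS: Dict[str, Dict[str, Set[str]]] = {
    "user_a": {"AIS": {"voucher.enter", "voucher.modify", "voucher.override",
                       "voucher.agency_head_approve"}},
    "user_b": {"AIS": {"voucher.enter", "voucher.modify"}},
    "user_c": {"AIS": {"voucher.agency_head_approve"}},
    "user_d": {"CPS": {"payroll.inquire", "payroll.add", "payroll.change",
                       "payroll.delete"}},
    "user_e": {"CPS": {"payroll.inquire"}},
    "user_f": {"CTAS": {"time.inquire", "time.add", "time.change", "time.delete"},
               "HR": {"personnel_files"}},
}


def flatten(by_system: Dict[str, Set[str]]) -> Set[str]:
    """Rewrite one user's entitlements as 'SYSTEM:privilege' strings."""
    return {f"{system}:{priv}" for system, privs in by_system.items() for priv in privs}


def find_sod_violations(entitlements: Dict[str, Dict[str, Set[str]]]) -> Dict[str, List[str]]:
    """Return {user: [conflict descriptions]} for every user holding a toxic combination."""
    violations: Dict[str, List[str]] = defaultdict(list)
    for user, by_system in entitlements.items():
        for system, needed, desc in SOD_RULES:
            # frozenset <= set: every privilege in the rule is held in that system
            if needed <= by_system.get(system, set()):
                violations[user].append(f"{system}: {desc}")
        held = flatten(by_system)
        for needed, desc in CROSS_RULES:
            if needed <= held:
                violations[user].append(f"cross-system: {desc}")
    return dict(violations)


def users_with_access(entitlements: Dict[str, Dict[str, Set[str]]], system: str) -> int:
    """How many people hold any privilege in a system.

    The finding's recommendation is to segregate 'as much as possible'; with
    fewer than two users in a system there is nobody to split the duties
    between, and the gap must be closed by a compensating control (e.g. an
    independent review of that system's change log) rather than by re-roling.
    """
    return sum(1 for by_system in entitlements.values() if by_system.get(system))


if __name__ == "__main__":
    for user, conflicts in sorted(find_sod_violations(SAMPLE_ENTITLEMENTS).items()):
        for conflict in conflicts:
            print(f"{user}: {conflict}")
    for system in ("AIS", "CPS", "CTAS"):
        n = users_with_access(SAMPLE_ENTITLEMENTS, system)
        if n < 2:
            print(f"{system}: only {n} user(s); segregation not possible, compensating control needed")
```

On the constructed sample, user_a is flagged twice in AIS (enter plus override, enter plus approve), user_d for full write authority in CPS, and user_f both for full CTAS write authority and for the cross-system conflict with the personnel files; user_b and user_c, who split entry and approval between them, are clean. The CTAS population count of one is the practical caveat: the finding's fix for that system cannot be a re-roling alone.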