REPORT DIGEST

ILLINOIS MATHEMATICS & SCIENCE ACADEMY

COMPLIANCE EXAMINATION FOR THE YEAR ENDED JUNE 30, 2021

Release Date: March 15, 2022

FINDINGS THIS AUDIT: 4

CATEGORY: NEW -- REPEAT -- TOTAL
Category 1: 0 -- 0 -- 0
Category 2: 4 -- 0 -- 4
Category 3: 0 -- 0 -- 0
TOTAL: 4 -- 0 -- 4

FINDINGS LAST AUDIT: 0

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703, (217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

SYNOPSIS

INTRODUCTION

The Illinois Mathematics and Science Academy (Academy) develops creative, ethical leaders in science, technology, engineering and mathematics. As a teaching and learning laboratory created by the State of Illinois, the Academy enrolls academically talented Illinois students (grades 10-12) in its advanced, residential college preparatory program, and it serves thousands of educators and students in Illinois and beyond through innovative instructional programs that foster imagination and inquiry.

This digest covers the Academy’s compliance examination for the year ended June 30, 2021. The Academy’s financial audit for the year ended June 30, 2021 will be released under separate cover. In total, this report includes four findings, none of which were reported in the financial audit.

SYNOPSIS

• (21-02) The Academy had not implemented adequate internal controls over its service providers.
• (21-03) The Academy had not implemented adequate internal controls related to application access and control.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

LACK OF ADEQUATE CONTROLS OVER THE REVIEW OF INTERNAL CONTROLS FOR SERVICE PROVIDERS

The Academy had not implemented adequate internal controls over its service providers.

The Academy provided a listing of service providers; however, they did not provide documentation demonstrating the population was complete and accurate. Due to these conditions, we were unable to conclude the Academy’s population records were sufficiently precise and detailed under the Professional Standards promulgated by the American Institute of Certified Public Accountants (AT-C § 205.35).

Even given the population limitations noted above, we performed testing over the three service providers identified by the Academy. The Academy utilized service providers for payment-related services.

During our testing, we noted the Academy had obtained System and Organization Control (SOC) reports; however, they had not reviewed one SOC report and fully analyzed the Complementary User Entity Controls (CUECs). In addition, the Academy did not provide the service provider contracts; therefore, we were unable to determine if:

• roles and responsibilities were defined; and
• requirements for SOC reports outlining the control environment at the service providers were required.

(Finding 02, pages 11-12)

We recommended the Academy strengthen its controls in identifying and documenting all service providers utilized. Further, we recommended the Academy obtain and review all SOC reports and fully review and document their associated controls related to the CUECs within the SOC reports. Lastly, we recommended the Academy ensure contracts define roles and responsibilities and requirements for an independent review.
The Academy agreed with the recommendations and stated they will work to develop, release, and enforce service provider procedures and standards that will address these findings.

INFORMATION TECHNOLOGY ACCESS WEAKNESSES

The Academy had not implemented adequate internal controls related to application access and control.

To carry out its mission, the Academy maintains several applications. In order to determine if access was appropriate, we requested the Academy provide a population of users; however, the Academy was unable to produce the population. Therefore, we were unable to conduct testing to determine if access was appropriate. (Finding 03, page 13)

We recommended the Academy work to develop a mechanism to produce the population of application users.

The Academy agreed with the recommendation and stated they will work to develop a cost-effective approach to better demonstrate adequate controls related to application access.

OTHER FINDINGS

The remaining findings pertain to cybersecurity and disaster recovery. We will review the Academy’s progress towards the implementation of our recommendations in our next State compliance examination.

ACCOUNTANT’S OPINION

The accountants conducted a State compliance examination of the Academy for the year ended June 30, 2021, as required by the Illinois State Auditing Act. The accountants stated the Academy complied, in all material respects, with the requirements described in the report.

This State compliance examination was conducted by Borschnack, Pelletier & Co.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:JGR