REPORT DIGEST

ILLINOIS STATE BOARD OF EDUCATION
COMPLIANCE EXAMINATION FOR THE YEAR ENDED JUNE 30, 2022
Release Date: June 13, 2023

FINDINGS THIS AUDIT: 15

CATEGORY: NEW -- REPEAT -- TOTAL
Category 1: 3 -- 3 -- 6
Category 2: 5 -- 4 -- 9
Category 3: 0 -- 0 -- 0
TOTAL: 8 -- 7 -- 15

FINDINGS LAST AUDIT: 26

This digest covers the Illinois State Board of Education’s (Agency) Compliance Examination for the two years ended June 30, 2023. A separate digest covering the Agency’s financial audit as of and for the year ended June 30, 2022 was previously released on April 18, 2022. In total, this report contains 15 findings, 3 of which were reported in the Financial Audit.

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703
(217) 782-6046 or TTY (888) 261-2887
This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

SYNOPSIS

• (22-05) The Agency did not have adequate internal controls in place to monitor the requirements regarding professional educator license renewal.
• (22-08) The Agency did not implement adequate controls over termination and review of access to its information systems and applications.
• (22-10) The Agency did not comply with the Student Online Personal Protection Act.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

INSUFFICIENT CONTROLS OVER PROFESSIONAL EDUCATION LICENSURE

The Illinois State Board of Education (Agency) did not have adequate internal controls in place to monitor the requirements regarding professional educator license renewal. During our testing, we noted:

• The Agency failed to perform random audits of licensees to verify their fulfillment of the professional development hours required to maintain their license.
• The Agency did not track which approved providers were providing professional development activities, and therefore, was not able to identify which approved providers should have submitted annual data to the Agency during the examination period. (Finding 5, pages 25-26)

We recommended the Agency begin performing random audits of licensees and continue their work on the PD+ system to ensure all approved providers who perform professional development activities can be adequately tracked and subsequently audited as required by the School Code.

The Agency agreed with the recommendation and noted it has resumed professional development educator audits and has implemented a new registration and renewal process in the PD+ system to track the providers offering professional development in Illinois.

INSUFFICIENT CONTROLS OVER TERMINATION AND REVIEW OF EMPLOYEE ACCESS

The Agency did not implement adequate controls over termination and review of access to its information systems and applications.

Illinois State Board Web Application Security (IWAS)

The Agency did not perform an annual review of users’ access to the IWAS application for fiscal years 2021 and 2022. Further, we noted four of 17 (24%) terminated employees’ access to the IWAS application had not been timely removed after separation. The rights were removed from five to 20 days after separation.

Other applications

During testing of 20 employees, we noted four employees (20%) had administrative rights to the Entity Profile System (EPS), Data Warehouse, Financial Reimbursement Information System (FRIS), and Student Information System (SIS) applications for which they either never utilized or were not aware they had administrative rights.

Security Software IDs

• The Agency did not perform a review of their security software IDs for the Department of Innovation and Technology’s (DoIT) mainframe during the examination period.

Central Payroll System

• The Agency did not perform a review of the users with access to Central Payroll System (CPS) during the examination period.
• Two employees in the Agency’s information technology department had add, change, delete and inquiry rights to the CPS during the examination period.
• One employee with add, change, delete and inquiry rights to CPS left the Agency during the examination period; however, their permissions were not revoked.
• The Agency did not submit a DoIT service request for the change in the CPS Administrator. (Finding 8, pages 29-30)

To ensure adequate controls over access to the Agency’s information systems and applications, we recommended the Agency:

• Review users’ access to mainframe and other applications periodically.
• Ensure users’ access is timely terminated upon separation.
• Timely notify DoIT of changes in the Agency’s Administrator for DoIT maintained applications.

The Agency agreed with the recommendation and noted an Application Access Review Policy has been created and a procedure has been established to perform annual reviews of users’ access to the IWAS and the applications hosted within IWAS.
The Agency also stated the process to disable IWAS accounts was assigned to additional staff, a new notification system was put in place to ensure timely disablement of accounts, and a process of reviewing security software IDs on a quarterly basis and notifying DoIT in a timely manner with any changes was established.

NONCOMPLIANCE WITH THE STUDENT ONLINE PERSONAL PROTECTION ACT

The Agency did not comply with the Student Online Personal Protection Act (Act). During our testing, we noted the Agency failed to publish and maintain on its website a list of all entities or individuals the Agency contracts with or has written agreements with that hold covered information and a copy of each contract or written agreement. (Finding 10, pages 33-34)

We recommend the Agency establish internal controls to determine which entities or individuals the State Board contracts with or has written agreements with that hold covered information and publish a list of those entities along with a copy of each contract or written agreement in accordance with the State law.

The Agency agreed with the finding and stated it has implemented the recommended changes to correct the noncompliance issue as the Research Department has now published the required list on its website and has taken steps to automate this process through its Contract Authorization Form System.

OTHER FINDINGS

The remaining findings pertain to statutory and reporting responsibilities and information technology controls. We will review the Agency’s progress towards the implementation of our recommendations in our next State compliance examination.

AUDITOR’S OPINIONS

The auditors stated the financial statements of the Agency as of and for the years ended June 30, 2022, and June 30, 2021, are fairly stated in all material respects.

ACCOUNTANT’S OPINION

The accountants conducted a State compliance examination of the Agency for the two years ended June 30, 2022, as required by the Illinois State Auditing Act.
The accountants qualified their report on State compliance for Findings 2022-001, 2022-002, 2022-003, 2022-005, 2022-007, 2022-010. Except for the noncompliance described in these findings, the accountants stated the Agency complied, in all material respects, with the requirements described in the report.

This State compliance examination was conducted by Kerber, Eck & Braeckel LLP.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:jv