REPORT DIGEST ILLINOIS STATE BOARD OF EDUCATION FINANCIAL AUDIT FOR THE YEAR ENDED JUNE 30, 2024 Release Date: February 4, 2025 FINDINGS THIS AUDIT: 2 CATEGORY: NEW -- REPEAT – TOTAL Category 1: 0 -- 0 -- 0 Category 2: 1 -- 1 -- 2 Category 3: 0 -- 0 -- 0 TOTAL: 1 -- 1 -- 2 FINDINGS LAST AUDIT: 1 State of Illinois, Office of the Auditor General FRANK J. MAUTINO, AUDITOR GENERAL To obtain a copy of the Report contact: Office of the Auditor General, 400 West Monroe, Suite 306, Springfield, IL 62704-9849 (217) 782-6046 or TTY (888) 261-2887 This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov This digest covers the Agency’s Financial Audit as of and for the year ended June 30, 2024. A digest covering the Agency’s State Compliance Examination for the two years ended June 30, 2024, will be released at a later date. SYNOPSIS • (24-1) The Illinois State Board of Education (Agency) had not implemented adequate controls over its service providers. FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS LACK OF ADEQUATE CONTROLS OVER THE REVIEW OF INTERNAL CONTROLS OVER SERVICE PROVIDERS The Agency had not implemented adequate controls over its service providers. The Agency utilized service providers for hosting services, credit card processing, and software as a service. The auditors tested fourteen service providers and noted: • A documented agreement was not in place for one (7%) service provider. • A requirement for a System and Organization Controls (SOC) report was not outlined in either a contract, or an addendum to a purchase order, for six (43%) service providers. • An appropriate SOC report was not received by the Agency for one (7%) service provider. Thus, an adequate review of the testing performed and conclusions reached by the service provider’s auditor could not be performed. • The Agency did not obtain a complete SOC report for one (7%) service provider. Therefore, an adequate assessment of the SOC report could not be completed. • The period covered by the SOC report and any subsequent bridge letter obtained for seven (50%) service providers did not cover part or all of the audit period. • The Agency did not perform a full review of the subservice organizations for two (14%) service providers. • The Complementary User Entity Controls (CUECs) listed in the SOC report and which were applicable to the Agency were not adequately reviewed by the Agency for one (7%) service provider. • The deviations noted within the SOC report were not adequately reviewed by the Agency for four (29%) service providers. (Finding 1, pages 56-58) The auditors recommended the Agency: • Ensure all service providers have a documented agreement in place. • Develop and implement procedures for ensuring a SOC report requirement is present in a contract or within an addendum to a purchase order. • Obtain and review complete and appropriate SOC reports or conduct independent internal control review at least annually. • Monitor and adequately document the operation of the CUECs and subservice organizations related to the Agency’s operations. • Conduct an analysis to determine the impact of noted deviations to the Agency’s operations. • Develop and implement procedures for ensuring SOC reports and/or corresponding bridge letters cover the entire audit period. The Agency agreed with the finding and stated the employee tasked with reviewing SOC reports has been updated on the lack of adequate controls and will adjust the relevant processes. OTHER FINDING The remaining finding pertains to information technology general controls. We will review the Agency’s progress towards the implementation of our recommendations in our next financial audit. AUDITOR’S OPINIONS The auditors stated the financial statements of the Agency as of and for the year ended June 30, 2024 are fairly stated in all material respects. This financial audit was conducted by Sikich CPA LLC. COURTNEY DZIERWA Division Director This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act. FRANK J. MAUTINO Auditor General FJM:lkw