REPORT DIGEST

OFFICE OF THE LIEUTENANT GOVERNOR

COMPLIANCE EXAMINATION FOR THE TWO YEARS ENDED JUNE 30, 2021

Release Date: February 16, 2022

FINDINGS THIS AUDIT: 3

CATEGORY: NEW -- REPEAT -- TOTAL
Category 1: 0 -- 0 -- 0
Category 2: 2 -- 1 -- 3
Category 3: 0 -- 0 -- 0
TOTAL: 2 -- 1 -- 3

FINDINGS LAST AUDIT: 2

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703, (217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

SYNOPSIS

• (21-1) The Office did not comply with certain provisions of statutory mandates related to task forces, councils and boards.
• (21-2) The Office had not implemented adequate internal controls related to cybersecurity programs, practices and control of confidential information.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

NONCOMPLIANCE WITH STATUTORY MANDATES

The Office did not comply with certain provisions of statutory mandates related to task forces, councils and boards. We noted the following:

• The Office could not provide documentation the Lieutenant Governor appointed a member to serve as the chairperson of the Children of Incarcerated Parents Task Force.
• The Illinois Council on Women and Girls, which is chaired by the Lieutenant Governor, filed four semi-annual reports on its policy recommendations between 1 and 335 days late.
• The Lieutenant Governor failed to appoint two members to the Restore, Reinvest, and Renew Program Board during Fiscal Years 2020 and 2021. Additionally, the Office could not provide documentation the annual report was submitted to the Governor’s Office and the General Assembly.
• The Office did not designate a representative of the Office and provided no evidence of actions taken during the examination period to call a meeting of the Tamms Minimum Security Task Force. Neither did the Office provide any evidence of internal correspondence prepared or considerations made during the examination period to ensure the Office’s compliance with their responsibilities under this mandate.

(Finding 1, pages 8-9)

We recommended the Office implement a system of controls to ensure they timely appoint members, meet responsibilities mandated for boards and task forces as required by State law, and actively participate in mandated committees to help ensure the purpose of such entities is achieved.

The Office agreed with the recommendation and stated it recently conducted an internal audit of its requirements under statutes, executive orders, and resolutions and responded it is in the process of creating a calendar to notify responsible parties of all reports due and associated due dates. The Office further noted it is in the process of reviewing the status of all appointments, identifying potential candidates, and scheduling interviews to fill any vacancies.

WEAKNESS IN CYBERSECURITY PROGRAMS AND PRACTICES

The Office had not implemented adequate internal controls related to cybersecurity programs, practices and control of confidential information.
During our examination of the Office’s cybersecurity program, practices and control of confidential information, we noted the Office had not:

• Developed a formal, comprehensive, adequate, and communicated security program (including policies, procedures, and processes as well as clearly defined responsibilities over the security of computer programs and data) to manage and monitor the regulatory, legal, environmental and operational requirements.
• Developed a risk management methodology, conducted a comprehensive risk assessment, or implemented risk reducing internal controls.
• Classified its data to identify and ensure adequate protection of information.

(Finding 2, pages 10-11)

We recommended the Office:

• Develop a formal, comprehensive, adequate, and communicated security program (including policies, procedures, and processes as well as clearly defined responsibilities over the security of computer programs and data) to manage and monitor the regulatory, legal, environmental and operational requirements.
• Develop a risk management methodology and perform a comprehensive risk assessment to identify and ensure adequate protection of confidential or personal information.
• Classify its data to establish the types of information most susceptible to attack to ensure adequate protection.

The Office agreed with the recommendations and responded it will work to verify that the Department of Innovation and Technology (DoIT) is completing backups of their applications and database, will work towards timely internal controls review of the DoIT SOC reports and act accordingly, and is working with DoIT to complete the cybersecurity program.

OTHER FINDING

The remaining finding pertains to inadequate controls over its personal services functions. We will review the Agency’s progress towards the implementation of our recommendations in our next State compliance examination.
ACCOUNTANT’S OPINION

The accountants conducted a State compliance examination of the Office for the two years ended June 30, 2021, as required by the Illinois State Auditing Act. The accountants stated the Agency complied, in all material respects, with the requirements described in the report.

This State compliance examination was conducted by West & Company, LLC.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:lkw