REPORT DIGEST REGIONAL OFFICE OF EDUCATION #3: BOND, CHRISTIAN, EFFINGHAM, FAYETTE, AND MONTGOMERY COUNTIES FINANCIAL AUDIT FOR THE YEAR ENDED JUNE 30, 2020 Release Date: February 10, 2021 FINDINGS THIS AUDIT: 1 CATEGORY: NEW -- REPEAT -- TOTAL Category 1: 0 -- 0 -- 0 Category 2: 1 -- 0 -- 1 Category 3: 0 -- 0 -- 0 TOTAL: 1 -- 0 -- 1 FINDINGS LAST AUDIT: 3 Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance). Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations. Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations. State of Illinois, Office of the Auditor General FRANK J. MAUTINO, AUDITOR GENERAL To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703 (217) 782-6046 or TTY (888) 261-2887 This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov SYNOPSIS • (20-1) The Regional Office of Education #3had a lack of adequate controls over the review of internal controls over external service providers. FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS LACK OF ADEQUATE CONTROLS OVER THE REVIEW OF INTERNAL CONTROLS OVER EXTERNAL SERVICE PROVIDERS As part of the audit process, auditors requested the Regional Office of Education #3 provide a population of the service providers utilized. The ROE was able to identify the service provider that provides hosting and backup services for the ROE. The ROE is responsible for the design, implementation, and maintenance of internal controls, including the controls that are outsourced to service providers, related to information systems and operations to ensure resources and data are adequately protected from unauthorized or accidental disclosure, modifications, or destruction. Generally accepted information technology guidance endorses the review and assessment of internal controls related to information system and operations to assure the accurate processing and security of information. During testing, the auditors noted the ROE had not: • Developed a formal process for obtaining the Service Organization Controls (SOC) reports from the service provider on an annual basis. • Documented its review of each of the SOC reports. • Monitored and documented the operation of the Complementary User Entity Controls (CUECs) relevant to the ROE’s operations. • Obtained and reviewed SOC reports for subservice organizations to determine the impact on its internal control environment. Regional Office management indicated they understand the importance of a formal process to monitor service providers; however, they were not reviewing the SOC reports. (Finding20-001, pages 10A–10B) The auditors recommended the ROE document if a review of controls is required for any third-party service providers. If required, the ROE should: • Obtain SOC reports associated with outsourced systems at least annually. • Monitor and document the operation of the CUECs relevant to the ROE’s operations. • Obtain and review SOC reports for subservice organizations to satisfy itself that the existence of the subservice organization would not impact its own internal control environment. • Document its review of the SOC reports and review all significant issues with subservice organizations to ascertain if a corrective action plan exists and when it will be implemented, any impacts to the ROE, and any compensating controls. • Review contracts with service providers to ensure applicable requirements over the independent review of internal controls are included. ROE Response: The ROE understands the need to obtain assurance from external providers and their subservice organizations that their internal controls are adequate relative to SOCs and CUECs. Our plan includes: • Obtain SOC reports or perform independent reviews of internal controls associated with outsourced systems at least annually. • Monitor and document the operation of the CUECs relevant to the ROE’s operations. • Either obtain and review SOC reports for subservice organizations or perform alternative procedures to satisfy itself that the existence of the subservice organization would not impact its own internal control environment. • Document its review of the SOC reports and review all significant issues with subservice organizations to ascertain if a corrective action plan exists and when it will be implemented, any impacts to the ROE, and any compensating controls. • Review contracts with service providers to ensure applicable requirements over the independent review of internal controls are included. AUDITORS’ OPINION Our auditors state the Regional Office of Education #3’s financial statements as of June 30, 2020 are fairly presented in all material respects. This financial audit was conducted by the firm of Doehring, Winders & Co. LLP. JOE BUTCHER Division Director This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act. FRANK J. MAUTINO Auditor General FJM:JMM