REPORT DIGEST

REGIONAL OFFICE OF EDUCATION #11: CLARK, COLES, CUMBERLAND, DOUGLAS, EDGAR, MOULTRIE AND SHELBY COUNTIES

FINANCIAL AUDIT FOR THE YEAR ENDED JUNE 30, 2020

Release Date: March 31, 2021

FINDINGS THIS AUDIT: 1

CATEGORY: NEW -- REPEAT -- TOTAL
Category 1: 0 -- 0 -- 0
Category 2: 1 -- 0 -- 1
Category 3: 0 -- 0 -- 0
TOTAL: 1 -- 0 -- 1

FINDINGS LAST AUDIT: 0

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703, (217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

SYNOPSIS

• (20-1) The Regional Office of Education #11 lacked adequate controls over the review of internal controls over external service providers.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

LACK OF ADEQUATE CONTROLS OVER THE REVIEW OF INTERNAL CONTROLS OVER EXTERNAL SERVICE PROVIDERS

When it began using a service provider to host its accounting data, Regional Office of Education #11 failed to develop a formal process of reviewing the service providers’ internal controls to ensure the accurate processing and security of information.

As part of the audit process, auditors held discussions with Regional Office of Education #11 (ROE) personnel regarding the ROE’s change in accounting software. The ROE switched to an accounting software which utilizes a service provider to provide hosting and backup services for the ROE.

The ROE is responsible for the design, implementation, and maintenance of internal controls, including the controls that are outsourced to service providers, related to information systems and operations to ensure resources and data are adequately protected from unauthorized or accidental disclosure, modifications, or destruction. Generally accepted information technology guidance endorses the review and assessment of internal controls related to information systems and operations to assure the accurate processing and security of information.

During testing, the auditors noted the ROE had not:

• Developed a formal process for identifying service providers and for either obtaining the Service Organization Controls (SOC) report from the service provider or performing alternative procedures to determine the impact of such services on its internal control environment prior to signing an agreement with the service provider and annually thereafter.
• Documented its review of the SOC report and evaluated any issues relevant to the ROE’s internal controls.
• Monitored and documented the operation of the Complementary User Entity Controls (CUECs) relevant to the ROE’s operations.

Regional Office management indicated although there were conversations regarding the data security with the third party provider, a formal review process was not documented and implemented during FY20 that assured the external service provider’s internal controls were adequate. (Finding 20-001, pages 10A – 10B)

The auditors recommended the ROE identify all third-party service providers and determine and document if a review of controls is required. If required, the ROE should:

• Obtain SOC reports or perform independent reviews of internal controls associated with outsourced systems prior to signing agreements with the providers and annually thereafter.
• Document its review of the SOC report and evaluate all significant issues to ascertain if a corrective action plan exists and when it will be implemented, any impacts to the ROE, and any compensating controls.
• Monitor and document the operation of the CUECs relevant to the ROE’s operations.
• Review contracts with service providers to ensure applicable requirements over the independent review of internal controls are included.

ROE Response: The ROE understands the need for a formal review process to ensure that the third party service provider has adequate internal controls to assure data is protected.

AUDITORS’ OPINION

Our auditors state the Regional Office of Education #11’s financial statements as of June 30, 2020 are fairly presented in all material respects.

This financial audit was conducted by the firm of West & Co. LLC.

JOE BUTCHER
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:RSH