REPORT DIGEST

REGIONAL OFFICE OF EDUCATION #28: BUREAU,
HENRY AND STARK COUNTIES

FINANCIAL AUDIT (IN ACCORDANCE WITH THE
UNIFORM GUIDANCE)
FOR THE YEAR ENDED JUNE 30, 2020

Release Date:  April 14, 2021

FINDINGS THIS AUDIT: 1

CATEGORY:  NEW -- REPEAT -- TOTAL
Category 1:  0 -- 0 -- 0
Category 2:  1 -- 0 -- 1
Category 3:  0 -- 0 -- 0
TOTAL:  1 -- 0 -- 1

FINDINGS LAST AUDIT: 2

Category 1: Findings that are material
weaknesses in internal control and/or a
qualification on compliance with State
laws and regulations (material
noncompliance).
Category 2: Findings that are significant
deficiencies in internal control and
noncompliance with State laws and
regulations.
Category 3: Findings that have no
internal control issues but are in
noncompliance with State laws and
regulations.

State of Illinois, Office of the Auditor
General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact:
Office of the Auditor General, Iles Park
Plaza, 740 E. Ash Street, Springfield, IL
62703
(217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are
also available on the worldwide web at
www.auditor.illinois.gov

SYNOPSIS

• (20-1) The Regional Office of Education
#28 lacked adequate controls over the
review of internal controls over external
service providers.

FINDINGS, CONCLUSIONS, AND
RECOMMENDATIONS

LACK OF ADEQUATE CONTROLS OVER THE REVIEW
OF INTERNAL CONTROLS OVER EXTERNAL
SERVICE PROVIDERS

The Regional Office of Education #28
(ROE) failed to develop a formal process
for reviewing its external service
providers’ internal controls to ensure
the accurate processing and security of
information. As part of the audit
process, auditors requested the ROE to
provide a population of the service
providers utilized. The ROE was able to
identify service providers that provided
hosting and backup services for the ROE.

The ROE is responsible for the design,
implementation, and maintenance of
internal controls, including controls
that are outsourced to service providers,
related to information systems and
operations to ensure resources and data
are adequately protected from
unauthorized or accidental disclosure,
modifications, or destruction.

Generally accepted information technology
guidance endorses the review and
assessment of internal controls related
to information systems and operations to
assure the accurate processing and
security of information.

During testing, the auditors noted the
ROE had not:
• Developed a formal process for
identifying service providers and
obtaining the Service Organization
Controls (SOC) reports from the service
providers on an annual basis.
• Documented its review of the SOC
reports.
• Monitored and documented the operation
of the Complementary User Entity Controls
(CUECs) relevant to the ROE’s operations.
• Obtained and reviewed SOC reports for
subservice organizations or performed
alternative procedures to determine the
impact on its internal control
environment.

Regional Office officials indicated they
understand the importance of a formal
process to monitor service providers;
however, they have not completed a policy
to address the issues due to other
priorities. (Finding 20-001, pages 14 –
15)

The auditors recommended the ROE identify
all third-party service providers and
determine and document if a review of
controls is required. If required, the
ROE should:
• Obtain SOC reports or perform
independent reviews of internal controls
associated with outsourced systems at
least annually.
• Monitor and document the operation of
the CUECs relevant to the ROE’s
operations.
• Either obtain and review SOC reports
for subservice organizations or perform
alternative procedures to satisfy itself
that the existence of the subservice
organization would not impact its
internal control environment.
• Document its review of the SOC reports
and review all significant issues with
subservice organizations to ascertain if
a corrective action plan exists and when
it will be implemented, any impacts to
the ROE, and any compensating controls.
• Review contracts with service providers
to ensure applicable requirements over
the independent review of internal
controls are included.

ROE Response: Third party service
providers with access to the confidential
data of ROE #28 will have their internal
controls reviewed prior to entering into
a purchasing contract. An SOC audit is
the preferred documentation of
appropriate internal controls. In the
event an SOC audit is not available from
a third-party service provider, optional
documentation covering the depth and
breadth of an SOC audit may be
considered. Contracts with third party
service providers will be at the
discretion of the Regional
Superintendent.

AUDITORS’ OPINION

Our auditors state the Regional Office of
Education #28’s financial statements as
of June 30, 2020 are fairly presented in
all material respects.

This financial audit was conducted by the
firm of Adelfia LLC.

JOE BUTCHER
Division Director

This report is transmitted in accordance
with Section 3-14 of the Illinois State
Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:RSH