REPORT DIGEST REGIONAL OFFICE OF EDUCATION #28: BUREAU, HENRY AND STARK COUNTIES FINANCIAL AUDIT (IN ACCORDANCE WITH THE UNIFORM GUIDANCE) FOR THE YEAR ENDED JUNE 30, 2021 Release Date: July 27, 2022 FINDINGS THIS AUDIT: 1 CATEGORY: NEW -- REPEAT – TOTAL Category 1: 0 -- 0 -- 0 Category 2: 0 -- 1 -- 1 Category 3: 0 -- 0 -- 0 TOTAL: 0 -- 1 -- 1 FINDINGS LAST AUDIT: 1 Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance). Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations. Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations. State of Illinois, Office of the Auditor General FRANK J. MAUTINO, AUDITOR GENERAL To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703 (217) 782-6046 or TTY (888) 261-2887 This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov SYNOPSIS • (21-1) The Regional Office of Education #28 lacked adequate controls over the review of internal controls over external service providers. FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS LACK OF ADEQUATE CONTROLS OVER THE REVIEW OF INTERNAL CONTROLS OVER EXTERNAL SERVICE PROVIDERS As part of the audit process, the auditors requested the Regional Office of Education #28 (ROE) to provide a population of the service providers utilized. The ROE was able to identify service providers that provided various hosting and backup services for the ROE. The ROE lacked adequate controls over the review of internal controls over external service providers. During testing, the auditors noted the ROE had not: • Developed a formal process for identifying service providers and for either obtaining the Service Organization Controls (SOC) reports from the service providers and related subservice organization or performing alternative procedures to determine the impact of such service on its internal control environment on an annual basis. • Documented its review of each of the SOC reports, or performed alternative procedures, to evaluate any issues relevant to the ROE’s internal controls. • Monitored and documented the operation of the Complementary User Entity Controls (CUECs) relevant to the ROE’s operations. The ROE is responsible for the design, implementation, and maintenance of internal controls, including controls that are outsourced to service providers, related to information systems and operations to ensure resources and data are adequately protected from unauthorized or accidental disclosure, modifications, or destruction. Generally accepted information technology guidance endorses the review and assessment of internal controls related to information systems and operations to assure the accurate processing and security of information. Regional Office officials indicated they understand the importance of a formal process to monitor service providers; however, they have not completed a policy to address the issues due to other priorities. (Finding 2021-001, pages 14 – 15) The auditors recommended the ROE develop a formal process to identify all third-party service providers and determine and document if a review of controls is required. If required, the ROE should: • Obtain SOC reports or perform independent reviews of internal controls associated with outsourced systems including services provided by subservice organizations, at least annually. • Monitor and document the operation of the CUECs relevant to the ROE’s operations. • Document its review of the SOC reports or perform alternative procedures to evaluate all significant issues to ascertain if a corrective action plan exists and when it will be implemented, any impacts to the ROE, and any compensating controls. • Review contracts with service providers to ensure applicable requirements over the independent review of internal controls are included. ROE Response: Third party service providers with access to the confidential data of ROE #28 will have their internal controls reviewed prior to entering into a purchasing contract. An SOC audit is the preferred documentation of appropriate internal controls. In the event an SOC audit is not available from a third- party service provider, optional documentation covering the depth and breadth of an SOC audit may be considered. Contracts with third party service providers will be at the discretion of the Regional Superintendent. AUDITORS’ OPINION Our auditors state the Regional Office of Education #28’s financial statements as of June 30, 2021 are fairly presented in all material respects. This financial audit was conducted by the firm of Adelfia LLC. JOE BUTCHER Division Director This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act. FRANK J. MAUTINO Auditor General FJM:JMM