REPORT DIGEST REGIONAL OFFICE OF EDUCATION #35: LASALLE, MARSHALL AND PUTNAM COUNTIES FINANCIAL AUDIT FOR THE YEAR ENDED JUNE 30, 2021 Release Date: December 15, 2021 FINDINGS THIS AUDIT: 2 CATEGORY: NEW -- REPEAT -- TOTAL Category 1: 0 -- 0 -- 0 Category 2: 1 -- 1 -- 2 Category 3: 0 -- 0 -- 0 TOTAL: 1 -- 1 -- 2 FINDINGS LAST AUDIT: 1 Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance). Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations. Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations. State of Illinois, Office of the Auditor General FRANK J. MAUTINO, AUDITOR GENERAL To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703 (217) 782-6046 or TTY (888) 261-2887 This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov SYNOPSIS • (20-1) The Regional Office of Education #35 failed to fully insure and collateralize cash balances. • (20-2) The Regional Office of Education #35 lacked adequate controls over the review of internal controls over external service providers. FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS FAILURE TO FULLY INSURE AND COLLATERALIZE CASH BALNCES As of June 30, 2021, the Regional Office of Education #35 (ROE) had three cash and investment accounts with bank balances totaling $296,189 at one financial institution. The Federal Deposit Insurance Corporation (FDIC) covers up to a maximum of $250,000. The ROE did not have depository insurance or collateral for the remaining $46,189. The Public Funds Deposit Act (30 ILCS 225/1) gives the ROE the authorization to request financial institutions to pledge collateral for deposits in excess of the federally insured limit. In addition, prudent business practice requires that all cash and investments held by financial institutions for the ROE be adequately covered by depository insurance or collateral. Regional Office officials indicated that it is unknown why the collateral agreement that had been in place for several years was no longer active. ROE officials indicated the financial institution had staff turnover and the ROE cashed in one of its certificates of deposit during the fiscal year, either of which may have inadvertently caused the collateral agreement to no longer be effective. In addition, the ROE failed to monitor the sufficiency of the pledged securities. (Finding 21-001, pages 11 – 12) The auditors recommended the ROE should monitor the bank balances on all accounts and work with the financial institution to either provide adequate collateral or move to an insured cash sweep account to ensure adequate coverage. ROE Response: The ROE plans to keep in contact with the financial institution regarding the amount of collateralization and pledged securities. The financial institution was contacted and a new irrevocable collateral agreement was signed and put into place. LACK OF ADEQUATE CONTROLS OVER THE REVIEW OF INTERNAL CONTROLS OVER EXTERNAL SERVICE PROVIDERS As part of the audit process, the auditors requested the Regional Office of Education #35 (ROE) to provide a population of the service providers utilized. The ROE was able to identify service providers that provided various hosting and backup services for the ROE; however, the ROE failed to develop a formal process for reviewing its external service providers’ internal controls to ensure the accurate processing and security of information. During testing, the auditors noted the ROE had not: • Developed a formal process for identifying service providers and for either obtaining the Service Organization Controls (SOC) reports from the service providers and related subservice organization or performing alternative procedures to determine the impact of such services on its internal control environment prior to signing an agreement with the service provider. • Documented its review of each of the SOC reports, or performed alternative procedures, to evaluate any issues relevant to the ROE’s internal controls. • Monitored and documented the operation of the Complementary User Entity Controls (CUECs) relevant to the ROE’s operations. The ROE is responsible for the design, implementation, and maintenance of internal controls related to information systems and operations to ensure resources and data are adequately protected from unauthorized or accidental disclosure, modifications, or destruction. This responsibility is not limited due to the process being outsourced. Generally accepted information technology guidance endorses the review and assessment of internal controls related to information systems and operations to assure the accurate processing and security of information. Regional Office officials indicated they understand the importance of a formal process to monitor service providers and did not realize the current process did not address all the issues noted. (Finding 21-002, pages 13 – 14) The auditors recommended the ROE identify all third-party service providers and determine and document if a review of controls is required. If required, the ROE should: • Obtain SOC reports or perform independent reviews of internal controls associated with outsourced systems including service provided by subservice organizations, prior to signing agreements with the providers and annually thereafter. • Document its review of the SOC reports or perform alternative procedures to evaluate all significant issues to ascertain if a corrective action plan exists and when it will be implemented, any impacts to the ROE, and any compensating controls. • Monitor and document the operations of the CUECs relevant to the ROE’s operations. • Review contracts with service providers to ensure applicable requirements over the independent review of internal controls are included. ROE Response: The ROE plans to incorporate procedures to make sure to obtain the following information for any third-party service providers as recommended by the auditors: • SOC reports or perform independent reviews of internal controls associated with outsourced systems including services provided by subservice organizations, prior to signing agreements with the providers and annually thereafter. • Document its review of the SOC reports or perform alternative procedures to evaluate all significant issues to ascertain if a corrective action plan exists and when it will be implemented, any impacts to the ROE, and any compensating controls. • Monitor and document the operations of the CUECs relevant to the ROE’s operations. • Review contracts with service providers to ensure applicable requirements over the independent review of internal controls are included. AUDITORS’ OPINION Our auditors state the Regional Office of Education #35’s financial statements as of June 30, 2021 are fairly presented in all material respects. This financial audit was conducted by the firm of MCK CPAs & Advisors. JOE BUTCHER Division Director This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act. FRANK J. MAUTINO Auditor General FJM:BAO