REPORT DIGEST

RAILSPLITTER TOBACCO SETTLEMENT AUTHORITY

FINANCIAL AUDIT FOR THE TWO YEARS ENDED JUNE 30, 2020

Release Date: March 17, 2021

FINDINGS THIS AUDIT: 1

CATEGORY: NEW -- REPEAT -- TOTAL
Category 1: 1 -- 0 -- 1
Category 2: 0 -- 0 -- 0
Category 3: 0 -- 0 -- 0
TOTAL: 1 -- 0 -- 1

FINDINGS LAST AUDIT: 1

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703 (217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

INTRODUCTION

This digest covers the Railsplitter Tobacco Settlement Authority’s (Authority) Financial Audit as of and for the two years ended June 30, 2020. The Authority’s Compliance Examination covering the two years ended June 30, 2020 will be released under separate cover.

SYNOPSIS

• (20-1) The Railsplitter Tobacco Settlement Authority did not obtain or conduct an independent internal control review over its service provider.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

LACK OF ADEQUATE CONTROLS OVER THE REVIEW OF INTERNAL CONTROLS OVER SERVICE PROVIDERS

The Railsplitter Tobacco Settlement Authority (Authority) did not obtain or conduct an independent internal control review over its service provider.

The Authority utilized a service provider to serve as the trustee of the Authority’s funds. The service provider is responsible for making financial transactions on behalf of the Authority.

During our testing, we noted the Authority did not obtain a System and Organization Control (SOC) report or conduct an independent internal control review of the service provider.

The Authority is responsible for the design, implementation, and maintenance of internal controls related to information systems and transaction processing to assure its critical and confidential data are adequately safeguarded. This responsibility is not limited due to the processes being outsourced. (Finding 1, pages 37-39)

We recommended the Authority obtain a SOC report or perform independent reviews of internal controls of service providers at least annually. In addition, upon receipt of a SOC report, the Authority should:

• Monitor and document the operation of the Complementary User Entity Controls (CUECs) relevant to operations.
• Either obtain and review SOC reports for subservice organizations or perform alternative procedures to satisfy itself the usage of the subservice organizations would not impact the internal control environment.
• Document its review of the SOC reports and review all significant issues with subservice organizations to ascertain if a corrective action plan exists and when it will be implemented, any impacts to the Authority, and any compensating controls.

The Authority accepted the Auditor’s finding and recommendations. The Authority obtained the Trustee’s SOC 1 report in fiscal year 2021 and will continue to comply with the Auditor’s recommendation by obtaining SOC 1 reports from, or performing independent reviews of internal controls of, its service providers on an annual basis.

AUDITOR’S OPINION

The auditors stated the financial statements of the Authority as of and for the years ended June 30, 2019, and June 30, 2020, are fairly stated in all material respects.

This financial audit was conducted by the Office of the Auditor General’s staff.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:jac