REPORT DIGEST

JUDGES’ RETIREMENT SYSTEM

COMPLIANCE EXAMINATION FOR THE TWO YEARS ENDED JUNE 30, 2016

Release Date: May 11, 2017

FINDINGS THIS AUDIT: 2

CATEGORY      NEW   REPEAT   TOTAL
Category 1     0      0        0
Category 2     1      1        2
Category 3     0      0        0
TOTAL          1      1        2

FINDINGS LAST AUDIT: 2

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).

Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.

Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703, (217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

INTRODUCTION

This digest covers our Compliance Examination of the Judges’ Retirement System for the year ended June 30, 2016. A separate Financial Audit as of and for the year ending June 30, 2016, was previously released on January 26, 2017. In total, this report contains 2 findings, 1 of which was also reported in the Financial Audit.

SYNOPSIS

• (16-2) The State Retirement System, which administers the Judges’ Retirement System, has weaknesses in their change management procedures.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

CHANGE MANAGEMENT WEAKNESSES

The State Retirement System, which administers the Judges’ Retirement System (System), has weaknesses in their change management procedures.

The System develops and deploys custom software to manage pension accounts of Illinois members and collects, stores, and processes confidential and protected information related to this mission.

The System had established formal change management procedures; however, the procedures did not address migrating changes into the production environment. In addition, programmers developing and making changes to applications had access to the production environment and the capability to implement changes. Furthermore, monitoring tools were not in place to detect unauthorized code migrations. (Finding 2, page 10)

We recommended the System update its change management procedures to address specific procedures for migrating changes into the production environment. The procedures should include a standard form for requesting a change be moved into production and include user and management approval. In addition, programmers should be prevented from migrating changes into the production environment. If the Office determines that programmer access is necessary in some situations, it should establish and enforce compensating controls to ensure appropriate and documented management oversight and approval.

System officials accepted the auditor’s recommendation and indicated a change control process has been implemented for all legacy systems and the State Retirement System IT Division is currently working towards implementing an automated approval and deployment process which it hopes to achieve in calendar year 2017.

OTHER FINDINGS

The remaining finding pertains to noncompliance with the Fiscal Control and Internal Auditing Act. We will review the System’s progress towards the implementation of our recommendations in our next State compliance examination.

ACCOUNTANT’S OPINION

The accountants conducted a compliance examination of the System for the year ended June 30, 2016, as required by the Illinois State Auditing Act. The accountants stated the System complied, in all material respects, with the requirements described in the report.

This State compliance examination was conducted by RSM US LLP.

BRUCE L. BULLARD
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:JAF