REPORT DIGEST

STATE EMPLOYEES’ RETIREMENT SYSTEM

COMPLIANCE EXAMINATION FOR THE YEAR ENDED JUNE 30, 2020

Release Date: May 19, 2021

FINDINGS THIS AUDIT: 3

CATEGORY:    NEW -- REPEAT -- TOTAL
Category 1:  0 -- 0 -- 0
Category 2:  2 -- 0 -- 2
Category 3:  0 -- 1 -- 1
TOTAL:       2 -- 1 -- 3

FINDINGS LAST AUDIT: 2

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703 (217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

INTRODUCTION

This digest covers our Compliance Examination of the State Employees’ Retirement System for the year ended June 30, 2020. A separate Financial Audit as of and for the year ending June 30, 2020, was previously released on January 27, 2021. This report contains three findings. The Financial Audit report contained no findings.

SYNOPSIS

• (20-1) The State Employees’ Retirement System of Illinois has had a vacancy in one of its Board of Trustees for more than five years.
• (20-3) The State Employees’ Retirement System of Illinois did not have adequate controls in place over user access to its information technology systems.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

BOARD OF TRUSTEE VACANCY

The State Employees’ Retirement System of Illinois (System) has had a vacancy in one of its thirteen required trustees of the Board for more than five years as of the end of fieldwork on November 20, 2020.
During the current compliance examination, the auditors were aware that a Board member had resigned from the Board on October 15, 2015. The System’s Executive Secretary informed the Board of the first resignation on that same day, and on November 4, 2015, the Executive Secretary communicated the vacancy to the Governor’s Office via email requesting that the vacancy be filled. Throughout the years, and most recently on June 19, 2020, the Executive Secretary followed up with the Governor’s Office via emails informing the Governor’s team of the vacancy. According to System officials, they have not received any official response from the Governor’s Office as of the end of fieldwork on November 20, 2020. (Finding 1, pages 10-11) This finding has been repeated since 2016.

We recommended the System continue to communicate with the Governor’s Office in order to fill the vacancy in its Board of Trustees.

The System agreed with the finding and stated it would continue to communicate with the Office of the Governor to seek appointees to the Board.

INADEQUATE INTERNAL CONTROLS OVER ACCESS TO INFORMATION SYSTEMS

The State Employees’ Retirement System of Illinois (System) did not have adequate controls in place over user access to its Information Technology (IT) systems.

During the compliance examination, the auditors identified that the System utilizes a combination of systems administered internally and systems administered externally by the Department of Innovation and Technology (DoIT). During a review of both internal and external systems, the auditors noted the following user access issues:

• For systems administered internally:
  – The System did not retain evidence that an internal active directory review was performed during the examination period.
  – The auditors noted six of seventeen (35%) terminated employees tested had user accounts for various internal systems which were not deactivated timely upon their separation from employment with the System.
    These late deactivations ranged from one to five months after the employees separated from the System. Furthermore, for two of the terminations, appropriate actions were not subsequently taken to remove access in response to the System’s semi-annual review of users’ access.
• For systems administered externally by DoIT:
  – The System maintained a listing of Resource Access Control Facility (RACF) identifications and their entitlements, including security administrators, but did not retain evidence an annual review was performed. (Finding 3, pages 13-14)

We recommended the System maintain evidence of active directory and RACF reviews completed during the year to support monitoring performed and changes or updates made to system access. In addition, we recommended the System implement controls to ensure all employees’ user access is timely disabled upon their separation of employment with the System.

The System agreed with the finding and stated it is working to implement a new access control policy and procedures to remedy this issue.

OTHER FINDING

The remaining finding pertains to failure to report a motor vehicle accident to the Department of Central Management Services. We will review the State Employees’ Retirement System’s progress towards the implementation of our recommendations in our next compliance examination.

ACCOUNTANT’S OPINION

The accountants conducted a compliance examination of the State Employees’ Retirement System for the year ended June 30, 2020, as required by the Illinois State Auditing Act. The accountants stated the State Employees’ Retirement System complied, in all material respects, with the requirements described in the report.

This compliance examination was conducted by RSM US LLP.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:jaf