REPORT DIGEST
STATE EMPLOYEES’ RETIREMENT SYSTEM OF ILLINOIS
COMPLIANCE EXAMINATION FOR THE YEAR ENDED JUNE 30, 2021
Release Date: September 8, 2022

FINDINGS THIS AUDIT: 0

CATEGORY: NEW -- REPEAT -- TOTAL
Category 1: 0 -- 0 -- 0
Category 2: 4 -- 1 -- 5
Category 3: 0 -- 1 -- 1
TOTAL: 4 -- 2 -- 6

FINDINGS LAST AUDIT: 3

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703, (217) 782-6046 or TTY (888) 261-2887. This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

INTRODUCTION

This digest covers our Compliance Examination of the State Employees’ Retirement System of Illinois (System) for the year ended June 30, 2021. A separate Financial Audit as of and for the year ended June 30, 2021, was previously released on June 16, 2022. This report contains six findings. The Financial Audit report contained no findings.

SYNOPSIS

• (21-2) The State Employees’ Retirement System of Illinois did not have adequate controls in place over user access to its Information Technology (IT) systems.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

INADEQUATE INTERNAL CONTROLS OVER ACCESS TO INFORMATION SYSTEMS

The State Employees’ Retirement System of Illinois (System) did not have adequate controls in place over user access to its Information Technology (IT) systems. During the compliance examination, the System utilized a combination of systems administered both internally and externally.

During a review of both internal and external systems, we noted:

• For systems administered internally:
  — The System did not retain evidence an internal security review was performed during the examination period.
  — Two of fourteen (14%) terminated employees had access to the network and applications which was not deactivated timely upon their separation from the System. The timing of these deactivations ranged from three to four months after termination.
  — One of fourteen (7%) terminated employees maintained user accounts for various internal systems after network access was deactivated. The timing of the deactivation of the user account was nine months after termination.
  — For two of the terminations, appropriate actions were not subsequently taken to promptly remove access in response to the System’s semi-annual review of users’ access.

• For systems administered externally:
  — The System did not retain evidence of the results of the annual review of security software IDs.
  — One of two (50%) terminated employees had user accounts for one external system which were not deactivated timely upon separation from the System. The timing of this deactivation was three months after termination. (Finding 2, pages 11-12)

We recommended the System maintain evidence of security reviews completed during the year to support that continued monitoring is being performed and possible changes or updates are being made. In addition, we recommended the System implement controls to ensure all employees’ user access is timely disabled upon separation from the System.

The System agreed with the finding.

OTHER FINDINGS

The remaining findings pertain to a board of trustees vacancy, a lack of adequate controls over the review of internal controls for service providers, weaknesses in cybersecurity programs and practices, disaster recovery planning weaknesses, and lack of agreement to ensure compliance with IT security requirements.

We will review the System’s progress towards the implementation of our recommendations in our next compliance examination.

AUDITOR’S OPINION

The financial audit report was previously released. The auditors stated the financial statements of the State Employees’ Retirement System of Illinois as of and for the year ended June 30, 2021, are fairly stated in all material respects.

ACCOUNTANT’S OPINION

The accountants conducted a State compliance examination of the State Employees’ Retirement System of Illinois for the year ended June 30, 2021, as required by the Illinois State Auditing Act. The accountants stated the System complied, in all material respects, with the requirements described in the report.

This compliance examination was conducted by RSM US LLP.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:dmg