REPORT DIGEST

DEPARTMENT OF INNOVATION AND TECHNOLOGY - STATE OF ILLINOIS, ENTERPRISE RESOURCE PLANNING SYSTEM

SERVICE AND ORGANIZATION CONTROL REPORT AND REPORT REQUIRED UNDER GOVERNMENT AUDITING STANDARDS

FOR THE YEAR ENDED JUNE 30, 2021

Release Date: AUGUST 12, 2021

FINDINGS THIS AUDIT: 1

CATEGORY: NEW -- REPEAT -- TOTAL
Category 1: 0 -- 1 -- 1
Category 2: 0 -- 0 -- 0
Category 3: 0 -- 0 -- 0
TOTAL: 0 -- 1 -- 1

FINDINGS LAST AUDIT: 1

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703, (217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

INTRODUCTION

This digest covers our System and Organization Control Report and Report Required Under Government Auditing Standards of the Department of Innovation and Technology (Department), State of Illinois, Enterprise Resource Planning System for the period from July 1, 2020 through June 30, 2021. The Enterprise Resource Planning System is utilized by approximately 57 user agencies.

The System and Organization Control Report contained a modified opinion due to the weakness associated with the Department’s operating effectiveness of controls. In addition, the Report Required Under Government Auditing Standards (GAS) contains one finding.

SYNOPSIS

• (21-1) The Department did not ensure its controls over the State’s Enterprise Resource Planning (ERP) System operated effectively.
FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

CONTROLS DID NOT OPERATE EFFECTIVELY

The Department of Innovation and Technology (Department) did not ensure its controls over the State’s Enterprise Resource Planning (ERP) System operated effectively.

The controls related to the control objectives are stated in the “Description of the State of Illinois, Enterprise Resource Planning System for the IT General Controls and Application Controls” (description of system), provided by the Department.

As part of our testing to determine if the controls were operating effectively, we requested the Department to provide a population of modifications to employees’ and contractors’ access to the Department’s resources. However, the Department was unable to provide a population. As a result of the Department’s inability to provide the population, we were unable to conduct testing to determine if the controls related to logical access to applications, data, and the environment were restricted to authorized and appropriate users.

Additionally, during our testing of the controls related to the control objectives stated in the description of system, we noted specific controls which did not operate effectively. Specifically, we noted:

Access Provisioning and De-Provisioning
• The Department did not have a policy documenting the required timeframe for revocation of logical access upon termination.
• The Department could not provide documentation demonstrating separated individuals’ access rights were terminated.
• Terminated employees did not have a Remedy Service Request completed.

Change Control
• Changes did not have support for testing in the various environments.
• Changes did not have completed change request forms.
• Defects did not have support for testing in the various environments.
As a result of the above noted exceptions, the controls were not operating effectively to provide reasonable assurance that the control objectives stated in the description were achieved, resulting in a modified opinion on the Department’s System and Organization Control Report related to the State’s ERP System. (Finding 1, pages 7-8 of GAS Report)

We recommended the Department ensure its controls operate effectively over the services provided to user agencies.

Department officials accepted the recommendation.

DEPARTMENT SECRETARY

During Examination Period:
Jennifer Ricker, Acting (9/5/20 – Present)
Ron Guerrier (7/1/20 – 9/4/20)

SERVICE AUDITOR’S OPINION

The System and Organization Control Report contained a modified opinion. Specifically, the Service Auditors determined, except for the matters described in the System and Organization Control Report, in all material respects, based on the criteria described in the State of Illinois, Department of Innovation and Technology’s assertion:

• the description fairly presents the State of Illinois, Enterprise Resource Planning System that was designed and implemented throughout the period from July 1, 2020 to June 30, 2021.
• the controls related to the control objectives stated in the description were suitably designed to provide reasonable assurance that the control objectives would be achieved if the controls operated effectively throughout the period from July 1, 2020, to June 30, 2021; and subservice organizations and user entities applied complementary controls assumed in the design of the State of Illinois, Department of Innovation and Technology’s controls throughout the period July 1, 2020 to June 30, 2021.
• the controls operated effectively to provide reasonable assurance that the control objectives stated in the description were achieved throughout the period from July 1, 2020 to June 30, 2021 if complementary subservice organization and user entity controls assumed in the design of the State of Illinois, Department of Innovation and Technology’s controls operated effectively throughout the period July 1, 2020 to June 30, 2021.

This System and Organization Examination was conducted by the Office of the Auditor General’s staff.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:MKL