REPORT DIGEST

DEPARTMENT OF INNOVATION AND
TECHNOLOGY - INFORMATION TECHNOLOGY
SHARED SERVICES

SERVICE AND ORGANIZATION CONTROL
REPORT AND REPORT REQUIRED UNDER
GOVERNMENT AUDITING STANDARDS
FOR THE YEAR ENDED JUNE 30, 2021

Release Date:  AUGUST 12, 2021

FINDINGS THIS AUDIT:  1

CATEGORY:  NEW -- REPEAT -- TOTAL
Category 1:  0 -- 1 -- 1
Category 2:  0 -- 0 -- 0
Category 3:  0 -- 0 -- 0
TOTAL:  0 -- 1 -- 1

FINDINGS LAST AUDIT: 2

Category 1: Findings that are material
weaknesses in internal control and/or
a qualification on compliance with
State laws and regulations (material
noncompliance).
Category 2: Findings that are
significant deficiencies in internal
control and noncompliance with State
laws and regulations.
Category 3: Findings that have no
internal control issues but are in
noncompliance with State laws and
regulations.

State of Illinois, Office of the
Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report
contact:
Office of the Auditor General, Iles
Park Plaza, 740 E. Ash Street,
Springfield, IL 62703
(217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are
also available on the worldwide web at
www.auditor.illinois.gov

INTRODUCTION

This digest covers our System and
Organization Control Report and Report
Required Under Government Auditing
Standards of the Department of
Innovation and Technology (Department)
Information Technology Shared Services
for the period from July 1, 2020
through June 30, 2021.

The Department provides information
technology general controls and
application controls for approximately
106 user agencies.

The System and Organization Control
Report contained a modified opinion
due to the weaknesses associated with
the Department’s suitability of
control design and operating
effectiveness of controls. In
addition, the Report Required Under
Government Auditing Standards (GAS)
contains one finding.

SYNOPSIS

• (21-1) The Department did not ensure
its controls over the State’s Shared
Services system operated effectively.

FINDINGS, CONCLUSIONS, AND
RECOMMENDATIONS

CONTROLS DID NOT OPERATE EFFECTIVELY

The Department of Innovation and
Technology (Department) did not ensure
its controls over the Information
Technology Shared Services system
operated effectively. The controls
related to the control objectives are
stated in the “Description of the
Information Technology Shared Services
for the Information Technology General
Controls and Application Controls”
(description of system), provided by
the Department.

As part of our testing to determine if
the controls were operating
effectively, we requested the
Department to provide a population of
modifications to employees’ and
contractors’ access to the
Department’s resources.  However, the
Department was unable to provide a
population. As a result of the
Department’s inability to provide the
population, we were unable to conduct
testing to determine if the controls
related to logical access to
applications, data, and the
environment were restricted to
authorized and appropriate users.

Additionally, we requested the
Department provide a population of
modified security software IDs during
the examination period. However, the
Department was unable to provide a
population. As a result of the
Department’s inability to provide the
population, we were unable to conduct
testing to determine if the controls
related to logical access to
applications, data, and the
environment were restricted to
authorized and appropriate users.

Furthermore, during our testing of the
controls related to the control
objectives stated in the description
of system, we noted specific controls
which did not operate effectively.
Specifically, we noted:

Logical Access Provisioning and De-
Provisioning
• The Department did not have a policy
documenting the required timeframe for
revocation of logical access upon
termination.
• The Department did not conduct the
Security Software Annual
Reconciliation.
• New security software accounts were
not approved by the Agency Technology
Service Requestor.
• New security software accounts did
not have an approved Remedy ticket or
Mainframe Access Request Form.
• The Department could not provide
documentation demonstrating separated
individuals’ access rights were
terminated.
• Terminated employees did not have a
Remedy Service Request completed.

Physical Access Provisioning and De-
Provisioning
• The Department was unable to provide
documentation demonstrating the timely
termination of individuals’ access to
the Department’s resources.
• New employee and contractor access
requests were not properly completed.
• Individuals were provided
inappropriate access to Department
facilities.
• Monitoring of cameras at a
Department facility was not conducted.

Application Edits
• One state’s tax rate was incorrect
in the Central Payroll System tax
tables.
• The federal tax rate for head of
household filers was incorrect.

Change Management
• The Remedy on Demand User Guide
contradicted the Change Management
Guide requirements for required
approvals.
• Changes did not always have test
plans, backout plans, or
implementation plans.
• Changes were not approved by the
Change Advisory Committee, Enterprise
Change Manager, or Group Manager.
• Changes classified as ‘No Impact’
were not reviewed monthly.
• Emergency changes did not always
have a Post Implementation Review
conducted.

Network
• Multiple instances where systems
were not up-to-date with the latest
anti-virus software.
• Multiple instances where operating
system patches were not tested or did
not have documentation of testing
prior to being pushed to the general
populations.
• A Network Administrator did not
require administrative rights to the
environment.
• Device configurations were not
backed up for the period of April 15
to April 23, 2021.

Failure to ensure controls operated
effectively to provide reasonable
assurance the control objectives
stated in the description were
achieved resulted in a modified
opinion on the Department’s System and
Organization Control Report related to
the Information Technology Shared
Services.  (Finding 2, pages 8-10 of
GAS Report)

We recommended the Department ensure
its controls operate effectively over
the services provided to user
entities.

Department officials accepted the
recommendation.

DEPARTMENT SECRETARY

During Examination Period:
Jennifer Ricker, Acting (9/5/20 –
Present)
Ron Guerrier (7/1/20 – 9/4/20)

SERVICE AUDITOR’S OPINION

The System and Organization Control
Report contained a modified opinion.
Specifically, the Service Auditors
determined, except for the matters
described in the System and
Organization Control Report, in all
material respects, based on the
criteria described in the State of
Illinois, Department of Innovation and
Technology’s assertion:

• the description fairly presents the
State of Illinois, Department of
Innovation and Technology’s
Information Technology Shared Services
system that was designed and
implemented throughout the period from
July 1, 2020 to June 30, 2021.
• the controls related to the control
objectives stated in the description
were suitably designed to provide
reasonable assurance that the control
objectives would be achieved if the
controls operated effectively
throughout the period from July 1,
2020, to June 30, 2021; and subservice
organizations and user entities
applied complementary controls assumed
in the design of the State of
Illinois, Department of Innovation and
Technology’s control throughout the
period July 1, 2020 to June 30, 2021.
• the controls operated effectively to
provide reasonable assurance that the
control objectives stated in the
description were achieved throughout
the period from July 1, 2020 to June
30, 2021 if complementary subservice
organization and user entity controls
assumed in the design of the State of
Illinois, Department of Innovation and
Technology’s controls operated
effectively throughout the period July
1, 2020 to June 30, 2021.

This System and Organization Control
Examination was conducted by the
Office of the Auditor General’s staff.

JANE CLARK
Division Director

This report is transmitted in
accordance with Section 3-14 of the
Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:MKL