REPORT DIGEST

DEPARTMENT OF INNOVATION AND TECHNOLOGY
INFORMATION TECHNOLOGY HOSTING SERVICES SYSTEM

SYSTEM AND ORGANIZATION CONTROLS REPORT AND REPORT REQUIRED UNDER GOVERNMENT AUDITING STANDARDS
FOR THE TWO YEARS ENDED JUNE 30, 2023

Release Date: November 7, 2024

FINDINGS THIS AUDIT: 1

CATEGORY       NEW   REPEAT   TOTAL
Category 1:    1     0        1
Category 2:    0     0        0
Category 3:    0     0        0
TOTAL:         1     0        1

FINDINGS LAST AUDIT: 2

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, 400 West Monroe, Suite 306, Springfield, IL 62704-9849, (217) 782-6046 or TTY (888) 261-2887.

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

INTRODUCTION

This digest covers the System and Organization Controls Report and the Report Required under Government Auditing Standards of the Department of Innovation and Technology, Information Technology Hosting Services System (Department) for the period July 1, 2023 to June 30, 2024. The System and Organization Controls Report contained a qualified opinion due to weaknesses associated with the Department’s suitability of the controls design. In addition, the Report Required under Government Auditing Standards (GAS) contains one finding.

SYNOPSIS

• (24-1) The controls related to the trust services criteria stated in the “State of Illinois, Department of Innovation and Technology’s Description of Its Information Technology Hosting Services System” (description of system), were not suitably designed to provide reasonable assurance the trust services criteria would be achieved.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

CONTROLS WERE NOT SUITABLY DESIGNED

The controls related to the trust services criteria stated in the “State of Illinois, Department of Innovation and Technology’s Description of Its Information Technology Hosting Services System” (description of system), as provided by the Department of Innovation and Technology (Department), were not suitably designed to provide reasonable assurance the trust services criteria would be achieved.

As part of our testing to determine if the controls were suitably designed, we requested the Department provide populations related to unsuccessful backups. However, the Department did not provide complete and accurate populations. Due to these conditions, we were unable to conclude the Department’s population records were sufficiently precise and detailed under the Attestation Standards promulgated by the American Institute of Certified Public Accountants (AT-C § 320.30) to test the suitable design of the controls. As such, we could not perform testing.

Additionally, we requested the Department provide evidence that devices were sanitized before disposal. However, the Department did not retain evidence to support the control activity prior to September 11, 2023. Due to this condition, we were unable to conclude on the Department’s compliance with the control activity prior to September 11, 2023. (Finding 1, page 8 of GAS Report)

We recommended the Department ensure the controls are suitably designed over the services provided to user agencies. Also, we recommended the Department ensure the documentation of device sanitization before disposal is retained for the entire fiscal year.

Department officials agreed and stated they were assessing options to capture and retain reports of alerts from the mainframe log files, and that supporting documentation of sanitization would be attached to the service ticket.

SERVICE AUDITOR’S OPINION

The System and Organization Controls Report contained a qualified opinion. Specifically, the Service Auditors determined, except for the matters described in the System and Organization Controls Report, in all material respects, based on the criteria described in the State of Illinois, Department of Innovation and Technology’s assertion:

a. the description fairly presents the State of Illinois, Department of Innovation and Technology’s Information Technology Hosting Services System that was designed and implemented throughout the period July 1, 2023 to June 30, 2024 in accordance with the description criteria.

b. the controls stated in the description were suitably designed throughout the period July 1, 2023 to June 30, 2024 to provide reasonable assurance that the Department’s service commitments and system requirements would be achieved based on the applicable trust services criteria, if its controls operated effectively throughout that period, and if the subservice organizations and user entities applied the complementary controls assumed in the design of the State of Illinois, Department of Innovation and Technology’s controls throughout the period July 1, 2023 to June 30, 2024.

c. the controls stated in the description operated effectively throughout the period July 1, 2023 to June 30, 2024, to provide reasonable assurance that the Department’s service commitments and system requirements were achieved based on the applicable trust services criteria, if complementary subservice organization controls and complementary user entity controls assumed in the design of the State of Illinois, Department of Innovation and Technology’s controls operated effectively throughout the period July 1, 2023 to June 30, 2024.

This System and Organization Controls Examination was conducted by CliftonLarsonAllen LLP.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:vrb