Volume 28, 2022 Annual Edition


Emerging and Potential Audit Issues

Frank J. Mautino, Auditor General



Auditor General’s Message


The purpose of the Illinois Audit Advisory is to share information that may aid state agency operations’ efficiency, effectiveness, and compliance with state laws.


As agency managers and public officials, we have the responsibility to efficiently and effectively use agency resources. To ensure proper use of such resources, a sound system of management controls is of primary importance. Agency management has always been, and continues to be, responsible for ensuring that an adequate system of internal controls has been established within the agency and that the system is properly functioning. However, the Office of the Auditor General is committed to aiding agencies to the extent allowed by auditing standards and independence requirements.


Timeliness of reporting responses and proper internal controls can help to ensure efficiencies in a new technological age. To that end, we have included cyber security audits in compliance audits since 2019. Today’s Audit Advisory will look at and review cyber security findings and opportunities for improvements. We will also review timelines and important dates for agency managers to keep in mind.

I hope you find this issue of the Illinois Audit Advisory helpful. 





Holland Inducted Into NASACT Hall of Fame


Former Illinois Auditor General William G. Holland was recently inducted into the National Association of State Auditors, Comptrollers and Treasurers (NASACT) Hall of Fame. Holland was the State’s longest serving Auditor General holding the position for more than 23 years from August 1, 1992 to December 31, 2015.

Holland began his government career in 1974 as a legislative intern. In 1980, he was appointed the first director of the Illinois General Assembly’s Washington Office. From 1983 to 1992, Holland served as chief of staff for the Illinois Senate President.

During his tenure as Auditor General, Holland’s audits won several national awards and the Office was known for its objectivity and high ethical standards. While Holland was always quick to credit his staff, his leadership made the Office one of the most respected agencies in the State of Illinois.

Holland served as president of both the National State Auditors Association (NSAA) and NASACT. He has also been recognized by his peers for numerous awards including two NASACT President’s Awards and the NSAA William R. Snodgrass Distinguished Leadership Award.







Cybersecurity Reviews


Public Act 100-914 amended the Illinois State Auditing Act (30 ILCS 5/3-2.4 new) to specifically include Cybersecurity as part of our Compliance Examination program with an effective date of January 1, 2019. 

As outlined in the past several Audit Advisories, we incorporated a review of Cybersecurity into the standard compliance examination program and also performed detailed testing at selected agencies in the June 30, 2021 examinations.


We used the following general criteria in our examinations to determine if agencies had:

1.  Established and documented cybersecurity roles and responsibilities.

2.  Established and communicated policies, procedures, and processes to manage and monitor the regulatory, legal, environmental, and operational requirements.

3.  Performed a comprehensive risk assessment to identify and ensure adequate protection of confidential or personal information most susceptible to attack.

4.  Classified data to establish the types of information most susceptible to attack to ensure adequate protection.

5.  Ensured all employees annually complete cybersecurity training as outlined in the Data Security on State Computers Act.

6.  Evaluated and implemented appropriate controls to reduce the risk of attack.

We identified significant weaknesses at 35 agencies (from reports released through August 18, 2022) and the table below summarizes our findings.




Deficiencies in Categories as Listed Above









Abraham Lincoln Presidential Library and Museum



Chicago State University






Commission on Government Forecasting & Accountability




Criminal Justice Information Authority



Department of Agriculture




Department of Central Management Services






Department of Healthcare and Family Services




Department of Human Rights




Department of Labor



Department of Lottery




Department of Public Health






Eastern Illinois University



Governors State University



Illinois Arts Council





Illinois Emergency Management Agency



Illinois Finance Authority



Illinois Housing Development Authority





Illinois Mathematics and Science Academy



Illinois State University






Illinois Workers’ Compensation Commission



Legislative Reference Bureau




Liquor Control Commission



Northeastern Illinois University




Office of Executive Inspector General



Office of Governor



Office of Lieutenant Governor



Office of Secretary of State



Southern Illinois University






State Board of Elections




State Universities Retirement System



Supreme Court



Supreme Court Historic Preservation Commission



Teachers’ Retirement System





University of Illinois






Western Illinois University




To promote agencies’ responsibility to ensure that confidential information is protected from accidental or unauthorized disclosure, we generally recommended they ensure that the six areas identified above are adequately addressed.  On small agencies, our primary focus is on the completion of a comprehensive risk assessment to help determine if all of the six areas need to be implemented.

We will continue to emphasize the review of cybersecurity programs and practices in future compliance examinations.





Important Reporting Dates 


Our audit findings reveal that many agencies routinely miss recurring reporting deadlines. While some of these reports are ministerial in nature, failure to comply not only subjects an agency to an audit finding but also suggests a lack of management controls over legal requirements. Additionally, as more agencies struggle to get by with less staff, anticipating and making plans in advance to meet upcoming deadlines becomes more critical.

State agencies are required to fulfill some requirements on an annual basis but the date for completion is not set in statute. Agencies should establish tickler files to ensure these requirements are met each year:


Annual Requirement

Source of Requirement

DoIT cybersecurity training

Data Security on State Computers Act (20 ILCS 450/25)

Ethics training

State Officials and Employees Ethics Act (5 ILCS 430/5-10 (a))

Evaluation of each employee

Illinois Administrative Code (80 Ill. Adm. Code 302.270 (d))

Harassment and discrimination prevention training

State Officials and Employees Ethics Act (5 ILCS 430/5-10.5 (a-5))

Physical inventory of State equipment to CMS

Illinois Administrative Code (44 Ill. Adm. Code 5010.460)


 Other deadlines are not fixed dates but instead are triggered by an event or occurrence. A sampling of those requirements that our audit experience shows are often missed by agencies follows:


Triggering Event


Source of Requirement

Prior to authorizing travel

Use of private vehicle on State business

Obtain statement from State employee certifying he/she is duly licensed and has statutory minimum insurance coverage

Illinois Vehicle Code (625 ILCS 5/10- 101(b)) and Illinois Administrative Code (80 Ill. Adm. Code 3000.300 (f) (1))

Day of receipt

Any single item of receipt exceeding $10,000

Deposit into the State treasury

State Officers and Employees Money Disposition Act (30 ILCS 230/2)

Within 24 hours

An accumulation of receipts totaling $10,000 or more

Deposit into the State treasury

State Officers and Employees Money Disposition Act (30 ILCS 230/2)

Within 48 hours

An accumulation of receipts exceeding $500 but less than $10,000

Deposit into the State treasury

State Officers and Employees Money Disposition Act (30 ILCS 230/2)

Within 3 days

Accident in State vehicle

File report (Form SR-1) with law enforcement and CMS

Illinois Administrative Code (44 Ill. Adm. Code 5040.520)

No later than 5 calendar days

Award of contract through emergency purchase

Post notice in the online electronic Procurement Bulletin

Illinois Procurement Code (30 ILCS 500/15-25 (c))

Within 5 business days
(21 working days if for a commercial purpose)

Receipt of request for public records

Grant or deny unless timeframe is extended

Freedom of Information Act (5 ILCS 140/3 (d) and 3.1)

Within 10 days

Award of contract through emergency purchase

File statements with Procurement Policy Board, Commission on Equity and Inclusion, and Auditor General

Illinois Procurement Code (30 ILCS 500/20-30 (c))

Within 15 days

Execution of a real property lease

File a copy with the Secretary of State

State Finance Act (30 ILCS 105/9)

Within 30 days

Grant or contract liability greater than $20,000 incurred

File copy with State Comptroller

Illinois Procurement Code (30 ILCS 500/20-80 (b))

Within 30 days

Receipt of vendor bill

Review and approve or deny

State Prompt Payment Act (30 ILCS 540) and Illinois Administrative Code (74 Ill. Adm. Code 900.70)

Within 30 days

New employee hired

Take ethics training

State Officials and Employees Ethics Act (5 ILCS 430/5-10 (c))

Within 30 days

New employee hired

Take harassment and discrimination prevention training

State Officials and Employees Ethics Act (5 ILCS 430/5-10.5 (a-5))

Within 45 days

End of grant period

Receive unused grant funds back from grantee

Grant Funds Recovery Act (30 ILCS 705/)

Within 60 days

Travel expense incurred by State employee

Submit request for reimbursement

Internal Revenue Service Publication 535 and Accounting Bulletins numbers 134, 135 and 137

Within 60 days of month end

Fiscal activity

Perform monthly reconciliation of various reports to the SAMS system

SAMS Procedure 07.30.20

Within 90 days

Acquisition, change, or deletion of equipment

Adjust property records

Illinois Administrative Code (44 Ill. Adm. Code 5010.400)


 From a sampling of recent audits, below are a list of due dates for reports that most State agencies are required to submit:


Due Date


Report Recipient

Source of Requirement

Jan. 1

Agency Workforce

Secretary of State & Governor

State Employment Records Act (5 ILCS 410/20)

Jan. 7

Annual Report


State Finance Act (30 ILCS 105/3)

Jan. 15

Travel Headquarters (TA-2)
(Period from July 1 through December 31)

Legislative Audit Commission

State Finance Act (30 ILCS 105/12-3)

May 1

Evaluation of internal fiscal and administrative controls (FCIAA Certification)

Auditor General

Fiscal Control and Internal Auditing Act (30 ILCS 10/3003)

May 1

Statements of Economic Interests

Secretary of State

Governmental Ethics Act (5 ILCS 420/4A-105)

July 1 –July 31

Proof of driver's license and liability insurance for employees assigned a State vehicle

Agency Director

Illinois Vehicle Code (625 ILCS 5/7-601(c))

July 15

Travel Headquarters (TA-2)
(Period from January 1 through June 30)

Legislative Audit Commission

State Finance Act (30 ILCS 105/12-3)

July 15

Identification of State agency employee responsible for distribution of agency publications

Illinois State Library Government Documents Section

Illinois Administrative Code (23 Ill. Adm. Code 3020.150)

July 31

Annual Real Property Utilization

Central Management Services

State Property Control Act (30 ILCS 605/7.1(b))

Aug. 1

Agency Fee Imposition

State Comptroller

State Comptroller Act (15 ILCS 405/16.2) and SAMS Procedure 33.16.20

Aug. 10 – Aug. 31

General deadline for GAAP reporting packages

State Comptroller

SAMS Procedure 27.10.10

Oct. 15

GAAP basis financial statements (including footnote disclosures)

State Comptroller

SAMS Procedure 27.10.10

Dec. 15

Public Accountability Report

State Comptroller

SAMS Procedure 33.20.20







Contact Information:


Office of the Auditor General

Iles Park Plaza, 740 East Ash Street

Springfield, Illinois 62703-3154


Michael A. Bilandic Building,

160 N. LaSalle Street, Suite S-900

Chicago, Illinois 60601-3109


Phone: 217-782-6046

Fax: 217-785-8222

TTY: 1-888-261-2887

Fraud Hotline: 1-855-217-1895


E-mail:  audgen@illinois.auditor.gov

Website:  www.auditor.illinois.gov