REPORT DIGEST

DEAF AND HARD OF HEARING COMMISSION

COMPLIANCE EXAMINATION FOR THE TWO YEARS ENDED JUNE 30, 2025

Release Date: April 14, 2026

FINDINGS THIS AUDIT: 8

CATEGORY: NEW -- REPEAT -- TOTAL
Category 1: 0 -- 4 -- 4
Category 2: 0 -- 4 -- 4
Category 3: 0 -- 0 -- 0
TOTAL: 0 -- 8 -- 8

FINDINGS LAST AUDIT: 12

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, 400 West Monroe, Suite 306, Springfield, IL 62704-9849
(217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

SYNOPSIS

• (25-1) The Commission did not maintain adequate documentation and control over its state property during the examination period.
• (25-4) The Commission had not implemented adequate internal controls related to cybersecurity programs, practices, and control of confidential information.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

INADEQUATE CONTROLS OVER STATE PROPERTY

The Deaf and Hard of Hearing Commission (Commission) did not maintain adequate documentation and control over its state property during the examination period.

During testing, we noted the property listing provided by the Commission in response to audit requests could not be reconciled with the ending balances reported in the Form C-15 Reports for the fourth quarters ended June 30, 2024 and June 30, 2025 and to the balances reported in the annual inventory certifications submitted to the Department of Central Management Services (CMS). Further, the property listing did not indicate whether the equipment was classified as high-theft, therefore, we could not determine whether the item was reportable under the C-15 Report. In addition, 35 equipment items totaling $21,912 that were purchased as of Fiscal Year 2025 were not recorded in the property listing.
Due to these conditions, we were unable to conclude whether the Commission’s population of property control records were sufficiently precise and detailed under Attestation Standards promulgated by the American Institute of Certified Public Accountants (AT-C § 205.36) to test the Commission’s equipment.

We also noted the following:

• Two of 16 (13%) equipment items, totaling $4,851, were reported in the Agency Discrepancy Report for Fiscal Year 2022 as surplus but had not been removed from the property listing as of Fiscal Year 2025.
• Seven of 16 (44%) equipment items were not found in the Annual Inventory Certification submitted to CMS for Fiscal Year 2025. These items could not be traced to Commission records to identify their costs. In addition, one of these items did not have a tag number.
• One of 8 (13%) Form C-15 Reports was not submitted timely. The Form C-15 Report was submitted three days late.
• 33 equipment items consisting of projectors, DVD players, and various other equipment, totaling $20,116, were no longer used or obsolete. These assets were not transferred to CMS or appropriately disposed.

We also noted the Commission submitted its Annual Certification of Inventory for Fiscal Year 2023 to CMS 7 days late. (Finding 1, pages 9-11). This finding has been reported since 2021.

We recommended the Commission strengthen its controls over property and equipment to ensure all equipment transactions are recorded timely and accurately, tag numbers are properly attached to equipment items, obsolete or no longer used equipment items are transferred to CMS or properly disposed, and Form C-15 Reports and Certification are timely filed.
The Commission agreed with the recommendation and management stated they will implement procedures to strengthen controls over property and equipment, ensure equipment transactions are recorded timely and accurately, tag numbers are properly affixed, obsolete equipment is transferred to CMS or properly disposed of, and Form C-15 Reports and Certifications are filed timely.

WEAKNESSES IN CYBERSECURITY PROGRAMS AND PRACTICES

The Commission had not implemented adequate internal controls related to cybersecurity programs, practices, and control of confidential information.

During our examination, we noted the Commission had not:

• Developed a formal, comprehensive, adequate, and communicated security program to manage and monitor the regulatory, legal, environmental, and operational requirements, including:
    -- Backup Verification
    -- Data Maintenance and Destruction Policy
• Developed a risk management methodology, conducted a comprehensive risk assessment, and implemented risk reducing internal controls.
• Established a data classification methodology for classifying its data to ensure adequate protection of the data.
• Established a cybersecurity plan.

In addition, we noted the Commission had not established a process to review and ensure security incidents identified by the Department of Innovation and Technology (DoIT) involving the applications utilized by the Commission were fully remediated and any related control deficiencies were assessed. (Finding 4, pages 17-19). This finding has been reported since 2021.

We recommended the Commission implement internal controls related to cybersecurity programs, practices, and control of confidential information. Specifically, we recommended the Commission:

• Develop a formal, comprehensive, adequate, and communicated security program to manage and monitor the regulatory, legal, environmental, and operational requirements.
• Develop a risk management methodology, conduct a comprehensive risk assessment, and implement risk reducing internal controls.
• Develop a data classification methodology.
• Establish a cybersecurity plan.
• Establish a process to review and ensure security incidents identified by DoIT involving the Commission’s systems or data are fully remediated and related control deficiencies are assessed.

The Commission agreed with the recommendation and management stated they will implement procedures to strengthen internal controls related to cybersecurity programs, practices, and the protection of confidential information, including developing and maintaining appropriate policies, risk management processes, data classification standards, a cybersecurity plan, and procedures to review and remediate security incidents identified by DoIT.

OTHER FINDINGS

The remaining findings pertain to receipt processing internal controls, voucher processing internal controls, information system contingency planning, personal services, census data, and internal controls for service providers. We will review the Commission’s progress towards the implementation of our recommendations in our next State compliance examination.

ACCOUNTANT’S OPINION

The accountants conducted a State compliance examination of the Commission for the two years ended June 30, 2025 as required by the Illinois State Auditing Act. The accountants qualified their report on State compliance for Findings 2025-001 through 2025-004. Except for the noncompliance described in these findings, the accountants stated the Commission complied, in all material respects, with the requirements described in the report.

This State compliance examination was conducted by Roth & Company, LLP.

COURTNEY DZIERWA
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:EMR