REPORT DIGEST

DEPARTMENT OF THE LOTTERY
COMPLIANCE EXAMINATION FOR THE TWO YEARS ENDED JUNE 30, 2025

Release Date: March 5, 2026

FINDINGS THIS AUDIT: 12

CATEGORY      NEW   REPEAT   TOTAL
Category 1      0        0       0
Category 2      4        7      11
Category 3      0        1       1
TOTAL           4        8      12

FINDINGS LAST AUDIT: 8

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, 400 West Monroe, Suite 306, Springfield, IL 62704-9849, (217) 782-6046 or TTY (888) 261-2887. This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov.

INTRODUCTION

This digest covers the Department of the Lottery’s (Department) State Compliance Examination for the two years ended June 30, 2025. A digest covering the financial audit of the Department’s State Lottery Fund as of and for the year ended June 30, 2025, was previously issued on January 13, 2026. In total, this report contains 12 findings, none of which were reported in the Financial Audit.

SYNOPSIS

• (25-04) The Department did not exercise adequate controls over its State vehicles.
• (25-07) The Department had not implemented adequate internal controls related to cybersecurity programs, practices, and control of confidential information.
• (25-08) The Department failed to maintain adequate general information technology controls related to its applications and data.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

INADEQUATE CONTROLS OVER STATE VEHICLES

The Department of the Lottery (Department) did not exercise adequate controls over its State vehicles. During our testing, we requested the Department’s vehicle listing to be used throughout our testing of the operation of automotive equipment. We were provided with invoices from the Department of Central Management Services (CMS) to the Department that listed the Department’s vehicles in lieu of an internally developed and maintained listing of vehicles.
Due to these conditions, we were unable to conclude the Department’s population of vehicles was sufficiently precise and detailed under the Professional Standards promulgated by the American Institute of Certified Public Accountants (AT-C § 205.36).

Even given the limitations noted above, we performed testing over vehicle maintenance records for a sample of vehicles identified by the Department and noted one of eight (13%) vehicles tested received an untimely oil change during the examination period. The oil change was performed 4,738 miles beyond the required oil change interval.

In addition, while examining the Department’s documentation for five accidents, we noted the Illinois Motorist Report forms (Form SR-1) for two accidents (40%) were not timely submitted to CMS. The Form SR-1s were submitted one and 671 days late, respectively.

We also noted the Department did not timely submit the Fiscal Year 2023 CMS Division of Vehicles Individually Assigned Vehicle form (IAV Form). The IAV Form should have been submitted to CMS by November 14, 2024; however, it was not submitted until November 22, 2024, eight days late (Finding 4, pages 15-17). This finding has been reported since 2019.

We recommended the Department implement controls to ensure:
1) an internal listing of all vehicles owned by the Department is created and maintained;
2) all required maintenance on State vehicles is performed timely;
3) Form SR-1s are completed and submitted timely; and,
4) information regarding individually assigned vehicles is timely reported to CMS.

Department management accepted the finding and noted they will develop a comprehensive vehicle listing going forward and will continue their efforts to train drivers and supervisors on the maintenance and reporting requirements.
WEAKNESSES IN CYBERSECURITY PROGRAMS AND PRACTICES

The Department of the Lottery (Department) had not implemented adequate internal controls related to cybersecurity programs, practices, and control of confidential information. As part of its mission, the Department utilizes several environments, applications, and databases which contain volumes of confidential and personal information of citizens. The Illinois State Auditing Act (30 ILCS 5/3-2.4) requires the Auditor General to review State agencies and their cybersecurity programs and practices.

During our examination of the Department’s cybersecurity program, practices, and control of confidential information, we noted the Department had not:
• addressed off-site storage and configuration management within the Department’s Information Technology (IT) policy;
• ensured that data classification documentation included information related to data retention and destruction;
• ensured its Risk Management Methodology addressed specific processes on the selection of security controls, how those controls are implemented or assessed, or how they are monitored; or,
• included adequate documentation within the two risk assessments performed during the period pertaining to the prioritization, evaluation, and implementation of risk-reducing controls for the environment (Finding 7, pages 23-24).

This finding has been reported since 2019.

We recommended the Department:
• document off-site storage and configuration management within the Department’s IT policy;
• include information related to data retention and destruction in its data classification documentation;
• ensure its Risk Management Methodology addresses specific processes on the selection of security controls, how those controls are implemented or assessed, and how they are monitored; and,
• include adequate documentation within any risk assessments performed pertaining to the prioritization, evaluation, and implementation of risk-reducing controls for the environment.
Department management accepted the finding and noted they will continue to evaluate and implement additional controls as necessary to address the deficiencies.

INADEQUATE CONTROLS OVER ACCESS TO APPLICATIONS AND DATA

The Department of the Lottery (Department) failed to maintain adequate general information technology controls related to its applications and data.

We tested information technology general controls (ITGCs) for six Department applications assessed to have a material impact on the Department’s financial information and/or operations. ITGCs help prevent unauthorized access, data breaches, and operational disruptions and include software implementation, user account creation, and data management. Strong ITGCs increase the integrity and reliability of information.

We tested the Department’s access provisioning procedures for a sample of 114 users across six applications. Our sample of 114 users comprised 90 existing users, 13 new-hired users, and 11 terminated users. We noted the following exceptions:
• Five of 11 (45%) terminated users tested had separated from the Department but were still defined as authorized users in the tested application as of June 30, 2025. The days past separation for these four employees ranged from 181 to 516. However, four (80%) of these terminated users were removed from the authorized user listing on July 1, 2025, while one terminated user remained on the authorized user listing.
• Four of 11 (36%) terminated users tested were inactive contractors but were still defined with access to the Enterprise Resource Planning System (ERP) per the Governance, Risk, and Compliance (GRC) Security Report for the application as of June 30, 2025.

We also noted the Department did not perform annual reviews of user access to one of six (17%) applications tested.
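The reconciliation behind the exceptions above, shown here as an added illustration that is not part of the Department's report or its systems: the script compares an application's authorized-user export against HR separation records as of the examination cut-off (June 30, 2025), lists separated users whose accounts are still enabled together with the days past separation, lists enabled contractor accounts with no recent login, and checks whether the last user-access review is more than a year old. All records, user IDs, column names (user_id, account_type, status, last_login) and the 90-day dormancy window are constructed assumptions, not the format of the Department's GRC Security Report.

```python
"""Added example (not from the Department's report or systems): reconcile an
application's authorized-user export against HR separation records, the check
behind the ITGC exceptions above. All records below are constructed."""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date

# Examination cut-off date used in the digest.
AS_OF = date(2025, 6, 30)

# Constructed HR separation feed; user IDs are hypothetical.
SEPARATIONS_CSV = """user_id,separation_date
E1001,2024-12-31
E1002,2024-01-31
E1003,2025-06-15
"""

# Constructed application user export. Column names are assumptions, not the
# format of the Department's GRC Security Report. E1003 was separated but is
# already disabled, so it must not be flagged.
USERS_CSV = """user_id,account_type,status,last_login
E1001,employee,enabled,2024-12-20
E1002,employee,enabled,2024-01-15
E1003,employee,disabled,2025-06-10
E1004,employee,enabled,2025-06-27
C2001,contractor,enabled,2024-09-01
C2002,contractor,enabled,2025-06-20
"""


@dataclass(frozen=True)
class AccessException:
    user_id: str
    reason: str
    days: int  # days past separation, or days idle, depending on reason


def parse_date(s: str) -> date:
    return date.fromisoformat(s)


def load_separations(text: str) -> dict:
    """Map user_id -> separation date from the HR feed."""
    return {row["user_id"]: parse_date(row["separation_date"])
            for row in csv.DictReader(io.StringIO(text))}


def load_users(text: str) -> list:
    """Rows of the application user export as dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def orphaned_accounts(users: list, separations: dict, as_of: date = AS_OF) -> list:
    """Separated users whose account is still enabled at the cut-off date,
    longest past separation first."""
    found = []
    for u in users:
        sep = separations.get(u["user_id"])
        if sep is None or sep > as_of or u["status"] != "enabled":
            continue
        found.append(AccessException(u["user_id"], "enabled after separation",
                                     (as_of - sep).days))
    return sorted(found, key=lambda e: e.days, reverse=True)


def dormant_contractors(users: list, as_of: date = AS_OF,
                        max_idle_days: int = 90) -> list:
    """Enabled contractor accounts with no login inside the idle window
    (the 90-day window is an assumed policy value)."""
    found = []
    for u in users:
        if u["account_type"] != "contractor" or u["status"] != "enabled":
            continue
        idle = (as_of - parse_date(u["last_login"])).days
        if idle > max_idle_days:
            found.append(AccessException(u["user_id"], "dormant contractor", idle))
    return found


def review_overdue(last_review: date, as_of: date = AS_OF,
                   max_age_days: int = 365) -> bool:
    """True when the application's last user-access review is older than a year."""
    return (as_of - last_review).days > max_age_days


if __name__ == "__main__":
    users = load_users(USERS_CSV)
    seps = load_separations(SEPARATIONS_CSV)
    for e in orphaned_accounts(users, seps) + dormant_contractors(users):
        print(f"{e.user_id}: {e.reason} ({e.days} days)")
    print("access review overdue:", review_overdue(parse_date("2024-05-01")))
```

Run against the constructed data, the script reports E1002 (516 days) and E1001 (181 days) as enabled after separation, leaves E1003 alone because the account was disabled, and flags contractor C2001 as dormant. Keeping the export and the HR feed together with the run date is the documentation the recommendation below asks for: it shows when each removal was due and when it happened.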
The access exceptions above are reported as Finding 8 (pages 25-26).

We recommended the Department promptly terminate inappropriate and unnecessary user access and maintain documentation to support the timeliness of changes to user access. We also recommended the Department ensure user access reviews for all applications are conducted on, at least, an annual basis.

Department management accepted the finding and noted they will strengthen their controls over the timely removal of relevant application access for terminated users, including contracted external auditors.

OTHER FINDINGS

The remaining findings pertain to inadequate controls over or weaknesses in personal services, voucher processing, reporting requirements, disaster recovery planning, service providers, and receipt processing; failure to incorporate a required contractual provision in the Private Manager Agreement; noncompliance with the Illinois Lottery Law; and an insufficient number of Lottery Control Board Members.

We will review the Department’s progress towards the implementation of our recommendations in our next State compliance examination.

AUDITOR’S OPINION

The auditors stated the financial statements of the State Lottery Fund as of and for the year ended June 30, 2025, are fairly stated in all material respects.

ACCOUNTANT’S OPINION

The accountants conducted a State compliance examination of the Department for the two years ended June 30, 2025, as required by the Illinois State Auditing Act. The accountants stated the Department complied, in all material respects, with the requirements described in the report.

This State compliance examination was conducted by Sikich CPA LLC.

COURTNEY DZIERWA
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:QK