REPORT DIGEST

DEPARTMENT OF CENTRAL MANAGEMENT SERVICES - TEACHER HEALTH INSURANCE SECURITY FUND

FINANCIAL AUDIT FOR THE YEAR ENDED JUNE 30, 2020

Release Date: June 2, 2021

FINDINGS THIS AUDIT: 1

CATEGORY       NEW    REPEAT    TOTAL
Category 1:     0       0         0
Category 2:     1       0         1
Category 3:     0       0         0
TOTAL:          1       0         1

FINDINGS LAST AUDIT: 0

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703, (217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

SYNOPSIS

• (20-01) The Department did not conduct adequate independent internal control reviews over its external service providers’ System and Organization Control (SOC) reports utilized by the Teacher Retirement Insurance Program (Program).

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

INADEQUATE REVIEW OF EXTERNAL SERVICE PROVIDERS

The Department of Central Management Services (Department) did not conduct adequate independent internal control reviews over its external service providers’ System and Organization Control (SOC) reports utilized by the Teacher Retirement Insurance Program (Program).

The Department currently receives copies of the SOC reports from nine different external service providers and performs an independent internal control review of each SOC report to determine whether any areas of concern are noted for the Program.
In total the Department received 12 SOC reports during the audit period for the Program. These service providers provide:

• Medical plan coverage and payments
• Claims processing
• Benefits solutions
• Plan administration
• IT hosting

During testing of the 12 SOC reports, we noted the following:

• Twelve of 12 (100%) SOC reports identified Complementary User Entity Controls (CUEC) necessary for the Service Organization’s system which relies on the Department to implement the CUECs in order to achieve the Service Organization’s control objectives. The Department did not perform an assessment to determine if it had implemented the CUECs for each.
• Nine of 12 (75%) SOC external service provider reports identified additional subservice organizations used by the service organization that were carved out of the SOC report. These subservice organizations required additional CUECs and the service provider relied on the subservice organizations to implement the CUECs in order to achieve the Service Organization's control objectives. The Department did not perform additional assessments on the subservice organizations to determine if the CUECs had been implemented.
• Seven of 12 (58%) SOC reports had qualified opinions due to deficiencies noted by the SOC auditors. The Department did not perform an analysis on whether they could rely on the external service providers’ controls due to the deficiencies noted in the SOC reports with qualified opinions.

Through our assessment of the types of deficiencies noted by the SOC auditors, and the substantive testing we performed in other areas of our audit, we were able to rely on the testing and assurance provided by the SOC reports (Finding 1, pages 24-27).

We recommended the Department:

• Monitor and document the operation of the CUECs relevant to the Department's operations.
• Either obtain and review SOC reports for subservice organizations, if applicable to the Department’s internal control environment, or perform alternative procedures to satisfy itself the usage of the subservice organizations would not impact the Department's internal control environment. Such review and procedures should be documented.
• Document its review of the SOC reports and review all significant issues with third-party service providers and subservice organizations to ascertain if a corrective action plan exists and when it will be implemented, any impacts to the Department, and any compensating controls.

The Department accepted our recommendation and stated it has worked with the Department of Innovation and Technology and its external service providers to update its SOC Review Process.

AUDITOR’S OPINION

The auditors stated the financial statements of the Department of Central Management Services, Teacher Health Insurance Security Fund as of and for the year ended June 30, 2020, are fairly stated in all material respects.

This financial audit was conducted by Sikich LLP.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:meg