REPORT DIGEST

STATE BOARD OF ELECTIONS

COMPLIANCE EXAMINATION
FOR THE TWO YEARS ENDED JUNE 30, 2019

Release Date:  January 28, 2020

FINDINGS THIS AUDIT:  8

CATEGORY:  NEW -- REPEAT -- TOTAL
Category 1:  1 -- 0 -- 1
Category 2:  5 -- 2 -- 7
Category 3:  0 -- 0 -- 0
TOTAL:  6 -- 2 -- 8

FINDINGS LAST AUDIT: 4

Category 1: Findings that are material
weaknesses in internal control and/or a
qualification on compliance with State laws
and regulations (material noncompliance).
Category 2: Findings that are significant
deficiencies in internal control and
noncompliance with State laws and
regulations.
Category 3: Findings that have no internal
control issues but are in noncompliance with
State laws and regulations.

State of Illinois, Office of the Auditor
General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact:
Office of the Auditor General, Iles Park
Plaza, 740 E. Ash Street, Springfield, IL
62703
(217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also
available on the worldwide web at
www.auditor.illinois.gov

SYNOPSIS

• (19-01) The Board did not implement
adequate internal controls related to
cybersecurity programs and practices.
• (19-02) The Board did not comply with
certain requirements of the Election Code
(10 ILCS 5).
• (19-03) The Board could not demonstrate
compliance with all restrictions of the
Raffles and Poker Runs Act (230 ILCS 15)
when granting raffle licenses.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

WEAKNESSES IN CYBERSECURITY PROGRAMS AND
PRACTICES

The State Board of Elections (Board) had not
implemented adequate internal controls
related to cybersecurity programs and
practices.

The Illinois State Auditing Act (30 ILCS
5/3-2.4) requires the Auditor General to
review State agencies and their
cybersecurity programs and practices. During
our examination of the Board’s cybersecurity
program, practices, and control of
confidential information, we noted the
Board:
• Had not classified its data to identify
and ensure adequate protection of
information (i.e. confidential or personal
information) most susceptible to attack.
• Had not evaluated and implemented
appropriate controls to reduce the risk of
attack.
• Had not ensured all staff members
completed cybersecurity training upon
employment and annually thereafter.
• Had not developed a formal, comprehensive,
adequate, and communicated security program
(policies, procedures, and processes) to
manage and monitor the regulatory, legal,
environmental and operational requirements.
Although the Board’s Policy Manual included
minimum requirements for acceptable usage of
information technology, the Policy Manual
did not address access provisioning
requirements, security awareness and
training, and data maintenance and
destruction. (Finding 1, pages 9-10)

We recommended the Board perform an
assessment to identify and classify data to
ensure adequate protection of confidential
or personal information most susceptible to
attack, evaluate identified risks and
implement appropriate controls to reduce the
risk, ensure all staff members annually
complete cybersecurity training as outlined
in the Data Security on State Computers Act,
and establish and communicate the Board’s
security program (formal and comprehensive
policies, procedures and processes) to
manage and monitor the regulatory, legal,
environmental and operational requirements.

Board officials partially agreed with the
finding. The Board stated it will analyze
and classify its data and create and
implement a comprehensive security program.
However, the Board stated it believes it has
evaluated and implemented several technical
security controls that have significantly
increased the Board’s security posture and
reduced the threat attack surface. Regarding
cybersecurity training, the Board believes
it is in compliance with statutory
requirements requiring annual cybersecurity
training by staff.

NONCOMPLIANCE WITH ELECTION CODE

The Board did not comply with certain
requirements of the Election Code (10 ILCS
5) (Code) during the examination period.

As of the end of fieldwork, we noted the
Board had not established monitoring
mechanisms to determine whether business
entities were updating their registrations
as needed and, therefore, is not assessing
the requisite civil penalty.  Section
9-35(e) of the Code states the Board shall
impose a civil penalty of $1,000 per
business day for failure to update a
registration by a business entity as
required by Section 20-160 of the Illinois
Procurement Code (30 ILCS 500).

Further, we noted 1 of 9 (11%) Board actions
tested were entered on the Board’s online
database 617 days beyond the 5 business days
after action was taken or the penalty was
imposed on the complaint. In addition, 3 of
the 9 (33%) had no documentation supporting
the date the Board’s online database was
updated after action/penalty was imposed.
Section 9-23.5 of the Code requires the
Board to update its online database of all
complaints filed with the Board within five
business days after action is taken or a
penalty imposed on a complaint. (Finding 2,
pages 11-12)

We recommended the Board comply with the
requirements of the Election Code.  If the
requirements of the Code require monitoring
or enforcement resources beyond the present
capabilities of the Board, we recommended
the Board seek assistance from outside
parties to perform these duties as presently
prescribed in the Election Code.  Otherwise,
we suggested the Board seek legislative
remedies from the requirements.  In
addition, we recommended the Board update
the capabilities of its online database to
ensure its actions and penalties are entered
into its online database within five
business days after action is taken or a
penalty is imposed on a complaint.

Board officials partially agreed with the
finding as it related to Section 9-35(e).
The Board agreed it is not enforcing this
section, but disagreed that it has the
ability to do so.  The Board will continue
to pursue a legislative remedy to this
requirement. Further, Board officials
disagreed with the finding as it related to
Section 9-23.5.  Following the prior
engagement period, the Board implemented new
procedures and protocols to ensure the
database was updated in a timely fashion.
However, it did not apply these changes
retroactively, so one of the complaints
tested occurred prior to the changes and was
not updated.  In addition, the Board
maintains that the database is being updated
timely and in accordance with Section
9-23.5. However, the current system lacks
the means to provide documentation verifying
existing records are subsequently updated.
The time stamp for records in the database
only reflect the date the original entry was
made, not the updates. The Board will
determine if a change to the system is
feasible or practical to address future
requests from auditors.

NONCOMPLIANCE WITH RAFFLES AND POKER RUNS
ACT

The Board could not demonstrate compliance
with all restrictions of the Raffles and
Poker Runs Act (Act) when granting raffle
licenses.

The Act (230 ILCS 15/8.1(c)) restricts the
raffle licenses issued by the Board and
states the following are ineligible entities
for licenses:

i. Any political committee which has an
officer who has been convicted of a felony;

ii. Any political committee which has an
officer who is or has been a professional
gambler or gambling promoter;

iii. Any political committee which has an
officer who is not of good moral character;

iv. Any political committee which has an
officer who is also an officer of a firm or
corporation in which a person defined in
(i), (ii), (iii) has a proprietary,
equitable, or credit interest, or in which
such a person is active or employed;

v. Any political committee in which a person
defined in (i), (ii) or (iii) is an officer,
director, or employee, whether compensated
or not;

vi. Any political committee in which a
person defined in (i), (ii) or (iii) is to
participate in the management or operation
of a raffle as defined in this Section.

We tested 40 raffle applications received
from political action committees and acted
upon by the Board during the examination
period.  We were not able to determine
whether or not the Board issued raffle
licenses during the examination period to
entities ineligible for licenses based upon
the criteria prescribed in the Act because
the Board had not established a monitoring
mechanism to vet this information,
therefore, no information was available to
review. (Finding 3, pages 13-14)

We recommended the Board establish,
implement, and document procedures for
tracking and monitoring raffle licenses to
ensure compliance under the Raffles and
Poker Runs Act.  If those specific
requirements of the Act require monitoring
or enforcement resources beyond the present
capabilities of the Board, we recommended
the Board seek assistance from outside
parties to perform these duties as presently
prescribed in the Act.  Otherwise, we
recommended the Board seek legislative
remedies from the requirement.

Board officials partially agreed with the
finding, in that they are not enforcing the
listed provisions, but disagrees as they do
not believe it is possible to effectively
enforce the section of the Act. Board
officials stated they will continue to
pursue a legislative remedy to this
requirement.

OTHER FINDINGS

The remaining findings pertain to weaknesses
in controls over State property, failure to
enter into agreement with other state
agencies for the transmission of
registration member data, a lack of formal
change management process, inadequate
disaster recovery planning, and a lack of
system development documentation.  We will
review the Board’s progress towards the
implementation of our recommendations in our
next compliance examination.

ACCOUNTANT’S OPINION

The accountants conducted a compliance
examination of the Board for the two years
ended June 30, 2019, as required by the
Illinois State Auditing Act.  The
accountants qualified their report on State
compliance for Finding 2019-001.  Except for
the noncompliance described in this finding,
the accountants stated the Board complied,
in all material respects, with the
requirements described in the report.

The compliance examination was conducted by
Sikich LLP.

JANE CLARK
Division Director

This report is transmitted in accordance
with Section 3-14 of the Illinois State
Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:jv