REPORT DIGEST

DEPARTMENT OF HUMAN RIGHTS

COMPLIANCE EXAMINATION FOR THE TWO YEARS ENDED JUNE 30, 2021

Release Date: February 2, 2022

FINDINGS THIS AUDIT: 12

CATEGORY      NEW   REPEAT   TOTAL
Category 1      1        0       1
Category 2      6        5      11
Category 3      0        0       0
TOTAL           7        5      12

FINDINGS LAST AUDIT: 8

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703, (217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

SYNOPSIS

• (21-01) The Illinois Department of Human Rights (Department) had not implemented adequate internal controls over its service providers.
• (21-03) The Department did not meet the procedural time limits set forth when a charge of a civil rights violation had been filed and when a complainant filed a request to opt out of the Department’s investigation.
• (21-04) The Department failed to maintain a full-time program of internal auditing.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

LACK OF ADEQUATE CONTROLS OVER THE REVIEW OF INTERNAL CONTROLS FOR SERVICE PROVIDERS

The Illinois Department of Human Rights (Department) had not implemented adequate internal controls over its service providers. We requested the Department to provide the population of service providers utilized to determine if they had reviewed the internal controls over their service providers.
In response to our request, the Department provided a listing; however, they did not provide documentation demonstrating the population was complete and accurate. Due to these conditions, we were unable to conclude whether the Department’s population records were sufficiently precise and detailed under the Professional Standards promulgated by the American Institute of Certified Public Accountants (AT-C § 205.35).

Even given the population limitations noted above, we performed testing over the two service providers identified by the Department. During our testing, we noted the Department had not obtained a System and Organization Control (SOC) report or conducted an independent internal control review for one of the service providers. In addition, we noted the contract for one service provider did not contain a requirement for an independent review to be completed. (Finding 1, pages 9-10)

We recommended the Department strengthen its controls in identifying and documenting all service providers utilized and obtain SOC reports or conduct independent internal control reviews at least annually. In addition, we recommended the Department:

• monitor and document the operation of the Complementary User Entity Controls (CUECs) related to the Department’s operations;
• either obtain and review SOC reports for subservice organizations or perform alternative procedures to satisfy itself that the existence of the subservice organization would not impact its internal control environment;
• document its review of the SOC reports and review all significant issues with subservice organizations to ascertain if a corrective action plan exists and when it will be implemented, any impact to the Department, and any compensating controls; and
• ensure contracts contain requirements for an independent review.
The Department agreed with our recommendation and stated they will work to address needs for policy and procedure enhancements, verify documentation of independent review of SOC reports, and ensure contracts include language that meets the requirement of specificity regarding review documentation.

NONCOMPLIANCE WITH STATUTORILY MANDATED TIME LIMITS

The Department did not meet the procedural time limits set forth when a charge of a civil rights violation had been filed and when a complainant filed a request to opt out of the Department’s investigation.

In our review of 60 employment cases filed with the Department, we noted the following:

• In 28 (47%) employment cases tested, the Department did not serve a copy of the charge to the respondent within 10 days of the day the charge was filed. The charges were served to the respondent from 1 to 124 days late.
• In 28 (47%) employment cases tested, the Department did not serve a notice to the complainant of the complainant’s right to file a complaint with the Human Rights Commission or commence a civil action in the appropriate circuit court within 10 days of the day the charge was filed. These notices were served to the complainant from 1 to 124 days late.
• In 28 (47%) employment cases tested, the Department did not serve a notice to the respondent of the complainant’s right to file a complaint with the Human Rights Commission or commence a civil action in the appropriate circuit court within 10 days of the day the charge was filed. These notices were served to the respondent from 1 to 124 days late.

Additionally, in our testing of 40 employment cases where the complainants requested to opt out of the Department’s investigation, the Department did not issue the required notice to the parties for 36 (90%) employment cases within 10 business days of receipt of the complainants’ request to opt out of the investigation. The notices were issued from 1 to 59 days late.
(Finding 3, pages 14-15) This finding has been repeated since 2017.

We recommended the Department timely notify the appropriate parties as mandated by the Illinois Human Rights Act.

The Department agreed with our recommendation and stated it would review staffing levels and equipment and technology needs to ensure sufficient resources and support are available to effectuate the mandate.

FAILURE TO MAINTAIN INTERNAL AUDIT PROGRAM

The Department failed to maintain a full-time program of internal auditing.

We noted the Department did not employ a chief internal auditor or any internal audit staff during the examination period. On August 18, 2017, the Department entered into an agreement with the Department of Central Management Services (CMS) to provide the Department with internal auditing services. On August 9, 2019, the Office of the Attorney General issued an opinion stating multiple State agencies may not appoint the same individual as their chief internal auditor through an intergovernmental agreement. (Finding 4, pages 16-17) This finding has been repeated since 2017.

We recommended the Department comply with the required provisions of the Fiscal Control and Internal Auditing Act by appointing a chief internal auditor and implementing a full-time program of internal auditing.

The Department agreed with our recommendation and stated it was attempting to recruit a chief internal auditor that meets the minimum qualifications for the position and possesses necessary State experience.
OTHER FINDINGS

The remaining findings pertain to weaknesses in cybersecurity programs and practices, information technology access weaknesses, noncompliance with report filing requirements, failure to evaluate and report on sexual harassment helpline, inadequate controls over State property and equipment, employee performance evaluations not performed or timely performed, inaccurate agency workforce reports, disaster recovery planning weaknesses, and inadequate controls over leaves of absence. We will review the Department’s progress towards the implementation of our recommendations in our next State compliance examination.

ACCOUNTANT’S OPINION

The accountants conducted a State compliance examination of the Department for the two years ended June 30, 2021, as required by the Illinois State Auditing Act. The accountants qualified their report on State compliance for Finding 2021-001. Except for the noncompliance described in this finding, the accountants stated the Department complied, in all material respects, with the requirements described in the report.

This State compliance examination was conducted by Roth & Company, LLP.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:dmg