REPORT DIGEST

ILLINOIS STUDENT ASSISTANCE COMMISSION
COMPLIANCE EXAMINATION
FOR THE YEAR ENDED JUNE 30, 2022

Release Date: June 13, 2023

FINDINGS THIS AUDIT: 2

CATEGORY      NEW   REPEAT   TOTAL
Category 1:     0        0       0
Category 2:     2        0       2
Category 3:     0        0       0
TOTAL:          2        0       2

FINDINGS LAST AUDIT: 2

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact:
Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703
(217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

INTRODUCTION

This digest covers the Illinois Student Assistance Commission's (Commission) Compliance Examination for the two years ended June 30, 2022. A separate digest covering the Commission's Financial Audit as of and for the year ending June 30, 2022 was previously released on April 13, 2023. In total, this report contains two findings, none of which were reported in the financial audit.

SYNOPSIS

• (22-01) The Commission had not implemented adequate internal controls related to cybersecurity programs and practices.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

Weaknesses in Cybersecurity Programs and Practices

The Commission had not implemented adequate internal controls related to cybersecurity programs and practices.
The Commission relies on computer systems containing confidential and personal information, such as names, addresses, and social security numbers of the citizens of the State, for meeting its mission of providing Illinois students with information and assistance to help make education beyond high school accessible and affordable.

The Illinois State Auditing Act (30 ILCS 5/3-2.4) requires the Auditor General to review State agencies and their cybersecurity programs and practices.

During our examination of the Commission's cybersecurity program, practices, and control of confidential information, we noted the Commission had not:

• Ensured policy reviews were defined.
• Established a data classification methodology, including specific guidelines addressing classification criteria and security methods related to the various classifications.
• Conducted a comprehensive risk assessment.

In addition, our testing noted employees had not completed all monthly cybersecurity awareness training. (Finding 1, pages 7-8)

We recommended the Commission:

• Establish a defined frequency for policy reviews;
• Establish a data classification methodology, including specific guidelines addressing classification criteria and security methods related to the various classifications;
• Conduct a comprehensive risk assessment; and
• Ensure all employees complete the monthly cybersecurity training.

The Commission agreed with the finding and stated it will take appropriate actions to remediate the finding.

OTHER FINDINGS

The remaining finding pertains to a lack of adequate controls over monitoring of service providers. We will review the Commission's progress towards the implementation of our recommendations in our next State compliance examination.

ACCOUNTANT'S OPINION

The accountants conducted a State compliance examination of the Commission for the two years ended June 30, 2022, as required by the Illinois State Auditing Act.
The accountants stated the Commission complied, in all material respects, with the requirements described in the report.

This State compliance examination was conducted by Crowe LLP.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:JGR