REPORT DIGEST REGIONAL OFFICE OF EDUCATION #53: MASON, TAZEWELL AND WOODFORD COUNTIES FINANCIAL AUDIT FOR THE YEAR ENDED JUNE 30, 2021 Release Date: April 27, 2022 FINDINGS THIS AUDIT: 1 CATEGORY: NEW -- REPEAT -- TOTAL Category 1: 0 -- 0 -- 0 Category 2: 0 -- 1 -- 1 Category 3: 0 -- 0 -- 0 TOTAL: 0 -- 1 -- 1 FINDINGS LAST AUDIT: 2 Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance). Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations. Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations. State of Illinois, Office of the Auditor General FRANK J. MAUTINO, AUDITOR GENERAL To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703 (217) 782-6046 or TTY (888) 261-2887 This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov SYNOPSIS • (21-1) The Regional Office of Education #53 lacked adequate controls over the review of internal controls over external service providers. FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS LACK OF ADEQUATE CONTROLS OVER THE REVIEW OF INTERNAL CONTROLS OVER EXTERNAL SERVICE PROVIDERS Regional Office of Education #53 (ROE) failed to develop a formal process for reviewing its external service providers’ internal controls to ensure the accurate processing and security of information. The ROE is responsible for the design, implementation, and maintenance of internal controls related to information systems and operations to ensure resources and data are adequately protected from unauthorized or accidental disclosure, modifications, or destruction. This responsibility is not limited due to the process being outsourced. Generally accepted information technology guidance endorses the review and assessment of internal controls related to information systems and operations to assure the accurate processing and security of information. During testing, the auditors noted the ROE had not: • Developed a formal process for identifying service providers and for either obtaining the Service Organization Controls (SOC) reports from the service providers and related subservice organization or performing alternative procedures to determine the impact of such services on its internal control environment prior to signing an agreement with the service provider. • Documented its review of each of the SOC reports or performed alternative procedures, to evaluate any issues relevant to the ROE’s internal controls. • Monitored and documented the operation of the Complementary User Entity Controls (CUECs) relevant to the ROE’s operations. Regional Office officials indicated they understand the importance of a formal process to monitor service providers and did not realize the current process was still not adequate to address all the issues noted. (Finding 21-001, pages 11 – 12) The auditors recommended the ROE identify all third-party service providers and determine and document if a review of controls is required. If required, the ROE should: • Obtain SOC reports or perform independent reviews of internal controls associated with outsourced systems including services provided by subservice organizations, prior to signing agreements with the providers and annually thereafter. • Monitor and document the operation of the CUECs relevant to the ROE’s operations. • Document its review of the SOC reports or perform alternative procedures to evaluate all significant issues with subservice organizations to ascertain if a corrective action plan exists and when it will be implemented, any impacts to the ROE, and any compensating controls. • Review contracts with service providers to ensure applicable requirements over the independent review of internal controls are included. ROE Response: The ROE will identify all third-party service providers and determine and document if a review of controls is required. If required, the ROE will: • Obtain SOC reports or perform independent review of internal controls associated with outsourced systems at least annually. • Monitor and document the operation of the CUECs relevant to the ROE’s operations. • Either obtain and review SOC reports for subservice organizations or perform alternative procedures to satisfy itself that the existence of the subservice organization would not impact its internal control environment. • Document its review of the SOC reports and review all significant issues with subservice organizations to ascertain if a corrective action plan exists and when it will be implemented, any impacts to the ROE, and any compensating controls. • Review contracts with service providers to ensure applicable requirements over the independent review of internal controls are included. AUDITORS’ OPINION Our auditors state the Regional Office of Education #53’s financial statements as of June 30, 2021 are fairly presented in all material respects. This financial audit was conducted by the firm of Adelfia LLC. JOE BUTCHER Division Director This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act. FRANK J. MAUTINO Auditor General FJM:JRB