REPORT DIGEST

GENERAL ASSEMBLY RETIREMENT SYSTEM OF THE STATE OF ILLINOIS

COMPLIANCE EXAMINATION FOR THE YEAR ENDED JUNE 30, 2021

Release Date: September 8, 2022

FINDINGS THIS AUDIT: 1

CATEGORY       NEW    REPEAT    TOTAL
Category 1:     0       0         0
Category 2:     1       0         1
Category 3:     0       0         0
TOTAL:          1       0         1

FINDINGS LAST AUDIT: 2

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703, (217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

INTRODUCTION

This digest covers our Compliance Examination of the General Assembly Retirement System of the State of Illinois (System) for the year ended June 30, 2021. A separate Financial Audit as of and for the year ended June 30, 2021, was previously released on March 10, 2022. This report contains one finding. The Financial Audit report contained no findings.

SYNOPSIS

• (21-1) The General Assembly Retirement System of the State of Illinois did not have adequate controls in place to document user access reviews to its Information Technology (IT) systems.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

INADEQUATE INTERNAL CONTROLS OVER ACCESS TO INFORMATION SYSTEMS

The General Assembly Retirement System of the State of Illinois (System) did not have adequate controls in place to document user access reviews to its Information Technology (IT) systems.

During the compliance examination, the System utilized a combination of systems administered both internally as well as externally. During a review of both internal and external systems, we noted:

• For systems administered internally:
  — The System did not retain evidence an internal security review was performed during the examination period.
  — One of two (50%) terminated employees maintained a user account for various internal systems which was not deactivated timely upon their separation from the System. The timing of this deactivation was nine months after termination.

• For systems administered externally:
  — The System did not retain evidence of the results of the annual review of security software IDs.
  — One of two (50%) terminated employees’ user accounts for one external system was not deactivated timely upon separation from the System. The timing of this deactivation was three months after termination.

(Finding 1, page 7)

We recommended the System maintain evidence of security reviews completed during the year to support that continued monitoring is being performed and possible changes or updates are being made. In addition, we recommended the System implement controls to ensure all employees’ user access is timely disabled upon separation from the System.

The System agreed with the finding.

AUDITOR’S OPINION

The financial audit report was previously released. The auditors stated the financial statements of the General Assembly Retirement System of the State of Illinois as of and for the year ended June 30, 2021, are fairly stated in all material respects.

ACCOUNTANT’S OPINION

The accountants conducted a State compliance examination of the General Assembly Retirement System of the State of Illinois for the year ended June 30, 2021, as required by the Illinois State Auditing Act. The accountants stated the System complied, in all material respects, with the requirements described in the report.

This compliance examination was conducted by RSM US LLP.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:dmg