REPORT DIGEST JUDGES’ RETIREMENT SYSTEM COMPLIANCE EXAMINATION FOR THE YEAR ENDED JUNE 30, 2017 Release Date: April 26, 2018 FINDINGS THIS AUDIT: 2 CATEGORY: NEW -- REPEAT -- TOTAL Category 1: 0 -- 0 -- 0 Category 2: 1 -- 1 -- 2 Category 3: 0 -- 0 -- 0 TOTAL: 1 -- 1 -- 2 FINDINGS LAST AUDIT: 2 Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance). Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations. Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations. State of Illinois, Office of the Auditor General FRANK J. MAUTINO, AUDITOR GENERAL To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703 (217) 782-6046 or TTY (888) 261-2887 This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov INTRODUCTION This digest covers our Compliance Examination of the Judges’ Retirement System for the year ended June 30, 2017. A separate Financial Audit as of and for the year ending June 30, 2017, was previously released on February 8, 2018. In total, this report contains 2 findings, none of which were reported in the Financial Audit. SYNOPSIS • (17-1) The State Retirement System, which administers the Judges’ Retirement System, has weaknesses in their change management procedures. FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS CHANGE MANAGEMENT WEAKNESSES The State Retirement System, which administers the Judges’ Retirement System (System), has weaknesses in their change management procedures. The System develops and deploys custom software to manage pension accounts of Illinois members and collects, stores, and processes confidential and protected information related to this mission. The System had established formal change management procedures; however, the procedures did not address migrating changes into the production environment. In addition, programmers developing and making changes to applications had access to the production environment and the capability to implement changes. Furthermore, monitoring tools were not in place to detect unauthorized code migrations. (Finding 1, page 10) We recommended the System continue to update its change management procedures to address specific procedures for migrating changes into the production environment. We also recommended, the procedures include a standard form for requesting a change be moved into production and include user and management approval and ensure programmers are prevented from migrating changes into the production environment. Lastly, we recommended if the Office determines that programmer access is necessary in some situations, it should establish and enforce compensating controls to ensure appropriate and documented management oversight and approval. System officials accepted the auditor’s recommendation and indicated they are working to implement an upgrade to existing software in calendar year 2018 which will remedy the change management weaknesses noted. OTHER FINDING The remaining finding pertains to the System not properly monitoring its contracts during the engagement period. We will review the System’s progress towards the implementation of our recommendations in our next State compliance examination. ACCOUNTANT’S OPINION The accountants conducted a State compliance examination of the Judges’ Retirement System for the year ended June 30, 2017, as required by the Illinois State Auditing Act. The accountants stated the System complied, in all material respects, with the requirements described in the report. This State compliance examination was conducted by RSM US LLP. JANE CLARK Division Director This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act. FRANK J. MAUTINO Auditor General FJM:JAF