REPORT DIGEST

DEPARTMENT OF REVENUE
FINANCIAL AUDIT FOR THE YEAR ENDED JUNE 30, 2018

Release Date: May 23, 2019

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703, (217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

FINDINGS THIS AUDIT: 3

CATEGORY      NEW   REPEAT   TOTAL
Category 1     1      1        2
Category 2     0      1        1
Category 3     0      0        0
TOTAL          1      2        3

FINDINGS LAST AUDIT: 2

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

SYNOPSIS

• (18-01) Inadequate controls over changes to GenTax.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

INADEQUATE CONTROLS OVER CHANGES TO GENTAX

The Department of Revenue (IDOR) and the Department of Employment Security (collectively referred to as the “Departments”) did not maintain adequate controls over changes to the enterprise-wide tax system (GenTax). During fiscal year 2018, GenTax processed over 15.3 million transactions and $46.7 billion in payments from taxpayers.

As part of the audit process, we requested the Departments provide the population of changes to GenTax. In response, the Departments provided a listing of changes; however, during our testing we noted changes which were not applicable to GenTax.
Due to these conditions, we were unable to conclude the Departments’ population of changes to GenTax was sufficiently precise and detailed under the Professional Standards promulgated by the American Institute of Certified Public Accountants (AU-C § 330, AU-C § 530, AT-C § 205).

Even given the population limitations noted above, we performed testing and noted:

During the audit period, the Departments had four different change control procedures. In order to test the procedures for compliance, we selected a sample of 137 proposed changes to GenTax made by the Departments’ personnel during the audit period. Out of the 137 proposed changes, only 100 of them were deemed a required and necessary change to GenTax by the Departments’ management and were subsequently made. Out of the 100 required changes to GenTax, we noted the following:

• 58 (58%) changes did not contain evidence that testing had been conducted or lacked testing documentation.
• 12 (12%) changes were not approved, or approval was by an unauthorized individual during the development stages or migration to the production environment.
• 2 (2%) changes did not follow the required change control process.

The Departments’ varying iterations of change control procedures required that all changes be tested, with testing documented and approved by authorized individuals throughout the development process and migration. (Finding 1, pages 72-73)

We recommended IDOR work with IDES to utilize adequate internal controls over changes to GenTax and maintain documentation to support the processes and procedures utilized to mitigate the applicable risks related to system changes.

IDOR accepted the recommendation and stated change control procedures have been revised and an improved tracking solution has been implemented.

OTHER FINDINGS

The remaining findings pertain to inadequate internal controls over access to GenTax and tax abatements.
We will review IDOR’s progress towards the implementation of our recommendations in our next financial audit.

AUDITOR’S OPINION(S)

The auditors stated the financial statements of the Illinois Department of Revenue as of and for the year ended June 30, 2018 are fairly stated in all material respects.

This financial audit was conducted by RSM US LLP.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:jv