REPORT DIGEST

DEPARTMENT OF REVENUE
FINANCIAL AUDIT FOR THE YEAR ENDED JUNE 30, 2019

Release Date: February 19, 2020

FINDINGS THIS AUDIT: 1

CATEGORY       NEW    REPEAT    TOTAL
Category 1:      0         1        1
Category 2:      0         0        0
Category 3:      0         0        0
TOTAL:           0         1        1

FINDINGS LAST AUDIT: 3

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703, (217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

SYNOPSIS

• (19-01) The Department did not have adequate internal controls over access to GenTax.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

INADEQUATE INTERNAL CONTROLS OVER ACCESS TO GENTAX

The Department of Revenue (Department) did not have adequate internal controls over access to the enterprise tax system (GenTax). During fiscal year 2019, GenTax processed over 13.4 million tax transactions and $48.0 billion in payments from taxpayers for the Department.

As part of our audit process, we requested the Department provide the populations of individuals hired and terminated from employment during the audit period. In response to our request, the Department provided the populations; however, they did not provide documentation demonstrating the populations were sufficiently precise and detailed under the Professional Standards promulgated by the American Institute of Certified Public Accountants (AU-C § 330, AU-C § 530).

Even given the population limitations noted above, we performed testing and noted:

During the audit period, in order to obtain access to GenTax, the Department’s Access Control Procedure stated approvals had to be obtained from Internal Affairs stating a background check was cleared, a “Request for Access to Illinois Department of Revenue Systems” form was to be completed and approved, and an email had to be received from the business process owner documenting and approving the applicable access right to GenTax. During our testing of a sample of GenTax security controls, we noted the following:

• 3 of 3 (100%) new users tested did not have a completed "Request for Access to the Illinois Department of Revenue Systems" form.
• 6 of 25 (24%) new users tested did not have an email from the business process owner documenting and approving the user access rights to GenTax.

Further, during our testing of the 31 users who departed during the fiscal year, we noted that 5 of 31 (16%) users' access was disabled from 2 to 125 days after departure. The Department's Access Control Procedure states access to GenTax is to be disabled upon a user's departure. (Finding 1, pages 70-71)

We recommended the Department obtain the required documentation approving each user’s access in accordance with the Access Control Procedure and ensure all Department users' access is timely disabled upon termination.

The Department accepted the recommendation and stated it will take the necessary corrective actions to implement the recommendations in the finding. We will review the Department’s progress towards the implementation of our recommendation in our next financial audit.

AUDITOR’S OPINION(S)

The auditors stated the financial statements of the Illinois Department of Revenue as of and for the year ended June 30, 2019 are fairly stated in all material respects.

This financial audit was conducted by RSM US LLP.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:jv