REPORT DIGEST

DEPARTMENT OF CENTRAL MANAGEMENT SERVICES
FINANCIAL AUDIT FOR THE YEAR ENDED JUNE 30, 2020

Release Date: June 2, 2021

FINDINGS THIS AUDIT: 2

CATEGORY: NEW -- REPEAT -- TOTAL
Category 1: 0 -- 0 -- 0
Category 2: 2 -- 0 -- 2
Category 3: 0 -- 0 -- 0
TOTAL: 2 -- 0 -- 2

FINDINGS LAST AUDIT: 0

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703, (217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

SYNOPSIS

• (20-01) The Department did not conduct adequate independent internal control reviews over its external service providers’ System and Organization Control (SOC) reports.
• (20-02) The Department did not have a reconciliation process to provide assurance census data submitted to its pension and other postemployment benefits (OPEB) plans was complete and accurate.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

INADEQUATE REVIEW OF EXTERNAL SERVICE PROVIDERS

The Department of Central Management Services (Department) did not conduct adequate independent internal control reviews over its external service providers’ System and Organization Control (SOC) reports.

The Department currently receives copies of the SOC reports from 17 different external service providers and performs an independent internal control review of each SOC report to determine whether any areas of concern are noted.
In total the Department received 25 SOC reports during the audit period. These service providers provide the Department:

• Medical plan coverage and payments
• Claims processing
• Benefits solutions
• Plan administration
• Commuter savings program
• IT hosting
• Software as a Service

During testing of the 25 SOC reports, we noted:

• Twenty-five of 25 (100%) SOC reports identified Complementary User Entity Controls (CUEC) necessary for the Service Organization’s system which relies on the Department to implement the CUECs in order to achieve the Service Organization’s control objectives. The Department did not perform an assessment to determine if it had implemented the CUECs for each.
• Twenty-one of 25 (84%) SOC external service provider reports identified additional subservice organizations used by the service organization that were carved out of the SOC report. These subservice organizations required additional CUECs and the service provider relied on the subservice organizations to implement the CUECs in order to achieve the Service Organization's control objectives. The Department did not perform additional assessments on the subservice organizations to determine if the CUECs had been implemented.
• Ten of 25 (40%) SOC reports had qualified opinions due to deficiencies noted by the SOC auditors. The Department did not perform an analysis on whether they could rely on the external service providers’ controls due to the deficiencies noted in the SOC reports with qualified opinions.

Through our assessment of the types of deficiencies noted by the SOC auditors, and the substantive testing we performed in other areas of our audit, we were able to rely on the testing and assurance provided by the SOC reports. (Finding 1, pages 63-66)

We recommended the Department:

• Monitor and document the operation of the CUECs relevant to the Department's operations.
• Either obtain and review SOC reports for subservice organizations, if applicable to the Department’s internal control environment, or perform alternative procedures to satisfy itself the usage of the subservice organizations would not impact the Department's internal control environment. Such review and procedures should be documented.
• Document its review of the SOC reports and review all significant issues with third-party service providers and subservice organizations to ascertain if a corrective action plan exists and when it will be implemented, any impacts to the Department, and any compensating controls.

The Department accepted our recommendation and stated it has worked with the Department of Innovation and Technology and its external service providers to update its SOC Review Process.

LACK OF CENSUS DATA RECONCILIATIONS

The Department did not have a reconciliation process to provide assurance census data submitted to its pension and other postemployment benefits (OPEB) plans was complete and accurate.

During testing, we noted the Department had not performed an initial complete reconciliation of its census data recorded by both SERS and its Bureau to the personnel records of the Department’s employees to establish a base year of complete and accurate census data. (Finding 2, pages 67-69)

We recommended the Department work with both SERS and its Bureau to develop an annual reconciliation process of its active members’ census data from the Department’s underlying personnel records to a report from each plan of census data submitted to the plan’s actuary.

The Department accepted our recommendation and stated it will endeavor to perform the reconciliation recommended by the auditors given their available resources.

AUDITOR’S OPINION

The auditors stated the financial statements of the Department as of and for the year ended June 30, 2020 are fairly stated in all material respects.

This financial audit was conducted by Sikich LLP.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:meg