REPORT DIGEST DEPARTMENT OF CENTRAL MANAGEMENT SERVICES - TEACHER HEALTH INSURANCE SECURITY FUND FINANCIAL AUDIT FOR THE YEAR ENDED JUNE 30, 2025 Release Date: February 5, 2026 FINDINGS THIS AUDIT: 1 CATEGORY: NEW -- REPEAT – TOTAL Category 1: 0 -- 0 -- 0 Category 2: 1 -- 0 -- 1 Category 3: 0 -- 0 -- 0 TOTAL: 1 -- 0 -- 1 FINDINGS LAST AUDIT: 0 State of Illinois, Office of the Auditor General FRANK J. MAUTINO, AUDITOR GENERAL To obtain a copy of the Report contact: Office of the Auditor General, 400 West Monroe, Suite 306, Springfield, IL 62704-9849 (217) 782-6046 or TTY (888) 261-2887 This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov INTRODUCTION This digest covers the Department of Central Management Services (Department), Teacher Health Insurance Security Fund financial audit as of and for the year ended June 30, 2025. SYNOPSIS • (25-1) The Department failed to maintain adequate general information technology controls related to its environment and applications. FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS FAILURE TO IMPLEMENT ADEQUATE INFORMATION TECHNOLOGY CONTROLS The Department of Central Management Services (Department) failed to maintain adequate general information technology controls related to its environment and applications. Auditors tested information technology general controls (ITGCs) for seven Department applications assessed to have a material impact to the Department’s financial information. ITGCs help prevent unauthorized access, data breaches, and operational disruptions and include software implementation, user account creation, and data management. Strong ITGCs increase the integrity and reliability of information. Access provisioning steps were performed for each application. Access Provisioning We tested the Department’s access provisioning procedures for a sample of 101 users across seven applications with a material impact to the Department’s financial information. Our sample of 101 users was comprised of 71 existing users, 11 new-hired users, 17 terminated users and 2 administrative users. We noted the following exceptions: • Five of 71 (7%) existing users’ access to the application was not needed to perform their job responsibilities. • Eight of 17 (47%) users had separated from the Department but were still defined as authorized users in the tested application as of June 30, 2025. Lastly, the Department did not perform an annual review of user access for six of seven (86%) applications tested. The Department also did not perform an annual review of the Resource Access Control Facility (RACF) IDs. (Finding 1, pages 26-27) We recommended the Department ensure users’ access to its applications is appropriate based on job responsibilities, timely remove access for users who are no longer with the Department, and ensure user access reviews are performed on an annual basis. We further recommended the Department promptly terminate inappropriate and unnecessary user access and maintain documentation to support timeliness of changes to user access. The Department agreed with the finding and recommendation and outlined a corrective action plan. AUDITOR’S OPINION The auditors stated the financial statements of the Department of Central Management Services, Teacher Health Insurance Security Fund as of and for the year ended June 30, 2025, are fairly stated in all material respects. This financial audit was conducted by Sikich CPA LLC. COURTNEY DZIERWA Division Director This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act. FRANK J. MAUTINO Auditor General FJM:meg