REPORT DIGEST

OFFICE OF COMPTROLLER – FISCAL OFFICER RESPONSIBILITIES

FINANCIAL AUDIT FOR THE YEAR ENDED JUNE 30, 2023

Release Date: December 21, 2023

FINDINGS THIS AUDIT: 2

CATEGORY       NEW    REPEAT    TOTAL
Category 1:     0       1         1
Category 2:     0       0         0
Category 3:     0       1         1
TOTAL:          0       2         2

FINDINGS LAST AUDIT: 2

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703, (217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

INTRODUCTION

This digest covers the Office of Comptroller’s Fiscal Officer’s Financial Audit as of and for the year ended June 30, 2023. The Office of Comptroller - Fiscal Officer’s Compliance Examination as of and for the year ended June 30, 2023 will be issued in a separate report at a later date.

SYNOPSIS

• (23-1) The Office of Comptroller did not ensure all statutorily mandated transfers between State funds were made within established timeframes, as required.
• (23-2) The Office of Comptroller failed to implement adequate general Information Technology (IT) controls related to its environment and applications.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

LATE PAYMENT OF STATUTORILY MANDATED TRANSFERS

The Office of Comptroller (Office) did not ensure all statutorily mandated transfers between State funds were made within established timeframes, as required.
The Office processed transfers from 31 to 299 days after the mandated transfer date. The late transfers outstanding as of and paid after June 30, 2023 totaled $955 million. The Office also made 182 late transfers, totaling $862 million, between State funds that were made between one and 30 days after the statutorily mandated transfer date. Lastly, we noted 84 late transfers, totaling $525 million, which were still outstanding as of October 30, 2023, relating to fiscal year 2023 and fiscal year 2022. (Finding 1, pages 59-61) This finding was first reported in 2009.

We recommended the Office make transfers within timeframes established by applicable statutes. While we realize the lack of available funds in the State Treasury requires prioritization and cash management decisions, we recommended the Office continue in its efforts to make transfers in as timely a manner as possible.

Office officials accepted the recommendation and stated the Office will continue in its effort to make the required transfers timely but given all the competing payments from limited resources in the State Treasury there will always be some transfers pending until funds are available, or when needed. Office officials also stated most GRF transfers were made by the end of June 30, 2023 and the few pending GRF transfers were not delayed and the pending non-GRF transfers, especially those for capital obligations, will be processed upon collaboration with the respective state agencies. Office officials further stated the Office staff continues to work together with various State fiscal officers on a regular ongoing basis to manage the processing of such transfers throughout the fiscal year to avoid disruptions in the delivery of State services or programs.

FAILURE TO IMPLEMENT ADEQUATE INFORMATION TECHNOLOGY CONTROLS

The Office failed to implement adequate general Information Technology (IT) controls related to its environment and applications.
The Office was unable to provide certain requested information covering the audit period concerning the network and related security policies and procedures. In addition, we noted instances where the network and mainframe environments security settings were not current or properly configured. Further, we noted instances where the level of administrative access to the environment did not appear to be appropriate.

During our testing of the Office’s controls over access provisioning, we noted the Office:

• Had not established policies and procedures documenting requirements for reviewing security reports for the network or all applications.
• Had not established policies and procedures documenting the process for terminating external users’ access.
• Did not document its review of mainframe security violation reports.
• Did not conduct timely reviews of the network and mainframe environments security violation reports.
• Did not conduct security logging for all applications.
• Did not document approval for users’ access to applications.
• Did not timely terminate separated users’ access or have a designated timeframe for which access was to be revoked.
• Did not provide documentation demonstrating separated users’ access had been revoked.
• Did not conduct a periodic review of users’ access to the network and mainframe environment and applications.

Further, our review of the Office’s System Development Methodology, System Request Procedures, and Network Change Authorization Form Procedures, and System Administration Guide noted they were not current and did not reflect the Office’s process for change management and we noted one individual could request and approve changes, without further approval. Also, the Office was unable to provide a complete and accurate population of changes, as the Office did not require all changes to follow the change management process.
We tested a sample of application changes, noting:

• Documentation was not maintained of the migration dates.
• Systems requests were missing documentation of the requestor and required approvals.
• Post Implementation Reviews were not completed.

Further, in order to determine whether the Office maintained proper segregation of duties over application changes, we requested the population of developers. In response to our request, the Office provided numerous populations; however, the Office did not provide documentation demonstrating the populations were complete and accurate. Due to these conditions, we were unable to conclude the Office’s population records were sufficiently precise and detailed under the Professional Standards promulgated by the American Institute of Certified Public Accountants (AU-C § 500.08).

Even given the population limitations noted above, we tested a sample of application changes to ensure proper segregation of duties. However, the Office did not provide sufficient documentation to determine who conducted the migration. We also noted developers had access to the production environment. (Finding 2, pages 62-64)

We recommended the Office implement adequate general IT controls related to its environments and applications.

Office officials accepted the recommendation and stated the Office must be agile in its operations to ensure statutory requirements are met and adapt when conditions change while continuing to work to update procedures in a timely manner and ensure the required supporting documentation is maintained in accordance with the documented procedures in place, as necessary.

AUDITOR’S OPINION

The auditors stated the budgetary basis fund balances at June 30, 2023, and the revenues and expenditures for the year then ended relating to the State of Illinois, Office of Comptroller - Fiscal Officer Responsibilities’ Traditional Budgetary Financial Report, are fairly presented in all material respects.
The auditors noted the financial statements have been prepared on a basis of accounting other than accounting principles generally accepted in the United States of America.

This financial audit was conducted by Sikich LLP.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:vrb