REPORT DIGEST

OFFICE OF COMPTROLLER – FISCAL OFFICER
RESPONSIBILITIES

FINANCIAL AUDIT
FOR THE YEAR ENDED JUNE 30, 2024

Release Date:  December 19, 2024

FINDINGS THIS AUDIT: 1

CATEGORY:  NEW -- REPEAT – TOTAL
Category 1:  0 -- 1 -- 1
Category 2:  0 -- 0 -- 0
Category 3:  0 -- 0 -- 0
TOTAL:  0 -- 1 -- 1

FINDINGS LAST AUDIT: 2

State of Illinois, Office of the Auditor
General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact:
Office of the Auditor General, 400 West
Monroe, Suite 306, Springfield, IL
62704-9849
(217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also
available on the worldwide web at
www.auditor.illinois.gov

INTRODUCTION

This digest covers the Office of
Comptroller’s Fiscal Officer’s Financial
Audit as of and for the year ended June 30,
2024. The Office of Comptroller - Fiscal
Officer’s Compliance Examination as of and
for the year ended June 30, 2024 will be
issued in a separate report at a later date.

SYNOPSIS

• (24-1) The Office of Comptroller did not
implement adequate general Information
Technology (IT) controls related to its
environment and applications.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

FAILURE TO IMPLEMENT ADEQUATE INFORMATION
TECHNOLOGY CONTROLS

The Office of Comptroller (Office) did not
implement adequate general Information
Technology (IT) controls related to its
environment and applications.

During testing, we noted the Office was
unable to provide certain requested
information covering the audit period
concerning the network and related security
policies and procedures. In addition, the
Office was unable to provide a complete and
accurate population of network devices for
detailed testing. Due to these conditions,
we were unable to conclude the Office’s
population records were sufficiently precise
and detailed under the Professional
Standards promulgated by the American
Institute of Certified Public Accountants
(AU-C § 500.08).   Despite this limitation,
we performed testing on a sample of network
devices and noted instances where the
network security settings were not current
or properly configured.

Also, during our testing of the Office’s
controls over access provisioning, we noted:
• Three of nine (33%) users had access to
critical applications when their job
descriptions did not require such access.
• The Office had not established a formal
process to periodically review users’ access
to the applications.
• The Office had not conducted periodic
reviews of users’ permissions to the Active
Directory system.

Further, we requested the Office’s
population of changes to its network
environment. However, the Office was unable
to provide a complete and accurate
population of changes. Due to these
conditions, we were unable to conclude the
Office’s population records were
sufficiently precise and detailed under the
Professional Standards promulgated by the
American Institute of Certified Public
Accountants (AU-C § 500.08).  Despite this
limitation, we performed testing on a sample
of network changes and noted documentation
of change approvals were not maintained for
18 of 18 (100%) network changes.

In addition, we tested a sample of
application changes, noting:
• Change requests did not have documentation
of required approvals for 2 of 17 (12%)
changes, and
• Documentation of work-hours was not
maintained for 17 of 24 (71%) changes.
(Finding 1, pages 57-58)  This finding was
first reported in 2022.

We recommended the Office implement adequate
general IT controls related to its
environments and applications.

Office officials accepted the recommendation
and stated the Office must be agile in its
operations to ensure statutory requirements
are met and adapt when conditions change.
Office officials further stated that over
the past year, the Office has worked to
address the items identified by the auditors
and will continue to enhance critical event
avoidance controls.

AUDITOR’S OPINION

The auditors stated the budgetary basis fund
balances at June 30, 2024, and the revenues
and expenditures for the year then ended
relating to the State of Illinois, Office of
Comptroller - Fiscal Officer
Responsibilities’ Traditional Budgetary
Financial Report, are fairly presented in
all material respects.  The auditors noted
the financial statements have been prepared
on a basis of accounting other than
accounting principles generally accepted in
the United States of America.

This financial audit was conducted by Sikich
CPA LLC.

JANE CLARK
Division Director

This report is transmitted in accordance
with Section 3-14 of the Illinois State
Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:vrb