REPORT DIGEST

STATE BOARD OF ELECTIONS

COMPLIANCE EXAMINATION FOR THE YEAR ENDED JUNE 30, 2025

Release Date: March 12, 2026

FINDINGS THIS AUDIT: 7

CATEGORY       NEW    REPEAT    TOTAL
Category 1:     0       2         2
Category 2:     0       5         5
Category 3:     0       0         0
TOTAL:          0       7         7

FINDINGS LAST AUDIT: 13

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, 400 West Monroe, Suite 306, Springfield, IL 62704-9849, (217) 782-6046 or TTY (888) 261-2887.

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

SYNOPSIS

• (25-02) The State Board of Elections (Board) had weaknesses in its change management controls.
• (25-03) The Board had not implemented adequate internal controls over its service providers.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

CHANGE CONTROL WEAKNESSES

The Board had weaknesses in its change management controls.

As a result of the Board’s mission to administer the State of Illinois’ elections laws and campaign laws, the Board maintained several critical, confidential, and/or financial applications, such as the Voter Registration System (IVRS), eCanvass (precinct upload elections data), and Elections app (ballot certification).

During testing of 13 system change requests covering IVRS, eCanvass, and Elections App, we noted the Board had not:

• properly approved two (15%) system change requests prior to change development, and
• established adequate segregation of duties, allowing the same personnel to develop and deploy the system changes for eight (61%) change requests.

This finding was first noted during the Compliance Examination for the two years ended June 30, 2019. In the subsequent years, the Board has been unsuccessful in implementing a corrective action plan.
(Finding 2, pages 13-14)

We recommended the Board ensure change management controls are suitably designed and implemented to protect computer systems and data.

The Board disagreed with the finding. The Board stated it has documented change management processes within established project management documentation. The Board believes those processes align with the recommendations presented by the auditors. However, the Board stated it will revise change management procedures to alleviate any future findings regarding change management.

In an accountant’s comment, we acknowledged the Board’s response regarding its documented change management processes. However, the identified deficiencies, specifically the improper approval of system change requests and inadequate segregation of duties, posed a significant risk to the integrity of the Board’s systems and data. Additionally, based on audit procedures performed, we determined the existing documentation did not fully demonstrate consistent application of change management controls in accordance with established configuration management recommended practices. The auditors acknowledged the Board’s commitment to revising its change management procedures to strengthen controls and mitigate future risks.

In addition, Generally Accepted Government Auditing Standards (GAGAS), also known as the Yellow Book, provides the preeminent standards for government auditing. GAGAS (paragraph 7.42) states auditors should include in the examination report all internal control deficiencies, even those communicated early, that are considered to be significant deficiencies or material weaknesses that the auditors identified based on the engagement work performed.

INADEQUATE CONTROLS OVER SERVICE PROVIDERS

The Board had not implemented adequate internal controls over its service providers.

We performed testing on three of the eight service providers identified in the population of service providers provided by the Board.
The Board utilized these service providers for software as a service. During our testing, we noted the Board had not:

• Entered into an agreement with one (13%) service provider to ensure the roles and responsibilities, and the security, integrity, availability, confidentiality, and privacy controls over the Board’s applications and data of both the Board and service providers, were documented, and
• Documented their review of three (100%) service providers’ System and Organization Controls (SOC) reports, including the impact of noted deviations, Complementary User Entity Control, and subservice organizations.

This finding was first noted during the Compliance Examination for the two years ended June 20, 2021. In the subsequent years, the Board has been unsuccessful in implementing a corrective action.
(Finding 3, pages 15-16)

We recommended the Board enter into agreements with service providers to define roles and responsibilities and document the review of SOC reports.

The Board agreed with the recommendation.

OTHER FINDINGS

The remaining findings pertain to inadequate control over voucher and receipt processing, weaknesses in cybersecurity and disaster recovery planning, and statutory noncompliance. We will review the Board’s progress towards the implementation of our recommendations in our next compliance examination.

ACCOUNTANT’S OPINION

The accountants conducted a State compliance examination of the Board for the two years ended June 30, 2025, as required by the Illinois State Auditing Act. The accountants qualified their report on State compliance for Findings 2025-001 and 2025-002. Except for the noncompliance described in those findings, the accountants stated the Board complied, in all material respects, with the requirements described in the report.

This State compliance examination was conducted by Roth & Co., LLP.

COURTNEY DZIERWA
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:sdw