REPORT DIGEST

OFFICE OF THE SECRETARY OF STATE

FINANCIAL AUDIT
FOR THE TWO YEARS ENDED JUNE 30, 2025

Release Date: May 5, 2026

FINDINGS THIS AUDIT: 13

CATEGORY      NEW   REPEAT   TOTAL
Category 1      0        1       2
Category 2      6        6      12
Category 3      0        0       0
TOTAL           6        7      13

FINDINGS LAST AUDIT: 12

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, 400 West Monroe, Suite 306, Springfield, IL 62704-9849, (217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

SYNOPSIS

• (25-01) The Office of the Secretary of State did not demonstrate adequate control over property and equipment during the engagement period.
• (25-05) The Office had not established adequate controls for accessing its computing environment.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

WEAKNESS RELATED TO PROPERTY AND EQUIPMENT

The Office of the Secretary of State (Office) did not demonstrate adequate control over property and equipment during the engagement period.

Recording and reporting weaknesses were identified during our detailed testing of the Office’s State property as follows:

• The Office was not able to reconcile the Form C-15 to the Office’s property listing for Fiscal Years 2024 and 2025. The unreconciled differences as of the end of Fiscal Year 2024 and Fiscal Year 2025 totaled $19,634,760 and $7,465,261, respectively.

Due to the condition identified above, we were unable to conclude whether the Office’s population records were sufficiently precise and detailed under the Attestation Standards promulgated by the American Institute of Certified Public Accountants (AT-C § 205.36) to test the Office’s controls over property and equipment.

Even given the population limitations noted above, which hindered the ability of the accountants to conclude whether selected samples were representative of the population as a whole, we performed the following tests:

• During our testing of 60 property additions, we noted the following:
  -- Nine of 60 (15%) property additions tested, totaling $136,424, were not added to Office property records timely, ranging from 10 to 204 days late. Items that were not added in a timely manner were vehicles, office equipment and IT equipment.
  -- Two of 60 (3%) property additions tested, totaling $7,605, did not include the cost of freight in the total cost of the asset in the property records. The unrecorded freight cost totaled $371.
• During our property deletion testing, we noted one of 40 (3%) property deletions tested, amounting to $15,330, was removed from the property records 5 days late. The item that was not removed in a timely manner was a vehicle.
• During our floor to list testing of Office equipment items, we noted two of 60 (3%) items tested, totaling $353, were found in a different location than stated in the property records. The two items noted were computer monitors.
• During our list to floor testing of Office equipment items, we noted one of 60 (2%) items selected for observation, amounting to $3,612, was not identified and removed from the property records as it was obsolete and no longer used in operations.
• During our testing of State property policies, we noted the Office failed to adopt a formal policy that clearly delineates the categories of equipment considered subject to theft.

(Finding 1, pages 10-12) This finding has been reported since 2019.

We recommended the Office strengthen its internal controls and procedures to ensure its property and equipment are reported and accounted for in a manner which complies with applicable laws, rules, and regulations.
In addition, we recommended the Office establish a high-theft policy that clearly delineates the categories of equipment considered subject to theft.

The Office accepted the finding.

INADEQUATE CONTROLS OVER USER ACCESS

The Office had not established adequate controls for accessing its computing environment.

During fieldwork, we examined the Office’s general information technology controls over nine significant applications. During our testing, we noted the following:

• The Office had not established detailed policies and procedures related to access provisioning, modification, and termination.
• For 17 of 35 (49%) sampled new user access requests, the Office did not maintain proper documentation of user access requests and approval prior to granting access.
• For 30 of 42 (71%) sampled terminated users, the Office did not remove user access in a timely manner after access was no longer needed.
• For 5 of 60 (8%) sampled active user access, users had access rights that did not align with job duties.
• The Office did not conduct an annual review of user access rights for 8 of the 9 (89%) significant applications examined.

(Finding 5, pages 20-21) This finding has been reported since 2021.

We recommended the Office establish policies and procedures, maintain proper documentation of access requests and approval prior to granting access, remove user access timely, and conduct an annual review of user access rights for significant applications.

The Office accepted the finding.

OTHER FINDINGS

The remaining compliance findings are reportedly being given attention by Office management. We will review the Office’s progress towards the implementation of our recommendations in our next compliance examination.

ACCOUNTANT’S OPINION

The accountants conducted a State compliance examination of the Office for the two years ended June 30, 2025, as required by the Illinois State Auditing Act. The accountants qualified their report on State compliance for Finding 2025-001.
Except for the noncompliance described in this finding, the accountants stated the Office complied, in all material respects, with the requirements described in the report.

This State compliance examination was conducted by Adelfia LLC.

COURTNEY DZIERWA
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:sdw