REPORT DIGEST

DEPARTMENT OF INNOVATION AND
TECHNOLOGY, STATE OF ILLINOIS,
ENTERPRISE RESOURCE PLANNING SYSTEM

SYSTEM AND ORGANIZATION CONTROL REPORT
AND
REPORT REQUIRED UNDER GOVERNMENT
AUDITING STANDARDS
FOR THE YEAR ENDED JUNE 30, 2023

Release Date:  September 7, 2023

FINDINGS THIS AUDIT: 1

CATEGORY:  NEW -- REPEAT -- TOTAL
Category 1:  0 -- 1 -- 1
Category 2:  0 -- 0 -- 0
Category 3:  0 -- 0 -- 0
TOTAL:  0 -- 1 -- 1

FINDINGS LAST AUDIT: 3

Category 1: Findings that are material
weaknesses in internal control and/or a
qualification on compliance with State
laws and regulations (material
noncompliance).
Category 2: Findings that are
significant deficiencies in internal
control and noncompliance with State
laws and regulations.
Category 3: Findings that have no
internal control issues but are in
noncompliance with State laws and
regulations.

State of Illinois, Office of the
Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact:
Office of the Auditor General, Iles
Park Plaza, 740 E. Ash Street,
Springfield, IL 62703
(217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are
also available on the worldwide web at
www.auditor.illinois.gov

INTRODUCTION

This digest covers the System and
Organization Control Report and the
Report Required under Governmental
Auditing Standards of the Department of
Innovation and Technology (Department)
for the period of July 1, 2022 to June
30, 2023.

The System and Organization Control
Report contained a qualified opinion
due to weaknesses associated with the
Department’s description of system,
suitability of the control design and
the operating effectiveness of
controls.  In addition, the Report
Required under Government Auditing
Standards (GAS) contains one finding.

SYNOPSIS

• (23-1)  The controls related to the
control objectives stated in the
“Description of the State of Illinois,
Enterprise Resource Planning System for
the IT General Controls and Application
Controls” were not suitably designed or
did not operate effectively to provide
reasonable assurance the control
objectives would be achieved.

FINDINGS, CONCLUSIONS, AND
RECOMMENDATIONS

CONTROLS WERE NOT SUITABLY DESIGNED OR
DID NOT OPERATE EFFECTIVELY

The controls related to the control
objectives stated in the “Description
of the State of Illinois, Enterprise
Resource Planning System for the IT
General Controls and Application
Controls” (description of system),
provided by the Department of
Innovation and Technology (Department),
were not suitably designed or did not
operate effectively to provide
reasonable assurance the control
objectives would be achieved.

As part of our testing to determine if
the controls were suitably designed, we
requested the Department provide
populations related to Active Directory
access requests, modifications, and
terminations.  However, the Department
was unable to provide the populations.
As such, we could not perform testing.

As a result, we were unable to
determine if the controls were suitably
designed or operated effectively.
(Finding 1, page 8 of GAS Report)

We recommended the Department ensure
the controls are suitably designed and
operate effectively over the services
provided to user agencies.

Department officials stated they agreed
and would work to ensure reports with
accurate populations for access
requests, modifications, and
terminations exist.

SERVICE AUDITOR’S OPINION

The System and Organization Control
Report contained a qualified opinion.
Specifically, the Service Auditors
determined, except for the matters
described in the System and
Organization Control Report, in all
material respects, based on the
criteria described in the State of
Illinois, Department of Innovation and
Technology’s assertion:

a. the description fairly presents the
State of Illinois, Enterprise Resource
Planning System that was designed and
implemented throughout the period from
July 1, 2022 to June 30, 2023.
b. the controls related to the control
objectives stated in the description
were suitably designed to provide
reasonable assurance that the control
objectives would be achieved if the
control operated effectively throughout
the period July 1, 2021 to June 30,
2022; and subservice organizations and
users entities applied complementary
controls assumed in the design of the
State of Illinois, Department of
Innovation and Technology’s control
throughout the period July 1, 2022 to
June 30, 2023.
c. the controls operated effectively to
provide reasonable assurance that the
control objectives stated in the
description were achieved throughout
the period from July 1, 2022 to June
30, 2023 if complementary subservice
organizations and user entity controls
assumed in the design of the State of
Illinois, Department of Innovation and
Technology’s controls operated
effectively throughout the period July
1, 2022 to June 30, 2023.

The System and Organization Control
Examination was conducted by the Office
of the Auditor General’s staff.

JANE CLARK
Division Director

This report is transmitted in
accordance with Section 3-14 of the
Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:mkl