REPORT DIGEST

DEPARTMENT OF INNOVATION AND TECHNOLOGY
INFORMATION TECHNOLOGY SHARED SERVICES

SYSTEM AND ORGANIZATION CONTROL REPORT AND REPORT REQUIRED UNDER GOVERNMENT AUDITING STANDARDS
FOR THE YEAR ENDED JUNE 30, 2023

Release Date: September 7, 2023

FINDINGS THIS AUDIT: 2

CATEGORY        NEW    REPEAT    TOTAL
Category 1        0         2        2
Category 2        0         0        0
Category 3        0         0        0
TOTAL             0         2        2

FINDINGS LAST AUDIT: 3

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact:
Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703
(217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

INTRODUCTION

This digest covers our System and Organization Control Report and Report Required under Government Auditing Standards of the Department of Innovation and Technology Information Technology Shared Services for the period from July 1, 2022 through June 30, 2023.

The System and Organization Control Report contains an adverse opinion due to weaknesses associated with the Department’s Description of System, the suitability of the control design, and the operating effectiveness of controls. In addition, the Report Required under Government Auditing Standards (GAS) contains two findings.
SYNOPSIS

• (23-1) The controls related to the control objectives stated in the Description of the Information Technology Shared Services System for the Information Technology General Controls and Application Controls were not suitably designed to provide reasonable assurance the control objectives would be achieved.

• (23-2) The controls related to the control objectives stated in the Description of the Information Technology Shared Services System for the Information Technology General Controls and Application Controls did not operate effectively.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

CONTROLS WERE NOT SUITABLY DESIGNED

The controls related to the control objectives stated in the “Description of the Information Technology Shared Services System for the Information Technology General Controls and Application Controls” (description of system), provided by the Department of Innovation and Technology (Department), were not suitably designed to provide reasonable assurance the control objectives would be achieved.

As part of our testing to determine if the controls were suitably designed, we requested the Department provide populations related to:

• New Agency Application Administrator logical access requests;
• Active Directory access requests, modifications, and terminations;
• Security Software accounts created, modified, and revoked;
• New Security Software Administrator accounts;
• New and terminated physical access requests, including non-State employees; and
• Changes made to applications.

However, the Department did not provide complete and accurate populations. As such, we could not perform testing.

In addition, the Department did not respond to our request regarding staff and vendors with a business need to access or modify network devices.

Further, our testing noted the Department did not follow its change management procedures or processes for changes to the mainframe operating system and the network security tool.
Lastly, the Department did not provide documentation demonstrating it was monitoring for compliance with the enterprise information security policies.

As a result, we were unable to determine if the controls were suitably designed. (Finding 1, pages 8-9 of GAS Report)

We recommended the Department ensure the controls are suitably designed over the services provided to user agencies.

Department officials agreed and stated they would review the controls in place and would work to ensure they are effectively designed.

CONTROLS DID NOT OPERATE EFFECTIVELY

The controls related to the control objectives stated in the “Description of the Information Technology Shared Services System for the Information Technology General Controls and Application Controls” (description of system), provided by the Department of Innovation and Technology (Department), did not operate effectively.

During our testing of the controls related to the control objectives stated in the description of system, we noted specific controls which did not operate effectively. Specifically, we noted:

Applications
• A state tax rate was incorrect.

Change Management
• Post Implementation Reviews were not always completed timely.
• Some changes did not have a test plan.
• Changes to the environment operating systems were not always approved.

Physical Security
• A monthly review of the Central Computing Facility (CCF) secured area was not completed.
• Individuals were issued temporary badges with inappropriate access to the Department’s buildings.

Logical Security
• Security software weekly violation reports did not document whether violations were followed up on or reviewed.
• The Department did not provide several proxy agencies a listing of their security software accounts for review.
• Security settings did not always conform to the Department’s or the vendor’s standards.

Security Violations
• Security violation reports did not document follow-up actions taken related to security violations.
• Mainframe monitoring reports were not always completed and distributed.

Environments
• Several policies and procedures had not been updated to reflect current processes.

(Finding 3, pages 10-11 of GAS Report) This finding has been repeated since 2018.

We recommended the Department ensure its controls operate effectively over the services provided to user agencies.

Department officials agreed and stated they would review the controls in place and would work to ensure they are operating effectively.

SERVICE AUDITOR’S OPINION

The System and Organization Control Report contained an adverse opinion. Specifically, the Service Auditors determined:

a. the description does not fairly present the State of Illinois, Department of Innovation and Technology’s Information Technology Shared Services system that was designed and implemented throughout the period from July 1, 2022 to June 30, 2023.

b. the controls related to the control objectives stated in the description were not suitably designed to provide reasonable assurance that the control objectives would be achieved if the controls operated effectively throughout the period from July 1, 2022 to June 30, 2023.

c. the controls did not operate effectively to provide reasonable assurance that the control objectives stated in the description were achieved throughout the period from July 1, 2022 to June 30, 2023.

The System and Organization Control Examination was conducted by the Office of the Auditor General’s staff.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:mkl