REPORT DIGEST DEPARTMENT OF INNOVATION AND TECHNOLOGY INFORMATION TECHNOLOGY HOSTING SERVICES SYSTEM SYSTEM AND ORGANIZATION CONTROLS REPORT AND REPORT REQUIRED UNDER GOVERNMENT AUDITING STANDARDS FOR THE YEAR ENDED June 30, 2025 Release Date: October 21, 2025 FINDINGS THIS AUDIT: 1 CATEGORY: NEW -- REPEAT – TOTAL Category 1: 1 -- 0 -- 1 Category 2: 0 -- 0 -- 0 Category 3: 0 -- 0 -- 0 TOTAL: 1 -- 0 -- 1 FINDINGS LAST AUDIT: 1 State of Illinois, Office of the Auditor General FRANK J. MAUTINO, AUDITOR GENERAL To obtain a copy of the Report contact: Office of the Auditor General, 400 West Monroe, Suite 306, Springfield, IL 62704-9849 (217) 782-6046 or TTY (888) 261-2887 This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov INTRODUCTION INTRODUCTION This digest covers the System and Organization Controls Report and the Report Required under Government Auditing Standards of the Department of Innovation and Technology, Information Technology Hosting Services System (Department) for the period July 1, 2024 to June 30, 2025. The System and Organization Controls Report contained a qualified opinion due to weaknesses associated with the operating effectiveness of the Department’s controls. In addition, the Report Required under Government Auditing Standards (GAS) contains one finding. SYNOPSIS • (25-1) The controls related to the trust services criteria stated in the description of the Information Technology Hosting Services System did not operate effectively to provide reasonable assurance the trust services criteria would be achieved. FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS CONTROLS DID NOT OPERATE EFFECTIVELY The controls related to the trust services criteria stated in the “Management of the State of Illinois, Department of Innovation and Technology’s Description of its Information Technology Hosting Services System” (description), provided by the Department of Innovation and Technology (Department), did not operate effectively to provide reasonable assurance the trust services criteria would be achieved. Control Environment The Department lacked controls to maintain an effective control environment. Specifically, we noted: • Structure and Authority – For 1 of 33 (3%) procured vendor contractors, we were unable to determine whether the vendor contractor was hired based on contract requirements in accordance with the Illinois procurement regulations. • Accountability – Annual performance evaluations were not completed for two of 44 (5%) employees. Logical Access The Department did not implement controls to ensure access to Department resources was authorized and approved. Specifically, access was not revoked by the end of the next business day following the employee’s or contractor’s last day of work for two of 34 (6%) terminated users in accordance with Department procedures. Physical Access During testing, we noted the physical access controls were not operating effectively to ensure physical access to Department facilities was restricted to authorized personnel. Specifically: • Revocation of Access – For seven of 46 (15%) separated/terminated users, the Department could not provide completed badge access removal forms. • Recertification of Access – -- User access for individuals with access to the Central Computing Facility (CCF), Communications Building, and Warehouse was not verified during the first quarter of Fiscal Year 2025 access review in accordance with the Department policy. -- User access for individuals with access to the CCF secured area was not verified for one of three (33%) monthly reviews. (Finding 1, pages 7-9 of GAS Report) We recommended the Department ensure the controls are operating effectively over the services provided to user agencies, specifically involving the control environment and logical and physical access. Department officials agreed and stated they will strengthen controls to ensure its internal control environment is effectively maintained, system access processes are refined, and physical access processes are streamlined with access reviews performed on schedule. SERVICE AUDITOR’S OPINION The System and Organization Controls Report contained a qualified opinion. Specifically, the Service Auditors determined, except for the matters described in the System and Organization Controls Report, in all material respects, based on the criteria described in the State of Illinois, Department of Innovation and Technology’s assertion: a. the description presents the Department’s Information Technology Hosting Services System that was designed and implemented throughout the period July 1, 2024 to June 30, 2025 in accordance with the description criteria. b. the controls stated in the description were suitably designed throughout the period July 1, 2024 to June 30, 2025 to provide reasonable assurance that the Department’s service commitments and system requirements would be achieved based on the applicable trust services criteria, if its controls operated effectively throughout that period, and if the subservice organizations and user entities applied the complementary controls assumed in the design of the Department’s controls throughout the period. c. the controls stated in the description operated effectively throughout the period July 1, 2024 to June 30, 2025, to provide reasonable assurance that the Department’s service commitments and system requirements were achieved based on the applicable trust services criteria, if complementary subservice organization controls and complementary user entity controls assumed in the design of the Department’s controls operated effectively throughout the period. This System and Organization Controls Examination was conducted by Sikich CPA LLC. COURTNEY DZIERWA Division Director This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act. FRANK J. MAUTINO Auditor General FJM:vrb