REPORT DIGEST

DEPARTMENT OF INNOVATION AND INFORMATION TECHNOLOGY SHARED SERVICES SYSTEM

SYSTEM AND ORGANIZATION CONTROLS REPORT AND REPORT REQUIRED UNDER GOVERNMENT AUDITING STANDARDS

FOR THE YEAR ENDED June 30, 2025

Release Date: October 21, 2025

FINDINGS THIS AUDIT: 1

CATEGORY       NEW    REPEAT    TOTAL
Category 1:     1       0         1
Category 2:     0       0         0
Category 3:     0       0         0
TOTAL:          1       0         1

FINDINGS LAST AUDIT: 1

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, 400 West Monroe, Suite 306, Springfield, IL 62704-9849, (217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

INTRODUCTION

This digest covers our System and Organization Controls Report and Report Required under Government Auditing Standards of the Department of Innovation and Technology, Information Technology Shared Services System (Department) for the period from July 1, 2024 through June 30, 2025. The System and Organization Controls Report contains a qualified opinion due to weaknesses associated with the Department’s suitability of the control design and operating effectiveness of controls. In addition, the Report Required under Government Auditing Standards (GAS) contains one finding.

SYNOPSIS

• (25-1) The controls related to the control objectives stated in the description of the Information Technology Shared Services System were not suitably designed or did not operate effectively to provide reasonable assurance the control objectives would be achieved.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

CONTROLS WERE NOT SUITABLY DESIGNED OR DID NOT OPERATE EFFECTIVELY

The controls related to the control objectives addressing system edits and validations, logical access, and physical access stated in the “Management of the State of Illinois, Department of Innovation and Technology’s Description of its Information Technology Shared Services System” (description), provided by the Department of Innovation and Technology (Department), were not suitably designed or did not operate effectively to provide reasonable assurance the control objectives would be achieved.

System Edits and Validations

During our testing, we noted Department management was unable to provide a complete and reliable population of the Central Payroll System (CPS) and eTime system edits and validations used in its processing environment. Due to this condition, we were unable to conclude the Department’s population records were sufficiently precise and detailed under the Attestation Standards promulgated by the American Institute of Certified Public Accountants (AT-C § 320.30) to test the suitable design of the controls.

Additionally, the edit check controls within CPS were not suitably designed. The CPS manual, which was ultimately used to derive a listing of screens and fields to sample, was outdated and inaccurate. Specifically:

• CPS – We noted one of nine (11%) screens documented in the manual was no longer in use and had not been maintained to reflect the current system configuration.
• eTime – The Department provided a manually maintained listing of system edits and validations. However, during testing we noted twenty of 37 (54%) edits and validations were defunct and had not been maintained to reflect the current system configuration.

Logical Access

During testing, we noted the logical access controls were not operating effectively to ensure access to Department resources was authorized and approved.
Specifically:

• Inappropriate User Access –
  -- The Department was unable to provide evidence (system listing or access request form) to demonstrate authorized pre-approvals were obtained for the two of two (100%) users, who were provisioned access to merge eTime changes to production. To merge a change into production means to integrate finalized code or configuration updates into the live, customer-facing environment of a system or application.
  -- We compared the population of developers to the population of users who can update the production environment and noted three users were granted conflicting access to both the development and production environment for the CPS application. This means the users can develop or modify code/configurations and directly deploy or update the production environment.
• Revocation of Access – Access was not revoked by the end of the next business day following the employee’s or contractor’s last day of work in accordance with Department procedures for two of 34 (6%) terminated users.
• Recertification of Access – Two user accounts requested to be revoked for one of 31 (3%) proxy agencies during the annual access review were not revoked.

Physical Access

During testing, we noted the physical access controls were not operating effectively to ensure physical access to Department facilities was restricted to authorized personnel. Specifically:

• Revocation of Access – For seven of 46 (15%) separated/terminated users, the Department could not provide completed badge access removal forms.
• Recertification of Access –
  -- User access for individuals with access to the Central Computing Facility (CCF), Communications Building, and Warehouse was not verified during the first quarter of Fiscal Year 2025 access review in accordance with the Department policy.
  -- User access for individuals with access to the CCF secured area was not verified for one of three (33%) monthly reviews.
(Finding 1, pages 7-10 of GAS Report)

We recommended the Department ensure the controls are suitably designed and operating effectively over the services provided to user agencies, specifically involving system edits and validations and logical and physical access.

Department officials agreed and stated they will evaluate and strengthen controls to ensure system documentation is up to date, system access processes are refined, and physical access processes are streamlined with access reviews performed on schedule.

SERVICE AUDITOR’S OPINION

The System and Organization Controls Report contained a qualified opinion. Specifically, the Service Auditors determined, except for the matters described in the System and Organization Controls Report, in all material respects, based on the criteria described in the State of Illinois, Department of Innovation and Technology’s assertion:

a. the description fairly presents the Information Technology Shared Services System that was designed and implemented throughout the period July 1, 2024 to June 30, 2025.

b. the controls related to the control objectives stated in the description were suitably designed to provide reasonable assurance that the control objectives would be achieved if the controls operated effectively throughout the period July 1, 2024 to June 30, 2025, and if the subservice organizations and user entities applied the complementary controls assumed in the design of the State of Illinois, Department of Innovation and Technology’s controls throughout the period July 1, 2024 to June 30, 2025.

c. the controls operated effectively to provide reasonable assurance that the controls stated in the description were achieved throughout the period from July 1, 2024 to June 30, 2025, and if the subservice organizations and user entities applied the complementary controls assumed in the design of the State of Illinois, Department of Innovation and Technology’s controls operated effectively throughout the period July 1, 2024 to June 30, 2025.

The System and Organization Controls Examination was conducted by Sikich CPA LLC.

COURTNEY DZIERWA
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:vrb