State of Illinois
Office of the Auditor General
2025 Annual Report
March 1, 2026
The Honorable Members of the General Assembly
The Legislative Audit Commission
The Honorable JB Pritzker, Governor
Citizens of Illinois
Ladies and Gentlemen:
Enclosed is the Annual Report of the Auditor General’s Office, submitted in compliance with Section 3-15 of the Illinois State Auditing Act.
The mission of the Auditor General’s Office has been, and will continue to be, to present objective, balanced and independent audits. I believe this Annual Report reflects the Office’s success in fulfilling that goal during calendar year 2025.
I would like to thank the members of the General Assembly, members and staff of the Legislative Audit Commission, and the staff of the Auditor General’s Office, through whose efforts the reported accomplishments were made possible.
Yours truly,
FRANK J. MAUTINO
Auditor General
Overview
Frank J. Mautino became Auditor General of the State of Illinois on January 1, 2016. Prior to his appointment as Auditor General, Mr. Mautino was a member of the Illinois House of Representatives, and served as a co-chairman of the Legislative Audit Commission.
As a constitutional officer, the Auditor General audits public funds of the State and reports findings and recommendations to the General Assembly and to the Governor. The establishment of the Auditor General under the Legislature is important. It ensures that the Legislature, which grants funds and sets program goals, will ultimately review program expenditures and results. Thus, agencies are accountable to the people through their elected representatives.
The Auditor General’s Office performs several types of audits to review State agencies. Financial audits and Compliance examinations are mandated by law. They disclose the obligation, expenditure, receipt, and use of public funds. They also provide agencies with specific recommendations to help ensure compliance with State and federal statutes, rules and regulations.
Performance audits are conducted at the request of legislators to assist them in overseeing government. Programs, functions, and activities are reviewed according to the direction of the audit resolution or law directing the audit. The General Assembly may then use the audit recommendations to develop legislation for the improvement of government.
Information Systems audits are performed on the State’s computer networks. They determine whether appropriate controls and recovery procedures exist to manage and protect the State’s financial and confidential information.
Copies of all audits are made available to members of the Legislature, the Governor, the media, and the public. Findings include areas such as accounts receivable, computer security, contracts, expenditure control, leases, misappropriation of funds, personnel and payroll, property control, purchasing, reimbursements, telecommunications, and travel.
Audit reports are reviewed by the Legislative Audit Commission in a public hearing attended by agency officials. Testimony is taken from the agency regarding the audit findings and the plans the agency has for corrective action. In some cases, the Commission may decide to sponsor legislation to correct troublesome fiscal problems brought to light by an audit. All outstanding recommendations are reviewed during the next regularly scheduled audit of an agency or, if the Commission requests, a special interim audit may be conducted.
Public Information
An audit and its supporting workpapers, unless confidential by, or pursuant to, law or regulation, are public documents once the report has been officially released to the Legislature, the public, and the press. These documents are available for review in our Springfield and Chicago offices.
The following information is also available by request:
• Late Filing Affidavits
• Emergency Purchase Affidavits
Information about the Auditor General is available on the Internet. This information includes report summaries and full report texts.
Our internet web site address is: www.auditor.Illinois.gov
Our e-mail address is: audgen@auditor.illinois.gov
Public information is available by writing:
FOIA Officer
Office of the Auditor General
400 West Monroe, Suite 306
Springfield, IL 62704-9849
Springfield:
Telephone: (217) 782-6046
Fax: (217) 785-8222
Chicago:
Telephone: (312) 814-4000
Fax: (312) 814-4006
TTY: (888) 261-2887
Our Fraud Hotline is: Toll-Free: (855) 217-1895
Visit our web site at www.auditor.Illinois.gov for full details or for an on-line reporting form.
Organizational Chart
As of December 31, 2025, there were 76 employees. Seventy-one were located in the Springfield Office and five in the Chicago Office.
THE COMPLIANCE EXAMINATION PROGRAM
The Auditor General is required by the Illinois State Auditing Act to conduct, as is appropriate to the agency’s operations, a financial audit and/or compliance examination of every State agency at least once every two years. These audits and examinations inform the public, the Legislature, and State officers about the obligation, expenditure, receipt, and use of public funds, and provide State agencies with recommendations to help ensure compliance with State and federal statutes, rules, and regulations.
The Financial and Compliance Audit Division of the Office of the Auditor General (Office) conducted engagements at 87 agencies during the FY 2023 audit cycle. These engagements encompassed compliance examinations, financial audits, and federal single audits. Staff auditors conducted 13 of these audits. The remainder were performed by public accounting firms under the general direction and management of the Auditor General’s audit managers.
The Illinois Constitution of 1970 revised and expanded the traditional financial audits conducted of State agencies to focus on compliance with legislative intent and proper performance of governmental operations, as well as financial accountability.
The compliance program has a positive impact on the operations of State government because agencies implement many of the recommendations made in these reports. Compliance reports are also reviewed by the Legislative Audit Commission, where legislators question agency directors about audit findings and the corrective action they plan to take. Legislators and their staffs also use compliance reports during appropriation hearings in the spring legislative session. To maximize the usefulness of audit information, the Office attempts to deliver audits as early as possible in the legislative session
ACCOUNTABILITY
A number of reports issued since our last report had findings that were critically important from an accountability standpoint. A brief summary of some of these findings follows.
INADEQUATE FINANCIAL REPORTING PROCESS
The State of Illinois’ current financial reporting process does not allow the State to prepare a
complete and accurate Annual Comprehensive Financial Report (ACFR) in a timely manner. Reporting issues at various individual agencies caused delays in finalizing the financial statements. The lack of timely financial reporting limits effective oversight of State finances.
Accurate and timely financial reporting problems continue to exist even though the auditors have
(1) continuously reported numerous findings on the internal controls (material weaknesses and
significant deficiencies), (2) commented on the inadequacy of the financial reporting process of the State, and (3) regularly proposed adjustments to the financial statements year after year. These findings have been directed primarily towards major State agencies under the organizational structure of the Office of the Governor (Governor) and towards the Office of Comptroller (Comptroller).
The Comptroller has made significant changes to the system used to compile financial information; however, the State has not solved all the problems to effectively remediate these financial reporting weaknesses. The State has a highly decentralized financial reporting process due to the use of numerous financial reporting systems, many of which are not interrelated and require manual intervention to convert data. The process is also overly dependent on the post audit program, even though the Office of the Auditor General has repeatedly informed State agency officials that the post audit function is not a substitute for appropriate internal controls at State agencies.
Annual financial reporting to the Comptroller requires the State’s agencies to prepare a series of financial reporting forms (SCO forms) designed by the Comptroller, which are utilized to prepare the ACFR. Although these SCO forms are subject to review by the Comptroller’s financial reporting staff during the ACFR preparation process and there are recommended minimum qualifications for all new generally accepted accounting principles (GAAP) coordinators who oversee the preparation of the SCO forms, the current process still lacks sufficient internal controls at individual agencies.
We recommended the Governor and the Comptroller continue to work together to resolve the State’s inability to produce timely and accurate GAAP-basis financial information.
The Office of the Governor agreed with the recommendation and stated they will continue to work with the Comptroller and individual state agencies that have the most pressing challenges to produce timelier and more accurate GAAP-basis financial information. The state agencies under the Governor are completing the multi-year implementation of an Enterprise Resource Planning (ERP) system — an integrated, enterprise-wide system that includes a financial accounting component. All state agencies under the Governor’s purview are using the financial accounting component of the ERP system. Further, the Governor anticipates that all state agencies subject to the Grant Accountability and Transparency Act will join the Statewide grants management system currently under development. The grants management system will pull data from the ERP system, promoting consistency across state systems. Upon full implementation, the two systems are expected to improve internal controls and will better support the agencies’ production of accurate and timely financial statements. The Governor noted that he has no authority to direct or control the financial reporting processes employed by other constitutional offices. Finally, the Governor has taken steps to increase staffing of and training for agency fiscal offices to improve processes.
The Comptroller accepted the recommendation and stated the State still faces several roadblocks in the timely completion of the Annual Comprehensive Financial Report. The General Assembly enacted Public Act 96-1501, which extended the lapse period to October 31 for fiscal year 2021 and future fiscal years for medical payments of the Department of Veterans’ Affairs and medical, childcare, and substance abuse treatment payments of the Department of Human Services. Public Act 102-0291 extended lapse period from August 31 to October 31 for fiscal year 2022 and future fiscal years for medical assistance payments of the Department of Healthcare and Family Services. More importantly, the Annual Comprehensive Financial Report completion continues to be delayed because of financial reporting issues identified during individual State agency financial and compliance audits. The report cannot be finalized until these issues are resolved at the individual State agency reporting level.
The Comptroller will continue to work with the Governor’s Office, the Auditor General’s Office, and agency GAAP coordinators to improve the timeliness and quality of reporting, including alternative options for the completion of the financial reporting process of the State.
INADEQUATE CONTROLS OVER ACCOUNTS RECEIVABLE
The Department of Natural Resources did not exercise adequate internal controls over its reporting and maintenance of accounts receivable.
We performed detailed testing of accounts receivable including the Quarterly Summary of Accounts Receivable – Accounts Receivable Activity Report (Form C-97) and Quarterly Summary of Accounts Receivable – Aging of Total Gross Receivables (Form C-98). During testing, we noted the following weaknesses:
Accounting System and Process Deficiencies
• The Department did not maintain a detailed accounts receivable subsidiary ledger to support the quarterly accounts receivable additions reported on the Form C-97s. Rather, the Department took the amount collected during the quarter, subtracted the beginning quarterly receivable balance, and added the ending quarterly gross receivable balance to calculate the accounts receivable additions for the quarter.
• During the compilation of Forms C-97 and C-98, the Department did not review and verify the accuracy of accounts receivable reported by the Department’s in-charge of each fund.
Inadequate Processing of Old Accounts Receivable
• The Department did not report accounts receivable “due over one year” as uncollectible on the Form C-97 for Funds 039, 040, 041, 905 and 962 for the fourth quarter of Fiscal Years 2023 and 2024. The Department’s accounts receivable balances “due over one year” for Funds 039, 040, 041, 905 and 962 ranged from $1,817 to $199,648.
• The Department did not make sufficient attempts to either collect its aged accounts receivable or write off uncollectible accounts receivable greater than one year old. As of June 30, 2024, outstanding receivables aged more than a year totaled $2,305,314, $2,773,937, $123,374, and $199,648 for Funds 137, 261, 884, and 962, respectively.
Further, we noted these accounts receivable were aged more than one year; in some cases, were as old as Fiscal Year 1992.
• During testing of 40 accounts receivable, we noted 14 (35%), totaling $225,108, were over 90 days past due but not referred to the Comptroller’s Illinois Debt Recovery Offset Portal (IDROP) system.
Accounts Receivable Not Reported
• The Department was the lessor in several real property rental agreements but did not track the timing of the rental payment due dates against related receipts to determine if receivables should be recorded and reported to the Comptroller on its Fund 538 Form C-97. The total real property rental receipts reported by the Department for Fund 538 were $128,129 and $63,672 in Fiscal Years 2023 and 2024, respectively. Potential receivable amounts could not be determined.
We recommended the Department implement the necessary internal controls to ensure accounts receivable are adequately supported and are consistently and accurately reported to the Comptroller. Also, we recommended the Department ensure accounts receivable are timely pursued for collection and, if not collectible, submitted for uncollectible certification and subsequently written off. Lastly, we recommended the Department review rental transactions to determine the amount receivable to be reported quarterly and at the end of the year.
Department officials accepted the recommendation. Department officials stated the Department has updated its Finance Handbook, which includes the accounts receivable process, and has begun implementing the necessary internal controls to consistently and accurately report accounts receivable. Department officials further stated the Department has also provided staff with training on the Statewide Accounting Management System (SAMS) manual to ensure all accounts receivable reporting requirements are met. Additionally, Department officials stated the Department has hired additional staff to increase collection efforts and continues working to ensure that support for all receivables, uncollectable accounts and adjustments is obtained from each division. Finally, Department officials stated the Department will continue reviewing rental transactions within Fund 538 to determine the amount of receivable to be reported quarterly and at the end of the year.
NONCOMPLIANCE WITH THE ABUSED AND NEGLECTED CHILD REPORTING ACT
The Department of Children and Family Services failed to comply with several sections of the Abused and Neglected Child Reporting Act (Act) (325 ILCS 5) during the examination period.
We tested several sections of the Act and noted the following exceptions:
• The Department did not communicate to the State’s attorneys’ offices for 12 of 40 (30%) reports of child abuse and neglect for infants exposed to controlled substances tested. Additionally, the Department did not immediately communicate the investigation reports to the State’s attorneys’ offices for 3 of 40 (8%) reports tested. Specifically, we noted the State’s attorneys’ offices were notified between 107 to 114 days from report date.
• The Department notified the Director of the Department of Public Health (DPH) and the Director of the Department of Healthcare and Family Services (HFS) of the report of suspected abuse or neglect of a child alleged to have been abused or neglected while receiving care in a hospital 34 days to 8,122 days from the investigation date for 4 of 30 (13%) reports tested.
• The Act requires the Department to submit to the General Assembly reports summarizing the number of Unfounded Review and Indicated Reports of Child Abuse and Neglect (reports) on December 1 and June 1 of each year. As such, the Department was required to file four reports during the examination period. The results of our testing indicated the Department failed to timely file one (25%) of the reports required. Specifically, we noted the report due on December 1, 2022, was submitted to the General Assembly one day late.
• The Act states the Department must send a copy of its final findings from an indicated report of child abuse and neglect to the child’s school within 10 days of completing an investigation of alleged physical or sexual abuse under the Act. During testing of 40 such indicated reports, we noted the Department did not notify the child’s school for one (3%) completed investigation. Additionally, the Department did not timely notify the children’s school for 33 (83%) completed investigations. Specifically, we noted the schools were notified 3 to 848 days late.
• The Act requires the Department within 24 hours to orally notify local law enforcement personnel and the office of the State’s attorney of the involved county of the receipt of any report alleging the death of a child, serious injury to a child, including, but not limited to, brain damage, skull fractures, subdural hematomas, and internal injuries, torture of a child, malnutrition of a child, and sexual abuse to a child, including, but not limited to, sexual intercourse, sexual exploitation, sexual molestation, and sexually transmitted disease in a child age 12 and under.
During testing of 40 such reports, we noted the following:
– The Department did not timely notify local enforcement personnel and office of the State’s attorney of the involved county for 17 (43%) reports tested. Specifically, we noted the local enforcement personnel, and the office of the State’s attorney were notified 4 to 270 days late.
– The Department did not notify the local enforcement and the office of the State’s attorney of the involved county for 5 (13%) reports tested.
• The Act requires the Department, no later than 6 months after the date of the death or serious life-threatening injury of the child, to notify the President of the Senate, the Minority Leader of the Senate, the Speaker of the House of Representatives, the Minority Leader of the House of Representatives, and the members of the Senate and House of Representatives in whose district the child’s death or serious life-threatening injury occurred upon the completion of each report, and to submit an annual cumulative report to the Governor and the General Assembly incorporating cumulative data about the above reports and including appropriate findings and recommendations. During testing of 40 reports, we noted for 10 (25%) reports tested, the Department did not notify the President of the Senate, the Minority Leader of the Senate, the Speaker of the House of Representatives, the Minority Leader of the House of Representatives and the members of the Senate and House of Representatives in whose district the child’s death or serious life-threatening injury occurred upon the completion of the report. Additionally, the Department did not provide timely notification upon the completion of one (3%) report. The notification was submitted 43 days after the 6 months’ timeframe.
We recommended the Department perform the following:
• Immediately refer all reports of child abuse and neglect for a newborn infant whose blood, urine, or meconium contains any amount of a controlled substance to the appropriate State’s attorney’s office and to update procedures and provide training to staff to accomplish compliance with the Act.
• Notify the Director of DPH and HFS within a reasonable timeframe when the Department receives a report of suspected abuse or neglect of a child, and the child is alleged to have been abused or neglected while receiving care in a hospital.
• Ensure the timely submission of all reports required by the Act to the General Assembly.
• Strengthen its monitoring procedures for investigators to ensure they notify and provide copy of its final findings from an indicated report of child abuse and neglect related to the child’s school within 10 days of completing an investigation of alleged physical or sexual abuse of a student under the Act.
• Ensure local law enforcement personnel and the office of the State’s attorney of the involved county of the receipt of any report alleging the death of a child or serious injury to a child are timely notified.
•Ensure the timely notification of all reports completed required by the Act to the President of the Senate, the Minority Leader of the Senate, the Speaker of the House of Representatives, the Minority Leader of the House of Representatives, and the members of the Senate and House of Representatives in whose district the child’s death or serious life-threatening injury occurred.
The Department agreed with the recommendations and indicated corrective actions are being taken to address the conditions noted.
INADEQUATE MAINTENANCE OF COMMODITY AND COMMISSARY INVENTORY
The Department of Corrections did not properly maintain its commodity and commissary inventory.
During our commodity and commissary inventory testing at five correctional centers, we noted the following:
• Stateville Correctional Center staff did not enter into the accounting system the general commodity inventory items received or issued during Fiscal Year 2023 and 2024. As a result, the center failed to provide a complete and accurate population of items held in inventory on June 30, 2023, and 2024.
• Twelve of 60 (20%) inventory items selected from inventory records did not agree with physical test counts, resulting in a net variance of $15,407.
• Ten of 60 (17%) inventory items observed for physical test counts while touring inventory
locations did not agree with the inventory records, resulting in a net variance of $4,027.
• We tested 13 items with inventory balances exceeding $5,000 which appeared to be overstocked as of June 30, 2024, and noted Stateville and Danville Correctional Centers held more than one year’s supply of inventory for 5 (38%) items totaling an excess amount of $165,679.
We recommended the Department improve its centralized oversight function related to inventory to allow for adequate controls, compliance with procedures and rules, as well as provision of guidance, reminders, and assistance to the Center’s staff. We also recommended the Department ensure staff are adequately trained on inventory policies and procedures, to ensure inventory and records are properly maintained.
Department management accepted the recommendation and noted the Correctional Centers are required to count inventory at the end of each month and reconcile inventory records to physical counts at that time. Management further stated the auditors counted samples of inventory during the month in most cases, which caused the discrepancies since the inventory was actively being received and/or sold. Management also stated staff have been trained on the use of the ERP system in the Stateville and Danville locations.
In an accountant’s comment, we noted the inventory exceptions were communicated to the Centers and Department at the time of testing, but they were unable to provide support to resolve these discrepancies.
INADEQUATE CONTROLS OVER ACCOUNTS RECEIVABLE
The Environmental Protection Agency did not have adequate controls over the administration of its accounts receivable.
Excluding receivables from the Water Revolving Fund and the Environmental Protection Trust Fund, the Agency reported $47.7 million in accounts receivable, of which $13 million was over one year past due as of June 30, 2024.
During testing, the auditors noted the following:
• Two of 40 (5%) accounts receivable tested, amounting to $222,951, were 13 and 14 years past due. The Agency had not made active collection efforts during the examination period or referred the accounts to the Comptroller’s Offset System, Department of Revenue’s Debt Collection Bureau, or the Attorney General.
• Three of 40 (8%) accounts receivable tested, totaling $13,869, were placed in the Comptroller’s Offset System 106 to 5,453 days after the due dates.
• One (3%) receivable was overstated by $79,646.
• For four of 40 (10%) accounts receivable totaling $5,109,241, the Agency did not provide documentation to determine if the Agency pursued collection efforts.
We recommended the Agency pursue all reasonable and appropriate procedures to collect outstanding debts as required by Agency policies and State laws and regulations. We also recommended the Agency maintain records of accounts receivable and documentation of its collection efforts and ensure receivables are properly recorded.
Agency officials accepted the recommendation and stated the Agency has made great progress on removing old account receivable balances.
INADEQUATE CONTROLS OVER ACCOUNTS RECEIVABLE AND NON-SUFFICIENT FUNDS CHECKS
The Department of Financial and Professional Regulation did not maintain adequate internal controls over its accounts receivable and non-sufficient funds (NSF) checks during the examination period.
During testing of 40 accounts receivables, we noted the following:
• Twenty-six of 33 (79%) accounts receivable with balances greater than $250 and more than 90 days past due, totaling $424,920, had not been posted to the Office of Comptroller's Illinois Debt Recovery Offset Portal (IDROP) system.
• Fourteen of 22 (64%) accounts receivable which were 360 days past due, with balances greater than or equal to $1,000, totaling $410,127, had not been referred to the Attorney General for write-off certification.
• Eight of 22 (36%) accounts receivable which were 360 days past due, with balances less than $1,000, totaling $4,377, had not been certified by the Department for write-off.
• All 22 (100%) accounts receivables that were 360 days past due, totaling $414,504, had not been referred to the Department of Revenue’s Debt Collection Bureau.
During our testing of 40 NSF checks, we noted the following:
• In 26 (65%) NSF checks, totaling $67,076, applicants were not notified when the check had been determined as insufficient.
• In 14 (35%) NSF checks, totaling $12,303, applicants were notified beyond 359 days after the check had been determined as insufficient. In addition, 2 of the 14 (14%) applicants had active licenses during the examination period despite no alternative payments being received.
We recommended the Department establish and implement standardized accounts receivable collection and write-off policies and address staffing shortages to ensure timely referral, certification, and write-off of past due accounts in compliance with statutory requirements. Additionally, we recommended the Department ensure timely follow-up actions are taken and proper procedures are consistently followed over its NSF checks.
The Department accepted the finding and indicated the Department is in the process of performing a comprehensive review of all outstanding receivables to identify items that should be referred for further collection efforts or written off.
INADEQUATE CONTROLS OVER STATE PROPERTY
The Illinois State Police did not maintain adequate controls over its reporting and monitoring of State property.
Due to the conditions identified below, we were unable to conclude whether the Department’s populations were sufficiently precise and detailed under the Attestation Standards promulgated by the American Institute of Certified Public Accountants (AT-C § 205.36) to test the Department’s controls over State property.
Even given the population limitations noted above, which hindered the ability of the accountants to conclude whether selected samples were representative of the population as a whole, we performed the following tests:
During testing of the Discrepancy Reports submitted by the Department to the Comptroller’s Office during Fiscal Years 2023 and 2024, we noted the following:
• The Fiscal Year 2023 Discrepancy Report included 283 missing items totaling $379,133 which were still included in the Fiscal Year 2024 Discrepancy Report.
• The Fiscal Year 2023 Discrepancy Report included 587 missing items totaling $914,571 which were still included in the Department’s asset inventory as of June 30, 2023.
• The Fiscal Year 2024 Discrepancy Report included 398 missing items totaling $1,077,482 which were still included in the Department’s asset inventory as of June 30, 2024.
In addition, the Department was unable to reconcile the differences noted between the Object Expense/Expenditures by Quarter Report (SA02) and the Department’s Report of State Property (C-15) reports. The Department had $34,866,983 and $42,055,433 in gross equipment and electronic data processing expenditures in the SA02 reports for Fiscal Year 2023 and 2024, respectively. However, the Department’s reported additions in the C-15 reports for Fiscal Year 2023 and 2024 were $30,576,892 and $44,137,242, respectively.
The Department did not have adequate controls over lost or missing property items. We noted 37 of 50 (74%) items listed as lost or missing could possibly have confidential information stored in them. The Department was unable to identify the use or the type of data stored or placed on these items. These items included servers, computers, laptops, tablets, and a video camera with a memory card.
During testing of 60 equipment deletions, we noted the following:
• Two (3%) equipment items, totaling $19,026, were deleted from the Department’s property records, 29 and 39 days late.
• Two (3%) equipment items deleted from the Department’s property records, totaling $12,672, were missing the related Request for Deletion from Inventory Form (ISP Form 2-664).
• For one (2%) equipment item deleted, the Department was unable to provide support for the value of the asset.
During our property observation, we noted the following:
• One of 60 (2%) items tested (a mobile radio), valued at $3,578, was not found.
• One of 60 (2%) items located within the Department (a scanning device) was not tagged. Thus, auditors were unable to determine whether the equipment was recorded in the property listing.
• There were 23 equipment items (scientific equipment, generators, power supplies, and cabinet), totaling $306,133, considered transferable and no longer in use by the Department. However, the items remained in the Department’s property records and had not been transferred to the Department of Central Management Services (CMS) for possible disposal through the surplus process.
We recommended the Department strengthen its controls over State property by performing thorough reviews of the data it uses for the Discrepancy Reports and reconciliations. We also recommended the Department develop procedures to promptly assess whether an electronic device may have contained confidential information whenever it is reported lost, stolen, or missing during the annual physical inventory, and document the results of the assessment. Finally, we recommended the Department strengthen its controls on monitoring missing properties and obsolete items to ensure accurate and timely recordkeeping and accountability for all State assets.
The Department concurred with our recommendation and acknowledged the need to strengthen controls over State property to ensure accurate and complete reporting.
INADEQUATE CONTROLS OVER STATE PROPERTY
The Department of Juvenile Justice did not maintain adequate documentation and control over its State property during the examination period.
Some of the more significant issues we noted follow:
• During our testing, we requested the Department provide a population related to its State property. The Department provided a property listing as of Fiscal Years 2023 and 2024. However, from our review of the population for both fiscal years, we noted 410 equipment items amounting to $91,184 were deemed unlocated property. While these items are segregated in the Department’s equipment records and assigned its own location code, these should have been removed from the property records as these were determined to be unlocated.
• During the property forwards and backwards testing, we noted the following:
– 13 of 60 (22%) equipment items selected from the property listing were unable to be located. These exceptions were noted at the Admin Office in Springfield, Youth Centers in St. Charles, Harrisburg, and Chicago, and the Aftercare Centers in Chicago and Chicago Heights.
– Four of 120 (3%) equipment items selected from the property listing and from the various locations throughout the Department were not reported in the Annual Inventory Certification submitted to the Central Management Services (CMS). These items are below $2,500 but considered high theft. These exceptions were noted at the Youth Centers in St. Charles and Harrisburg, and the Aftercare Centers in Chicago and Chicago Heights.
– Seven of 120 (6%) equipment items selected from the property listing and from the various locations throughout the Department were found in a different location as compared to the property system record. These exceptions were noted at the Aftercare Centers in Chicago, Chicago Heights and Peoria.
– Seven of 60 (12%) equipment items selected from the various locations throughout the Department were physically found but not reported on property records. These items are either above $2,500 or considered high theft.
These exceptions were noted at the Youth Centers in St. Charles and Chicago, and the Aftercare Center in Chicago Heights.
• During the property observation at the Aftercare Center in Chicago, it was noted that many ceiling covers and panels in one of the cubicle areas of the facility are out of place and showed signs of water damage.
• During the property observation at the Youth Center in St. Charles, we noted four unused, condemned, or worn-down buildings in need of repairs, demolition, or significant improvement.
• During testing of the Agency Report of State Property (C15) for Fiscal Year 2023, we noted the following:
– Inaccurate reporting of Additions in Fourth Quarter Form C-15, resulting in understatement of $59,460. The correct amount should be $66,067 but the reported amount is $6,607.
– Property transferred in were not reported in First Quarter and Fourth Quarter Form C-15, resulting in understatement of $24,146 and $1,042, respectively.
– Quarter Form C-15 Deletions amount not matching to total deletions per supporting documentation, resulting in overstatement of the deletions amount by $7,941 in Form C-15.
• During testing of the Agency Report of State Property (C15) for Fiscal Year 2024, we noted the following:
– For Third Quarter Form C-15, the Previous Quarter's Capital Development Board’s (CDB) Transfers In amount was not reported in the Current Quarter’s Net Transfers amount, resulting in understatement of $343,437.
– Property transferred out was not reported in the First Quarter Form C-15, resulting in understatement of the deletions amount by $36,845.
• During testing of Fiscal Year 2023 Annual Inventory Certification (Certification), it was noted the total Agency Inventory Items per the Certification did not agree with the supporting documentation, resulting in a difference of 661 items and overstatement of $1,555,412 in the Certification.
• During property testing of 60 deletions, we noted the following:
– For 14 (23%) deletions tested, the Request for Change of Status of Equipment (DJJ 0013) was not signed. As such, we were unable to test timeliness of recording of the deletion.
– For 35 (58%) deletions tested, the DJJ 0013 could not be provided. As such, we were unable to perform further testing.
– For two (3%) deletions tested, the Surplus Delivery Form from the CMS Asset Works System could not be provided.
We recommended the Department strengthen its controls over maintaining, recording, and reporting its State property and equipment by reviewing its inventory and recordkeeping practices to ensure compliance with State Laws and regulations. We further recommended the Department ensure all property transactions are accurately and timely recorded on the Department’s property records.
The Department accepted our recommendation.
VOUCHER PROCESSING INTERNAL CONTROLS NOT OPERATING EFFECTIVELY
The Illinois Department of Veterans Affairs’ internal controls over its voucher processing function were not operating effectively during the examination period.
Due to our ability to rely upon the processing integrity of the Enterprise Resource Planning (ERP) System operated by the Department of Innovation and Technology (DoIT), we were able to limit our voucher testing at the Department to determine whether certain key attributes were properly entered by the Department’s staff into the ERP System.
Our testing noted 4 of 140 (3%) attributes were not properly entered into the ERP System. Therefore, the Department’s internal controls over voucher processing were not operating effectively.
Due to this condition, we qualified our opinion because we determined the Department had not complied, in all material respects, with applicable laws and regulations, including the State uniform accounting system, in its financial and fiscal operations.
Even given the limitations noted above, we conducted an analysis of the Department’s expenditure data for Fiscal Years 2023 and 2024 to determine compliance with the State Prompt Payment Act and the Illinois Administrative Code and noted the following noncompliance:
• The Department owed 27 vendors interest totaling $5,944 in Fiscal Years 2023 and 2024; however, the Department had not approved these vouchers for payment to the vendors.
• The Department did not timely approve 3,110 of 33,172 (9%) vouchers processed during the
examination period, totaling $14,765,270. These vouchers were approved between 1 and
446 days late.
We recommended the Department design and maintain internal controls to provide assurance its data entry of key attributes into the ERP System is complete and accurate. Further, we recommended the Department approve proper bills within 30 days of receipt and approve vouchers for payment of interest due to vendors.
The Department accepted our recommendations.
INTERNAL AUDIT DEFICIENCIES
Governors State University had deficiencies within its internal audit activities for Fiscal Year 2024.
During our testing, we noted the following:
• Three of 4 (75%) audit reports had not been
provided to the auditors. Additionally, the internal audit workpapers for two sample audit reports remain outstanding. The University’s Chief Internal Auditor (CIA) reported four complete audits in the annual report dated September 30, 2024 to the University’s President.
• The University’s internal audit function failed to conduct a new external assessment during the examination period as required. The last external assessment was conducted in July 2018. Additionally, the annual audit report dated September 30, 2024, incorrectly stated that internal audit engagements were conducted in accordance with International Standards for the Professional Practice of Internal Auditing (IPPIA).
We recommended the University improve its procedures to ensure timely finalization of its audit documentation. We further recommended the University to conduct a periodic external assessment of the internal audit function, in compliance with the IPPIA standards.
University officials agreed with the finding and stated the University will work toward full compliance.
INADEQUATE INTERNAL CONTROL OVER COMMODITIES
The Department of Military Affairs did not exercise adequate internal control over its
commodities inventories.
The Department used a web-based database for tracking commodities inventory. The database allowed Readiness Centers’ (armories) Managers throughout the State to email orders to the Storekeeper and the Department to maintain an items-on-hand count.
During our testing, we noted the Department performed an inventory count in Fiscal Year 2024 but did not prepare a reconciliation to identify differences with its system records. On July 30, 2024, the Department performed another inventory count and noted differences on six (6%) of 96 commodities amounting to $1,672.
Due to this condition, we were unable to conclude whether the Department’s population records were sufficiently precise and detailed under the Attestation Standards promulgated by the American Institute of Certified Public Accountants (AT-C § 205.36) to test the Department’s year end commodities inventories balances.
We recommended the Department implement procedures to maintain accurate records of its commodities inventory and reconcile its inventory records as required.
The Department accepted our recommendation.
NONCOMPLIANCE WITH THE ADULT PROTECTIVE SERVICES ACT
The Department on Aging did not comply with notification requirements of the Adult Protective Services Act.
During testing, we noted for two of 60 (3%) case investigations on abuse, abandonment, neglect, or financial exploitation of an eligible adult, the Department could not provide evidence of the Department having notified the eligible adult, or an eligible adult's guardian or agent, cared for by the caregiver, of the occurrence, that his or her
caregiver’s name may be placed on the Adult Protective Service Registry (Registry) based on a verified and substantiated finding of abuse, abandonment, neglect, or financial exploitation of an eligible adult.
We recommended the Department either comply with notification requirements of the Act itself,
or it should implement internal controls to adequately monitor the Adult Protective Services providers to ensure the notification requirements of the Act are met.
Department management partially concurred with this finding, stating the Department has robust monitoring, quality assurance, and educational initiatives in place as controls to ensure compliance with this requirement. Additionally, the Department stated, aside from the fact it is the provider versus the Department that provides the notice to an individual, the Department respectfully submitted that one instance should not rise to the level considered for material non-compliance.
In an accountant’s comment, we stated while we acknowledge the Department's monitoring, quality assurance, and education initiatives designed to support compliance, this requirement serves as a critical safeguard for vulnerable individuals and is fundamental to the integrity of the program; therefore, even two instances of noncompliance is significant and warrants a material classification.
NONCOMPLIANCE WITH STATUTORY MANDATES
The Department of Commerce and Economic Opportunity did not comply with various statutory mandates.
A few issues auditors noted during testing of statutory mandates are as follows:
• The Department’s official website did not contain a comprehensive list of State, local, and federal economic benefits available to businesses in each of the State’s counties and municipalities.
• The Department did not establish a freight rate information service for U.S. and foreign shippers in cooperation with the Department of Agriculture and the International Trade and Port Promotion Advisory Committee.
• The Department did not create the Clean Water Workforce Pipeline Program.
• The Department did not prepare uniform budgetary forms for use by the local governments of the State, was not a repository for financial reports and statements required by law of local governments of the State, and did not publish financial summaries of those reports and statements.
We recommended the Department seek or allocate resources to comply with its statutory requirements or seek a legislative remedy as appropriate.
The Department agreed with the finding and recommendation.
INADEQUATE CONTROLS OVER PROCUREMENT CARD USE
Northern Illinois University has not established adequate controls over its Commercial Card Program (P-Cards).
The University operates a P-card system that allows individuals throughout the University to make small purchases (defined as less than $5,000) on a credit card, which is directly paid by the University on a monthly basis. The University’s policies require employees allowed a P-card to complete training on P-card procedures and sign an agreement stipulating they will use the card in accordance with the University’s policies. The agreement must also be approved by the employee’s manager prior to the P-card being issued. The University’s policies require all transactions on a card to be approved by the cardholder’s manager. Receipts and other related support for the transaction must be provided to the manager for review with the transaction and retained. There were 437 cardholders with transactions during the period of examination who incurred a total of $10,839,407.
During our review of a sample of 60 P-card transactions, totaling $48,911, made by 60 employees, we noted the following:
• Six transactions (10%), totaling $8,935, had no record of being approved, and there has been no proper segregation of duties over these transactions.
• 27 transactions (45%), totaling $15,155, were not approved timely. The approvals ranged from one to 28 days late.
• Four employees (7%) did not sign the commercial card agreement acknowledging that they will follow the P-card policies and procedures.
• One employee (2%) did not complete the annual required refresher training on P-card procedures.
We recommended the University enhance its controls over the processing of commercial card program transactions to ensure employees comply with policies and procedures.
University officials accepted the recommendation.
INADEQUATE CONTROLS OVER PROPERTY AND EQUIPMENT
The University of Illinois did not comply with requirements applicable to its property and equipment.
We tested a sample of 60 items included in the University’s records to determine whether the equipment existed as of the University’s fiscal year-end. As a result of our testing, we noted the following:
• Two pieces of non-data storing equipment (totaling $1,084,288) had been provided to another University. The equipment was still included on the University’s year-end equipment listing at the Urbana-Champaign campus.
• One piece of non-data storing equipment (totaling $84,274) did not have proper documentation supporting the disposal. The equipment was still included on the University’s year-end equipment listing at the Chicago campus.
Additionally, the University’s certification of inventory as of June 30, 2024, which includes all equipment with an acquisition cost greater than $2,500 and all high theft equipment, disclosed 7 other items totaling $31,870 which could not be located out of the University’s $2,331,739,048 equipment inventory.
We recommended the University review its process for ensuring all equipment records are accurately maintained and updated in a timely manner. We also recommended the University strengthen its internal control over the accountability of University equipment.
University officials accepted the recommendation.
LATE PAYMENT OF STATUTORILY MANDATED TRANSFERS
The Office of Comptroller did not ensure all statutorily mandated transfers between State funds were made within established timeframes, as required.
The Office processed transfers from 34 to 365 days after the mandated transfer date. The late transfers outstanding as of and paid after June 30, 2024 totaled $448 million. The Office also made 207 late transfers, totaling $539 million, between State funds that were made between one and 30 days after the statutorily mandated transfer date. Lastly, we noted 68 late transfers, totaling $383 million, which were still outstanding as of October 18, 2024, relating to fiscal year 2024 and fiscal year 2023.
We recommended the Office make transfers within timeframes established by applicable statutes.
While we realize the lack of available funds in the State Treasury requires prioritization and cash management decisions, we recommended the Office continue in its efforts to make transfers in as timely a manner as possible.
Office officials accepted the recommendation and stated the Office will continue in its effort to make the required transfers timely but given all the competing payments from limited resources in the State Treasury there will always be some transfers pending until funds are available, or when needed. Office officials also stated most GRF transfers were made by the end of June 30, 2024 and the few pending GRF transfers were not delayed and the pending non-GRF transfers, especially those for capital obligations, will be processed upon collaboration with the respective State agencies. Office officials further stated the Office staff continues to work together with various State fiscal officers on a regular ongoing basis to manage the processing of such transfers throughout the fiscal year to avoid disruptions in the delivery of State services or programs.
INADEQUATE CONTROLS OVER PERSONAL SERVICES
The Illinois Gaming Board did not maintain adequate controls over personal services.
During testing of personnel records for 37 employees, we noted the following:
• Four (11%) employees were not evaluated during Fiscal Year 2023.
• Nine (24%) employees were not evaluated during Fiscal Year 2024.
• One (3%) employee’s Fiscal Year 2023 evaluation was not completed in a timely manner. The
evaluation was completed 170 days late.
• One (3%) employee did not complete the U.S. Citizenship and Immigration Services (USCIS) I-9 Employment Eligibility Verification (I-9) form, before the end of their first day. The employee signed Section 1 of the Form I-9 6 days late.
• One (3%) employee did not complete the required annual harassment and discrimination prevention training program.
We recommended the Board timely conduct annual performance evaluations in accordance with the Code and Handbook, ensure compliance with annual harassment and discrimination prevention training, and revise procedures over the preparation and review of Form I-9s to ensure compliance with the USCIS requirements.
The Board agreed with our recommendation and stated the Board will continue to work with its supervisors to meet performance evaluation deadlines, implement steps to identify and correct errors regarding Form I-9s, and improve controls over monitoring compliance with employee training requirements.
INADEQUATE CONTROLS OVER EQUIPMENT
The Illinois Law Enforcement Training and Standards Board did not maintain sufficient controls over its equipment and related fiscal records.
We noted several deficiencies and weaknesses within the Board’s property control process.
During testing, we noted the following inaccuracies in the quarterly Agency Report of State Property reports (Form C-15s) filed with the Office of Comptroller:
• The property additions, totaling $83,950, were reported twice on the Board’s Form C-15s submitted to the Comptroller for both the third and fourth quarters in Fiscal Year 2024.
• Eight property deletions, totaling $4,415, were reported twice on the Board’s Form C-15s submitted to the Comptroller for both third quarters in Fiscal Year 2023 and Fiscal Year 2024.
• Seven property deletions, totaling $4,696, were erroneously included on the Board’s Form C-15 submitted to the Comptroller for the fourth quarter in Fiscal Year 2024.
Due to the conditions noted above on Form C-15s, we were unable to conclude whether the Board’s population records to support the property additions and deletions during the examination period were sufficiently precise and detailed under the Attestation Standards promulgated by the American Institute of Certified Public Accountants (AT-C § 205.36) to test the Board’s property additions and deletions.
Even given the population limitations noted above which hindered our ability to conclude whether the Board’s population records for property additions and deletions were complete and accurate, we performed testing of equipment items added and deleted during the examination period.
During testing of 60 equipment items added to the property records during the examination period, we noted the following:
• For eight (13%) equipment items, totaling $3,263, the Board was unable to provide invoices. As a result, we were unable to determine if the assets were recorded at their proper values in the Board’s property control records.
• For six (10%) equipment items, totaling $10,776, delivery charges were not included in the acquisition value of the equipment.
• 13 (22%) equipment items, totaling $4,990, were added to the Board’s property records between 26 and 2,818 days late after the actual delivery date of the equipment.
• Five (8%) equipment items, totaling $5,295, were not recorded at their proper values in the Board’s property control records.
During testing of nine equipment deletions, we noted the following:
• One (11%) equipment item, amounting to $41,000, was removed from the Board’s property records 454 days late.
We recommended the Board strengthen its controls over recording and reporting of its State property and equipment transactions. Furthermore, we recommended the Board implement a corrective action plan to identify and correct its accumulated property and equipment errors.
Board officials accepted the finding and indicated the Board acknowledged the importance of accurate recording and reporting of property and equipment transactions. Board officials also stated the Board was in the process of reviewing and enhancing its internal controls related to property and equipment to ensure compliance with applicable requirements. Finally, Board officials stated the Board would develop and implement a corrective action plan to identify and address any accumulated errors and improve ongoing accuracy in reporting.
FEDERAL AUDITING
STATEWIDE SINGLE AUDIT UPDATE
The purpose of the Statewide Single Audit is to fulfill the State mandate in accepting federal funding. It includes all State agencies that are part of the primary government and expend federal awards.
In our most recently completed Statewide Single Audit, we noted a total of 44 Illinois State agencies expended federal financial assistance in Fiscal Year 2023, and the Schedule of Expenditures of Federal Awards for the year ended June 30, 2023 reflected total expenditures of $44.825 billion. Overall, the State participated in 348 different federal programs provided by 25 different federal agencies; however, 10 of these programs or program clusters accounted for 83.1% of the total federal award expenditures.
Overall, 10 State agencies accounted for approximately 96.6% of all federal dollars spent during Fiscal Year 2023.
Our report contained 46 findings related to 9 State agencies.
The Statewide Single Audit of Fiscal Year 2024 is not yet complete due to a number of factors, but we expect to release that report publicly as soon as practical following the completion of the audit.
THE PERFORMANCE AUDIT PROGRAM
Performance audits are conducted at the request of legislators to assist them in their oversight function. Based on the scope specified in the resolution or the law requesting the audit, State agencies’ programs, functions, and activities are reviewed. The audits determine if the services are provided as intended by the General Assembly and directly impact and improve agency operations.
The General Assembly uses performance audit information to develop legislation, to deal with budgetary issues, and to direct agencies to improve programs. Some audits produce immediate changes. In other instances, significant changes may not be seen for several years. The length of time it takes to see changes is due to the process of transforming the audit findings and recommendations into legislative bills and converting bills into law; additionally, once a law is implemented, the effects may not be apparent for some time.
The National State Auditors Association (NSAA) established the Excellence in Accountability Awards Program in 2003 to recognize outstanding performance audits and special projects.
Performance audits performed by the Office of the Auditor General (OAG) have received six NSAA awards in past years:
|
2021 |
Department of Children and Family Services Investigations of Abuse and Neglect (released in 2019) |
|
2015 |
Neighborhood Recovery Initiative (released in 2014) |
|
2013 |
Department of State Police’s Administration of the Firearm Owner’s Identification Act (released in 2012) |
|
2008 |
Mass Transit Agencies of Northeastern Illinois: RTA, CTA, Metra, and Pace (released in 2007) |
|
2005 |
Rend Lake Conservancy District (released in 2004) |
|
2004 |
Illinois State Toll Highway Authority (released in 2003) |
Another national organization, the National Legislative Program Evaluation Society (NLPES), also has an Impact Award which is given annually to audits that demonstrate significant dollar savings, program improvements, or impact from The OAG has received 24 NLPES Certificate of Impact awards since the program’s inception, including the following audits over the last 10 years:
|
2025 |
State’s Response to the COVID-19 Outbreak at the LaSalle Veterans’ Home (released in 2022) |
|
2024 |
Department of Children and Family Services Child Safety and Well-Being (released in 2022) |
|
2023 |
Firearm Owner’s Identification Card and Concealed Carry License Program (released in 2021) |
|
2022 |
Department of Children and Family Services LGBTQ Youth in Care (released in 2021) |
|
2021 |
Department of Children and Family Services Investigations of Abuse and Neglect (released in 2019) |
|
2020 |
Legionnaires’ Disease at the Quincy Veterans’ Home (released in 2019) |
|
2019 |
Medicaid Managed Care Organizations (released in 2018) |
|
2017 |
College of DuPage (released in 2016) |
PERFORMANCE AUDITS COMPLETED IN 2025
The Auditor General released three performance audits and three reviews in 2025. The performance audits released are listed below. Performance audits released in 2025 included 18 recommendations for improvement.
HEALTH BENEFITS FOR IMMIGRANT SENIORS AND ADULTS
On November 7, 2023, the Legislative Audit Commission adopted Resolution Number 165, which directed the Office of the Auditor General to conduct a performance audit of the Illinois Department of Healthcare and Family Services’ (HFS’) administration of the program of Medicaid services and coverage provided to undocumented immigrants.
In 2020, Illinois began to expand healthcare coverage to noncitizen immigrants. The first
expansion, the Health Benefits for Immigrant Seniors program (HBIS), began in December 2020, and covered adult seniors 65 years of age and older. The second expansion began in May 2022 and covered immigrant adults between the ages of 55 and 64. The most recent expansion began in July 2022 and covered immigrant adults between the ages of 42 and 54. These two expansions are both part of the Health Benefits for Immigrant Adults program (HBIA).
The audit found:
• Actual enrollment and actual costs exceeded the initial program estimates for both the HBIS and HBIA programs. Regarding estimated number of enrollees, in FY23:
– for HBIS (65+), the initial estimated number of enrollees was 6,700, while the actual number enrolled was 15,831;
– for HBIA (55-64), the initial estimated number of enrollees was 8,000, while the actual number enrolled was 17,024; and
– for HBIA (42-54), the initial estimated number of enrollees was 18,800, while the actual number enrolled was 36,912.
• Regarding the initial cost estimates for all three Fiscal Years 2021, 2022, and 2023:
– for HBIS (65+) the total estimate was $224.0 million, while the actual total cost was $412.3 million or 84 percent higher;
– for HBIA (55-64) the total estimate was $58.4 million, while the actual total cost was $223.1 million or 282 percent higher; and
– for HBIA (42-54) the total estimate was $68.0 million, while the actual total cost was $262.2 million or 286 percent higher.
• In FY21, 6,884 individuals were enrolled in HBIS (65+). HBIS (65+) enrollment increased to 11,362 in FY22, 15,831 in FY23, and decreased to 11,464 in FY24. The HBIA (55-64) enrollment increased from 6,675 in FY22 to 17,024 in FY23, before decreasing to 13,596 in FY24. The HBIA (42-54) enrollment increased from 5,823 in FY22 to 36,912 in FY23, before decreasing to 27,941 in FY24. According to HFS officials, the FY24 numbers exclude those who have been removed from the program due to redetermination or due to the change in eligibility that removed legal permanent residents from the program.
• In total, from FY21 through FY23, the expanded programs for immigrant seniors and adults cost just under $898 million. The cost for all three levels increased greatly in FY23. The HBIA
(42-54) level was the largest and most costly in FY23 at $244 million. The HBIS (65+) level cost $211 million, and the HBIA (55-64) level cost $189 million in FY23. The cost for FY24 increased from FY23. In FY24, the HBIA (42-54) level was the most costly at almost $312 million. The HBIS (65+) level cost $211 million, and the HBIA (55-64) level cost $196 million in FY24.
• For Fiscal Years 2021, 2022, and 2023, the three largest costs were for outpatient services, inpatient hospital services, and pharmacy services. Beginning in FY24 with the conversion to managed care, capitation payments became the largest cost at $265 million. Outpatient services ($145 million), inpatient hospital services ($94 million), and pharmacy services ($106.8 million) were the next highest costs. The total cost for the HBIS and HBIA programs since inception was just over $1.6 billion.
• According to HFS, the redetermination process reviewed 64,244 HBIS and HBIA enrollees. HFS removed a total of 21,362 HBIS and HBIA enrollees as of January 2025. In total, 19,872 were removed from HBIS and HBIA for eligibility or procedural reasons, which involved not responding to redetermination requests. Additionally, another 1,490 were removed and were enrolled in another program.
• Inpatient reimbursement through fee-for-service payments for services provided within the Cook County Health and Hospital System or the University of Illinois Hospital System are subject to enhanced rates established by HFS by rule. According to HFS, the rates paid for HBIS and HBIA to enhanced rate hospitals are the same as is paid for Medicaid.
• Auditors reviewed the eligibility data as of June 30, 2023, and identified 478 enrollees with two or more Recipient Identification Numbers. This was due to poor data entry and a lack of internal
controls or system edits over the entry of this information.
• During a review of the enrollment data, auditors identified 6,098 enrollees designated as “undocumented” who also had a Social Security Number. Auditors provided the 6,098 enrollees to HFS asking whether enrollees classified as undocumented enrollees should also have a Social Security Number. HFS officials reviewed and provided responses for a sample of 94 enrollees. Auditors determined that 19 of the 94 should have been recorded in the system as lawfully present or as being a legal permanent resident, not undocumented. This is an important distinction as after five years in the country, legal permanent residents become eligible for Medicaid and thus the State would receive federal matching dollars.
• Auditors identified 688 enrollees who were enrolled in the HBIS (65+) program who were not 65 years of age or above. These 688 exceptions were provided to HFS for comment. After HFS’ review of 151, it was determined that 79 were signed up in error. Many of the errors occurred from incorrect birthdates provided by the enrollee, which were later corrected when documentation was provided.
• During a review of the enrollment data, auditors identified 394 enrollees who appeared to have been enrolled in HBIS or HBIA after they had been in the country legally for over five years. These individuals are eligible for Medicaid, thus the State would receive federal matching dollars. These exceptions were provided to HFS for review and comment. HFS reviewed a sample of 17 and determined that 13 were approved incorrectly. Allowing ineligible enrollees in State-only funded programs should be avoided when possible.
The audit report contained two recommendations directed to the Illinois Department of Healthcare and Family Services. The Department agreed with the recommendations.
MEDICAID ELIGIBILITY DETERMINATIONS FOR LONG-TERM CARE
On August 25, 2017, the Governor signed into law Public Act 100-380, which amended the Illinois Public Aid Code. This amendment to the Illinois Public Aid Code requires that beginning July 1, 2017, the Auditor General is to report every three years to the General Assembly on the performance and compliance of the Department of Healthcare and Family Services (HFS), the Department of Human Services (DHS), and the Department on Aging (DoA) in meeting the requirements placed upon them by Section 11-5.4 of the Illinois Public Aid Code and federal requirements concerning eligibility determinations for Medicaid long-term care services and supports.
This is the third audit (CY21-CY23) on their performance and compliance related to Medicaid eligibility determinations for long-term care. The first audit (CY15-CY17) was released in March 2019 and contained eight recommendations. The second audit (CY18-CY20) was released in September 2022 and contained five recommendations.
The audit found:
• During this audit, issues related to the Integrated Eligibility System (IES) continued to be identified. These issues surrounded the system’s internal controls as well as the completeness of the data provided. Due to these issues, we determined reviewing the entire population of the applications data would not provide accurate results for the purposes of this audit and instead performed sample testing.
• For the 50 applications tested, we found that 11 applications (22%) were pending past the required number of days. On average, it took 41 days from receipt of application to decision. Three different reports produced by HFS (backlog reports, monthly reports, and weekly reports) all indicated applicants were not receiving their determinations of eligibility in a timely manner, particularly after the end of the Public Health Emergency. Consequently, the status of the prior recommendation on the timeliness of eligibility determinations was determined to be partially implemented.
• DHS and HFS noted that an IES system enhancement was established to address the processing delays related to OIG asset investigations. However, applications involving HFS OIG asset discovery investigations continued to be overdue during this audit period. The prior audit found that all 16 applications involving asset discovery investigations were not completed in a timely manner. For this audit, we tested 17 cases referred to the HFS OIG in calendar year 2023 to follow up on this recommendation. During this testing, we found that 8 of the 17 applications were not completed in a timely manner, ranging from 14 to 156 days overdue.
• In addition, multiple issues were identified for these HFS OIG cases during our review. These issues included incorrect information in IES and a lack of controls in IES. As a result, the status of the recommendation on processing delays related to HFS OIG asset discovery investigations was determined to be partially implemented.
• Although HFS noted that a system enhancement was implemented in IES to address the prior audit recommendation regarding extension tracking, the testing results showed the enhancement was not fully effective. For the 10 extension cases reviewed, 5 applications (50%) had issues with inaccurate IES data, including granting one 60-day extension. While there continued to be cases with inaccurate IES data, there was improvement over the prior audit. Also, we found no examples of more than two extensions or extensions that were not in IES. As a result, the status of the recommendation on extension tracking was determined to be partially implemented.
• HFS is not posting the LTC reports on a monthly basis as required by the Illinois Public Aid Code. HFS completed reports for 28 of the 36 months (78%) during the audit period. We also requested documentation to support the posting of the monthly reports completed during calendar years 2021 to 2023. HFS was only able to provide documentation for 5 of the 28 (18%) reports.
• The prior audit found the LTC monthly reports did not contain all elements as required by statute. We reviewed the LTC monthly reports for calendar years 2021 to 2023 and found some required elements were still not included. As a result, the status of this recommendation on the LTC monthly report completeness was determined to be partially implemented.
• During the prior audit, we found the LTC monthly reports were not accurate due to duplicate entries and other issues with the source data. During this audit, we reviewed the monthly reports for calendar years 2021 to 2023 and found similar issues with accuracy that were identified during the prior audit. We also found 19 of 50 applicants tested (38%) had a reported disability, which would allow 60 days for processing those applications.
• We requested LTC data on the total number of redeterminations completed during the audit and found the redeterminations data in the monthly reports did not have any issues with the totals matching. The only remaining issue involved multiple entries, and no reports after February 2023 contained multiple entries. Therefore, the status of the recommendation on the LTC monthly report accuracy was determined to be partially implemented.
• Public Act 100-380 requested the Auditor General to review and evaluate the efficacy and efficiency of the task-based process used for making eligibility determinations in the centralized offices of DHS for LTC services. During this audit period, DHS moved away from the task-based system to a new facility-based system. During the current audit period, the IES reports used to identify work were designed to identify tasks. However, work is assigned to teams based on facilities rather than tasks. After the end of the audit period DHS began re-assessing the reports. Since the reports were not re-designed until after the end of the current audit period, we could not fully assess the efficacy and efficiency of the facility-based approach. Therefore, additional follow-up will need to be conducted during the next audit period.
The audit report contained six recommendations directed to DHS and HFS. DHS and HFS agreed with the recommendations.
STATE’S BEP AND VBP PROGRAMS
On February 20, 2024, the Legislative Audit Commission adopted Resolution Number 166 requiring a performance audit of both the State’s Business Enterprise Program, including the certification program for businesses owned by minorities, women, and persons with disabilities, and the State’s Veterans Business Program for
FY22 and FY23. Auditors established the audit period as FY22-FY24. The Resolution contained six determinations.
The Business Enterprise Program (BEP) and Veterans Business Program (VBP) are administered by the Illinois Commission on Equity and Inclusion (CEI). State agency contracts with a contract value of $100,000 or greater are subject to BEP and VBP goals, unless exempted. The overall statewide goal increased to 30 percent effective January 1, 2022.
The audit found:
• Auditors tested 65 vendor files, including 31 Full BEP/VBP files and 34 Recognition Certification files. Auditors, in most cases, agreed that there was adequate documentation to meet program qualifications; however, based upon available information, auditors could not determine if 3 of the 65 (5%) vendor files tested met the requirements to be qualified for the respective program.
– One Full BEP vendor appeared to be owned by an ineligible owner. The most recent business tax returns provided at the time of certification (2020 and 2021) indicated the ineligible owner was the 100 percent shareholder. The vendor file was missing information, such as individual tax returns, and the certification analyst did not conduct a site visit or any other in-depth interview to assess ownership and control.
– One Full VBP vendor was certified, but auditors could not find documentation to support that: 1) the business had a home office in Illinois; and 2) that the veteran was living in Illinois.
– One BE BEP vendor file lacked evidence of certification by an approved certifying entity.
• Auditors determined that the established certification procedures in place for Full BEP and Full VBP applicants are comprehensive and adequate to assure that businesses are legitimately qualified to participate in the programs; however, auditors encountered a lack of documentation suggesting that established procedures were not always followed. Auditors tested 25 Full BEP and 6 Full VBP and found deficiencies in the vendor files for 15 of the required documentation requirements. Nine of these documentation requirements were missing for just one or two vendors; however, 6 of the 15 documentation requirements were missing from multiple vendor files.
• CEI was unable to provide all requested documents and dates due to a data migration and the inability to access files from the previous system. In addition to the missing documents, CEI was unable to provide various application and No Change Application processing dates, such as date submitted, date(s) of request(s) for information, and date the application was accepted and ready for a Certification Analyst to review. As a result, auditors were unable to calculate the timeliness of the application and No Change Application processes.
• The FastTrack Recognition Certification entities do not have a cap on gross sales as a requirement for certification and allow for higher gross sales than what is allowed through CEI BEP certification. Auditors tested five FastTrack approved vendors and requested all related certification documents. The certification documents auditors received for these five vendors did not include any company income taxes. It is unclear how CEI was confirming and ensuring that the vendor’s gross annual sales did not exceed the gross sales maximum for program eligibility.
• To determine whether certifications are periodically reviewed for continued program participation, auditors reviewed a total of 24 No Change Applications for Full BEP and Full VBP vendor files. Many of the No Change Applications contained all required documents; however, there were some documents missing: 3 out of 24 were missing the no change affidavit, and 9 out of 24 were missing business income taxes.
• CEI officials noted that the list of contracts tracked during FY22-FY24 only included contracts with supplier diversity goals under the Chief Procurement Office for General Services, which does not include all construction and non-construction agencies, boards, commissions, public universities, and community colleges. It is difficult for CEI to monitor compliance with the required BEP goals if contracts from all purchasing entities subject to the BEP Act are not tracked.
• CEI did not have a formalized training process in place for certification staff. Training files for two of six CEI certification staff lacked documentation to support that the staff received training specific to certification. One of these two certification staff was a new employee, and the training files lacked documentation of the training received during the onboarding process.
• Certain policies and procedures were outdated and conflict with current statutory requirements.
• The BEP Act requires the creation of a Special Committee on Minority, Female, Persons with Disabilities, and Veterans Contracting; however, this committee has not met since its inception (30 ILCS 575/8j).
The audit report contained ten recommendations directed to the Commission on Equity and Inclusion. The Commission on Equity and Inclusion agreed with the recommendations.
PERFORMANCE AUDIT FOLLOW-UP
After performance audits are released, the Office conducts follow-up audit work to determine whether the recommendations have been implemented. This follow-up work was formerly presented as part of the Illinois Office of the Auditor General compliance examinations. However, this work is now presented in separate follow-up reports. During 2025, the Office issued nine follow-up reports:
Illinois State Police – released June 2025
• Division of Forensic Services
• FOID Card Act
• FOID and CCL Programs
Department of Commerce and Economic Opportunity – released July 2025
• EDGE Tax Credit Program
• Business Interruption Grant Program
Department of Children and Family Services – released July 2025
• Search for Missing Children
• Placement of Children
• Investigations of Abuse and Neglect
• LGBTQ Youth in Care
REGIONAL OFFICES OF EDUCATION AUDITS
In addition to other duties, the Auditor General has the responsibility for annual audits of the financial statements of the regional superintendent of schools of each educational service region in the State.
There were a total of 38 Fiscal Year 2024 audits the Performance Audit Division had the responsibility for: 35 of Regional Offices of Education (ROEs) and 3 of Intermediate Service Centers (ISCs). Our Office arranged for auditing firms to perform these audits under the general direction and management of the Auditor General’s audit managers.
The FY24 ROE audits released in 2025 contained a total of 16 recommendations for improvement. Most of the recommendations dealt with the ROEs not having sufficient internal controls, including controls over their financial reporting processes.
PERFORMANCE AUDITS IN PROGRESS
IEMA’S ADMINISTRATION OF CONTRACTS AND STAFFING
On May 20, 2024, the Legislative Audit Commission adopted Resolution Number 167, which directed the Office of the Auditor General to conduct a performance of the Illinois Emergency Management Agency’s administration of contracts and staffing. The Resolution directed that the audit, for the period FY22 and FY23, include but not be limited to, the following determinations:
1. An examination of contracts, specifically contracts that include billable hours, to determine: the purpose of the contracts, the extent contracts were monitored, whether billings were adequately supported, and whether all deliverables were met;
2. An examination of the organizational structure at IEMA to determine the number of unfunded positions, the number of funded positions, the number of vacant positions, and whether any IEMA officials/employees had involvement with outside contractors; and
3. The amount of overtime incurred, including an analysis of the types of positions incurring overtime, the approval process for the overtime payment requests, and, if any overpayments have been processed, whether IEMA has collected the overpayments.
DCFS CHILD SAFETY AND WELL-BEING
Public Act 101-0237 was enacted on August 9, 2019, and it amended both the Children and Family Services Act (20 ILCS 505) and the Abused and Neglected Child Reporting Act (325 ILCS 5). The Public Act also directed the Auditor General to conduct a performance audit one year after the effective date of January 1, 2020. The audit is to determine if the Department of Children and Family Services (DCFS) is meeting the requirements of the Public Act. Within two years of the audit’s release, the Auditor General is to conduct a follow-up performance audit in order to determine if DCFS has implemented the recommendations within the initial performance audit. The initial audit was released in May 2022. The follow-up audit is in process.
STATE MONIES PROVIDED TO DISCOVERY PARTNERS INSTITUTE
On April 29, 2025, the Legislative Audit Commission adopted Resolution Number 168, which directed the Office of the Auditor General to conduct a performance audit of the State monies provided to the Discovery Partners Institute (DPI) and the Illinois Innovation Network to examine the entities’ purpose and handling of funds appropriated by the General Assembly. The audit was to specifically include, but not be limited to, the following
determinations:
1. A comprehensive accounting of all expenditures of State monies by the Discovery Partners Institute and the Illinois Innovation Network, assessing the adequacy and appropriateness of these expenditures;
2. A thorough evaluation of the allocation, utilization, and monitoring of the $500 million appropriated to the Department of Commerce and Economic Opportunity and the Capital Development Board by the Illinois General Assembly, ensuring accuracy and accountability; and
3. An assessment of DPI’s Purpose, Goals, and Impact to include documentation of DPI’s original stated purpose and objectives at its inception; records of any mission, strategic, or operational changes since the initiative began; performance assessments highlighting progress made toward achieving stated goals; and an assessment on the impact of any changes to its mission and projects since inception on the initiative and its funding to determine if DPI is meeting the purposes for which State monies were provided.
EMERGENCY PROCUREMENTS
On August 22, 2025, the Legislative Audit Commission adopted Resolution Number 169, which directed the Office of the Auditor General to conduct a performance audit of emergency procurements. The audit was to specifically include, but not be limited to, the following determinations, for the period FY24 and FY25:
1. Whether statutory requirements and administrative rule requirements related to emergency procurements are being followed;
2. Whether emergency procurements examined fall within the definition of an emergency procurement;
3. Identify emergency procurements that appear to constitute an abuse of the Illinois Procurement Code section on emergency purchases; and
4. An examination of estimated costs versus actual costs.
REGIONAL OFFICES OF EDUCATION
Since 2002, the School Code (105 ILCS 5/2-3.17a) has required the Office of the Auditor General to conduct annual audits of the financial statements of all accounts, funds, and other moneys in the care, custody, or control of the regional superintendent of schools of each educational service region in the State. For Fiscal Year 2025, a total of 38 audits are to be performed.
OAG FRAUD HOTLINE
The Auditor General’s Office is required by law [30 ILCS 5/2-15, added by P.A. 97-261, effective August 5, 2011] to operate a toll-free fraud hotline for the public to report allegations of fraud in the executive branch of State government. The hotline went into operation at the beginning of January 2012.
The toll free number is 1-855-217-1895. The hotline is available 24 hours a day, 7 days a week. Live operators are generally available Monday-Friday from 8:00 a.m. to 4:00 p.m. (CST).
In addition to calling the toll-free number, other options have been established for the public to report allegations of fraud. The public may also:
• Complete the Fraud Reporting Form on-line located on the OAG web-site (www.auditor.illinois.gov);
• E-mail a description of the allegation to: Hotline@auditor.illinois.gov;
• Contact the Auditor General via telecommunications device for the disabled (TTY) at 1-888-261-2887; or
• Send a written report via the U.S. Postal Service to the following address:
Fraud Hotline, Auditor General’s Office, 400 West Monroe, Suite 306, Springfield, IL 62704-9849.
Individuals reporting alleged fraud to the hotline may remain anonymous. However, if the individual chooses not to be identified, the Office’s ability to follow up on the allegation may be limited.
More information regarding the reporting of fraud allegations can be found at the Fraud Hotline section of the OAG website. Jurisdiction of the Fraud Hotline does not include the legislative or judicial branches of government, nor units of local government. Other resources the public may use to report fraud if it is outside of the jurisdiction of the OAG can also be found on the website. Even if the Auditor General’s Office does not have jurisdiction over the allegation, our hotline manager will try to direct the caller to another State, federal, or local agency that may be able to help. Image
CONTINUING PROFESSIONAL EDUCATION AND TRAINING REQUIREMENTS
The U.S. Government Accountability Office established Government Auditing Standards (the Yellow Book) for performing high-quality audit work with competence, integrity, objectivity, and independence to provide accountability and to help improve government operations and services.
The Yellow Book standard relating to competence specifies that management must assign auditors to conduct the engagement who collectively possess the competence needed to address the engagement objectives and perform their work in accordance with Generally Accepted Government Auditing Standards (GAGAS).
Auditors who plan, direct, perform engagement procedures for, or report on an engagement conducted in accordance with GAGAS should develop and maintain their professional competence by completing at least 80 hours of continuing professional education (CPE) every 2 years.
A minimum 24 hours of that CPE should be directly related to the government environment, government auditing, or the specific or unique environment in which the audited entity operates. The remaining 56 CPE hours should be in subject matter that directly enhances auditors’ professional expertise to conduct engagements. Auditors should complete at least 20 hours of CPE in each year of the 2-year period.
Auditors hired or assigned to a GAGAS engagement after the beginning of the 2-year CPE period may complete a prorated number of CPE hours. Also, auditors who charge less than 20 percent of their time annually to engagements conducted in accordance with GAGAS and are not involved in planning, directing, or reporting on the engagement need only complete the 24-hour requirement.
The most recently completed 2-year period for CPE requirements as measured by the Office of the Auditor General was January 1, 2023, through December 31, 2024. All auditors, audit directors, and information specialists required to meet the CPE standards were in compliance for this 2-year period and are in compliance with current CPE requirements.
Additionally, the Office of the Auditor General is a registered sponsor with the Illinois Department of Financial and Professional Regulation, and complies with the rules of the Illinois Public Accounting Act.
THE INFORMATION SYSTEMS AUDIT PROGRAM
Computers are an integral part of State government, processing billions of dollars in financial transactions each year and helping control the operations of State agencies. Since financial transactions and confidential information are processed using computers, audits of information system activities are necessary to ensure that computer processing is secure and accurate.
TESTING CONTROLS AND SYSTEMS
The Auditor General’s office plans to continue to emphasize the review of information system controls at State agencies. We performed expanded information system reviews at the following agencies:
Department of Agriculture, Department of Central Management Services, Illinois Commerce Commission, Illinois Community College Board, Office of Comptroller, Illinois Criminal Justice Information Authority, Eastern Illinois University, Illinois Emergency Management Agency and Office of Homeland Security, Department of Employment Security, Governors State University, Department of Healthcare and Family Services, Department of Human Services, Illinois State University, Illinois Liquor Control Commission, Department of Lottery, Northeastern Illinois University, Department of Public Health, Department of Revenue, Office of Secretary of State, Illinois State Board of Investments, Illinois State Board of Elections, State Employee Retirement System, State University Retirement System, Teachers’ Retirement System, Office of Treasurer, Illinois Workers’ Compensation Commission, and Western Illinois University.
To enhance the control environment, the Auditor General has emphasized the review of cybersecurity, networks, access rights, and the security and control of confidential information. These reviews have focused on the necessity of establishing consistent and effective security policies and programs, performing comprehensive risk assessments, and implementing comprehensive security techniques on all computer systems.
ISA FINDINGS
Eight agencies – Department of Innovation and Technology, Eastern Illinois University, Governor’s State University, Illinois Finance Authority, Northern Illinois University, Office of Comptroller, Southern Illinois University, and University of Illinois – had not established adequate controls for securing their computer resources. We recommended that these agencies evaluate their computer environments and ensure adequate security controls and policies exist to safeguard computer resources.
Four agencies – Chicago State University, Governor’s State University, Illinois Mathematics and Science Academy, and University of Illinois – had not completed all requirements to demonstrate full compliance with the Payment Card Industry Data Security Standards. We recommended that these agencies at least annually, assess each program accepting credit card payments, review and validate its environment, and ensure agreements with service providers are current and maintained.
Eight agencies – Department on Aging, Governor’s State University, Illinois Law Enforcement Training and Standards Board, Illinois State University, Legislative Information System, Northeastern Illinois University, Office of Comptroller, and Southern Illinois University – had not implemented effective change management processes to ensure changes to computer applications were properly approved, tested, and documented. We recommended that these agencies develop and implement change management standards to ensure adequate oversight of all changes to computer applications.
Twenty-five agencies – Capital Development Board, Chicago State University, Department of Children and Family Services, Department of Corrections, Department of Employment Security, Department of Financial and Professional Regulation, Department of Innovation and Technology, Department of Insurance, Department of Juvenile Justice, Department of Natural Resources, Department on Aging, Governor’s State University, Illinois Department of Veterans Affairs, Illinois Gaming Board, Illinois Housing Development Authority, Illinois State Board of Education, Illinois State Police, Illinois State University, Legislative Information System, Northeastern Illinois University, Northern Illinois University, Office of Attorney General, Office of Comptroller, Southern Illinois University, and University of Illinois – had not developed or implemented access provisioning policies to ensure access rights to computer systems were properly controlled. We recommended that these agencies develop and implement access provisioning policies to ensure access rights are approved, disabled timely, and periodically reviewed.
Twenty-three agencies – Chicago State University, Department of Children and Family Services, Department of Corrections, Department of Employment Security, Department of Financial and Professional Regulation, Department of Insurance, Department of Juvenile Justice, Department of Natural Resources, Governor’s State University, Illinois Conservation Foundation, Illinois Department of Veterans Affairs, Illinois Gaming Board, Illinois Racing Board, Illinois State Board of Education, Illinois State Police, Illinois State Toll Highway Authority, Illinois State University, Northeastern Illinois University, Office of Attorney General, Office of Comptroller, Office of the State’s Attorney’s Appellate Prosecutor, Southern Illinois University, and Western Illinois University – did not perform and document internal control reviews of all external data processing and hosting service providers. We recommended that these agencies obtain or perform independent reviews of internal controls associated with service providers at least annually.
Eighteen agencies – Capital Development Board, Chicago State University, Department of Children and Family Services, Department of Commerce and Economic Opportunity, Department of Corrections, Department of Financial and Professional Regulation, Department of Innovation and Technology, Department of Juvenile Justice, Department of Natural Resources, Department on Aging, Environmental Protection Agency, Illinois Department of Veterans Affairs, Illinois Gaming Board, Illinois State Police, Illinois State University, Legislative Information System, Northern Illinois University, and Office of Comptroller – had not adequately developed or tested recovery plans to provide for continuation of critical computer operations in the event of a disaster. We recommended that these agencies develop and test disaster contingency plans.
CYBERSECURITY AUDITS
The Illinois State Auditing Act (30 ILCS 5/3-2.4) requires us to include Cybersecurity as part of our Compliance Examination program as follows:
Sec. 3-2.4. Cybersecurity audit.
(a) In conjunction with its annual compliance examination program, the Auditor General shall review State agencies and their cybersecurity programs and practices, with a particular focus on agencies holding large volumes of personal information.
(b) The review required under this Section shall, at a minimum, assess the following:
(1) the effectiveness of State agency cybersecurity practices;
(2) the risks or vulnerabilities of the cybersecurity systems used by State agencies;
(3) the types of information that are most susceptible to attack;
(4) ways to improve cybersecurity and eliminate vulnerabilities to State cybersecurity systems; and
(5) any other information concerning the cyber-security of State agencies that the Auditor General deems necessary and proper.
(c) Any findings resulting from the testing conducted under this section shall be included within the applicable State agency’s compliance examination report.
To meet the requirements of the Illinois State Auditing Act on the compliance examinations, we did the following:
• Updated the Compliance Audit Guide to include specific questions concerning cybersecurity
practices, policies and procedures, training, roles and responsibilities, risk assessments, and data classifications. In addition, we provided guidance to assist audit staff and special assistant auditors in obtaining and reviewing documentation to support responses.
• Performed detailed testing at 54 agencies as part of the June 30, 2024 compliance examinations. We provided these agencies with detailed information regarding our analysis and, if appropriate, we developed findings.
• Performed follow up procedures for any entity that had a cybersecurity finding reported in their
previous report as required by Government Auditing Standards.
As a result of our processes for the June 30, 2024 examinations, we identified significant weaknesses at 32 agencies:
Capital Development Board, Chicago State University, Department of Children and Family Services, Department of Commerce and Economic Opportunity, Department of Corrections, Department of Financial and Professional Regulation, Department of Innovation and Technology, Department of Insurance, Department of Juvenile Justice, Department of Natural Resources, Department on Aging, Environmental Protection Agency, Governor’s State University, Illinois Department of Veterans Affairs, Illinois Gaming Board, Illinois Housing Development Authority, Illinois Law Enforcement Training and Standards Board, Illinois Mathematics & Science Academy, Illinois Racing Board, Illinois State Board of Education, Illinois State Police, Illinois State Toll Highway Authority, Illinois State University, Joint Committee on Administrative Rules, Legislative Information System, Northern Illinois University, Office of Attorney General, Office of Comptroller, Office of the State’s Attorney’s Appellate Prosecutor, Procurement Policy Board, Southern Illinois University, and Western Illinois University.
To promote agencies’ responsibility to ensure that confidential information is protected from accidental or unauthorized disclosure, we generally recommended they:
• Establish and document cybersecurity roles and responsibilities.
• Establish and communicate policies, procedures and processes to manage and monitor the regulatory, legal, environmental and operational requirements.
• Perform a comprehensive risk assessment to identify and ensure adequate protection of confidential or personal information most susceptible to attack.
• Classify data to establish the types of information most susceptible to attack to ensure adequate protection.
• Ensure all employees annually complete cybersecurity training as outlined in the Data Security on State Computers Act.
• Evaluate and implement appropriate controls to reduce risk of attack.
We will continue to review cybersecurity programs and practices in our June 30, 2025 compliance examinations.
Agency officials generally concurred with our recommendations concerning these issues.
SYSTEM AND ORGANIZATION CONTROLS (SOC) REPORTS
The Office’s special assistant auditors also reviewed and tested the systems and procedures at the Department of Innovation and Technology for the year ended June 30, 2025. We released three System and Organization Controls (SOC) Reports regarding the Department’s control environment.
Information Technology Hosting Services
System - the Department provides Information Technology Hosting Services for State agencies.
This SOC Report contained a qualified opinion as a result of the controls related to the trust services criteria stated in the “Management of the State of Illinois, Department of Innovation and Technology’s Description of its Information Technology Hosting Services System” which did not operate effectively.
Information Technology Shared Services System - the Department provides Information Technology Hosting Services for State agencies.
This SOC Report contained a qualified opinion as a result of the controls related to the control objectives stated in the “Management of the State of Illinois, Department of Innovation and Technology’s Description of its Information Technology Shared Services System” which were not suitably designed or did not operate effectively.
State of Illinois, Enterprise Resource Planning System - the Enterprise Resource Planning System is utilized by State agencies.
This SOC Report contained an unqualified opinion.
As a result of the modified opinions, auditors of these agencies will likely modify the agency-level risk assessments to accommodate the additional risk to agencies and perform additional procedures to properly address these risks.
Department officials concurred with the exceptions noted in the SOC reports.
OTHER OFFICE RESPONSIBILITIES
ANNUAL AUDIT ADVISORY
Every year, the Auditor General’s Office distributes an Illinois Audit Advisory to all State agencies for the purpose of sharing information that may make their operations more efficient and effective, and increase compliance with State law. Copies of this audit advisory are available on our website at: www.auditor.illinois.gov.
COMPTROLLER’S ACCOUNTING SYSTEM REVIEW
The Auditor General is required by law to annually review the Comptroller’s Statewide accounting system. This review is accomplished through the Office’s audit of the State Comptroller, and by ensuring that all agency audits are performed in accordance with the Auditor General’s Audit Guide.
In addition, the Auditor General annually reviews the State Comptroller’s pre-audit function. Pre-audit is the primary control over expenditure voucher processing. The State Comptroller pre-audits financial transactions to determine if they are proper and legal.
PEER REVIEW
Peer review is an external quality control review conducted every three years by audit professionals from across the United States who are selected by the National State Auditors Association. The peer review helps to ensure that our procedures meet all required professional standards, comply with Government Auditing Standards and produce reliable products for the agencies we audit.
The September 2023 peer review of the Auditor General’s audit processes resulted in an unmodified (clean) opinion. Additionally, the peer review team did not note any deviations from professional standards that would have required a written letter of comments. Our prior peer reviews, conducted in 1996, 1999 and 2002, 2005, 2008, 2011, 2014, 2017 and 2020 likewise resulted in unmodified opinions. Our next peer review is slated for 2026.
STATE ACTUARY
Public Act 97-694, effective June 18, 2012, directed the Auditor General to “contract with or hire an actuary to serve as the State Actuary.” Among its duties, the State Actuary is required to “review assumptions and valuations prepared by actuaries retained by the boards of trustees of the State-funded retirement systems” and “issue preliminary reports...concerning proposed certifications of required State contributions submitted to the State Actuary by those boards.” [30 ILCS 5/2-8.1 (a) and (b)] In addition, Public Act 100-465, effective August 31, 2017, added a similar requirement for the State Actuary to review the Public School Teachers’ Pension and Retirement Fund of Chicago. [40 ILCS 5/17-127(e)] Through a competitive proposal process, the Auditor General awarded a contract in August 2012 to Cheiron, a full-service actuarial and consulting firm.
Cheiron issued its preliminary reports to the public retirement systems on November 26, 2024. As required by statute, the Auditor General submitted a written report to the General Assembly and Governor on December 19, 2024, documenting the initial assumptions and valuations prepared by the actuaries retained by the boards of trustees of the State-funded retirement systems, the State Actuary’s preliminary reports, and the responses of each board to the State Actuary’s recommendations. The report is available in its entirety on our website at www.auditor.illinois.gov.
CLAIMS DUE THE STATE AND METHODS OF COLLECTION
As required by law [30 ILCS 205/2 (k)], the Office of the Auditor General is reporting that there were no outstanding claims administered by the Office that were due and payable to the State as of December 31, 2025. The accounts receivables generated by our Office primarily represent billings to other State agencies for reimbursement of audit costs. Reimbursements for federal single audits are deposited into the General Revenue Fund. Reimbursements for audits not associated with federal single audits are deposited or transferred to the Audit Expense Fund. If normal collection methods fail, we request assistance from the Office of the Attorney General. To date we have never used the services of a private collection agency.
SUMMARY OF APPROPRIATIONS AND EXPENDITURES
The Office of the Auditor General was funded by appropriations from the General Revenue Fund and Audit Expense Fund for Fiscal Year 2025 (July 1, 2024 to August 31, 2025, including lapse period).
FY 2025 - FINAL
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Appropriation . . . . . .Expended . . . . . . . Balance
GRF Operations:
Personal Services . . . . . . . . . . . . . . . . $7,500,000 . . . . . . . . . 6,605,646 . . . . . . . .$894,354
Social Security . . . . . . . . . . . . . . . . . . . . $600,000 . . . . . . . . . .482,014. . . . . . . . . $117,986
GRF Operations Total . . . . . . . . . . . .$8,100,000 . . . . . . . .$7,087,660 . . . . . . .. $1,012,340
Audit Expense Fund:
Audits/Studies/Investigations . . . . . . . 38,229,296 . . . . . . . .$20,982,178 . . . . . . .$5,985,928