REPORT DIGEST

WESTERN ILLINOIS UNIVERSITY
COMPLIANCE EXAMINATION FOR THE YEAR ENDED JUNE 30, 2023

Release Date: May 9, 2024

FINDINGS THIS AUDIT: 10

CATEGORY      NEW   REPEAT   TOTAL
Category 1      1        1       2
Category 2      5        3       8
Category 3      0        0       0
TOTAL           6        4      10

FINDINGS LAST AUDIT: 7

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, 400 West Monroe, Suite 306, Springfield, IL 62704-9849, (217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

INTRODUCTION

This digest covers Western Illinois University’s (University) State compliance examination for the year ended June 30, 2023. Separate digests covering the University’s Financial Audit as of and for the year ended June 30, 2023 and Single Audit for the year ended June 30, 2023 were previously released on March 14, 2024. In total, this report contains ten findings, two of which were reported in the Financial Audit and Single Audit collectively.

SYNOPSIS

• (23-05) Western Illinois University (University) had weaknesses regarding the review of independent internal control reviews over its service providers.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

LACK OF ADEQUATE CONTROLS OVER THE REVIEW OF INTERNAL CONTROLS OVER SERVICE PROVIDERS

Western Illinois University (University) had weaknesses regarding the review of independent internal controls reviews over its service providers.

We requested the University provide a listing of its service providers utilized, System and Organization Control (SOC) Reports reviewed, and review of Complementary User Entity Controls (CUECs) as documented. However, the University was not able to provide a complete listing of service providers.

Due to these conditions, we were unable to conclude the University’s population records were sufficiently precise and detailed under the Professional Standards promulgated by the American Institute of Certified Public Accountants (AT-C §205.36).

Even given the population limitations noted above, we performed testing of the service providers identified by the University to have a SOC report. The University utilized various service providers to provide:

• Credit Card Processing,
• Online Classes,
• Emergency alert system,
• Email,
• Office Suite, and
• Work Order system

Our testing of the controls over service providers noted the following:

• For 8 of 8 (100%) service providers sampled, there was no formal requirement to obtain or review SOC reports at the University.
• For 6 of 8 (75%) service providers sampled, SOC reports were not collected by the University.
• For 8 of 8 (100%) service providers sampled, there was no SOC report review conducted by the University.
• For 8 of 8 (100%) service providers sampled, there was no CUEC mapping to the University’s internal controls conducted by the University.

(Finding 5, pages 18-20) This finding has been reported since 2018.

We recommend the University strengthen controls to identify and document all service providers utilized and determine and document if a review of controls is required. Where appropriate, we recommend the University:

• Establish and enforce a formal university-wide onboarding requirement and processes for all third-party service providers.
• Establish and enforce a formal university-wide requirement to obtain SOC reports from third-party service providers.
• Establish and enforce a formal university-wide requirement to review SOC reports.
• Establish and enforce a formal university-wide requirement to review applicable Complementary User Entity Controls (CUECs) and map CUECs to existing internal controls at the University.

The University agreed with the finding and stated they will continue to review policies and procedures related to SOC reports.

OTHER FINDINGS

The remaining findings pertain to inadequate control over student enrollment reporting, Return of Title IV Funds, verification requirements, lack of adequate change control, security related weaknesses, weaknesses in cybersecurity programs and practices, lack of access reviews and inappropriate screen access, weaknesses with payment card industry data and security standards, and untimely recognition of equipment acquisitions and disposals. We will review the University’s progress towards the implementation of our recommendations in our next State compliance examination.

AUDITOR’S OPINIONS

The financial audit report was issued separately. The auditors stated the financial statements of the University as of and for the year ended June 30, 2023, are fairly stated in all material respects.

The single audit report was issued separately. The auditors also conducted a Single Audit of the University as required by the Uniform Guidance. The auditors stated that the University complied, in all material respects, with the types of compliance requirements that could have a direct and material effect on the University’s major federal programs for the year ended June 30, 2023.

ACCOUNTANT’S OPINION

The accountants conducted a State compliance examination of the University for the year ended June 30, 2023, as required by the Illinois State Auditing Act. The accountants qualified their report on State compliance for findings 2023-001 and 2023-002. Except for the noncompliance described in these findings, the accountants stated the University complied, in all material respects, with the requirements described in the report.

This State compliance examination was conducted by Plante Moran.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:sjs