REPORT DIGEST CHICAGO STATE UNIVERSITY SINGLE AUDIT AND COMPLIANCE EXAMINATION FOR THE YEAR ENDED JUNE 30, 2020 Release Date: June 2, 2021 FINDINGS THIS AUDIT: 14 CATEGORY: NEW -- REPEAT -- TOTAL Category 1: 1 -- 0 -- 1 Category 2: 10 -- 3 -- 13 Category 3: 0 -- 0 -- 0 TOTAL: 11 -- 3 -- 14 FINDINGS LAST AUDIT: 10 Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance). Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations. Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations. State of Illinois, Office of the Auditor General FRANK J. MAUTINO, AUDITOR GENERAL To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703 (217) 782-6046 or TTY (888) 261-2887 This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov INTRODUCTION This digest covers our federal Single Audit and Compliance Examination of Chicago State University (University) for the year ended June 30, 2020. A separate digest covering the University’s Financial Audit as of and for the year ended June 30, 2020 was previously released on May 25, 2021. In total, this report contains 14 findings, three of which were reported in the Financial Audit. SYNOPSIS • (20-7) The University did not have adequate controls over its contractual service expenditures. • (20-8) The University did not ensure proper completion and retention of the Employment Eligibility Verification (I-9) forms. • (20-12) The University did not obtain or conduct timely independent internal control reviews over its service providers. FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS INADEQUATE CONTROLS OVER CONTRACTUAL SERVICES EXPENDITURES The University did not have adequate controls over its contractual service expenditures. During our review of 25 contracts (totaling $2,303,507), including purchase orders, executed during the fiscal year ended June 30, 2020, we noted the following: • One contract (totaling $900,000) was not approved by the University’s Board of Trustees. • Two exempt purchases (totaling $260,581) were not published in the Illinois Procurement Bulletin. • Five contracts (totaling $1,096,695) were executed subsequent to the start date of the contracts. The contract execution dates ranged from 37 to 120 days from the commencement of services. • Seven contracts (totaling $376,075) were not submitted or submitted timely to the Office of Comptroller. Of the seven contracts, three contracts (totaling $192,260) were filed 5 to 379 days late and the remaining four contracts (totaling $183,815) were not filed. • Two contracts (totaling $183,178) did not contain disclosure of financial interest statements. • Two contracts (totaling $208,755) did not include standard vendor certifications. • Three contracts (totaling $174,754) were not supported by three price quotes from vendors on the University’s bidders list. • One contract (totaling $18,000) was paid $1,500 more than the amount indicated in the contract. (Finding 7, pages 34-36) This finding has been repeated since 2016. We recommended the University establish appropriate procedures to ensure all contracts are completed, approved, and properly executed prior to the commencement of services and total payments to vendors do not exceed contracted amounts. Further, we recommended the University review procedures to ensure disclosures are obtained prior to the execution of contracts, and contracts are supported by three price quotes when required, posted in the Illinois Procurement Bulletin, and filed with the Office of Comptroller in accordance with the State statutes and guidelines. University officials agreed with the finding and stated many of the procurement policies and procedures were updated and re-written. University officials also stated regular training on key topics were being held monthly. They further stated a vendor audit would be conducted to reaffirm terms of engagement with all vendors that serve the University, and to enlist the vendors as partners in the University’s compliance efforts. COMPLETION AND RETENTION OF EMPLOYMENT ELIGIBILITY VERIFICATION FORM The University did not ensure proper completion and retention of the Employment Eligibility Verification (I-9) forms. During review of 40 employees’ (current and terminated during the year) personnel records, we noted the following: • I-9 forms for four (10%) employees were not found in their personnel files. Of the four employees, one was terminated during the fiscal year, and the remaining three were current employees with hire dates ranging from September 1997 to August 2003. Upon bringing the issue to their notice, the University completed I-9 forms for the three current employees. • One (3%) employee’s I-9 form did not have Section 2 of the I-9 form completed by the University. (Finding 8, pages 37-38) This finding has been repeated since 2018. We recommended the University enhance its controls over employee verifications to ensure timely completion and proper retention of I-9 forms. University officials agreed with the finding and stated all missing I-9s were identified. They also stated employees with missing I-9s were contacted and a process was created to re-verify the I-9s, including for employees who are working remotely. They further stated procedures for I-9 completion and record management were updated. LACK OF ADEQUATE CONTROLS OVER REVIEW OF INTERNAL CONTROLS OVER SERVICE PROVIDERS The University did not obtain or conduct timely independent internal control reviews over its service providers. During our testing of six service providers, we noted the University had not: • Obtained System and Organization Controls (SOC) reports. Subsequent to our request, the University was able to provide the SOC reports for five of the six service providers. • Documented its review of each of the SOC reports. • Monitored and documented the operation of the Complementary User Entity Controls (CUECs) relevant to the University’s operations. • Obtained and reviewed SOC reports for subservice organizations or performed alternative procedures to determine the impact on its internal control environment. Additionally, we noted the contracts between the University and the service providers did not contain a requirement for an independent review to be completed. (Finding 12, pages 44-46) We recommended the University: • Obtain SOC reports or perform independent reviews of internal controls associated with outsourced systems at least annually. • Monitor and document the operation of the CUECs relevant to the University's operations. • Review contracts with service providers to ensure applicable requirements over the independent review of internal controls are included. In addition, if the SOC Report documents subservice providers, we recommended the University: • Either obtain and review SOC reports for subservice organizations or perform alternative procedures. • Document its review of the SOC reports and review all significant issues with subservice organizations. University officials agreed with the finding and stated the University was undertaking actions to resolve the issue by reviewing all vendors in the procurement system to determine if SOC reports are required, creating a file sharing site to establish a central repository for storing SOC reports within last 12 months, obtaining and uploading annual SOC reports issues, and building SOC reporting requirements within the procurement process, where appropriate. OTHER FINDINGS The remaining findings pertain to weaknesses over computer security, change control weaknesses, inadequate internal controls over census data, lack of adherence to controls and noncompliance with Center for STEM Education and Research, lack of adherence to controls and noncompliance with requirement applicable to Education Stabilization Fund, inadequate controls over preparation of the Schedule of Expenditures of Federal Awards, noncompliance with Illinois Articulation Initiative Act, noncompliance with Higher Education Student Assistance Act, inaccurate accounts receivable and locally held fund reporting, weaknesses in cybersecurity programs and practices, and inadequate disaster recovery process. We will review the University’s progress towards the implementation of our recommendations in our next engagement. AUDITOR’S OPINIONS The financial audit was previously released. Our auditors stated the financial statements of Chicago State University as of and for the year ended June 30, 2020 are fairly stated in all material respects. The auditors also conducted a Single Audit of the University as required by the Uniform Guidance. The auditors stated the University complied, in all material respects, with the types of compliance requirements that could have a direct and material effect on the University’s major federal programs for the year ended June 30, 2020. ACCOUNTANT’S OPINION The accountants conducted a compliance examination of the University for the year ended June 30, 2020, as required by the Illinois State Auditing Act. The accountants qualified their report on State compliance for Finding 2020-003. Except for the noncompliance described in this findings, the accountants stated the University complied, in all material respects, with the requirements described in the report. This Single Audit and State Compliance Examination was conducted by Roth & Company LLP. JANE CLARK Division Director This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act. FRANK J. MAUTINO Auditor General FJM:vrb