REPORT DIGEST

CHICAGO STATE UNIVERSITY
FINANCIAL AUDIT
FOR THE YEAR ENDED JUNE 30, 2020

Release Date: May 25, 2021

FINDINGS THIS AUDIT: 3

CATEGORY: NEW -- REPEAT -- TOTAL
Category 1: 1 -- 0 -- 1
Category 2: 2 -- 0 -- 2
Category 3: 0 -- 0 -- 0
TOTAL: 3 -- 0 -- 3

FINDINGS LAST AUDIT: 1

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703
(217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

INTRODUCTION

This digest covers the Chicago State University’s (University) Financial Audit as of and for the year ended June 30, 2020. The University’s Compliance Examination (including the Single Audit) covering the year ended June 30, 2020 will be issued in a separate report at a later date.

SYNOPSIS

• (20-3) The University did not have adequate internal control over reporting its census data and did not have a reconciliation process to provide assurance census data submitted to its pension and other postemployment benefits (OPEB) plans was complete and accurate.
• (20-2) The University had weaknesses over change management.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

INADEQUATE CONTROL OVER CENSUS DATA

The University did not have adequate internal control over reporting its census data and did not have a reconciliation process to provide assurance census data submitted to its pension and other postemployment benefits (OPEB) plans was complete and accurate.

During testing, some of the significant issues we noted included the following:

• The University had not performed an initial complete reconciliation of its census data recorded by the State Universities Retirement System (SURS) and Department of Central Management Services (CMS) to its internal records to establish a base year of complete and accurate census data.
• One of 80 (1%) employees tested had a disability leave of absence reported as a termination by the University to SURS and the employee’s eventual return from leave was not reported by the University to SURS.
• Three of 80 (4%) employees tested had two events reported to CMS 305 and 453 days after the effective date of the event and one event where the employee’s insurance should have terminated due to the employee reaching the maximum leave of absence period in September 2017 which was never reported by the University to CMS.
• We performed an analysis of transactions reported by the University to SURS during the census data accumulation period throughout Fiscal Year 2018, noting the following problems:
  – Six of 120 (5%) employees reported as hired had actually been hired in other fiscal years. SURS determined the total potential impact to each employee’s total service credit could be off by 1 to 2.75 years.
  – One of one (100%) employee reported as laid off by the University was untimely reported to SURS by the University. SURS determined the total potential impact to the employee’s total service credit could be off by 1 year.

(Finding 3, pages 68-73)

We recommended the University implement controls to ensure census data events are timely and accurately reported to SURS and CMS. Further, we recommended the University work with SURS and CMS to develop an annual reconciliation process of its active members’ census data from its underlying records to a report from each plan of census data submitted to the plan’s actuary.

University officials agreed with the recommendation and stated the University would work with SURS and CMS to develop a reconciliation process. University officials also stated the University would request necessary employee visa data from SURS and GSU and act accordingly based on information received. Further, they stated internal workflows and procedures would be documented and improved to minimize mistakes and cross-training would be performed to provide improved backup and a system of secondary review.

CHANGE CONTROL WEAKNESSES

The University had weaknesses over change management.

We tested a sample of nine changes made to the University’s Enterprise Application Software, noting:

• Eight changes (89%) did not have a change request documented.
• Eight changes (89%) did not have evidence of approval prior to the development of the change.
• Seven changes (78%) were developed and deployed to the production environment by the same individual without maintaining adequate segregation of duties.
• Seven changes (78%) did not have evidence of user acceptance testing and approval prior to deployment of the changes to the production environment.

(Finding 2, pages 66-67)

We recommended the University comply with its Change Management Policy, including the completion of Request for Change forms, approval of changes prior to development, and testing of changes prior to implementation to production. In addition, we recommended adequate segregation of duties be observed to prevent the risk that unauthorized changes are implemented to production.

University officials agreed with the recommendation and stated the University was working on updating the change control policy, establishing a Change Advisory Board (CAB), creating a new process to funnel all changes to CAB for assessment, and updating documentation requirements around change requests.

OTHER FINDINGS

The remaining finding pertains to weaknesses over computer security. We will review the University’s progress towards the implementation of our recommendations in our next engagement.

AUDITOR’S OPINION

The auditors stated the financial statements of the University as of and for the year ended June 30, 2020, are fairly stated in all material respects.

The financial audit was conducted by Roth & Company, LLP.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:vrb