REPORT DIGEST

CHICAGO STATE UNIVERSITY

FINANCIAL AUDIT
FOR THE YEAR ENDED JUNE 30, 2024

Release Date:  March 13, 2025

FINDINGS THIS AUDIT: 3

CATEGORY:  NEW -- REPEAT – TOTAL
Category 1:  0 -- 2 -- 2
Category 2:  0 -- 1 -- 1
Category 3:  0 -- 0 -- 0
TOTAL:  0 -- 3 -- 3

FINDINGS LAST AUDIT: 3

State of Illinois, Office of the Auditor
General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact:
Office of the Auditor General, 400 West
Monroe, Suite 306, Springfield, IL
62704-9849
(217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also
available on the worldwide web at
www.auditor.illinois.gov

INTRODUCTION

This digest covers the Chicago State
University’s (University) Financial Audit as
of and for the year ended June 30, 2024.
The University’s State Compliance
Examination and Single Audit reports will be
separately issued at a later date.

SYNOPSIS

• (24-02) The University did not maintain
adequate controls over computer security.

• (24-03) The University did not have
adequate internal controls to ensure
compliance with the Illinois  Pension Code.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

WEAKNESSES OVER COMPUTER SECURITY

The University did not maintain adequate
general Information Technology (IT) controls
related to its environment and applications.

During testing, we requested the University
provide a population of its active servers.
In response to this request, the University
provided a listing of servers which included
decommissioned servers. Due to these
conditions, we were unable to conclude the
University’s population records were
sufficiently precise and detailed under the
Professional Standards promulgated by the
American Institute of Certified Public
Accountants (AU-C § 500.08 and AT-C §
205.36).

Despite this limitation, we performed
testing on a sample of servers and noted the
Information Technology (IT) infrastructure
was not secured properly.

Further, during our testing of the
University’s controls over access
provisioning, we noted separated employees
continued to have access to the University’s
environment.  (Finding 2, pages 66-68) This
finding has been reported since 2020.

We recommended the University implement
adequate general IT controls related to its
environment and applications.

University officials agreed with the
recommendation and stated the University
acknowledges the need to strengthen controls
over its IT environment and applications.
University officials further stated the
University has initiated a comprehensive
review of its identity and access management
(IAM) processes to improve offboarding
procedures and eliminate reliance on manual
and ad-hoc processes. Finally, University
officials stated the University was
formalizing procedures for server management
to ensure accurate inventory tracking and
decommissioning.

INADEQUATE CONTROLS TO ENSURE COMPLIANCE
WITH  THE ILLINOIS PENSION CODE

The University did not have adequate
internal controls to ensure compliance with
the Illinois Pension Code (Code).

During testing, we requested the University
provide the populations of retired
employees, persons receiving a retirement
annuity (Annuitant) from the State
Universities Retirement System (SURS) and
re-employed by the University, and employees
who filed for disability benefits during
Fiscal Year 2024. The University provided
the populations; however, these populations
could not be reconciled to the University’s
internal records and SURS.

Due to this condition, we were unable to
conclude the University’s population records
were sufficiently precise and detailed under
the Professional Standards promulgated by
the American Institute of Certified Public
Accountants (AU-C § 500.08 and AT-C §
205.36) to test the University’s compliance
with the Code.

Even given the population limitations noted
above, we performed the testing and noted:

• Two of four (50%) retired employees’
unused sick leave ranging 17 and 122 days
were incorrectly reported to SURS.

• Two of two (100%) re-employed annuitants
were not timely reported to SURS. The
University notified SURS 9 and 347 days
late.  (Finding 3, pages 69-70)

We recommended the University implement
controls to ensure the completeness and
accuracy of populations of retirees, re-
employed annuitants, and employees who filed
for disability benefits.  Further, we
recommended the University accurately report
unused sick leave and timely notify re-
employment of annuitants to SURS in
accordance with the Code.

University officials agreed with the
recommendation and stated the University was
working with SURS to reconcile data.
Further, University officials stated
internal controls would be strengthened to
ensure timely reporting.

OTHER FINDING

The remaining finding pertains to inadequate
internal controls over census data.  We will
review the University’s progress towards the
implementation of our recommendations in our
next financial audit.

AUDITOR’S OPINION

The auditors stated the financial statements
of the University as of and for the year
ended June 30, 2024, are fairly stated in
all material respects.

The financial audit was conducted by Roth &
Company, LLP.

COURTNEY DZIERWA
Division Director

This report is transmitted in accordance
with Section 3-14 of the Illinois State
Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:vrb