REPORT DIGEST

ILLINOIS STATE UNIVERSITY

Single Audit and Compliance Examination
For the One Year Ended June 30, 2013


Release Date:   March 26, 2014

Summary of Findings:
• Compliance:   6
• Financial Audit (released 11-14-13):   1
Total findings:   7
Total last audit:   6
Repeated from last audit:   4

State of Illinois, Office of the Auditor General
WILLIAM G. HOLLAND, AUDITOR GENERAL

To obtain a copy of the Report contact:
Office of the Auditor General, Iles Park Plaza,
740 E. Ash Street, Springfield, IL 62703
(217) 	782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also
available on the worldwide web at
www.auditor.illinois.gov

SYNOPSIS

This digest covers our Single Audit and
compliance examination of the Illinois State
University for the year ended June 30, 2013.  A
financial audit as of and for the year ending
June 30, 2013, was previously released on
November 14, 2013.  In total, this report
contains seven findings, one of which was also
reported in the financial audit released on
November 14, 2013.

• The University lacked sufficient internal
control over its computer inventories.

• The University’s internal controls over
compliance with the College Student Immunization
Act need to be improved.

• The University needs to improve compliance
with the University Faculty Research and
Consulting Act and University policies regarding
outside employment.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

NEED TO ENHANCE CONTROLS OVER THE UNIVERSITY’S
COMPUTER INVENTORY

Illinois State University (University) did not
have sufficient internal control over its
computer inventories.

The auditors noted the following:

• During Fiscal Year 2013, the University
reported five laptop computers, two desktop
computers, four iPads, and an iPod as stolen,
totaling $9,269.

• During the University’s Fiscal Year 2013
physical inventory count, the University
reported 35 laptop computers, 21 desktop
computers, and one server as lost, totaling
$76,826.

During testing, the auditors noted the
University had not protected its computers with
encryption software, thus increasing the risk
that confidential information could be exposed.
Confidential information routinely collected and
maintained by the University includes education
records, health records, personal information,
and sensitive information.

At the time of our review, the University had
not performed a detailed assessment and
therefore was unable to assess whether the
missing computers contained confidential
information.

According to University officials, this resulted
from the lack of a cohesive IT Governance
structure including a common, formal, and
disciplined approach for managing IT.  (Finding
2, pages 19-20)

We recommended the University review current
practices to determine if enhancements can be
implemented to prevent the theft or loss of
computers, establish procedures to immediately
notify security personnel of any missing or
stolen computers to allow them to assess if a
computer may have contained confidential
information and document the results of the
assessment, and ensure confidential information
is adequately secured with methods such as
encryption or redaction.

University officials agreed with the
recommendation, indicating they will review
their current practices to identify enhancements
to better safeguard against the theft or loss of
computers.

NEED TO IMPROVE INTERNAL CONTROLS OVER
COMPLIANCE WITH THE COLLEGE STUDENT IMMUNIZATION
ACT

The University had weaknesses in internal
controls over compliance with the College
Student Immunization Act (Act).

During testing, the auditors noted the following
internal control weaknesses:

• The University did not maintain documentation
supporting the classification of students
(medical exemption, religious exemption, total
immune/not immune to individual communicable
diseases, and total compliant/noncompliant with
the Act) as of the date the University prepared
its report to the Department of Public Health.

• The University was unable to provide the
auditors with a reconciliation between new
students enrolled at the University in Fall 2012
and the number of new covered students first
enrolled in Fall 2012 and reported to the
Department of Public Health.

• The data reported for noncompliant covered
students contained discrepancies.  Specifically,
the auditors noted a difference of 127
noncompliant new students and 249 total students
across campus between the auditor’s calculation
of noncompliant students and the number of
noncompliant students reported by the University
to the Department of Public Health.

In response to the auditors’ notification to the
University of these conditions, the University
performed a review of students enrolled and
attending classes in Fall 2013 who were
identified as likely to have been included in
the population of noncompliant students who
should have been precluded from enrolling in
classes during Fiscal Year 2013.  The
University’s review indicated the following:

• 16 students were enrolled and attending
classes when they should have been blocked from
registration.

• Five students were erroneously coded as “on
campus” when they were actually “off campus”
students.

• The University’s computer system was
identifying students as noncompliant when the
student was actually either in compliance or
deferred by the University for medical reasons,
such as a pregnancy.

According to University officials, these errors
were due to oversight and computer coding
problems.  (Finding 3, pages 21-23)

We recommended the University review, improve,
and maintain a system of internal controls to
monitor covered student compliance, identify
noncompliant students and preclude them from
enrolling in subsequent academic terms,
accurately report summary information to the
Department of Public Health, and provide
sufficient audit trails for accountability.

University officials agreed with the
recommendation, indicating they will review and
improve the University’s current internal
controls for monitoring compliance.

NEED TO IMPROVE COMPLIANCE WITH THE UNIVERSITY
FACULTY RESEARCH AND CONSULTING ACT

The University did not always ensure compliance
with the University Faculty Research and
Consulting Act and University policies regarding
outside employment.

During testing, the auditors noted the
following:

• 52 of 113 (46%) Request for Approval of
Secondary/ Outside Employment Forms were
submitted to the University Provost and approved
between one and 140 days late.

• Six of 113 (5%) Request for Approval of
Secondary/ Outside Employment Forms were not
submitted by the faculty member to the
University’s Provost for approval prior to the
completion of the employee’s outside employment.

• 76 of 113 (67%) faculty members approved for
secondary/outside employment tested did not file
their Annual Report of Secondary/Outside
Employment Form with the University’s Provost by
the deadline of August 31, 2013.

According to University officials, the failure
to seek timely approval and file reports was due
to oversight. (Finding 5, pages 27-28)

We recommended the University Provost implement
internal controls to ensure faculty members with
outside research, consulting services, or
employment receive written pre-approval to
conduct the requested activity and annually
disclose the time spent on these activities in
accordance with State law and University policy.

University officials agreed with the
recommendation and stated they will continue to
assess the process and implement modifications
to improve compliance.

OTHER FINDINGS

The remaining findings are reportedly being
given attention by the University.  We will
review the University’s progress towards the
implementation of our recommendations in our
next audit.

AUDITORS’ OPINION

Our auditors conducted a Single Audit of the
University as required by OMB Circular A-133.
Our auditors stated the University complied, in
all material respects, with the types of
compliance requirements that could have a direct
and material effect on each of the University’s
major federal programs for the year ended June
30, 2013.

Our auditors also conducted a compliance
examination of the University for the year ended
June 30, 2013, as required by the Illinois State
Auditing Act.  The auditors qualified their
report on State Compliance for Findings
2013-001, 2013-002, and 2013-003.  Except for
the noncompliance described in these findings,
the auditors stated the University complied, in
all material respects, with the requirements
described in the report.

A financial audit of the University as of and
for the year ended June 30, 2013, was previously
released.

WILLIAM G. HOLLAND
Auditor General

WGH:djn

SPECIAL ASSISTANT AUDITORS

Our special assistant auditors for this
engagement were BKD, LLP.