REPORT DIGEST

ILLINOIS STATE UNIVERSITY

COMPLIANCE EXAMINATION FOR THE YEAR ENDED JUNE 30, 2023

Release Date: May 2, 2024

FINDINGS THIS AUDIT: 11

CATEGORY: NEW -- REPEAT -- TOTAL
Category 1: 2 -- 1 -- 3
Category 2: 2 -- 6 -- 8
Category 3: 0 -- 0 -- 0
TOTAL: 4 -- 7 -- 11

FINDINGS LAST AUDIT: 11

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, 400 West Monroe, Suite 306, Springfield, IL 62704-9849, (217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

INTRODUCTION

This digest covers the Compliance Examination of Illinois State University for the year ended June 30, 2023. A separate digest covering the University’s financial audit as of and for the year ended June 30, 2023 was previously released on February 22, 2024. In addition, a separate digest covering the University’s Single Audit for the year ended June 30, 2023, was previously released on March 28, 2024. In total, this report contains 11 findings, four of which were reported within the University’s financial audit and single audit.

SYNOPSIS

• (23-05) The University had not implemented adequate internal controls related to cybersecurity programs and practices and control of confidential information.
• (23-09) The University did not always ensure compliance with the University Faculty Research and Consulting Act and University policies regarding outside employment.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

WEAKNESSES IN CYBERSECURITY PROGRAMS AND PRACTICES

The Illinois State University (University) had not implemented adequate internal controls related to cybersecurity programs and practices and control of confidential information.

The University utilizes various applications which contain a significant amount of critical and confidential data, such as names, addresses, Social Security numbers, banking information, etc.

The Illinois State Auditing Act (30 ILCS 5/3-2.4) requires the Auditor General to review State agencies and their cybersecurity programs and practices. During our examination of the University’s cybersecurity program, practices, and control of confidential information, we noted the University had not:

• Developed policies regarding configuration management, system development, training, onboarding, and backup verification and offsite storage.
• Formally reviewed the Policy on Appropriate Use of Information Technology Resources and Systems (Appropriate Use Policy) since 2011.
• Conducted security awareness training.
• Conducted a comprehensive risk assessment or implemented risk reducing controls within the examination period.
• Reviewed their Data Classification Policy since 2015.
• Classified their data in accordance with the data classification methodology.
• Documented the security solutions utilized to monitor the security of their assets.
• Developed a comprehensive cybersecurity plan.

It was also noted the University could not provide a population of vulnerabilities identified during the examination period.

Further, this finding was first noted during the University’s Fiscal Year 2019 State compliance examination. As such, University management has been unsuccessful in implementing a corrective action plan to remedy these deficiencies. (Finding 5, pages 14-16) This finding has been reported since 2019.

We recommended the University:

• Develop policies regarding configuration management, system development, training, onboarding, and backup verification and offsite storage.
• Conduct security awareness training.
• Conduct a comprehensive risk assessment and implement risk reducing controls.
• Review the Appropriate Use Policy and the Data Classification Policy at least annually.
• Classify their data in accordance with the data classification methodology.
• Document the security solutions utilized to monitor the security of their assets.
• Develop a comprehensive cybersecurity plan.
• Strengthen controls to identify the population of vulnerabilities.

University officials accepted the finding.

NONCOMPLIANCE WITH THE UNIVERSITY FACULTY RESEARCH AND CONSULTING ACT

The Illinois State University (University) did not always ensure compliance with the University Faculty Research and Consulting Act (Act) and University policies regarding outside employment.

During Fiscal Year 2023, faculty members reported 105 instances of outside employment to the University Provost. During testing, the auditors noted the following:

• 26 of 66 (39%) instances had the Request for Approval of Secondary/Outside Employment Form (Form PERS 927) submitted by the faculty member for approval by the University’s Provost between 1 to 189 days late.
• 38 of 66 (58%) instances had Form PERS 927 approved by the University’s Provost between 1 to 498 days late.
• 23 of 66 (35%) instances did not have the Annual Report of Secondary/Outside Employment (PERS 928) submitted by the faculty member.
• 3 of 66 (5%) instances had the Form 928 submitted by the faculty member to the University’s Provost approved between 6 to 60 days late.
• 1 of 66 (2%) instances had the Form 928 submitted by the faculty member to the University’s Provost, however it was not approved.

Further, this finding was first noted during the University’s Fiscal Year 2012 State compliance examination. As such, University management has been unsuccessful in implementing a corrective action plan to remedy these deficiencies. (Finding 9, pages 22-23) This finding has been reported since 2012.

We recommended the University’s Provost take appropriate corrective action and implement internal controls to ensure faculty members with outside research, consulting services, or employment receive written pre-approval to conduct the requested activity and annually disclose the time spent on these activities in accordance with State law and University policy.

University officials accepted the finding and stated they continue to inform faculty of the reporting obligation.

OTHER FINDINGS

The remaining findings are reportedly being given attention by the University. We will review the University’s progress towards the implementation of our recommendations in our next State compliance examination.

AUDITOR’S OPINIONS

The financial audit report was previously released. The auditors stated the financial statements as of and for the year ended June 30, 2023 are fairly stated in all material respects.

The single audit report was previously released. The auditors conducted a single audit of the University as required by the Uniform Guidance. The auditors stated the University complied, in all material respects, with the types of compliance requirements that could have a direct and material effect on the University’s major federal programs for the year ended June 30, 2023.

ACCOUNTANT’S OPINION

The accountants conducted a State compliance examination of the University for the year ended June 30, 2023, as required by the Illinois State Auditing Act. The accountants qualified their report on State compliance for Findings 2023-001 thru 2023-003. Except for the noncompliance described in these findings, the accountants stated the University complied, in all material respects, with the requirements described in the report.

This State compliance examination was conducted by FORVIS LLP.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:TLK