REPORT DIGEST

STATE UNIVERSITIES RETIREMENT SYSTEM

COMPLIANCE EXAMINATION FOR THE TWO YEARS ENDED JUNE 30, 2023

Release Date: May 23, 2024

FINDINGS THIS AUDIT: 4

CATEGORY       NEW   REPEAT   TOTAL
Category 1:      0        1       1
Category 2:      3        0       3
Category 3:      0        0       0
TOTAL:           3        1       4

FINDINGS LAST AUDIT: 2

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, 400 West Monroe, Suite 306, Springfield, IL 62704-9849, (217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

INTRODUCTION

This digest covers our compliance examination of the State Universities Retirement System (System) for the two years ended June 30, 2023. A separate digest covering the System’s Financial Audit as of and for the year ended June 30, 2023, was previously released on February 29, 2024. In total, this report contains 4 findings, 1 of which was reported in the Financial Audit.

SYNOPSIS

• (23-4) The System had weaknesses over the controls within the information technology (IT) environment.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

INFORMATION TECHNOLOGY CONTROL SECURITY WEAKNESSES

The State Universities Retirement System (System) had weaknesses over the controls within the information technology (IT) environment.

The System relies on its computing environment for maintaining several critical, sensitive, and/or confidential systems for financial reporting and meeting its mission. During testing of the System’s information technology security controls, we noted:

Change Management

The System did not have a sufficient change management policy documenting the internal controls over changes for the membership application and data. Furthermore, the System’s policy does not require a formal, documented post-implementation review of changes.
Although the System did not have a sufficient internal control policy, we tested a sample of changes to the membership application to ensure they were approved and segregation of duties existed, noting no exceptions.

Access Provisioning

During testing of terminated users’ access, we noted 3 of 3 (100%) sample terminated users’ access was not terminated immediately, in accordance with internal policy. The terminated users’ access was terminated the next business day. The System’s Computer Account Guidelines states a terminated user’s access is to be removed immediately.

Policy Review

During testing of the System’s review of policies, we noted the Employee Security Handbook and the Access Policy had not been reviewed within the last two years. The System’s IT Governance Policy requires internal policies to be reviewed at least every two years.

Although the System had developed a change management policy, it did not address control over emergency changes, approval to move changes to the production environment, and proper segregation of duties. (Finding 4, pages 12-13)

We recommended the System:

• Develop a change management policy documenting the internal controls over changes to its applications and data and require a documented post-implementation review process.
• Process system access changes in accordance with the established policy.
• Include the Employee Security Handbook and Access Policy in the set cadence of policy review.

System officials accepted the finding.

OTHER FINDINGS

The remaining findings pertain to inadequate controls over service providers, failure to record expenditures in the correct Fiscal Year and a lack of disaster recovery testing. We will review the System’s progress towards the implementation of our recommendations in our next State compliance examination.

AUDITOR’S OPINION

The auditors stated the financial statements of the System as of and for the year ended June 30, 2023 are fairly stated in all material respects.

ACCOUNTANT’S OPINION

The accountants conducted a compliance examination of the System for the year ended June 30, 2023, as required by the Illinois State Auditing Act. The accountants qualified their report on State Compliance for Finding 2023-001. Except for the noncompliance described in that finding, the accountants stated the System complied, in all material respects, with the requirements described in the report.

This compliance examination was conducted by RSM US, LLP.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:TLK