REPORT DIGEST SOUTHERN ILLINOIS UNIVERSITY COMPLIANCE EXAMINATION AND SINGLE AUDIT FOR THE YEAR ENDED JUNE 30, 2017 Release Date: March 29, 2018 FINDINGS THIS AUDIT: 13 CATEGORY: NEW -- REPEAT -- TOTAL Category 1: 1 -- 0 -- 1 Category 2: 6 -- 6 -- 12 Category 3: 0 -- 0 -- 0 TOTAL: 7 -- 6 -- 13 FINDINGS LAST AUDIT: 12 Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance). Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations. Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations. State of Illinois, Office of the Auditor General FRANK J. MAUTINO, AUDITOR GENERAL To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703 (217) 782-6046 or TTY (888) 261-2887 This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov INTRODUCTION This digest covers our federal Single Audit and Compliance Examination of Southern Illinois University (University) for the year ended June 30, 2017. A separate Financial Audit as of and for the year ending June 30, 2017, was previously released on March 20, 2018. In total, this report contains 13 findings, one of which was reported in the Financial Audit. SYNOPSIS • (17-2) The University did not have adequate procedures to ensure award accounts were completely closed out timely and the Schedule of Expenditure of Federal Awards expenditures were accurate. • (17-3) The Edwardsville campus did not accurately complete return of title IV calculations for students. • (17-8) The Edwardsville campus did not have proper review procedures to determine if the calculated indirect costs on expenditures for the TRIO programs were appropriate. • (17-9) Controls were inadequate to monitor and maintain the accounts payable master vendor file. • (17-11) The University did not manage the National Corn-to-Ethanol Research Pilot Plant under the review and guidance of the Illinois Ethanol Research Advisory Board. • (17-13) The University’s annual inventory failed to locate 220 computer equipment items with an original acquisition value of $306,005 and could not determine if missing computer items were encrypted. FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS UNTIMELY AWARD CLOSE-OUT AND MISSTATEMENTS ON THE SCHEDULE OF EXPENDITURES OF FEDERAL AWARDS The University did not have adequate procedures in place to ensure award accounts were completely closed out on a timely basis and the expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA) contained the proper information. On each campus, federal award accounts were not completely closed out in a timely manner, causing extraneous entries on the SEFA during subsequent years. During our review of the Carbondale and Edwardsville campus SEFAs for fiscal year 2017, we noted expenditures reported for 53 and 20 federal awards, respectively, which were past the award period of performance end date and the 90-day close-out timeframe. We also noted subrecipient expenditure amounts on the Edwardsville campus SEFA for five (36%) grants with subrecipient expenditures differed from the expenditure detail for the fiscal year by $315,548. (Finding 2, pages 21-25) We recommended the University review internal policies and procedures regarding SEFA close- out and reporting requirements and implement additional procedures to ensure subrecipient grant award expenditures are properly coded and reconciled to SEFA amounts. University officials responded implementation is in process. RETURN OF TITLE IV ERRORS The Edwardsville campus did not accurately complete return of title IV calculations for 18 (30%) of the 60 students tested. We noted: • For eighteen students, the incorrect number of days was used to calculate the return of title IV funds which should have been earned by the students. • For one student, the wrong withdrawal date was used, resulting in erroneous calculation of funds totaling $209 which should have been returned to the Department of Education. (Finding 3, pages 26-28) We recommended the University establish a more thorough review to ensure errors are caught before refunds are processed. We also recommended the University update its academic calendar to ensure funds are properly and timely returned. University officials stated corrective action has been implemented. INADEQUATE REVIEW PROCEDURES FOR INDIRECT COST CALCULATIONS The Edwardsville campus did not have proper review procedures in place to determine if the calculated indirect costs on expenditures for the TRIO programs were appropriate. We tested 12 quarterly calculations and noted : • Four (25%) calculations erroneously included costs, resulting in questioned costs of $2,945. • Nine (75%) calculations tested lacked adequate review or approval to identify errors. (Finding 8, pages 39-41) We recommended the University implement procedures to more thoroughly review calculations to ensure the correct spreadsheet was used and enforce compliance with established internal controls, including program management review and approval. University officials stated corrective action has been implemented. INADEQUATE PROCEDURES OVER MAINTENANCE OF THE ACCOUNTS PAYABLE MASTER VENDOR FILE The University had inadequate controls in place to monitor and maintain the accounts payable master vendor file. The master file included an excessive number of vendor files with no activity, and the University had no policy to revoke approval to issue payments to non-active vendors in order to prevent inappropriate payments. We noted: “Active” Accounts Payable Vendor Files With No Activity Active Vendor Sites: 363,447 No Activity for 2 Years: 294,957 (81.2%) No Activity for 5 Years: 245,746 (67.6%) No Activity for 10 Years: 137,997 (38.0%) Sites That Were Never Written a Check: 27,917 (7.7%) We also noted the list of active accounts payable vendors included former employees and former students which no longer had a business relationship with the University. The file included 32,419 vendor sites designated as employees and 185,218 vendor sites designated as students. (Finding 9, pages 42-43) We recommended the University review and implement stronger internal controls in order to monitor and maintain the accounts payable master vendor file, including adopting a policy to deactivate vendors with no activity over a reasonable period of time. University officials agreed with the finding and responded they would research and adopt a policy to deactivate inactive vendors. NONCOMPLIANCE WITH THE SOUTHERN ILLINOIS UNIVERSITY MANAGEMENT ACT (ILLINOIS ETHANOL RESEARCH ADVISORY BOARD) The University did not manage the National Corn-to-Ethanol Research Pilot Plant (Pilot Plant) under the review and guidance of the Illinois Ethanol Research Advisory Board (Advisory Board). The Advisory Board had not met since 2012 due to lack of a quorum. As a result, the Advisory Board had not performed its duties of providing review and guidance to the University Board of Trustees to assist in operating and managing the Pilot Plant as required by State statute. However, the Edwardsville campus had continued to manage the Pilot Plant under the guidance of a stakeholders group. Six of the thirteen Board members are appointed by the Governor and have expired terms. The Advisory Board is required to meet annually and has the following duties: • Review of annual operating plans and budget of the National Corn-to-Ethanol Research Pilot Plant, • Advising on research and development priorities and projects to be carried out at the Pilot Plant, • Advising on policies and procedures regarding the management and operation of the Pilot Plant, • Developing bylaws, • Submitting a final report to the Governor and General Assembly outlining the progress and accomplishments made during the year along with a financial report for the year, and • Establishing and operating the Pilot Plant with purposes and goals including conducting research, providing training, consulting, developing demonstration projects and serving as an independent resource to the ethanol industry. (Finding 11, pages 46-48) We recommended University officials continue to work with the seven existing Advisory Board members to schedule an annual meeting that all seven members can attend, thereby achieving a quorum, so the board can perform its duties under the Act. We further recommended the University continue to work with the Governor’s Office of Executive Appointments to fill the vacancies on the Advisory Board. University officials agreed with the finding and responded they would continue to work with the Advisory Board to achieve a quorum and with the Governor’s Office of Executive Appointments to fill the vacancies in the Board. WEAKNESSES IN COMPUTER INVENTORY CONTROL The University was unable to locate 220 computer equipment items from the Carbondale campus during their annual inventory The original cost of these items totaled $306,005. The computers noted as missing represent 0.17% percent of the University’s total computer related inventory at June 30, 2017. Although the University had established procedures for requiring encryption on computers that could have confidential information on them, the University could not determine if the missing computer items were encrypted. Since the University was not able to identify whether the missing items contained confidential information or were encrypted, the auditors could not determine if the items had confidential information exposed. (Finding 13, pages 51-52) This finding was first reported in 2012. We recommended the University: • Continue to review current practices to determine if enhancements can be implemented to prevent the theft or loss of computers. • Continue to evaluate and secure new computers as necessary to ensure that confidential information is protected. • Perform and document an evaluation of data maintained on computers and ensure those containing confidential information are adequately tracked and protected with methods such as encryption. University officials responded implementation is in process and detailed corrective actions underway. (For previous University response, see Digest Footnote #1.) OTHER FINDINGS The remaining findings pertain to Single Audit compliance, faculty timesheets, and an unfunded mandate. We will review the University’s progress towards the implementation of our recommendations in our next Single Audit and compliance examination. AUDITOR’S OPINIONS The financial audit report was previously released. The auditors stated the financial statements of the University as of and for the year ended June 30, 2017, are fairly stated in all material respects. The auditors also conducted a Single Audit of the University as required by the Uniform Guidance. The auditors stated the University complied, in all material respects, with the types of compliance requirements that could have a direct and material effect on the Agency’s major federal programs for the year ended June 30, 2017. ACCOUNTANT’S OPINION The accountants conducted a compliance examination of the University for the year ended June 30, 2017, as required by the Illinois State Auditing Act. The accountants qualified their report on State compliance for Finding 2017-001. Except for the noncompliance described in this finding, the accountants stated the University complied, in all material respects, with the requirements described in the report. This Single Audit and compliance examination were conducted by CliftonLarsonAllen LLP. JANE CLARK Division Director This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act. FRANK J. MAUTINO Auditor General FJM:LKW DIGEST FOOTNOTES #1 –WEAKNESS IN COMPUTER INVENTORY CONTROL – prior response 2016: Accept. SIU will continue its efforts to improve inventory practices in order to further reduce instances of theft or loss of computers. We will also continue efforts to evaluate and secure new and existing networked computers, as necessary, in order to protect confidential information. Such measures will continue to include communication of applicable user policies, controlled access to confidential information based on user roles, use of available tools to scan network for computers for confidential information, and encryption in situations where it is deemed appropriate. Lastly, we will explore ways to better document our assessment practices, in order to track those containing confidential information and demonstrate they are protected. However, we are limited by our current budget situation and resources, and furthermore, it may be necessary to phase in such efforts as new computers are purchased. Corrective actions will be a joint effort between Information Technology, Property Control and Department staff.