REPORT DIGEST

SOUTHERN ILLINOIS UNIVERSITY

COMPLIANCE EXAMINATION
FOR THE YEAR ENDED JUNE 30, 2023

Release Date:  July 18, 2024

FINDINGS THIS AUDIT: 17

CATEGORY:  NEW -- REPEAT – TOTAL
Category 1:  0 -- 2 -- 2
Category 2:  5 -- 10 -- 15
Category 3:  0 -- 0 -- 0
TOTAL:  5 -- 12 -- 17

FINDINGS LAST AUDIT: 21

State of Illinois, Office of the Auditor
General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact:
Office of the Auditor General, 400 West
Monroe, Suite 306, Springfield, IL
62704-9849
(217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also
available on the worldwide web at
www.auditor.illinois.gov

INTRODUCTION

This digest covers Southern Illinois
University’s (University) Compliance
Examination for the year ended June 30,
2023. Separate digests covering the
University’s Financial Audit and Single
Audit were previously released on March 5,
2024 and March 28, 2024. In total, this
report contains 17 findings, 2 of which were
reported in the Financial Audit and Single
Audit collectively.

SYNOPSIS

• (23-5) The University lacked adequate
controls over the review of internal control
of its service providers.
• (23-7) Southern Illinois University
Edwardsville (SIUE) had not completed all
requirements to demonstrate full compliance
with the Payment Card Industry Data Security
Standards (PCI DSS).
• (23-11) The University did not maintain a
minimum of one approved course per major
under the Illinois Articulation Initiative
(Initiative or IAI) for some majors offered
by the University.
• (23-16) The University did not complete
its annual census data reconciliation and
certifications.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

LACK OF ADEQUATE CONTROLS OVER THE REVIEW OF
INTERNAL CONTROLS FOR SERVICE PROVIDERS

The University lacked adequate controls over
the review of internal control of its
service providers.

The University utilized over 100 service
providers for various services.

The University did not have adequate
controls to ensure all third-party service
organizations were identified by university
departments in order to perform annual
reviews of the need for Service Organization
Control (SOC) reports.

We further noted the risk assessment
questionnaire for onboarding vendors and
service providers did not consistently
document the sensitive data and related
processing performed by the service
providers, or document alternate means of
addressing service providers’ risks beyond
review of SOC reports. Also, University
personnel lacked sufficient guidance for
completing their assessments.  Due to these
conditions,
we were unable to conclude the University’s
records of third-party service providers
were complete, accurate, and reliable.

We selected a sample of service providers
from the listings provided and noted
instances where:

• Contracts and/or SOC reports for service
providers were not obtained.
• Contracts did not require submission of a
SOC report.
• Campuses had not completed a SOC Report
Review Checklist or documented mapping of
internal controls at the University to key
complementary user entity controls (CUECs)
noted in SOC reports tested. (Finding 5,
pages 22-24) This finding has been reported
since 2018.

We recommended the University strengthen its
process and controls to identify and
document all service providers utilized and
determine and document if a review of
controls is required. Where appropriate, we
recommended the University:

• Obtain SOC reports (or perform independent
reviews) and document the assessment of
internal controls associated with outsourced
systems at least annually.
• Monitor and adequately document the
operation of the CUECs related to the
University’s operations.
• Review contracts with service providers to
ensure applicable requirements over the
independent review of internal controls are
included.
The University stated they agree and
implementation continues. The University
also stated continued efforts will be made
to further refine their process for
identifying and managing service providers.

The University also stated progress has been
and is being made and noted that processes
in place with respect to the service
providers material to their financial
statements have been refined and are
functioning as designed.

WEAKNESS WITH PAYMENT CARD INDUSTRY DATA
SECURITY STANDARDS

Southern Illinois University Edwardsville
(SIUE) had not completed all requirements to
demonstrate full compliance with the Payment
Card Industry Data Security Standards (PCI
DSS).

The University is responsible for confirming
merchants complete Self-Assessment
Questionnaires (SAQs) per the guidance of
the Payment Card Industry (PCI) Security
Standards Council and within the context of
what is considered applicable to the
University in order to properly attest to
PCI requirements. In Fiscal Year 2023, SIUE
handled approximately 406,021 transactions
estimated at $7,165,077.

During our review, we noted SIUE did not
ensure that appropriate Self-Assessment
Questionnaires (SAQs) were completed and the
service providers for all merchant IDs were
identified to ensure PCI compliance. SIUE
did not complete the annual SAQ during
Fiscal Year 2023 and did not have a complete
population of SAQs that are appropriate for
their cardholder environment. (Finding 7,
pages 28-29) This finding has been reported
since 2020.

We recommended SIUE strengthen its controls
to identify all service providers. We
further recommended the campus:

• At least annually, properly assess each
program accepting credit card payments, the
methods in which payments can be made, and
match these methods to the appropriate SAQ.
• Complete the required SAQ.
• Ensure all service providers are evaluated
for compliance with PCI requirements.

The University stated they agree and noted
that a consultant had been engaged to assist
with remediating these weaknesses, however
there was not sufficient time to execute all
corrective actions during FY23. The
University also stated they expect to be SAQ
compliant by FY24 year-end.

NONCOMPLIANCE WITH ILLINOIS ARTICULATION
INITIATIVE

Southern Illinois University (University)
did not maintain a minimum of one approved
course per major under the Illinois
Articulation Initiative (Initiative or IAI)
for some majors offered by the University.

The Initiative, through its itransfer.org
website, exists to ease the transfer of
students among the State’s associate and
baccalaureate degree granting institutions.
The Initiative consists of both a General
Education Core Curriculum package, where
completion of the entire package at one
institution is fully accepted by 108
institutions across the State, and an
Initiative major, which provides guidance
for students with uncertain transfer plans.

During Fiscal Year 2023, the University did
not have a minimum of one course approved by
the Initiative panel included within the
related Initiative major for its early
childhood education, political science, or
physics (SIUE) degree programs.

University management stated they had a
different interpretation of the Act’s
requirements and did not believe they had,
nor were required to offer, equivalent
courses for all majors.

The auditors noted the General Assembly
required participation in the Initiative to
enhance the ability of students to transfer
to any of the participating institutions
without having to retake courses similar to
courses they took at their initial
institution. Further, the University’s
interpretation of the Act that any
incongruence within a course descriptor
means equivalent courses are not offered and
do not require any modification or
convergence among the participation
institutions would frustrate the legislative
purpose of the Act. (Finding 11, pages
35-36)  This finding has been reported since
2020.

We recommended the University continue to
monitor courses offered and approved for
equivalent majors and ensure courses meeting
the major panel requirements are submitted
for review.

The University stated they will continue
efforts to reconcile the differing
interpretations, and as recommended will
continue to monitor courses offered and
approved for the identified majors and
ensure courses meeting the major panel
requirement are submitted for review. The
University stated both campuses are actively
working on identifying and gaining approvals
for IAI Majors courses and noted they are
making progress toward full compliance.

CENSUS DATA RECONCILIATION

Southern Illinois University (University)
did not complete its annual census data
reconciliation and certifications.

During our testing, we noted that neither
campus reconciled changes in SURS member
data to University records or submitted the
required census data reconciliation
certifications for FY22 data, as required by
SURS, by May 31, 2023, although they had a
process in place to do so. (Finding 16,
pages 44-45)

We recommended the University dedicate
specific resources to complete annual
reconciliations of census data and to submit
certifications and potential errors
identified by the required due date. We
further recommended the University promptly
reconcile the Fiscal Year 2022 census data,
submit the required certifications and any
potential errors noted to SURS, and work
with SURS to address any differences noted.

The University stated they agree and
responded that they have taken measures to
prioritize timely submission of the SURS
census data reconciliation report going
forward.  The University also noted that
they verify data as requested by SURS before
any individual retirement account actions
are taken.

OTHER FINDINGS

The remaining findings pertain to internal
controls over employee data reported to
SURS, student enrollment reporting, faculty
timesheets, computer inventory, information
technology, and compliance with statutory
mandates.

We will review the Agency’s progress towards
the implementation of our recommendations in
our next State compliance examination.

AUDITOR’S OPINIONS

The auditors stated the financial statements
of the University as of and for the years
ended June 30, 2023 are fairly stated in all
material respects.

The auditors also conducted a Single Audit
of the University as required by the Uniform
Guidance.  The auditors stated the
University complied, in all material
respects, with the types of compliance
requirements that could have a direct and
material effect on the University’s major
federal programs for the year ended June 30,
2023.

ACCOUNTANT’S OPINION

The accountants conducted a State compliance
examination of the University for the year
ended June 30, 2023, as required by the
Illinois State Auditing Act. The accountants
qualified their report on State compliance
for Findings 2023-005 and 2023-007.  Except
for the noncompliance described in these
findings, the accountants stated the
University complied, in all material
respects, with the requirements described in
the report.

This financial audit, single audit, and
State compliance examination was conducted
by Plante Moran.

JANE CLARK
Division Director

This report is transmitted in accordance
with Section 3-14 of the Illinois State
Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:lkw