REPORT DIGEST

CHICAGO STATE UNIVERSITY

COMPLIANCE EXAMINATION
FOR THE YEAR ENDED JUNE 30, 2021

Release Date:  June 22, 2022

FINDINGS THIS AUDIT:  10

CATEGORY:  NEW -- REPEAT – TOTAL
Category 1:  0 -- 1 -- 1
Category 2:  1 – 8 -- 9
Category 3:  0 -- 0 -- 0
TOTAL:  1 -- 9 -- 10

FINDINGS LAST AUDIT: 14

Category 1: Findings that are material
weaknesses in internal control and/or
a qualification on compliance with
State laws and regulations (material
noncompliance).
Category 2: Findings that are
significant deficiencies in internal
control and noncompliance with State
laws and regulations.
Category 3: Findings that have no
internal control issues but are in
noncompliance with State laws and
regulations.

State of Illinois, Office of the
Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report
contact:
Office of the Auditor General, Iles
Park Plaza, 740 E. Ash Street,
Springfield, IL 62703
(217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are
also available on the worldwide web at
www.auditor.illinois.gov

INTRODUCTION

This digest covers the Compliance
Examination of Chicago State
University (University) for the year
ended June 30, 2021.  Separate digests
covering the University’s Financial
Audit and Single Audit were separately
released.  In total, this report
contains ten findings, five of which
were reported in the Financial Audit
and Single Audit.

SYNOPSIS

• (21-06) The University did not have
adequate controls over its contractual
service expenditures.

• (21-07) The University did not
conduct adequate independent internal
control reviews over its   service
providers’ System and Organization
Controls (SOC) reports.

• (21-08) The University did not fully
comply with the requirements of the
Chicago State University Law regarding
flexible hours positions.


FINDINGS, CONCLUSIONS, AND
RECOMMENDATIONS


INADEQUATE CONTROLS OVER CONTRACTUAL
SERVICES EXPENDITURES

The University did not have adequate
controls over its contractual service
expenditures.

During our review of 25 contracts
(totaling $1,451,591), including
purchase orders, executed during the
fiscal year ended June 30, 2021, we
noted the following:

• One exempt purchase (totaling
$50,000) was published in the Illinois
Procurement Bulletin 63 days late.

• Three contracts (totaling $138,380)
were executed subsequent to the start
date of the contracts.  The contract
execution dates ranged from 8 to 328
days from the commencement of
services.

• Ten contracts (totaling $892,838)
were not submitted or submitted timely
to the Office of Comptroller.  Of the
ten contracts, nine contracts
(totaling $842,838) were filed 1 to
190 days late and the remaining
contract (totaling $50,000) was not
filed.

• The disclosure of financial interest
statement for one contract (totaling
$76,500) was obtained 426 days after
the execution of the contract.

• One contract (totaling $38,380) was
not supported by three price quotes
from vendors on the University’s
bidders list.

• One contract (totaling $260,000) was
not properly approved. One signatory,
who approved the contract, did not
complete and file a Contract Signature
Authorization Form (Form SCO-470) with
the Office of Comptroller.

• The University indicated there were
no interagency agreements in effect
during the examination period,
however, throughout testing of
University contracts, interagency
agreements were discovered. Due to
these conditions, we were unable to
conclude whether the University’s
population records were sufficiently
precise and detailed under the
Attestation Standards promulgated by
the American Institute of Certified
Public Accountants (AT-C § 205.35) to
test the University’s interagency
agreements.  (Finding 6, pages 24-26)
This finding has been repeated since
2016.

We recommended the University
establish appropriate procedures to
ensure all contracts are completed,
approved, and properly executed prior
to the commencement of services. We
also recommended the University
maintain documentation of its
population of interagency agreements.
Further, we recommended the University
review its procedures to ensure
disclosures are obtained prior to the
execution of contracts, and contracts
are supported by three price quotes
when required, posted in the Illinois
Procurement Bulletin, and filed with
the Office of Comptroller in
accordance with the State statutes and
guidelines.

University officials agreed with the
recommendation and stated the
University has created a monthly
procurement training for staff and
continue to update its procurement
documentation and guidelines.
University officials further stated
purchasing activities that did not
conform to established requirements
would prompt engagement of senior
campus leadership with noncompliant
departments.


LACK OF ADEQUATE CONTROLS OVER REVIEW
OF INTERNAL CONTROLS OVER SERVICE
PROVIDERS

The University did not conduct
adequate independent internal control
reviews over its service providers’
System and Organization Controls (SOC)
reports.

During our testing of six service
providers, we noted the following:

• Six (100%) SOC reports identified
Complementary User Entity Controls
(CUEC) necessary for the service
provider’s system which relies on the
University to implement the CUECs in
order to achieve the service
providers’ control objectives. The
University did not perform an
assessment to determine if it had
implemented the CUECs for each service
provider.

• Five (83%) SOC reports identified
subservice providers. The University
did not perform additional assessments
on the subservice providers to
determine the impact to the
University’s internal control
environment.

• One (17%) SOC report had a qualified
opinion due to deficiencies noted by
the Service Auditor. The University
did not document the deviations and
perform an analysis of the impact of
those deviations on the University’s
internal control environment. (Finding
7, pages 27-29)

We recommended the University:
• Monitor and document the operation
of the CUECs relevant to the
University's operations; and
• Document the deviations noted on SOC
reports and perform an analysis of the
impact of those deviations on the
University’s internal control
environment.

In addition, we recommended for SOC
Reports with subservice providers, the
University should:

• Either obtain and review a SOC
report for each subservice provider or
perform alternative procedures to
satisfy the usage of each subservice
provider would not impact the
University’s internal control
environment; and,
• Document its review of the SOC
reports and review all significant
issues with each subservice provider
to ascertain if a corrective action
plan exists and when it will be
implemented, any impacts to the
University, and any compensating
controls.

University officials agreed with the
recommendation and stated the
University has obtained required SOC
reports and initiated necessary steps
for review and approval of the SOC
reports.

NONCOMPLIANCE WITH THE CHICAGO STATE
UNIVERSITY LAW

The University did not fully comply
with the requirements of the Chicago
State University Law regarding
flexible hours positions.

The University Board of Trustees
(Board) established goals for flexible
hours positions at the University. The
Board passed a resolution in 2013 to
achieve a goal of having 20% of its
employees working on flexible
schedules by 2016.

During testing, we noted the
University reached its 20% goal.
However, the University did not track
the flexible hours worked by the
employees, thus the Board did not
evaluate the effectiveness and
efficiency of the flexible hours
program. (Finding 8, page 30)

We recommended the University track
employees’ flexible hours and
schedules to evaluate the
effectiveness and efficiency of the
program in compliance with the
requirements of the Chicago State
University Law.

University officials agreed with the
recommendation and stated a plan to
create a monitoring mechanism to track
the flexible work schedule was in
development and was expected to begin
in fiscal year 2022. University
officials also stated the monitoring
would allow for assessing the
effectiveness of the flexible hours
program.

OTHER FINDINGS

The remaining findings pertain to
weaknesses over computer security,
change control weaknesses, inadequate
internal controls over census data,
lack of adherence to controls  and
noncompliance with requirement
applicable to Education Stabilization
Fund,  inadequate controls over
preparation of the Schedule of
Expenditures of Federal Awards,
weaknesses in cybersecurity programs
and practices, and inadequate disaster
recovery process. We will review the
University’s progress towards the
implementation of our recommendations
in our next engagement.

ACCOUNTANT’S OPINION

The accountants conducted a State
compliance examination of the
University for the year ended June 30,
2021, as required by the Illinois
State Auditing Act.  The accountants
qualified their report on State
compliance for Finding 2021-003.
Except for the noncompliance described
in this finding, the accountants
stated the University complied, in all
material respects, with the
requirements described in the report.

This State Compliance Examination was
conducted by Roth & Company, LLP.

JANE CLARK
Division Director

This report is transmitted in
accordance with Section 3-14 of the
Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:vrb