REPORT DIGEST

CHICAGO STATE UNIVERSITY

FINANCIAL AUDIT FOR THE YEAR ENDED JUNE 30, 2021

Release Date: June 22, 2022

FINDINGS THIS AUDIT: 3

CATEGORY:     NEW -- REPEAT -- TOTAL
Category 1:   0 -- 1 -- 1
Category 2:   0 -- 2 -- 2
Category 3:   0 -- 0 -- 0
TOTAL:        0 -- 3 -- 3

FINDINGS LAST AUDIT: 3

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703, (217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

INTRODUCTION

This digest covers the Chicago State University’s (University) Financial Audit as of and for the year ended June 30, 2021. The University’s Compliance Examination and Single Audit reports were separately issued.

SYNOPSIS

• (21-02) The University had weaknesses over change management.
• (21-03) The University did not have adequate internal control over reporting its census data and did not have a reconciliation process to provide assurance census data submitted to its pension and other postemployment benefits (OPEB) plans was complete and accurate.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

CHANGE CONTROL WEAKNESSES

The University had weaknesses over change management. We tested a sample of seven program changes made to the University’s Enterprise Application Software, noting:

• Seven changes (100%) did not have a change request documented.
• Seven changes (100%) did not have evidence of approval prior to the development of the change.
• Seven changes (100%) were developed and deployed to the production environment by the same individual without maintaining adequate segregation of duties.
• Four changes (57%) did not have evidence of user acceptance testing and approval prior to deployment of the changes to the production environment.

(Finding 2, pages 68-69)

We recommended the University comply with its Change Management Process, including the completion of Request for Change forms, approval of changes prior to development, and testing and approval of changes prior to implementation to production. In addition, we recommended adequate segregation of duties be observed to prevent the risk that unauthorized changes are moved to production.

University officials concurred with the recommendation.

INADEQUATE INTERNAL CONTROLS OVER CENSUS DATA

The University did not have adequate internal control over reporting its census data and did not have a reconciliation process to provide assurance census data submitted to its pension and other postemployment benefits (OPEB) plans was complete and accurate. During testing, we noted the following:

• The University had not performed an initial complete reconciliation of its census data recorded by the State Universities Retirement System (SURS) to its internal records to establish a base year of complete and accurate census data.
• The University had not developed a process to annually obtain from SURS the incremental changes recorded by SURS in their census data records and reconcile these changes back to the University’s internal supporting records.

(Finding 3, pages 70-74)

We recommended the University work with SURS to annually reconcile its active members’ census data from its underlying records to a report of census data submitted to SURS’ actuary and CMS’ actuary.
In addition, we recommended after completing an initial full reconciliation, the University may limit the annual reconciliations to focus on the incremental changes to the census data file from the prior actuarial valuation, provided no risks are identified that incomplete or inaccurate reporting of census data may have occurred during prior periods.

University officials agreed with the recommendation and stated the University has been working with SURS and CMS to develop a reconciliation process. University officials also stated the University requested and received necessary employee data from SURS and Governor’s State University and has acted accordingly on that information. University officials further stated documentation and cross-training has also begun to improve processes, minimize errors, and provide a system of secondary review.

OTHER FINDING

The remaining finding pertains to weaknesses over computer security. We will review the University’s progress towards the implementation of our recommendations in our next audit.

AUDITOR’S OPINION

The auditors stated the financial statements of the University as of and for the year ended June 30, 2021, are fairly stated in all material respects.

The financial audit was conducted by Roth & Company, LLP.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:vrb