REPORT DIGEST CHICAGO STATE UNIVERSITY FINANCIAL AUDIT FOR THE YEAR ENDED JUNE 30, 2022 Release Date: February 23, 2023 FINDINGS THIS AUDIT: 2 CATEGORY: NEW -- REPEAT -- TOTAL Category 1: 0 -- 1 -- 1 Category 2: 0 -- 1 -- 1 Category 3: 0 -- 0 -- 0 TOTAL: 0 -- 2 -- 2 FINDINGS LAST AUDIT: 3 Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance). Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations. Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations. State of Illinois, Office of the Auditor General FRANK J. MAUTINO, AUDITOR GENERAL To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703 (217) 782-6046 or TTY (888) 261-2887 This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov INTRODUCTION This digest covers the Chicago State University’s (University) Financial Audit as of and for the year ended June 30, 2022. The University’s State Compliance Examination and Single Audit reports will be separately issued at a later date. SYNOPSIS • (22-01) The University did not have adequate internal control over reporting its census data and did not have a reconciliation process to provide assurance census data submitted to its pension and other postemployment benefits (OPEB) plans was complete and accurate. • (22-02) The University did not maintain adequate controls over computer security. FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS INADEQUATE INTERNAL CONTROLS OVER CENSUS DATA The University did not have adequate internal control over reporting its census data and did not have a reconciliation process to provide assurance census data submitted to its pension and other postemployment benefits (OPEB) plans was complete and accurate. During testing, we noted the following: • The University had not performed an initial complete reconciliation of its census data recorded by the State Universities Retirement System (SURS) to its internal records to establish a base year of complete and accurate census data. • The University had not developed a process to annually obtain from SURS the incremental changes recorded by SURS in their census data records and reconcile these changes back to the University’s internal supporting records. • During our cut-off testing of data transmitted by the University to SURS, we noted 16 instances of an active employee becoming inactive were reported to SURS after the close of the fiscal year in which the event occurred. • The University did not timely notify SURS of the re-employment of one of four (25%) annuitants tested. The University notified SURS 123 days late. (Finding 1, pages 70-72) This finding has been reported since 2020. We recommended the University continue to work with SURS to complete the base year reconciliation of Fiscal year 2021 active members’ census data from its underlying records to a report of census data submitted to SURS’ actuary and the Department of Central Management Services’ (CMS) actuary. In addition, we recommended after completing an initial full reconciliation, the University may limit the annual reconciliations to focus on the incremental changes to the census data file from the prior actuarial valuation, provided no risks are identified that incomplete or inaccurate reporting of census data may have occurred during prior periods. Further, we recommended the University ensure all events occurring within a census data accumulation year are timely reported to SURS so these events can be incorporated into the census data provided to SURS’ actuary and CMS’ actuary. University officials agreed with the recommendation and stated the University has been working with SURS to develop a reconciliation process. WEAKNESSES OVER COMPUTER SECURITY The University did not maintain adequate controls over computer security. During testing, we noted: • Separated employees continued to have access to the University’s environment. • Weaknesses over data center physical security. • Weaknesses over network configurations and recovery. • Information Technology (IT) infrastructure was not secured properly (Finding 2, pages 73-74). This finding has been repeated since 2020. We recommended the University ensure timely deactivation of separated users’ access, ensure adequate physical security over the data center, ensure network configurations are adequately maintained, implemented, and able to be recovered, and ensure the IT infrastructure is properly secured. University officials concurred with the recommendation and stated the University was developing a corrective action plan to address the lack of controls over computer systems. AUDITOR’S OPINION The auditors stated the financial statements of the University as of and for the year ended June 30, 2022, are fairly stated in all material respects. The financial audit was conducted by Roth & Company, LLP. JANE CLARK Division Director This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act. FRANK J. MAUTINO Auditor General FJM:vrb