REPORT DIGEST

EASTERN ILLINOIS UNIVERSITY

COMPLIANCE EXAMINATION
FOR THE TWO YEARS ENDED JUNE 30, 2021

Release Date: July 6, 2022

FINDINGS THIS AUDIT: 8

CATEGORY       NEW    REPEAT    TOTAL
Category 1:     0       1         1
Category 2:     2       4         6
Category 3:     1       0         1
TOTAL:          3       5         8

FINDINGS LAST AUDIT: 9

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703
(217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

INTRODUCTION

This digest covers Eastern Illinois University’s (University) Compliance Examination for the year ended June 30, 2021. A separate digest covering the University’s Financial Audit was previously released on June 22, 2022. In addition, a separate digest covering the University’s Single Audit was separately released. In total, this report contains 8 findings, one of which was reported in the Financial Audit and Single Audit.

SYNOPSIS

• (21-4) The University did not obtain or conduct independent internal control reviews over certain service providers.
• (21-6) The University subsidized operations of University activities between accounting entities during fiscal year 2021.
• (21-7) The University had weaknesses over the security of its computers.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

LACK OF ADEQUATE CONTROLS OVER SERVICE PROVIDERS

The University did not obtain or conduct independent internal control reviews over certain service providers.

During our testing of the six service providers, we noted:

• Two (33%) service provider contracts did not address the security, integrity, availability, confidentiality, and privacy controls over the University’s applications and data.
• A System and Organization Controls (SOC) report was not obtained for one (17%) service provider.
• The University did not obtain a bridge letter extending through the end of the engagement period for four (67%) service providers.

(Finding 4, pages 16-17) This finding was first reported in 2019.

We recommended the University ensure the contracts with the service providers address the security, integrity, availability, confidentiality, and privacy controls over the University’s applications and data, obtain SOC reports from all service providers, and obtain bridge letters if the SOC report does not extend through the end of the engagement period.

University officials stated they will continue to request and evaluate SOC reports and bridge letters where they are available from the vendor. Where those reports and bridge letters are unavailable, and testing cannot be reasonably accomplished, University officials stated they will consider the risk versus the necessity of the service providers.

NONCOMPLIANCE WITH UNIVERSITY GUIDELINES

The University subsidized operations of University activities between accounting entities during fiscal year 2021. Activities are functions which are self-supporting in whole or in part, which are directly related to instructional, research, or service units.

During our review of compliance with the University Guidelines, we noted several accounting entities which did not have a positive operating cash balance at any point during the fiscal year.
Some of the issues included:

• The Continuing Education Contract Credit accounting entity had negative operating cash balances at the beginning and end of the fiscal year, totaling $0.6 million and $1.3 million, respectively.
• The Unique Charges Credit Courses accounting entity had negative operating cash balances at the beginning and end of the fiscal year, totaling $.06 million and $0.05 million, respectively.
• The Student Fee Programs accounting entity had negative operating cash balances at the beginning and end of the fiscal year, totaling $2.6 million and $2.1 million, respectively.
• The Student Facilities accounting entity had negative cash balances at the beginning and end of the fiscal year, totaling $3.1 million and $2.4 million, respectively.

(Finding 6, pages 19-20)

We recommended the University annually review the activities of each accounting entity, ensure fees charged for services are sufficient to cover expenditures, and take appropriate corrective actions to ensure subsidies between accounting entities do not continue.

University officials partially agreed with the recommendation and stated they review annually the financial position and consider changes to fees and other charges, but due to competitive pressures, they are sometimes unable to raise fees to fully recover the costs sufficiently to cover the costs of some operations.

WEAKNESSES IN SECURITY OVER COMPUTERS

The University had weaknesses over the security of computers.

During the examination period, we noted the University encrypted approximately 15% of its laptop and desktop computers. Furthermore, we noted 1,600 of 1,873 (85%) computers required encryption to be installed. Additionally, we noted 152 hard drives removed from computers sent to the University’s warehouse for surplus had not been properly destroyed or sanitized/wiped of data.
(Finding 7, pages 21-22)

We recommended the University ensure all laptops and computer equipment have adequate security such as encryption installed. Additionally, we recommended the University destroy and/or wipe its devices currently held in its internal surplus.

University officials agreed with the recommendation and stated they are working to encrypt all laptop computers.

OTHER FINDINGS

The remaining findings are reportedly being given attention by the University. We will review the University’s progress towards the implementation of our recommendations in our next State Compliance Examination.

AUDITOR’S OPINIONS

The financial audit report was previously released. The auditors stated the financial statements as of and for the year ended June 30, 2021 are fairly stated in all material respects.

The single audit report was separately released. The auditors conducted a single audit of the University as required by the Uniform Guidance. The auditors stated the University complied, in all material respects, with the types of compliance requirements that could have a direct and material effect on the University’s major federal programs for the year ended June 30, 2021.

ACCOUNTANT’S OPINION

The accountants conducted a compliance examination of Eastern Illinois University for the year ended June 30, 2021, as required by the Illinois State Auditing Act. The accountants qualified their report on State Compliance for Finding 2021-001. Except for the noncompliance described in that finding, the accountants stated the University complied, in all material respects, with the requirements described in the report.

This State compliance examination was conducted by Sikich LLP.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:PH