REPORT DIGEST

EASTERN ILLINOIS UNIVERSITY

STATE COMPLIANCE EXAMINATION
FOR THE YEAR ENDED JUNE 30, 2022

Release Date: April 27, 2023

FINDINGS THIS AUDIT: 9

CATEGORY: NEW -- REPEAT -- TOTAL
Category 1: 1 -- 1 -- 2
Category 2: 1 -- 6 -- 7
Category 3: 0 -- 0 -- 0
TOTAL: 2 -- 7 -- 9

FINDINGS LAST AUDIT: 8

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703
(217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

INTRODUCTION

This digest covers Eastern Illinois University’s (University) Compliance Examination for the year ended June 30, 2022. A separate digest covering the University’s Financial Audit and a separate digest covering the University’s Single Audit were previously released on March 30, 2023. In total, this report contains 9 findings, two of which were reported in the Financial Audit and Single Audit collectively.

SYNOPSIS

• (22-4) The University did not obtain or conduct independent internal control reviews over service providers.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

LACK OF ADEQUATE CONTROLS OVER SERVICE PROVIDERS

The University did not obtain or conduct independent internal control reviews over service providers.
During our testing of the six service providers, we noted:

• Three (50%) service provider agreements did not contain the necessary language to address the security, integrity, availability, confidentiality, and privacy controls over the University’s applications and data.
• Six (100%) service provider agreements did not contain a requirement for a System and Organization Control (SOC) report or an independent internal control review of the outsourced controls.
• The University did not obtain a SOC report or conduct independent internal control reviews for one service provider (17%).
• For four (67%) service providers for which the SOC reports did not cover the entire fiscal year, the University did not obtain a bridge letter that covered the remainder of the fiscal period. The bridge letters did not cover the correct fiscal year for three (50%) service providers and a bridge letter was not obtained for one (17%) service provider.
• One (17%) service provider agreement did not outline roles and responsibilities between the University and a Subservice Organization.

(Finding 4, pages 18-19) This finding was first reported in 2019.

We recommended the University ensure the agreements with the service providers address the security, integrity, availability, confidentiality, and privacy controls over the University’s applications and data. We also recommended the University obtain SOC reports from all service providers, and obtain bridge letters if the SOC report does not extend through the end of the engagement period. In addition, we recommended the University ensure the service provider agreements outline roles and responsibilities between the University and the Subservice Organization as well as contain a requirement for a SOC report or an independent internal control review of the outsourced controls.

University officials stated they will continue to request and evaluate SOC reports and bridge letters where they are available from the vendor.
Where those reports and bridge letters are unavailable and testing cannot be reasonably accomplished, University officials stated they will consider the risk versus the necessity of the service providers.

OTHER FINDINGS

The remaining findings are reportedly being given attention by the University. We will review the University’s progress towards the implementation of our recommendations in our next State Compliance Examination.

AUDITOR’S OPINIONS

The financial audit report was previously released. The auditors stated the financial statements as of and for the year ended June 30, 2022 are fairly stated in all material respects.

The single audit report was separately released. The auditors conducted a single audit of the University as required by the Uniform Guidance. The auditors stated the University complied, in all material respects, with the types of compliance requirements that could have a direct and material effect on the University’s major federal programs for the year ended June 30, 2022.

ACCOUNTANT’S OPINION

The accountants conducted a compliance examination of Eastern Illinois University for the year ended June 30, 2022, as required by the Illinois State Auditing Act. The accountants qualified their report on State Compliance for Findings 2022-001 and 2022-002. Except for the noncompliance described in those findings, the accountants stated the University complied, in all material respects, with the requirements described in the report.

This State compliance examination was conducted by Sikich LLP.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:TLK