REPORT DIGEST

GOVERNORS STATE UNIVERSITY
COMPLIANCE EXAMINATION
FOR THE TWO YEARS ENDED JUNE 30, 2021

Release Date: July 13, 2022

FINDINGS THIS AUDIT: 15

CATEGORY       NEW    REPEAT    TOTAL
Category 1:     0       1         1
Category 2:     7       6        13
Category 3:     0       1         1
TOTAL:          7       8        15

FINDINGS LAST AUDIT: 11

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703, (217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

INTRODUCTION

This digest covers Governors State University’s (University) Compliance Examination for the year ended June 30, 2021. A separate digest covering the University’s Financial Audit was previously released on June 16, 2022. In addition, a separate digest covering the University’s Single Audit was separately released. In total, this report contains 15 findings, five of which were reported in the Financial Audit and Single Audit.

SYNOPSIS

• (21-06) The University did not comply with the Abused and Neglected Child Reporting Act.
• (21-08) The University’s program of internal auditing included deficiencies in completing its responsibilities in accordance with the Fiscal Control and Internal Auditing Act.
• (21-11) The University had not established adequate controls for its computing environment.
• (21-12) The University did not obtain or conduct timely independent internal controls reviews over its service providers.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

CHILD ABUSE REPORTER TRAINING

The University did not comply with the Abused and Neglected Child Reporting Act (Act) regarding training. Our testing of 35 employees identified:

• 11 (31%) employees did not receive the required reporter training within one year of initial employment or within three months of initial employment if they were hired after 1/1/2020.
• 2 (6%) employees for which the University did not have any documentation in which the employee acknowledged the Act’s reporting requirements.
• 9 (26%) employees did not sign the documentation in which the employee acknowledged the reporting requirements of the Act prior to the commencement of employment.
• 18 (51%) employees signed documents after January 1, 2019 acknowledging the reporting requirements of the Act; however the form was not up to date as it did not include information regarding mandated reporter training provided by the Department of Children and Family Services.

(Finding 6, page 21-22) This finding has been reported since 2016.

We recommended the University comply with the requirements of the Act and ensure all employees receive the proper training within the required timeframe, include the proper information in the employee’s signed training statements, and timely obtain signed statements from required employees.

University officials agreed with the finding and stated the University will modify its practices to work towards compliance.

INTERNAL AUDIT DEFICIENCIES

The University’s program of internal auditing included deficiencies in completing its responsibilities in accordance with the Fiscal Control and Internal Auditing Act (Act).

The University’s Chief Internal Auditor utilized a risk-based approach to select discretionary risk areas to recommend in its two year audit plan, then planned procedures in order to ensure all 11 major systems of accounting and administrative controls are included at least every two years.
From the audits provided, we noted the property, equipment and inventories major system was only minimally reviewed by audits during the two year period. Although several audits were included in the University’s two year internal audit plan (including an audit specific to the property, equipment and inventories major system), the only internal audit reports provided to the auditors included an audit of the Illinois Board of Higher Education tuition and fee waiver guidelines from Fiscal Year 2020; and audits of expenditures for the Early Head Start Grant Program, a pre-implementation review of a new information system application used for Admissions and a pre-implementation review of an electronic time entry application from Fiscal Year 2021.

In addition, the auditors noted the Chief Internal Auditor reported six other audits were “completed” in the annual report dated September 30, 2021 to the University’s President; however, as of February 14, 2022, none of the noted six audit reports had been provided to the auditors in response to requests for audits completed. (Finding 8, pages 25-26)

We recommended the University improve its procedures to ensure all major systems of internal accounting and administrative controls are fully reviewed at least once every two years as required by the Act. We further recommended the Chief Internal Auditor timely finalize its audit documentation and clearly report the status of audits in its annual reports.

University officials agreed with the finding and stated the Office of Internal Audit will ensure the efficient completion of planned audits and timely issuance of the reports thereon.

COMPUTER SECURITY WEAKNESSES

The University had not established adequate controls for its computing environment.

During the examination, we requested the University provide a list of computers in order to determine if the University’s computers were properly secured. In response to our request, the University provided a listing.
We compared the listing to other records obtained from the University and concluded the listing was not complete and accurate. Due to these conditions, we were unable to conclude whether the University’s population records were sufficiently precise and detailed under the Attestation Standards promulgated by the American Institute of Certified Public Accountants (AT-C § 205.36).

Even given the population limitations noted above which hindered our ability to conclude whether a sample selected could be representative of the population, we selected a sample and performed testing noting the University’s computing environment contained significant weaknesses.

We sampled 15 employees who terminated employment in Fiscal Year 2021, noting 6 (40%) employees with user accounts for the University’s ERP system which had not been removed. These six employees had terminated employment with the University 88 to 377 days prior to the date of our testing. The University indicated these employees’ active directory accounts were deactivated but could not provide evidence of when the deactivation was performed, so we were unable to conclude those accounts were deactivated timely.

Further, we noted the University had not established formal guidelines for configuration of virus detection software. (Finding 11, pages 33-34) This finding has been reported since 2016.

We recommended the University maintain a complete inventory of all computers, ensure the environment is appropriately secured, and ensure access rights of terminated or transferred employees are removed on a timely basis. We further recommended the University establish formal policies and guidelines for virus detection systems.

University officials agreed with the finding and stated they will continue to improve its computer security.

LACK OF REVIEW OF INTERNAL CONTROLS OF SERVICE PROVIDERS

The University did not obtain or conduct timely independent internal controls reviews over its service providers.
The University maintains numerous cloud-based solutions with various service providers. These service providers maintain the hardware, software and the data for various applications regarding many sectors, such as campus news and events, student orientation, employment, photographs, student organizations, visitor tracking, course evaluations, and emergency notifications.

We selected a sample of seven service providers and requested the University to provide a) documentation of having obtained independent reviews assessing the reliability of controls in place, b) evidence of having reviewed the independent reviews obtained, and c) the University’s internal evaluation of the controls related to service providers who did not provide an independent review report. We noted the following:

• The University had not obtained a System and Organization Control (SOC) report for 6 (86%) service providers.
• For the one (14%) SOC report obtained, there was no evidence the University had reviewed the SOC report or the Complementary User Entity Controls. This SOC report also identified a subservice provider. However, there was no evidence the University obtained and reviewed the SOC report of the subservice provider or performed alternative procedures to determine the impact on the University’s internal control environment.

The University is responsible for the design, implementation, and maintenance of internal controls related to information systems and operations to ensure resources and data are adequately protected from unauthorized or accidental disclosure, modifications, or destruction. This responsibility is not limited due to the process being outsourced.
(Finding 12, pages 35-36)

We recommended the University perform the following procedures for all service providers which the University has determined that a review of controls is required:

• Obtain SOC reports (or perform independent reviews) of internal controls associated with outsourced systems at least annually.
• Monitor and document the operation of the Complementary User Entity Controls relevant to the University’s operations noted in the SOC reports.
• Obtain and review SOC reports for subservice organizations or perform alternative procedures to satisfy itself that the existence of the subservice organization would not impact its internal control environment.
• Document its review of the SOC and other reports and review all significant issues with subservice organizations to ascertain if a corrective action plan exists and when it will be implemented, any impacts to the University, and any compensating controls.

University officials agreed with the finding and stated they will work towards completing service providers’ reviews.

OTHER FINDINGS

The remaining findings are reportedly being given attention by the University. We will review the University’s progress towards the implementation of our recommendations in our next engagement.

AUDITOR’S OPINIONS

The financial audit report was previously released. The auditors stated the financial statements as of and for the year ended June 30, 2021 are fairly stated in all material respects.

The single audit report was separately released. The auditors conducted a single audit of the University as required by the Uniform Guidance. The auditors stated the University complied, in all material respects, with the types of compliance requirements that could have a direct and material effect on the University’s major federal programs for the year ended June 30, 2021.

ACCOUNTANT’S OPINION

The accountants conducted a State compliance examination of the University for the year ended June 30, 2021, as required by the Illinois State Auditing Act. The accountants qualified their report on State compliance for Finding 2021-001. Except for the noncompliance described in this finding, the accountants stated the University complied, in all material respects, with the requirements described in the report.

This State compliance examination was conducted by Borschnack, Pelletier & Co.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:JGR