REPORT DIGEST

GOVERNORS STATE UNIVERSITY

COMPLIANCE EXAMINATION
FOR THE YEAR ENDED JUNE 30, 2022

Release Date:  July 20, 2023

FINDINGS THIS AUDIT: 9

CATEGORY:  NEW -- REPEAT -- TOTAL
Category 1:  0 -- 1 -- 1
Category 2:  0 -- 7 -- 7
Category 3:  0 -- 1 -- 1
TOTAL:  0 -- 9 -- 9

FINDINGS LAST AUDIT: 15

Category 1: Findings that are material
weaknesses in internal control and/or a
qualification on compliance with State
laws and regulations (material
noncompliance).
Category 2: Findings that are
significant deficiencies in internal
control and noncompliance with State
laws and regulations.
Category 3: Findings that have no
internal control issues but are in
noncompliance with State laws and
regulations.

State of Illinois, Office of the
Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact:
Office of the Auditor General, Iles
Park Plaza, 740 E. Ash Street,
Springfield, IL 62703
(217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are
also available on the worldwide web at
www.auditor.illinois.gov

INTRODUCTION

This digest covers the Governors State
University (University) Compliance
Examination for the year ended June 30,
2022.  Separate digests covering the
University’s Financial Audit and Single
Audit were previously released on March
30, 2023.  In total, this report
contains nine findings, three of which
were reported in the Financial Audit
and Single Audit collectively.

SYNOPSIS

• (22-07) The University did not obtain
or conduct timely independent internal
controls reviews over its service
providers.

FINDINGS, CONCLUSIONS, AND
RECOMMENDATIONS

LACK OF COMPLETE REVIEW OF INTERNAL
CONTROLS OF SERVICE PROVIDERS

The University did not obtain or
conduct timely and adequate independent
internal controls reviews over its
service providers.

The University maintains numerous
cloud-based solutions with various
service providers. These service
providers maintain the hardware,
software and the data for various
applications regarding many sectors,
such as campus news and events, student
orientation, employment, photographs,
student orientation, employment,
photographs, student organizations,
visitor tracking, course evaluations,
and emergency notifications.

We selected a sample of six service
providers and requested the University
to provide a) documentation of having
obtained independent reviews assessing
the reliability of controls in place,
b) evidence of having reviewed the
independent reviews obtained, and c)
the University’s internal evaluation of
the controls related to service
providers who did not provide an
independent review report. The
University was able to provide the
System and Organization Control (SOC)
reports for these service provided and
the review documentation of these
reports.  We noted the following:
• Three (50%)  System and Organization
Control (SOC) reviews performed did not
include monitoring and documentation of
the operation of the Complementary User
Entity Controls (CUECs) relevant to the
University’s operations noted in the
SOC reports.
• Two (33%) SOC reviews performed were
not timely conducted.
The University is responsible for the
design, implementation, and maintenance
of internal controls related to
information systems and operations to
ensure resources and data are
adequately protected from unauthorized
or accidental disclosure,
modifications, or destruction. This
responsibility is not limited due to
the process being outsourced.  (Finding
7, pages 24-25)

We recommended the University monitor
and document the operation of the
Complimentary User Entity Controls
relevant to the University’s operations
noted in the SOC reports and timely
review SOC reports from service
providers in order to assess the risk
of identified deviations.

University officials agreed with the
finding and stated they will work
towards completing service providers’
reviews.

OTHER FINDINGS

The remaining findings are reportedly
being given attention by the
University.  We will review the
University’s progress towards the
implementation of our recommendations
in our next engagement.

AUDITOR’S OPINION

The auditors stated the financial
statements of the University as of and
for the year ended June 30, 2022, are
fairly stated in all material respects.

The auditors also conducted a Single
Audit of the University as required by
the Uniform Guidance.  The auditors
stated the University complied, in all
material respects, with the types of
compliance requirements that could have
a direct and material effect on the
University’s major federal programs for
the year ended June 30, 2022.


ACCOUNTANT’S OPINION

The accountants conducted a State
compliance examination of the
University for the year ended June 30,
2022, as required by the Illinois State
Auditing Act.  The accountants
qualified their report on State
compliance for Finding 2022-001.
Except for the noncompliance described
in this finding, the accountants stated
the University complied, in all
material respects, with the
requirements described in the report.

This State compliance examination was
conducted by Adelfia LLC.

JANE CLARK
Division Director

This report is transmitted in
accordance with Section 3-14 of the
Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:JGR