REPORT DIGEST GOVERNORS STATE UNIVERSITY COMPLIANCE EXAMINATION FOR THE YEAR ENDED JUNE 30, 2022 Release Date: July 20, 2023 FINDINGS THIS AUDIT: 9 CATEGORY: NEW -- REPEAT -- TOTAL Category 1: 0 -- 1 -- 1 Category 2: 0 -- 7 -- 7 Category 3: 0 -- 1 -- 1 TOTAL: 0 -- 9 -- 9 FINDINGS LAST AUDIT: 15 Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance). Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations. Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations. State of Illinois, Office of the Auditor General FRANK J. MAUTINO, AUDITOR GENERAL To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703 (217) 782-6046 or TTY (888) 261-2887 This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov INTRODUCTION This digest covers the Governors State University (University) Compliance Examination for the year ended June 30, 2022. Separate digests covering the University’s Financial Audit and Single Audit were previously released on March 30, 2023. In total, this report contains nine findings, three of which were reported in the Financial Audit and Single Audit collectively. SYNOPSIS • (22-07) The University did not obtain or conduct timely independent internal controls reviews over its service providers. FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS LACK OF COMPLETE REVIEW OF INTERNAL CONTROLS OF SERVICE PROVIDERS The University did not obtain or conduct timely and adequate independent internal controls reviews over its service providers. The University maintains numerous cloud-based solutions with various service providers. These service providers maintain the hardware, software and the data for various applications regarding many sectors, such as campus news and events, student orientation, employment, photographs, student orientation, employment, photographs, student organizations, visitor tracking, course evaluations, and emergency notifications. We selected a sample of six service providers and requested the University to provide a) documentation of having obtained independent reviews assessing the reliability of controls in place, b) evidence of having reviewed the independent reviews obtained, and c) the University’s internal evaluation of the controls related to service providers who did not provide an independent review report. The University was able to provide the System and Organization Control (SOC) reports for these service provided and the review documentation of these reports. We noted the following: • Three (50%) System and Organization Control (SOC) reviews performed did not include monitoring and documentation of the operation of the Complementary User Entity Controls (CUECs) relevant to the University’s operations noted in the SOC reports. • Two (33%) SOC reviews performed were not timely conducted. The University is responsible for the design, implementation, and maintenance of internal controls related to information systems and operations to ensure resources and data are adequately protected from unauthorized or accidental disclosure, modifications, or destruction. This responsibility is not limited due to the process being outsourced. (Finding 7, pages 24-25) We recommended the University monitor and document the operation of the Complimentary User Entity Controls relevant to the University’s operations noted in the SOC reports and timely review SOC reports from service providers in order to assess the risk of identified deviations. University officials agreed with the finding and stated they will work towards completing service providers’ reviews. OTHER FINDINGS The remaining findings are reportedly being given attention by the University. We will review the University’s progress towards the implementation of our recommendations in our next engagement. AUDITOR’S OPINION The auditors stated the financial statements of the University as of and for the year ended June 30, 2022, are fairly stated in all material respects. The auditors also conducted a Single Audit of the University as required by the Uniform Guidance. The auditors stated the University complied, in all material respects, with the types of compliance requirements that could have a direct and material effect on the University’s major federal programs for the year ended June 30, 2022. ACCOUNTANT’S OPINION The accountants conducted a State compliance examination of the University for the year ended June 30, 2022, as required by the Illinois State Auditing Act. The accountants qualified their report on State compliance for Finding 2022-001. Except for the noncompliance described in this finding, the accountants stated the University complied, in all material respects, with the requirements described in the report. This State compliance examination was conducted by Adelfia LLC. JANE CLARK Division Director This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act. FRANK J. MAUTINO Auditor General FJM:JGR