REPORT DIGEST

ILLINOIS STATE UNIVERSITY
FINANCIAL AUDIT
FOR THE YEAR ENDED JUNE 30, 2019

Release Date: February 19, 2020

FINDINGS THIS AUDIT: 1

CATEGORY: NEW -- REPEAT -- TOTAL
Category 1: 0 -- 0 -- 0
Category 2: 0 -- 1 -- 1
Category 3: 0 -- 0 -- 0
TOTAL: 0 -- 1 -- 1

FINDINGS LAST AUDIT: 2

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703, (217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

INTRODUCTION

This digest covers the University’s financial audit as of and for the year ended June 30, 2019. A separate digest covers the University’s compliance examination (including the Single Audit) for the year ended June 30, 2019.

SYNOPSIS

• (19-01) The University had computer security weaknesses.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

INFORMATION SECURITY WEAKNESSES

The Illinois State University (University) had computer security weaknesses.

During testing, we identified the following information security-related weaknesses:

• While the University had formed the Office of Identity and Access Management (OIAM), the new OIAM had not finalized its drafting of policies and procedures related to user access management, including ensuring the policies and procedures (1) reflect the University’s current environment and (2) address future changes in processes and new systems.
• The University had not conducted access reviews of all system administrators and processes, including those users with access to the University’s primary financial system.
• The University was not enforcing its password change requirements for all users.

(Finding 1, pages 6-7 in the Government Auditing Standards report)

We recommended the University implement adequate security, including:

• finalizing the policies and procedures related to user access management to (1) reflect the University’s current environment and (2) address future changes in processes and new systems;
• finalizing the corrective action plan by ensuring all required access reviews are performed, documented, and cover all users, including system administrators; and,
• ensuring password requirements comply with policies and are consistently enforced to all users.

University officials agreed with our recommendation.

AUDITOR’S OPINION

The auditors stated the financial statements of the University as of and for the year ended June 30, 2019, are fairly stated in all material respects.

This financial audit was conducted by RSM US LLP.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:djn