REPORT DIGEST

ILLINOIS STATE UNIVERSITY

COMPLIANCE EXAMINATION AND SINGLE AUDIT FOR THE YEAR ENDED JUNE 30, 2020

Release Date: June 29, 2021

FINDINGS THIS AUDIT: 14

CATEGORY: NEW -- REPEAT -- TOTAL
Category 1: 2 -- 2 -- 4
Category 2: 3 -- 7 -- 10
Category 3: 0 -- 0 -- 0
TOTAL: 5 -- 9 -- 14

FINDINGS LAST AUDIT: 13

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703, (217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

INTRODUCTION

This digest covers the Single Audit and Compliance Examination of Illinois State University for the year ended June 30, 2020. A separate financial audit as of and for the year ended June 30, 2020, was previously released on June 23, 2021. In total, this report contains 14 findings, 3 of which were reported within the University’s financial audit.

SYNOPSIS

• (20-07) The University had not implemented adequate internal controls related to cybersecurity programs and practices.
• (20-09) The University did not submit a minimum of one course per major under the Illinois Articulation Initiative for some majors offered by the University.
• (20-11) The University did not always ensure compliance with the University Faculty Research and Consulting Act and University policies regarding outside employment.
FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

WEAKNESSES IN CYBERSECURITY PROGRAMS AND PRACTICES

The University had not implemented adequate internal controls related to cybersecurity programs and practices.

The Illinois State Auditing Act (30 ILCS 5/3-2.4) requires the Auditor General to review State agencies and their cybersecurity programs and practices. We noted the following:

• During our examination of the University’s cybersecurity program, practices, and control of confidential information, we noted the University:
  – had not formalized a cybersecurity plan;
  – lacked formal policies and procedures over configuration management, system development, and information technology (IT) project management;
  – did not track completion of information security training of staff designated as security liaisons; and,
  – did not systemically track and document responses to information security incidents.

• During our sample testing of 40 computers transferred out of the University to other entities, we noted the University:
  – did not have evidence four (10%) tested computers had their hard drive(s) erased, wiped, sanitized, or destroyed in a manner preventing the retrieval of data; and,
  – did not have written documentation of the name and signature of the person who performed the overwriting or destruction process of each tested computer’s hard drive(s), along with the date the process was performed, for the other 36 (90%) tested computers.

• We inquired of University officials who reported seven devices able to store data across the University were deemed lost or stolen during the examination period. During our review of these items, we noted University officials were unable to provide evidence two (29%) devices, a computer and a tablet, were encrypted and they were unfamiliar with the nature of the data stored on these items.
As such, we were unable to determine whether a “breach of the security of the system data” occurred and the extent to which personal and/or confidential records may have been breached. (Finding 7, pages 34-36)

We recommended the University:
1) formalize a cybersecurity plan covering all relevant aspects of cybersecurity management and keep it up-to-date;
2) develop and approve policies governing configuration management, project management, and a system development lifecycle;
3) implement a mechanism to track compliance with annual security training requirements and enforce those training requirements;
4) track, monitor, remediate, and document all information security incidents;
5) fully comply with the requirements of the Data Security on State Computers Act; and,
6) enable full disk encryption on all University-owned computers.

University officials concurred with the recommendation.

NONCOMPLIANCE WITH THE ILLINOIS ARTICULATION INITIATIVE ACT

The University did not submit a minimum of one course per major under the Illinois Articulation Initiative (Initiative) for some majors offered by the University.

During testing, we noted the University did not have a minimum of one course included within the related Initiative major for its art, physics, and psychology degree programs. (Finding 9, page 39)

We recommended the University comply with the requirements of the Illinois Articulation Initiative Act or seek a legislative remedy.

University officials concurred with our recommendation and will work on correcting this matter over the next 12 months.

NONCOMPLIANCE WITH THE UNIVERSITY FACULTY RESEARCH AND CONSULTING ACT

The University did not always ensure compliance with the University Faculty Research and Consulting Act (Act) and University policies regarding outside employment.

During Fiscal Year 2020, faculty members reported 101 instances of outside employment to the University Provost.
During testing, some of the more significant problems we noted included the following:

• Twenty-four of 101 (24%) instances had the Request for Approval of Secondary/Outside Employment (Form PERS 927) submitted by the faculty member for approval by the University’s Provost between five and 233 days late.
• One of 101 (1%) instances never had a Form PERS 927 submitted by the faculty member to the University’s Provost.
• Fifty-two of 101 (51%) instances had Form PERS 927 approved by the University’s Provost between three and 248 days late.
• Twenty-nine of 101 (29%) instances did not have the Annual Report of Secondary/Outside Employment (Form PERS 928) submitted by the faculty member by the deadline of August 31, 2020.
• Thirteen of 101 (13%) instances had the Form PERS 928 submitted by the faculty member to the University’s Provost during September 2020, which reduced the amount of time available for review and approval by the faculty member’s department chair and dean prior to receiving final approval from the University’s Provost by September 30, 2020.

Further, this finding was first noted during the University’s Fiscal Year 2012 State compliance examination, nine years ago. As such, University management has been unsuccessful in implementing a corrective action plan to remedy these deficiencies. (Finding 11, pages 42-43)

This finding has been repeated since 2012.

We recommended the University’s Provost take appropriate corrective action and implement internal controls to ensure faculty members with outside research, consulting services, or employment receive written pre-approval to conduct the requested activity and annually disclose the time spent on these activities in accordance with State law and University policy.

University officials noted the University implemented a new online application and approval process to enhance compliance with the Act during Fiscal Year 2021.
OTHER FINDINGS

The remaining findings pertain to:
1) failing to provide exit counseling to nursing students, returning unearned Title IV assistance, and appointing a sustainability committee;
2) inadequate control over property and equipment and training;
3) inadequate business continuity and disaster recovery planning; and,
4) noncompliance with civil service requirements and the State Officials and Employees Ethics Act.

We will review the University’s progress towards the implementation of our recommendations in our next Single Audit and compliance examination.

AUDITOR’S OPINIONS

The auditors previously stated the financial statements of the University as of and for the year ended June 30, 2020, are fairly stated in all material respects.

The auditors also conducted a Single Audit of the University as required by the Uniform Guidance. The auditors stated the University complied, in all material respects, with the types of compliance requirements that could have a direct and material effect on the University’s major federal programs for the year ended June 30, 2020.

ACCOUNTANT’S OPINION

The accountants conducted a compliance examination of the University for the year ended June 30, 2020, as required by the Illinois State Auditing Act. The accountants qualified their report on State compliance for Findings 2020-001, 2020-002, 2020-006, and 2020-007. Except for the noncompliance described in these findings, the accountants stated the University complied, in all material respects, with the requirements described in the report.

This Single Audit and compliance examination was conducted by RSM US LLP.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:djn