REPORT DIGEST

ILLINOIS STATE UNIVERSITY

FINANCIAL AUDIT
FOR THE YEAR ENDED JUNE 30, 2020

Release Date:  June 23, 2021

FINDINGS THIS AUDIT:  3

CATEGORY:  NEW -- REPEAT -- TOTAL
Category 1:  2 -- 0 -- 2
Category 2:  0 -- 1 -- 1
Category 3:  0 -- 0 -- 0
TOTAL:  2 -- 1 -- 3

FINDINGS LAST AUDIT: 1

Category 1: Findings that are material
weaknesses in internal control and/or a
qualification on compliance with State
laws and regulations (material
noncompliance).
Category 2: Findings that are significant
deficiencies in internal control and
noncompliance with State laws and
regulations.
Category 3: Findings that have no
internal control issues but are in
noncompliance with State laws and
regulations.

State of Illinois, Office of the Auditor
General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact:
Office of the Auditor General, Iles Park
Plaza, 740 E. Ash Street, Springfield, IL
62703
(217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are
also available on the worldwide web at
www.auditor.illinois.gov

INTRODUCTION

This digest covers the financial audit of
Illinois State University (University) as
of and for the year ended June 30, 2020.
A compliance examination (including the
Single Audit) of the University for the
year ended June 30, 2020, will be issued
in a separate report at a later date.

SYNOPSIS

• (20-01) The University did not have
adequate internal control over reporting
its census data and did not have a
reconciliation process to provide
assurance census data submitted to its
pension and other postemployment benefits
(OPEB) plans was complete and accurate.
• (20-02) The University did not obtain
or conduct timely independent internal
controls reviews over its service
providers.

FINDINGS, CONCLUSIONS, AND
RECOMMENDATIONS

INADEQUATE INTERNAL CONTROLS OVER CENSUS
DATA

The University did not have adequate
internal control over reporting its
census data and did not have a
reconciliation process to provide
assurance census data submitted to its
pension and other postemployment benefits
(OPEB) plans was complete and accurate.

During testing, some of the more
significant issues we noted included the
following:

• The University had not performed an
initial complete reconciliation of its
census data recorded by the State
Universities Retirement System (SURS) and
the State Employees Group Insurance
Program sponsored by the State of
Illinois, Department of Central
Management Services (CMS) to its internal
records to establish a base year of
complete and accurate census data.

• We performed an analysis of
transactions reported by the University
to SURS during the census data
accumulation period throughout Fiscal
Year 2018, noting the following problems:

– Four of 505 (1%) employees reported as
hired had actually been hired in other
fiscal years. SURS determined the total
potential impact to each employee’s total
service credit was it could be off by
one-half to 4.25 years.

– Two of 33 (6%) employees with a
departure on a leave of absence had the
start date of the leave of absence
untimely reported to SURS by the
University. SURS determined the total
potential impact to each of these
employee’s total service credit was it
could be off by 1 to 1.75 years.

– Five of 40 (13%) employees with a
return from a leave of absence had the
end date of the leave of absence untimely
reported to SURS by the University. SURS
determined the total potential impact to
each of these employee’s total service
credit was it could be off by one-half to
three-quarters of a year. (Finding 1, GAS
Report pages 6-10)

We recommended the University implement
controls to ensure census data events are
timely and accurately reported to SURS
and CMS.

Further, we recommended the University
work with SURS and CMS to develop an
annual reconciliation process of its
active members’ census data from its
underlying records to a report from each
plan of census data submitted to the
plan’s actuary.

Additionally, we recommended the
University work with SURS and CMS to
identify and address any unremitted or
erroneously remitted employee and, if
applicable, employer contributions
related to these events.

The University agreed with our
recommendation.

LACK OF ADEQUATE CONTROLS OVER THE REVIEW
OF INTERNAL CONTROLS OVER SERVICE
PROVIDERS

The University did not obtain or conduct
timely independent internal controls
reviews over its service providers.

We requested the University provide a
listing of service providers utilized in
order to determine if the University had
reviewed the internal controls over their
service providers. However, the
University was unable to provide a
listing of service providers utilized
during the examination period.

Due to these conditions, we were unable
to conclude the University’s population
records were complete and accurate under
the Professional Standards promulgated by
the American Institute of Certified
Public Accountants (AU-C § 500, AU-C §
530, and AT-C § 205.35).

Even though the University did not
provide a listing of service providers,
we determined the University utilized
service providers for hosting:
• a system containing significant amounts
of data and student records protected by
the federal Family Education Rights and
Privacy Act (FERPA);
• a system which maintains prospective
and new student information; and,
• the University’s payroll application
with Human Resources (HR) functionality.

The University did not have a program to
obtain and review System and Organization
Control (SOC) reports. In addition, the
University did not track compliance with
service levels agreed to with the service
providers.  (Finding 2, GAS Report pages
11-12)

We recommended the University identify
all service providers and determine and
document if a review of internal controls
is required. If required, the University
should:

• obtain SOC reports or perform
independent reviews of internal controls
associated with outsourced systems at
least annually;

• monitor and document the operation of
the Complementary User Entity Controls
(CUECs) relevant to the University's
operations; and,

• review service level agreements with
service providers to ensure applicable
requirements are met.

In addition, if a SOC report indicates
one or more subservice providers exist,
the University should:

• either obtain and review a SOC report
for each subservice organization or
perform alternative procedures to satisfy
the usage of each subservice organization
would not impact the University's
internal control environment; and,

• document its review of the SOC reports
and review all significant issues with
each subservice organization to ascertain
if a corrective action plan exists and
when it will be implemented, any impacts
to the University, and any compensating
controls.

The University agreed with our
recommendation.

OTHER FINDING

The remaining finding pertains to
information security weaknesses.  We will
review the University’s progress towards
the implementation of our recommendations
in our next financial audit.

AUDITOR’S OPINION

The auditors stated the financial
statements of the University as of and
for the year ended June 30, 2020, are
fairly stated in all material respects.

This financial audit was conducted by RSM
US LLP.

JANE CLARK
Division Director

This report is transmitted in accordance
with Section 3-14 of the Illinois State
Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:djn