REPORT DIGEST

NORTHEASTERN ILLINOIS UNIVERSITY

FINANCIAL AUDIT
FOR THE YEAR ENDED JUNE 30, 2021

Release Date: June 2, 2022

FINDINGS THIS AUDIT: 3

CATEGORY: NEW -- REPEAT -- TOTAL
Category 1: 0 -- 1 -- 1
Category 2: 0 -- 2 -- 0
Category 3: 0 -- 0 -- 0
TOTAL: 0 -- 3 -- 1

FINDINGS LAST AUDIT: 3

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703, (217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

INTRODUCTION

This digest covers the Northeastern Illinois University’s (University) Financial Audit as of and for the year ended June 30, 2021. The University’s Compliance Examination and Single Audit will be issued in separate reports.

SYNOPSIS

• (21-01) The University did not have adequate internal control over reporting its census data and did not have a reconciliation process to provide assurance census data submitted to its pension and other postemployment benefits plans was complete and accurate.
• (21-02) The University had computer security weaknesses.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

INADEQUATE INTERNAL CONTROLS OVER CENSUS DATA

The University did not have adequate internal control over reporting its census data and did not have a reconciliation process to provide assurance census data submitted to its pension and other postemployment benefits (OPEB) plans was complete and accurate.

Census data is demographic data (date of birth, gender, years of service, etc.) of the active, inactive, or retired members of a pension or OPEB plan. The accumulation of inactive or retired members’ census data occurs before the current accumulation period of census data used in the plan’s actuarial valuation (which eventually flows into each employer’s financial statements), meaning the plan is solely responsible for establishing internal controls over these records and transmitting this data to the plan’s actuary. In contrast, responsibility for active members’ census data during the current accumulation period is split among the plan and each member’s current employer(s). Initially, employers must accurately transmit census data elements of their employees to the plan. Then, the plan must record and retain these records for active employees and then transmit this census data to the plan’s actuary.

We noted the University’s employees are members of both the State Universities Retirement System (SURS) for their pensions and the State Employees Group Insurance Program sponsored by the State of Illinois, Department of Central Management Services (CMS) for their OPEB. In addition, we noted these plans have characteristics of different types of pension and OPEB plans, including single employer plans and cost-sharing multiple-employer plans. Finally, CMS’ actuaries use census data for employees of the State’s public universities provided by SURS along with census data for the other participating members which is provided by the State’s four other pension plans to prepare the projection of the OPEB plan’s liabilities.

During testing we noted the following:

• The University had not performed an initial complete reconciliation of its census data recorded by SURS and CMS to its internal records to establish a base year of complete and accurate census data.
• After establishing a base year, the University had not developed a process to annually obtain from SURS and CMS the incremental changes recorded by SURS and CMS in their census data records and reconcile these changes back to the University’s internal supporting records.

(Finding 1, Pages 81-85)

We recommended the University work with SURS to annually reconcile its active members’ census data from its underlying records to a report of census data submitted to SURS’ actuary and CMS’ actuary. After completing an initial full reconciliation, the University may limit the annual reconciliations to focus on the incremental changes to the census data file from the prior actuarial valuation, provided no risks are identified that incomplete or inaccurate reporting of census data may have occurred during prior periods. Any errors identified during this process should be promptly corrected by either the University or SURS, with the impact of these errors communicated to both SURS’ actuary and CMS’ actuary.

University officials agreed with the finding.

WEAKNESSES OVER COMPUTER SECURITY

The University had computer security weaknesses.

The University had invested in computer hardware and systems and had established several critical, confidential, or financially sensitive systems for use in meeting its mission. However, the University did not safeguard its computing environment. During testing, we noted:

• User access rights to the applications and network were not periodically reviewed.
• Access rights were not timely terminated.
• Users were granted excessive access rights.
• A change management process to configure network devices had not been developed.
• The infrastructure was not properly secured.
• Physical security weaknesses.
• Encryption software was not installed on certain University laptops.
• Weak password settings.

(Finding 2, Pages 86-87) This finding has been repeated since 2017.

We recommended the University:

• Perform a periodic review of system access rights to ensure access rights are appropriate and based on job requirements. In addition, the University should ensure timely deactivation of users no longer needing access.
• Develop a formal change management process for changes to network devices.
• Ensure security of the infrastructure.
• Ensure adequate physical security.
• Ensure required laptops are encrypted.
• Ensure strong password settings.

University officials agreed with the finding.

OTHER FINDINGS

The remaining finding pertains to lack of controls over service providers. We will review the University’s progress towards the implementation of our recommendations in our next financial audit.

AUDITOR’S OPINION

The auditors stated the financial statements of the University as of and for the year ended June 30, 2021 are fairly stated in all material respects.

This financial audit was conducted by Roth & Co., LLP

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:JGR