REPORT DIGEST

NORTHEASTERN ILLINOIS UNIVERSITY

FINANCIAL AUDIT FOR THE YEAR ENDED JUNE 30, 2024

Release Date: March 27, 2025

FINDINGS THIS AUDIT: 5

CATEGORY: NEW -- REPEAT -- TOTAL
Category 1: 0 -- 2 -- 2
Category 2: 0 -- 3 -- 3
Category 3: 0 -- 0 -- 0
TOTAL: 0 -- 5 -- 5

FINDINGS LAST AUDIT: 6

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, 400 West Monroe, Suite 306, Springfield, IL 62704-9849, (217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

INTRODUCTION

This digest covers the Northeastern Illinois University’s (University) Financial Audit as of and for the year ended June 30, 2024. The University’s Compliance Examination and Single Audit will be issued in separate reports.

SYNOPSIS

• (24-01) The University did not have adequate internal control over reporting its census data and did not have a reconciliation process to provide assurance census data submitted to its pension and other postemployment benefits plans was complete and accurate.
• (24-02) The University did not comply with the Fiscal Control and Internal Auditing Act.
• (24-03) The University lacked adequate controls over review of internal controls for service providers.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

INADEQUATE INTERNAL CONTROLS OVER CENSUS DATA

The University did not have adequate internal control over reporting its census data and did not have a reconciliation process to provide assurance census data submitted to its pension and other postemployment benefits (OPEB) plans was complete and accurate.

Census data is demographic data (date of birth, gender, years of service, etc.) of the active, inactive, or retired members of a pension or OPEB plan.
The accumulation of inactive or retired members’ census data occurs before the current accumulation period of census data used in the plan’s actuarial valuation (which eventually flows into each employer’s financial statements), meaning the plan is solely responsible for establishing internal controls over these records and transmitting this data to the plan’s actuary. In contrast, responsibility for active members’ census data during the current accumulation period is split among the plan and each member’s current employer(s). Initially, employers must accurately transmit census data elements of their employees to the plan. Then, the plan must record and retain these records for active employees and then transmit this census data to the plan’s actuary.

We noted the University’s employees are members of both the State Universities Retirement System (SURS) for their pensions and the State Employees Group Insurance Program sponsored by the State of Illinois, Department of Central Management Services (CMS) for their OPEB. In addition, we noted these plans have characteristics of different types of pension and OPEB plans, including single employer plans and cost-sharing multiple-employer plans. Additionally, CMS’ actuary uses census data for employees of the State’s public universities provided by SURS, along with census data for the other participating members provided by the State’s four other pension plans, to prepare their projection of the liabilities of CMS’ plan. Finally, SURS’ actuary and CMS’ actuary used census data transmitted by the University during Fiscal Year 2022 to project pension and OPEB-related balances and activity at the plans during Fiscal Year 2023, which is incorporated into the University’s Fiscal Year 2024 financial statements.

During testing we noted the following:

• The University had not performed an initial complete reconciliation of its census data recorded by SURS to its internal records to establish a base year of complete and accurate census data.
• After establishing a base year, the University had not developed a process to annually obtain from SURS the incremental changes recorded by SURS in their census data records and reconcile these changes back to the University’s internal supporting records.
• During our cut-off testing of data transmitted by the University to SURS, we noted 1 instance of an active employee becoming inactive and 1 instance of an inactive employee becoming active were reported to SURS after the close of the fiscal year in which the event occurred. We also noted 1 instance whereby service credit was different by a total of ¼ of a year. These were previously reported, but still had an impact on the June 30, 2022 census data.

(Finding 1, Pages 89-91) This finding has been reported since 2020.

We recommended the University continue to work with SURS to complete the base year reconciliation of Fiscal Year 2021 active members’ census data from its underlying records to a report of census data submitted to SURS’ actuary and CMS’ actuary and after completing an initial full reconciliation, the University may limit the annual reconciliations to focus on the incremental changes to the census data file from the prior actuarial valuation, provided no risks are identified that incomplete or inaccurate reporting of census data may have occurred during prior periods. We also recommended any errors identified during this process should be promptly corrected by either the University or SURS, with the impact of these errors communicated to both SURS’ actuary and CMS’ actuary.

We further recommended the University ensure all events occurring within a census data accumulation year are timely reported to SURS so these events can be incorporated into the census data provided to SURS’ actuary and CMS’ actuary.

University officials agreed with the finding.

NONCOMPLIANCE WITH THE FISCAL CONTROL AND INTERNAL AUDITING ACT

The University did not comply with the Fiscal Control and Internal Auditing Act (FCIAA).

During testing of the University’s Fiscal Year 2024 internal audit activities, we noted the following:

• The University did not perform its required peer review in Fiscal Year 2024. The last peer review was performed in 2019.
• The Internal Auditor position was vacant from January 2023 to September 2023.
• The Internal Auditor did not conduct all the approved audits in its Fiscal Year 2024. Only one audit was completed.
• The Fiscal Year 2025 audit plan was not approved by the President prior to the required July 1, 2024 date.

(Finding 2, Pages 92-93) This finding has been reported since 2022.

We recommended the University complete its peer review and continue to implement requirements of the FCIAA.

University officials agreed with the finding.

LACK OF ADEQUATE CONTROL OVER THE REVIEW OF INTERNAL CONTROLS FOR SERVICE PROVIDERS

The University lacked adequate controls over review of internal controls over service providers.

The University entered into agreements with various service providers to assist with significant processes such as (1) implementing University-wide defined criteria to identify the third-party service providers that require a service organization controls (SOC) report or equivalent review, including the frequency of reviews performed, and (2) enhancing the SOC report review procedures to perform mappings of Complementary User End Controls (CUECs) to specific University internal controls.

The University could not provide a population of service providers.
The population/report of service providers is manually maintained by the University and includes both vendors and service providers, resulting in samples that did not meet the criteria of a service provider.

Due to the condition noted above, we were unable to conclude the University’s population records of service providers were complete, accurate, and reliable under the Professional Standards promulgated by the American Institute of Certified Public Accountants (AT-C 205.36; AU-C 330; AU-C 530).

The auditors selected a sample of service providers where a SOC report was required for Fiscal Year 2024 and noted the following:

• The University has not established a documented and comprehensive policy or procedures to guide vendor due diligence when onboarding third-party service providers and defining a service provider versus a vendor.
• The University has not established documented policies and procedures to monitor performance and contractual compliance of service providers.
• Even given the population limitation, we selected 10 service providers from the listing provided by the University, where the SOC report was required for Fiscal Year 2024 and noted the CUECs in these SOC reports were not mapped to existing internal controls at the University.

(Finding 3, Pages 94-95)

We recommended the University strengthen its controls in identifying and documenting all service providers. Further, we recommended the University:

• Establish and enforce a formal University-wide onboarding requirement and processes for all service providers.
• Establish and enforce a formal University-wide requirement in obtaining SOC reports from service providers.
• Establish and enforce a formal University-wide requirement in reviewing SOC reports.
• Establish and enforce a formal University-wide requirement in reviewing applicable CUECs and mapping of these CUECs to existing internal controls at the University.

University officials agreed with the finding.

OTHER FINDINGS

The remaining findings pertain to computer security weaknesses and lack of adequate change management controls. We will review the University’s progress towards the implementation of our recommendations in our next financial audit.

AUDITOR’S OPINIONS

The auditors stated the financial statements of the University as of and for the year ended June 30, 2024 are fairly stated in all material respects.

This financial audit was conducted by Plante & Moran, PLLC.

COURTNEY DZIERWA
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:JGR