REPORT DIGEST NORTHERN ILLINOIS UNIVERSITY COMPLIANCE AND SINGLE AUDIT For the Year Ended: June 30, 2011 Release Date:  May 31, 2012 Summary of Findings the Audit Cycle: • Compliance: 4 • Financial Audit (previously reported 3-8-12): 1 Total findings:  5 Total last audit: 5 Repeated from last audit: 3 State of Illinois, Office of the Auditor General WILLIAM G. HOLLAND, AUDITOR GENERAL To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703 (217)    782-6046 or TTY (888) 261-2887 This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov INTRODUCTION The Financial Audit for the year ended June 30, 2011 was previously released on March 8, 2012.  That audit contained one finding.  This report addresses Federal and State compliance findings pertaining to the Single Audit and State Compliance Examination.  In total, this report contains 5 findings, 1 of which was also reported in the Financial Audit. SYNOPSIS •Northern Illinois University Math and Science Partnership grants had monthly cash balances exceeding the      average monthly expenditures. •Northern Illinois University continued to have weaknesses with its security and control over confidential information. FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS INADEQUATE CASH MANAGEMENT PROCEDURES Northern Illinois University Math and Science Partnerships (MSP) grants had monthly cash balances exceeding the average monthly expenditures for the following month for 50 of the 60 months tested for the eight grants received during the fiscal year ended June 30, 2011. The University received eight MSP grants during fiscal year 2011 as a pass through from the Illinois State Board of Education (ISBE).  We tested the federal cash management compliance for all 60 months pertaining to the eight MSP grants and determined that ending month fund balances exceeded expenditures for the following month by an average of $4,739 for 50 of the 60 months tested. Office of Management and Budget (OMB) Circular A-110, and 34 Code of Federal Regulations (CFR) 74.22 (b) require recipients that are paid in advance to maintain: (1) Written procedures that minimize the time elapsing between the transfer of funds and disbursement to the recipient. (2)  Cash advances to a recipient organization are limited to the minimum amounts needed and be timed in accordance with actual, immediate cash requirements of the recipient organization in carrying out the purpose of the approved program or project. (3) The timing and amount of cash advances are as close as is administratively feasible to the actual disbursements by the recipient organization for direct program or project costs and the proportionate share of any allowable indirect costs. University officials stated that they believe ISBE manages the cash balances of the MSP grants, according to the terms of the contracts.  The University never made a cash draw against these grants and filed quarterly reports with ISBE detailing the cash position of each award.  (Finding 2, pages 20-21) University officials accepted our recommendation to improve controls over MSP cash management procedures to ensure that cash draws are performed in accordance with Federal regulations and ISBE policies. WEAKNESSES REGARDING THE SECURITY AND CONTROL OF CONFIDENTIAL INFORMATION The University continued to have weaknesses with its security and control over confidential information. The University had not formally assessed its procedures for safeguarding and ensuring subsequent disposal of confidential information, and had not effectively communicated procedures for disposing confidential information to all University personnel. During our review, we found the University: • Had not performed a comprehensive risk assessment for identifying all confidential systems and data to ensure they were adequately secured. • Had not ensured confidential data was adequately secured with methods such as encryption or redaction. • Had a breach of confidential information. Specifically, confidential information (including affidavits with names, addresses, social security numbers, and checking account information) was found in a file cabinet sent to surplus by the University. University personnel stated they have been taking action to assure their confidential information is secure.  A risk assessment had been initiated and the University plans to perform a refreshed risk assessment every five years.  (Finding 5, pages 24-25)  This finding was first reported in 2009. We recommended the University assure its confidential information is adequately secured at all times and properly disposed when no longer needed.  In addition, we recommend the University: • Assess its procedures for safeguarding and subsequent disposal of all confidential information and ensure procedures are periodically communicated to all University personnel. • Perform a comprehensive risk assessment to identify all forms of confidential or personal information and ensure adequate security controls, including adequate physical and logical access restrictions, have been established to safeguard data and resources. • Ensure confidential information is adequately secured with methods such as encryption or redaction, including such data maintained on backup media. University officials agreed and indicated they had already undertaken several measures to address this need.  (For the previous University response, see Digest Footnote #1) OTHER FINDINGS The remaining findings are reportedly being given attention by the University.  We will review the University’s progress towards the implementation of our recommendations in our next engagement. AUDITORS’ OPINION The auditors conducted a State compliance examination and federal Single audit of the University for the year ended June 30, 2011.  A financial audit covering the year ended June 30, 2011 was issued separately. WILLIAM G. HOLLAND Auditor General WGH:JAF:rt AUDITORS ASSIGNED Our special assistant auditors for this engagement were McGladrey & Pullen LLP. DIGEST FOOTNOTE #1 - Weaknesses Regarding the Security and Control of Confidential Information The University disagrees with the finding.  The University agrees to assess its procedures for safeguarding and subsequent disposal of all confidential information and ensure procedures are periodically communicated to all university personnel.  The University has already completed a risk assessment and implemented policy and procedure changes based upon that review.  Confidential information is currently secured with adequate methods and when removed from secured locations encryption and redaction are used by policy/procedure.