REPORT DIGEST

NORTHERN ILLINOIS UNIVERSITY

COMPLIANCE EXAMINATION FOR THE YEAR ENDED JUNE 30, 2020

Release Date: June 9, 2021

FINDINGS THIS AUDIT: 16

CATEGORY: NEW -- REPEAT -- TOTAL
Category 1: 1 -- 0 -- 1
Category 2: 6 -- 9 -- 15
Category 3: 0 -- 0 -- 0
TOTAL: 7 -- 9 -- 16

FINDINGS LAST AUDIT: 12

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703 (217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

INTRODUCTION

This digest covers our federal Single Audit and Compliance Examination of Northern Illinois University for the year ended June 30, 2020. A separate Financial Audit as of and for the year ended June 30, 2020, was previously released on June 2, 2021. In total, this report contains 16 findings, one of which was reported in the Financial Audit.

SYNOPSIS

• (20-4) The University did not document required information technology risk assessments related to student information security.
• (20-5) The University has not established adequate internal controls over contracts to ensure they are approved prior to performance and comply with all applicable State requirements.
• (20-8) The University has not established adequate controls over the completion of I-9 forms for employees hired by the University.
FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

INFORMATION TECHNOLOGY RISK ASSESSMENT NOT PERFORMED

Northern Illinois University (the University) did not document required information technology risk assessments related to student information security.

As a requirement under the University’s Program Participation Agreement with the U.S. Department of Education, the University must protect student financial aid information. However, during our testing, we noted the University did not conduct a risk assessment identifying internal and external risks to the security, confidentiality, and integrity of the student’s information.

The Standards for Safeguarding Customer Information, required by the Gramm-Leach-Bliley Act (GLBA) (16 CFR §314.4(b)), requires the University to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and assess the sufficiency of safeguards in place to control these risks. At a minimum, such a risk assessment should include consideration of risk in each relevant area of operations, including:

(1) Employee training and management;
(2) Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and
(3) Detecting, preventing and responding to attacks, intrusions, or other system failures.

(Finding 4, pages 25-26)

We recommended the University perform and document a comprehensive risk assessment identifying internal and external risks to the security, confidentiality, and integrity of the students’ information. In addition, we recommended the University ensure proper safeguards are in place to ensure the security of student information.
University officials accepted our recommendation and stated they will evaluate the feasibility of performing a comprehensive information technology risk assessment.

INADEQUATE INTERNAL CONTROLS OVER CONTRACTS

The University has not established adequate internal controls over contracts to ensure they are approved prior to performance and comply with all applicable State requirements.

During our review of a sample of 40 contracts for the year ended June 30, 2020, some of the items we noted are as follows:

• Fifteen contracts (38%) totaling $2,213,921 were not approved prior to goods or services being provided. The contracts were executed between 2 and 85 days after the commencement of the services or the receipt of the goods.
• Five contracts (13%) totaling $8,347,139 contained contract obligation documents that were not filed within 30 days of execution of the contract. The contract obligation documents were filed between 1 and 116 days late.
• Two contracts (5%) totaling $49,987 did not have a change order contract obligation document filed with the Illinois Office of Comptroller. Each contract contained an order for delivery that exceeded $20,000. The change order contract obligation documents were not yet filed as of June 30, 2020.
• Two contracts (5%) totaling $15,500 did not obtain the vendor certification agreement prior to the approval of the contract. In one instance, the certification agreement was signed 33 days late. In the second instance, the certification agreement was not yet obtained as of June 30, 2020.

(Finding 5, pages 27-28). This finding has been repeated since 2012.

We recommended the University establish and maintain internal control procedures over contracts to ensure contracts are complete and properly approved prior to performance, and that contract obligation documents are filed timely. We also recommended the University adhere to State laws and regulations.

University officials accepted the recommendation.
INADEQUATE CONTROLS OVER I-9 FORMS

The University has not established adequate controls over the completion of I-9 forms for employees hired by the University.

During our review of a sample of forty (40) employee hires, we noted the following:

• Nine employees (23%) did not complete the preparer and/or translator certification portion of section 1 of the I-9 form.
• Three employees (8%) did not complete section 1 of the I-9 form on or before their respective hire date.
• Two employees (5%) did not have their verification of employee eligibility performed timely (within 3 days) by the University.
• Two employees (5%) did not input their name on section 2 of the I-9 form.
• Two employees (5%) failed to date their completion of section 1 of the I-9 form.
• One employee (3%) dated and completed the I-9 form prior to accepting the job offer.
• One employee (3%) did not provide their address in section 1 of the I-9 form.
• One employee (3%) did not have their first date of employment documented in Section 2 of the I-9 form.
• One employee personnel file (3%) failed to document the accepted job offer date and therefore couldn’t be matched to the I-9 form.

(Finding 8, page 31)

We recommended the University enhance their controls over the process for preparing and reviewing the I-9 Forms to ensure compliance with U.S. Citizenship and Immigration Services requirements.

University officials accepted the recommendation.

OTHER FINDINGS

The remaining findings are reportedly being given attention by the University. We will review the University’s progress towards the implementation of our recommendations in our next Single Audit and State Compliance Examination.

AUDITOR’S OPINION

The financial audit report was previously released. The auditors stated the financial statements of the University as of and for the year ended June 30, 2020 are fairly stated in all material respects.

The auditors also conducted a Single Audit of the University as required by the Uniform Guidance.
The auditors stated the University complied, in all material respects, with the types of compliance requirements that could have a direct and material effect on the University’s major federal programs for the year ended June 30, 2020.

ACCOUNTANT’S OPINION

The accountants conducted a compliance examination of the University for the year ended June 30, 2020, as required by the Illinois State Auditing Act. The accountants qualified their report on State Compliance for Finding 2020-001. Except for the noncompliance described in that finding, the accountants stated the University complied, in all material respects, with the requirements described in the report.

This Single Audit and State Compliance Examination was conducted by CliftonLarsonAllen LLP.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:TLK