REPORT DIGEST NORTHERN ILLINOIS UNIVERSITY SINGLE AUDIT FOR THE YEAR ENDED JUNE 30, 2021 Release Date: June 29, 2022 FINDINGS THIS AUDIT: 4 CATEGORY: NEW -- REPEAT – TOTAL Category 1: 0 -- 1 -- 1 Category 2: 1 -- 2 -- 3 Category 3: 0 -- 0 -- 0 TOTAL: 1 -- 3 -- 4 FINDINGS LAST AUDIT: 4 Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance). Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations. Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations. State of Illinois, Office of the Auditor General FRANK J. MAUTINO, AUDITOR GENERAL To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703 (217) 782-6046 or TTY (888) 261-2887 This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov INTRODUCTION This digest covers Northern Illinois University’s (University) Single Audit for the year ended June 30, 2021. A separate digest covering the University’s Financial Audit as of and for the year ended June 30, 2021, was previously released on May 18, 2022. In addition, a separate digest covering the University’s State compliance examination for the year ended June 30, 2021 will be issued separately. In total, this report contains four findings, one of which was reported in the Financial Audit. SYNOPSIS • (21-2) The University did not correctly complete enrollment status reporting to the National Student Loan Data System. • (21-3) The University did not document required information technology risk assessments related to student information security. FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS ENROLLMENT STATUS REPORTING Northern Illinois University (University) did not correctly complete enrollment status reporting to the National Student Loan Data System (NSLDS). During our testing from a statistically valid sample, we noted 6 of 40 students tested (15%) did not have their enrollment status correctly reported to the NSLDS. (Finding 2, pages 13-14) This finding has been reported since 2017. We recommended the University establish and maintain internal controls to ensure enrollment status is being correctly reported to the NSLDS. University officials accepted the recommendation. INFORMATION TECHNOLOGY RISK ASSESSMENT NOT PERFORMED The University did not document required information technology risk assessments related to student information security. As a requirement under the University’s Program Participation Agreement with the U.S. Department of Education, the University must protect student financial aid information. In addition, the Standards for Safeguarding Customer Information, required by the Gramm?Leach?Bliley Act (GLBA) (16 CFR §314.4(b)), requires the University to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and assess the sufficiency of safeguards in place to control these risks. During our testing, we noted the University did not conduct a risk assessment identifying internal and external risks to the security, confidentiality, and integrity of the student’s information. (Finding 3, pages 15-16) We recommended the University perform and document a comprehensive risk assessment identifying internal and external risks to the security, confidentiality, and integrity of the students’ information. In addition, we recommended the University ensure proper safeguards are in place to ensure the security of student information. University officials accepted our recommendation. OTHER FINDINGS The remaining findings pertain to inadequate controls over census data and the timeliness of Higher Education Emergency Relief Funding reporting. We will review the University’s progress towards the implementation of our recommendations in our next Single Audit. AUDITOR’S OPINION The financial audit report was previously released. The auditors stated the financial statements of the University as of and for the year ended June 30, 2021 are fairly stated in all material respects. The auditors also conducted a Single Audit of the University as required by the Uniform Guidance. The auditors stated the University complied, in all material respects, with the types of compliance requirements that could have a direct and material effect on the University’s major federal programs for the year ended June 30, 2021. This Single Audit was conducted by CliftonLarsonAllen LLP. JANE CLARK Division Director This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act. FRANK J. MAUTINO Auditor General FJM:TLK