REPORT DIGEST

NORTHERN ILLINOIS UNIVERSITY
COMPLIANCE EXAMINATION
FOR THE YEAR ENDED JUNE 30, 2023

Release Date: June 13, 2024

FINDINGS THIS AUDIT: 17

CATEGORY       NEW    REPEAT    TOTAL
Category 1:      0         0        0
Category 2:      8         9       17
Category 3:      0         0        0
TOTAL:           8         9       17

FINDINGS LAST AUDIT: 16

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, 400 West Monroe, Suite 306, Springfield, IL 62704-9849
(217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

INTRODUCTION

This digest covers our Compliance Examination of Northern Illinois University (University) for the year ended June 30, 2023. A separate Financial Audit and a separate Single Audit as of and for the year ended June 30, 2023, were both previously released on March 28, 2024. In total, this report contains 17 findings, 7 of which were reported in the Financial Audit and Single Audit, respectively.

SYNOPSIS

• (23-9) The University has not established adequate controls over the completion of I-9 forms for employees hired by the University.
• (23-15) The University did not terminate separated employees’ user accounts having access to the University’s information technology environment, applications, and data timely.
• (23-16) The University did not conduct trainings for all its employees as required by the State Officials and Employees Ethics Act.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

INADEQUATE CONTROLS OVER I-9 FORMS

The University has not established adequate controls over the appropriate completion of I-9 forms for employees hired by the University.

During our review of 17 employees hired during the period of examination, we noted the following:

• Section 1 of the I-9 form was not completed by six employees (35%) until 4 to 49 days after their first day of employment.
• Section 2 of the I-9 form was not completed by the University for the same six (35%) employees until 5 to 39 business days after the employees’ first day of employment.

(Finding 9, page 22) This finding has been reported since 2018.

We recommended the University enhance their controls over the process of obtaining and reviewing the I-9 Forms to ensure compliance with U.S. Citizenship and Immigration Services requirements.

University officials accepted the recommendation.

INADEQUATE CONTROLS OVER TERMINATED EMPLOYEE USER ACCOUNTS

Northern Illinois University (University) did not terminate separated employees’ user accounts having access to the University’s information technology environment, applications, and data timely.

During the examination, we noted:

• The University has not developed a policy requiring reviews of an individual’s access rights on at least an annual basis or that requires timely review and notification of employee separations to Human Resources (HR).
• User access was not timely terminated. Specifically:
  — Six of 15 (40%) employees, selected from a listing of terminated system access rights, did not have their system access terminated until two to 31 days after the employee left the University.
  — 16 of 20 (80%) employees, selected from a listing of terminated employees, still had active system access rights.

(Finding 15, page 30) This finding has been reported since 2021.

We recommended the University establish a policy that requires the University departments to perform an annual review of all application user accounts, and timely notify HR of any employee separations. We also recommended the University ensure separated individuals’ access is timely terminated.

University officials accepted the recommendation.

WEAKNESSES IN CYBERSECURITY PROGRAMS AND PRACTICES

Northern Illinois University (University) had weaknesses in the internal controls related to cybersecurity programs and practices.
The University relies on critical applications which store and maintain confidential, financially sensitive and personally identifiable information such as name, addresses, and Social Security numbers.

The Illinois State Auditing Act (30 ILCS 5/3-2.4) requires the Auditor General to review State agencies and their cybersecurity programs and practices. Based on our testing of the University’s cybersecurity programs, practices, and control of confidential information, we noted:

• One of 17 (6%) tested newly hired employees did not complete the new hire information security awareness training.
• Six of 17 (35%) tested newly hired employees did not complete the new hire information security awareness training in the required timeframe. The training was completed between 28 and 197 days late.
• One of 67 (1%) tested employees did not complete the annual information security awareness training.

(Finding 16, pages 31-32)

We recommended the University ensure all employees, including new hires, complete the required training within the required timeline.

University officials accepted the finding.

OTHER FINDINGS

The remaining findings are reportedly being given attention by the University. We will review the University’s progress towards the implementation of our recommendations in our next State Compliance Examination.

AUDITOR’S OPINION

The financial audit report was previously released. The auditors stated the financial statements of the University as of and for the year ended June 30, 2023 are fairly stated in all material respects.

The single audit report was previously released. The auditors conducted a single audit of the University as required by the Uniform Guidance. The auditors stated the University complied, in all material respects, with the types of compliance requirements that could have a direct and material effect on the University’s major federal programs for the year ended June 30, 2023.

ACCOUNTANT’S OPINION

The accountants conducted a compliance examination of the University for the year ended June 30, 2023, as required by the Illinois State Auditing Act. The accountants stated the University complied, in all material respects, with the requirements described in the report.

This State Compliance Examination was conducted by RSM US LLP.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:TLK