REPORT DIGEST


STATE UNIVERSITIES RETIREMENT SYSTEM

COMPLIANCE AUDIT
For the Year Ended:
June 30, 1998



Summary of Findings:

Total this audit 5
Total last audit 7
Repeated from last audit 4



Release Date:
January 27, 1999


State of Illinois
Office of the Auditor General

WILLIAM G. HOLLAND
AUDITOR GENERAL

To obtain a copy of the Report contact:
Office of the Auditor General
Attn: Records Manager
Iles Park Plaza
740 E. Ash Street
Springfield, IL 62703
(217) 782-6046 or TDD (217) 524-4646

This Report Digest is also available on
the worldwide web at
http://www.state.il.us/auditor

SYNOPSIS

  • The State Universities Retirement System (SURS) had inadequate controls over benefits and refund processes.
  • SURS did not have adequate procedures, processes, or controls over certain Information Systems functions. This finding has been repeated since 1996.

{Financial Information and Activity Measures are summarized on the reverse page.}

STATE UNIVERSITIES RETIREMENT SYSTEM
INFORMATION FROM FINANCIAL AND COMPLIANCE AUDITS
Two Years Ended June 30, 1998

FINANCIAL OPERATIONS

                                                         FY 1998           FY 1997
Additions
  Contributions
    Participants                                    $221,769,326      $202,181,711
    Employer                                         227,798,626       182,040,869
    Total Contributions                             $449,567,952      $384,222,580
  Investment Income
    Net appreciation in fair market value         $1,318,526,073    $1,359,175,105
    Interest                                         113,753,599       104,446,588
    Dividends                                         54,520,698        38,197,426
    Other                                              1,055,193           731,260
    Less: Investment expense                          13,265,935        12,520,827
    Total Investment Income                       $1,474,589,628    $1,490,029,552
  Total Additions                                 $1,924,157,580    $1,874,252,132
Deductions
  Total benefits                                    $466,508,747      $419,204,096
  Other expenses                                      40,318,254        38,516,544
  Total Deductions                                  $506,827,001      $457,720,640
Net Increase                                      $1,417,330,579    $1,416,531,492

INVESTMENT PORTFOLIO ANALYSIS
(Fair Market Value)

                                                   JUNE 30, 1998     JUNE 30, 1997
Total equities                                    $6,852,903,345    $5,696,018,450
Total fixed income securities                      2,660,031,036     2,028,156,816
Cash and short-term investments                      460,282,838       666,316,945
Real estate investments                              134,492,069       178,817,319
Self-Managed Plan Funds                               27,736,949
Accrued investment income                              1,581,208        20,700,409
Total Investments at Fair Market Value           $10,137,027,445    $8,590,009,939

ADMINISTRATIVE EXPENSES

                                                         FY 1998           FY 1997
Personal services                                     $3,777,555        $2,920,431
Other professional fees and services                   2,713,638         1,919,315
Depreciation                                           1,290,287         1,576,368
Postage, freight, and expenses                           478,356           262,440
Equipment repair and rental                              231,418           196,739
Printing and copying services                            405,970           163,538
Building operations expenses                             176,174           183,074
Other expenses                                           354,896           323,336
Total Administrative Expenses                         $9,428,294        $7,545,241

SELECTED ACCOUNT BALANCES

                                                   JUNE 30, 1998     JUNE 30, 1997
Investments at Market Value                       $9,649,007,658    $7,902,992,585
Securities lending collateral                        506,584,024       318,109,886
Cash & short term investments                        460,282,838       666,316,945
Pending investment sales                             126,243,506       130,956,926
Accrued investment income receivable                  27,736,948        20,700,409
Other assets                                          23,673,038        24,714,860
Total assets                                     $10,803,528,012    $9,063,791,611
Securities lending collateral                       $506,584,024      $318,109,886
Payable to brokers for unsettled trades              473,418,203       342,247,386
Other payables                                        29,847,903        27,087,036
Total liabilities                                 $1,009,850,130      $687,444,308
Net assets held in trust for pension benefits     $9,793,677,882    $8,376,347,303

SUPPLEMENTARY INFORMATION

                                                         FY 1998           FY 1997
Total investment administrative expenses             $13,265,935       $12,520,827
Return on investments (unaudited)                          17.8%             21.4%
Average number of employees                                   89                71
Number of active members                                  78,001            75,781
Number of inactive members                                38,054            36,047
Number of retirement benefit recipients                   21,623            20,119
Number of survivors benefit recipients                     5,152             4,779
Number of disabilities benefit recipients                  1,257             1,260

EXECUTIVE DIRECTOR
During Audit Period and Currently: Mr. James M. Hacking

 

















INTRODUCTION

This digest covers our State compliance audit of the State Universities Retirement System for the year ended June 30, 1998. A financial audit covering the year ending June 30, 1998 is being issued separately.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

INADEQUATE CONTROLS OVER BENEFITS AND REFUNDS

The State Universities Retirement System (SURS) had inadequate controls over its benefits and refunds processes to ensure documentation was sufficient to substantiate amounts and eligibility.

During our audit testing, we noted that adequate audit trails and supporting documentation did not exist for the on-line claims systems or in members' image files. The calculation of benefits is crucial to SURS, and therefore prudent business practices require that an adequate audit trail for calculating benefits be maintained. We also tested a member file that did not contain the Employee Statement from the original year of the survivor annuity. In discussions with SURS officials, it was determined that all 1991 survivor statements of account were not on the image system, resulting in missing documentation. (Finding 98-1, page 9)

We recommended SURS strengthen or revise its controls over benefits and refunds to ensure all documentation is complete and claim calculations are properly performed and documented.

SURS officials concurred with our recommendation and stated they are working to identify system enhancements which will provide on-line detail. SURS officials also stated survivor statements of account not on the image records system will be regenerated from computerized records and manually scanned into member files sometime in the current fiscal year.

INFORMATION SYSTEMS

The System did not have adequate procedures, processes, or controls to ensure (1) the integrity of data and programs during the development period for computer applications and (2) that all security access granted to computer system users is properly authorized. This finding has been repeated since 1996.

In our testing, we noted the following:

  • Application programmers had the ability to make modifications to an application once the user had tested and authorized the application change.
  • Certain formalized program change control procedures were not in place.
  • A program change control process ensuring that program source code is maintained in both the production and test environments did not exist.
  • The security administration process in place for granting, monitoring, and revoking access to production libraries for normal users was not being followed for special logons used by the system staff. (Findings 98-3 and 98-4, pages 12 and 13)

We recommended SURS design and implement controls to restrict changes to source code once it is tested and approved, establish formal program change procedures, create a control environment to ensure program source code is maintained in both the production and test environments, and implement formal security administration processes.

SURS officials concurred with our recommendations and have stated they will implement a procedure to ensure no unauthorized modifications have been made after user approval and that the process of completing program maintenance will be formalized. SURS officials also stated they will implement a process for migration of source code from development to the system test and production environments, and new policies will be developed for issuing logons to vendors and for specialized internal functions. (For previous Agency responses, see Digest Footnote 1.)

OTHER FINDINGS

The remaining findings are less significant, and SURS' responses indicate it is addressing the conditions. We will review progress toward implementing these recommendations in our next audit.

Mr. Steve Hayward, Internal Auditor at SURS, provided responses to our recommendations. All responses were received in December 1998.



_____________________________________
WILLIAM G. HOLLAND, Auditor General

WGH:BAR:pp

SPECIAL ASSISTANT AUDITORS

Arthur Andersen LLP were our special assistant auditors for this audit.

DIGEST FOOTNOTES

#1 INFORMATION SYSTEMS - Previous Agency Responses

1997: SURS concurs with these recommendations. SURS has been working on the implementation of the controls recommended in order that unauthorized changes in the source code are not implemented into production. Full implementation of the recommendations is expected in the near future.

1996: SURS concurs with these recommendations and will implement the recommended controls in order to ensure that unauthorized changes in the source code are not implemented into production.