REPORT DIGEST
SOUTHERN ILLINOIS UNIVERSITY
Financial Audit and Compliance Examination (In accordance with the Single Audit Act and OMB Circular A-133)
For the Two Years Ended June 30, 2010
Summary of Findings:
Total this audit: 6
Total last audit: 4
Repeated from last audit: 1
Release Date: March 10, 2011
State of Illinois, Office of the Auditor General
WILLIAM G. HOLLAND, AUDITOR GENERAL
To obtain a copy of the Report contact:
Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703
(217) 782-6046 or TTY (888) 261-2887
This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov
____________________________
SYNOPSIS
• The University’s Edwardsville campus does not formally
document the supervisory review process related to the Return of Title IV Funds
calculations.
• The University’s Carbondale campus does not have adequate
segregation of duties within the P-Card approval process. Certain P-Card holders have the ability to
approve their own purchases through the on-line P-Card approval process.
• The University had not assured adequate security and control over access to or the proper disposal of confidential information.
FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS
DOCUMENTED CONTROLS OVER RETURN OF TITLE IV FUNDS
CALCULATIONS
The Edwardsville campus does not formally document the
supervisory review process related to the Return of Title IV Funds
calculations.
The University does not formally review the Return of Title
IV script within their computer software used to calculate Return of Title IV
Funds to the U.S. Department of Education.
The Edwardsville campus improperly calculated 100% of Return of Title IV
funds calculations during the year because the script used to calculate the
return amount contained the incorrect amount of “total days” in the
equation. The University mistakenly
calculated all fall 2009 semester returns using 117 days instead of the proper
110 days. This resulted in the
University improperly returning $5,275 to the U.S. Department of Education in
excess of the proper amount for the fall semester. The University mistakenly calculated all
spring 2010 semester returns using 109 days instead of the proper 110
days. This resulted in the University
not returning $378 to the Department of Education in the spring semester. (Finding 2, page 13)
We recommended that a documented supervisory review of
Return of Title IV Funds calculation be performed.
University officials accepted our recommendation.
INADEQUATE SEGREGATION OF DUTIES WITHIN THE P-CARD APPROVAL
PROCESS
The Carbondale campus has inadequate segregation of duties
within the P-Card approval process.
The Carbondale campus has 1,112 employees that are P-Card
holders. A total of 70 of these
cardholders (6%) are also authorized to approve their own P-Card
purchases. Of these 70 cardholders who
had the ability to approve their own purchases, we noted 23 approved at least
one transaction during the fiscal year.
There should be a clear segregation of duties within the P-Card
purchasing process. No employee should
be allowed to approve their own purchases.
(Finding 5, page 16)
We recommended the University modify the P-Card system to
disallow any purchaser from approving their own purchases.
University officials accepted our recommendation and stated
the inadequate segregation of duties was noted by Internal Audit in late
summer, and corrective action has been taken.
INADEQUATE CONTROL OVER ACCESS TO AND DISPOSAL OF
CONFIDENTIAL INFORMATION
The University had not assured adequate security and control
over access to or the proper disposal of confidential information.
While performing walkthroughs at the University, we noted
the following:
School of Medicine
Documents containing confidential or personal information including
names, social security numbers, addresses, and diagnosis were found in
unsecured boxes designated for recycling or waste containers in several School
of Medicine facilities. In addition,
confidential and personal health-related information was not always shredded or
maintained in lockable bins until shredding.
A service was used to pickup and dispose of confidential information,
but it was not shredded onsite. Security
of information taken offsite could not be assured.
Carbondale Campus
Cross-cut shredders were not always utilized to dispose of confidential
and personal health-related information.
A service was used to pickup and dispose of confidential information,
but it was not shredded onsite. Security
of information taken offsite could not be assured.
Edwardsville Campus
Lockable bins were not always used to safeguard confidential
information prior to shredding.
In addition, University-wide procedures for addressing the
security and disposal of confidential information were lacking, confidential
information in electronic form was not assured of being adequately protected,
and a formal risk assessment to identify all confidential information had not
been performed. The University had
experienced at least 10 security breaches since June 30, 2009. (Finding 6, pages 17-18)
We recommended the University review University-wide
policies to assure procedures exist for ensuring confidential and personal
information is adequately secured and properly disposed. In addition, the University should also
perform a formal risk assessment to evaluate its computer environment and data
maintained to assure adequate security controls.
University officials accepted our recommendation.
OTHER FINDINGS
The remaining findings are reportedly being given attention
by the University. We will review the
University’s progress towards the implementation of our recommendations in our
next audit.
AUDITORS’ OPINION
Our auditors stated the financial statements of the
University as of June 30, 2010 and for the year then ended are fairly presented
in all material respects.
WILLIAM G. HOLLAND
Auditor General
WGH:GSR:pp
SPECIAL ASSISTANT AUDITORS
Crowe Horwath LLP were our special assistant auditors for
this audit.