REPORT DIGEST

SOUTHERN ILLINOIS UNIVERSITY

COMPLIANCE EXAMINATION AND SINGLE AUDIT
FOR THE YEAR ENDED JUNE 30, 2020

Release Date: July 14, 2021

FINDINGS THIS AUDIT: 18

CATEGORY        NEW   REPEAT   TOTAL
Category 1        1        0       1
Category 2       10        7      17
Category 3        0        0       0
TOTAL            11        7      18

FINDINGS LAST AUDIT: 10

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact:
Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703
(217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

INTRODUCTION

This digest covers Southern Illinois University’s Single Audit and Compliance Examination for the year ended June 30, 2020. A separate digest covering the University’s Financial Audit as of and for the year ended June 30, 2020 was previously released on May 25, 2021. In total, this report contains 18 findings, 2 of which were reported in the Financial Audit.

SYNOPSIS

• (20-5) The University did not document required risk assessments related to student information security.
• (20-10) The University issued payments for lost wages to student workers who continued to work and earn wages on campus.
• (20-16) The University had not implemented adequate internal controls related to cybersecurity programs and practices.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

INFORMATION TECHNOLOGY RISK ASSESSMENT NOT PERFORMED

The University Edwardsville campus did not document required risk assessments related to student information security.

As a requirement under the University’s Program Participation Agreement with the Department of Education, the University must protect student financial aid information. However, we noted they had not conducted a risk assessment identifying internal and external risks to the security, confidentiality, and integrity of the students’ information. (Finding 5, pages 34-35)

We recommended the University perform and document a comprehensive risk assessment identifying internal and external risks to the security, confidentiality, and integrity of the students’ information. In addition, we recommended the University ensure proper safeguards are in place to ensure the security of student information.

The University agreed and responded that Edwardsville Student Financial Aid (SFA) and Information Technology Services will co-lead a cross-functional team that assesses the internal and external risks associated with student data and privacy. The University also stated the team will in turn provide a risk assessment that indicates how they plan to mitigate any breaches, and SFA will conduct annual trainings for team members.

HEERF INSTITUTIONAL EXPENDITURES

The University did not have adequate procedures in place to ensure Higher Education Emergency Relief Fund (HEERF) Institutional Aid Portion awards were spent on allowable expenditures.

The University issued payments for lost wages to student workers who continued to work and earn wages on campus. Three of 30 (10%) samples tested included students who were paid estimated wages for the spring 2020 semester utilizing HEERF institutional aid portion awards to alleviate the lost wages of these student employees caused by the disruption to campus operations as a result of COVID-19.

In addition, students who were able to continue working for the University after the issuance of the Stay at Home Executive Order 2020-10 were paid for actual hours worked. One of the 3 students tested who received estimated wages to alleviate lost wages was also paid for actual hours worked from University funds. $219,661 in estimated wages was paid to students who also actually worked hours after the issuance of Executive Order 2020-10. The University was unable to provide sufficient documentation to support that HEERF awards to students who continued to work were due to significant changes to the delivery of instruction due to the coronavirus. (Finding 10, pages 44-47)

We recommended the University establish processes and procedures to ensure that federal funds are only spent on allowable expenditures.

The University stated they agree with the facts but disagree with the auditor’s conclusion that payments totaling $219,661 were questionable and not spent in compliance with the HEERF guidance. The University stated the 337 (19%) students who were able to continue to work during this closure were paid a total of $168,000 in actual wages earned, paid out of university funds. Management stated these students’ portion of the estimated wages payment was $220,000, and contended the fact that actual wages earned were less than estimated wages for these students is indicative of a “clear nexus to significant changes to the delivery of instruction due to the coronavirus”. The University also stated it believed the payments made from HEERF institutional funds were made in compliance with the HEERF guidance available at the time, and therefore no corrective action was being planned.

In an auditor’s comment, we noted Federal guidance for use of the funds and the University’s grant award certification and agreement require HEERF funds be spent only on costs with a clear nexus to significant changes to the delivery of instruction due to the coronavirus. Only the specific costs incurred due to the change to on-line instruction were therefore allowable costs. The questioned costs relate to students considered “essential” by the University who were allowed to continue working and were paid both for hours worked, as well as payments designated to alleviate lost wages due to the inability of students to work. These jobs generally involved in-person work for the health and safety of people and animals, as well as technical and academic assistance conducted remotely. This student work continued regardless of the University’s change to remote instruction. There is no federal guidance permitting use of these HEERF grant funds to pay supplemental wages to essential student workers who continued to work and earn wages already being paid by the University. Since essential student work and University payment of wages continued despite the campus closure and the move to on-line instruction, the payments in question were not caused by the change to remote learning, as required to be allowable uses of these HEERF awards. Further, payments to alleviate lost wages for earnings which were not lost result in overpayment of students, whether paid from University funds or reimbursed from federal funds. While we agree there is a clear nexus to the change to remote learning shown for students who could not work during the pandemic, we do not believe there is a clear causal link, or nexus, for the payments of estimated wages and actual wages to essential student workers for this period.

WEAKNESSES IN CYBERSECURITY PROGRAMS AND PRACTICES

The University had not implemented adequate internal controls related to cybersecurity programs and practices.

During our examination of the University’s cybersecurity program, practices, and control of confidential information, we noted:

• The Edwardsville Campus experienced a malware breach of its systems in July 2019, which was isolated to peripheral systems with minimal lost data. A change ticket was not created for the security incident.
• The Edwardsville Campus had not established a formal risk management framework for identifying, managing and mitigating risks.
• The University’s risk assessments were not comprehensive and did not take decentralized systems into consideration to ensure a complete evaluation of inherent risk exposure.
• Policies and procedures were not always updated, and the Edwardsville campus security policies did not adequately address configuration management, security awareness and training, on-boarding policies for staff and contractors, system development standards, change management, disaster recovery planning, maintenance and testing, and data maintenance and destruction. (Finding 16, pages 59-61)

We recommended the University:

• Review its risk management frameworks to ensure they are comprehensive and adequate for assisting the University in ensuring its risks are identified, managed and mitigated where appropriate.
• Ensure all campuses have a comprehensive risk assessment completed and take decentralized systems into consideration in performing their assessments to ensure a complete evaluation of inherent risk exposure.
• Ensure all security incidents are documented with a change ticket outlining the nature of the incident, the impact and any corrective action taken.
• Review existing security-related policies and procedures to ensure they are updated where appropriate so that they adequately address the University’s security needs, and ensure Edwardsville Campus security policies adequately address all areas.

The University agreed with the finding and stated an enterprise risk assessment program and an internal monitoring system have been implemented at the Edwardsville Campus. The University also stated other measures were implemented in Fiscal Year 2021 where appropriate; policies will be reviewed periodically and the Chief Information Officer will make recommendations for updates. The University further stated the Carbondale and School of Medicine campuses will review the recommendation and make any necessary enhancements to current practices and procedures to ensure full implementation.

OTHER FINDINGS

The remaining findings pertain to weaknesses in internal controls, capital asset reporting, federal and state legal compliance, and information technology. We will review the Agency’s progress towards the implementation of our recommendations in our next compliance examination and single audit.

AUDITOR’S OPINIONS

The financial audit report was previously released. The auditors stated the financial statements of the University as of and for the year ended June 30, 2020 are fairly stated in all material respects.

The auditors conducted a Single Audit of the University as required by the Uniform Guidance. The auditors stated the University complied, in all material respects, with the types of compliance requirements that could have a direct and material effect on the University’s major federal programs for the year ended June 30, 2020.

ACCOUNTANT’S OPINION

The accountants conducted a compliance examination of the University for the year ended June 30, 2020, as required by the Illinois State Auditing Act. The accountants qualified their report on State compliance for Finding 2020-001. Except for the noncompliance described in this finding, the accountants stated the Agency complied, in all material respects, with the requirements described in the report.

This compliance examination and single audit was conducted by Plante Moran.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:lkw