REPORT DIGEST

SOUTHERN ILLINOIS UNIVERSITY
COMPLIANCE EXAMINATION
FOR THE YEAR ENDED JUNE 30, 2021

Release Date: July 13, 2022

FINDINGS THIS AUDIT: 16

CATEGORY        NEW    REPEAT    TOTAL
Category 1        0         1        1
Category 2        3        12       15
Category 3        0         0        0
TOTAL             3        13       16

FINDINGS LAST AUDIT: 18

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact:
Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703
(217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

INTRODUCTION

This digest covers Southern Illinois University’s Compliance Examination for the year ended June 30, 2021. A separate digest covering the University’s financial audit was previously released on June 8, 2021. In addition, a separate digest covering the University’s Single Audit was separately released. In total, this report contains 16 findings, five of which were reported in the Financial Audit and Single Audit.

SYNOPSIS

• (21-10) The University lacked adequate controls over its service providers.
• (21-11) The University did not maintain a minimum of one approved course per major under the Illinois Articulation Initiative for some majors offered by the University.
• (21-14) The University did not maintain adequate security controls over its environment and devices.
FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

LACK OF ADEQUATE CONTROLS OVER THE REVIEW OF INTERNAL CONTROLS FOR SERVICE PROVIDERS

The University lacked adequate controls over its service providers. During testing, we noted:

• The campuses’ population of service providers utilized was incomplete.
• The risk assessment questionnaire for onboarding vendors and service providers did not consistently document all relevant information.
• University personnel lacked sufficient guidance for completing their assessments.
• The University had not obtained System and Organization Controls (SOC) reports or documented an assessment of controls for 5 of 15 (33%) service providers.
• The University did not maintain the SOC report for 3 of 15 (20%) service providers where the University had documented its review of controls. Therefore, we were unable to determine whether the SOC reports were adequately reviewed; whether Complementary User Entity Controls (CUECs) were properly identified, monitored and documented; and whether SOC reports for subservice organizations were obtained and reviewed, or alternative procedures performed, to determine the impact on its internal control environment.
• The University did not document all key elements of its review of SOC reports, including opinions, weaknesses reported and management’s responses, CUECs and their mapping to related internal controls at the University, and SOC reports or alternative procedures for subservice organizations.
• The contracts between the University and the service providers did not contain a requirement for an independent review to be completed.

(Finding 10, pages 36-39) This finding has been reported since 2018.

We recommended the University fully implement its process and strengthen controls to identify and document all service providers utilized and to determine and document whether a review of controls is required.
Where appropriate, we recommended the University ensure knowledgeable staff:

• Obtain and maintain SOC reports (or perform independent reviews) of internal controls associated with outsourced systems at least annually.
• Monitor and document the operation of the CUECs related to the University’s operations.
• Either obtain and review SOC reports for subservice organizations or perform alternative procedures to satisfy itself that the existence of the subservice organizations would not impact the internal control environment.
• Document its review of the SOC reports and review all significant issues with subservice organizations to ascertain whether a corrective action plan exists and when it will be implemented, any impacts to the University, and any compensating controls.
• Review contracts with service providers to ensure applicable requirements over the independent review of internal controls are included.

University management agreed the established process for reviewing the internal controls of its service providers contains certain weaknesses which should be improved. The University also agreed to take specified actions to strengthen its process. The University further stated it currently does not intend to begin storing/maintaining SOC reports upon completion of the associated review due to the high risk and high impact damages to the University with no business benefit or return, especially once vendor security controls have been reviewed, breach liability has been established, and a risk decision has been made. The University did agree to re-evaluate its process to enhance it as needed to ensure a sufficient audit trail of the review process and conclusions reached, despite not maintaining the SOC report. University management also responded it will revisit the SOC maintenance and storage issue with its legal counsel.
In an accountant’s comment, we stated that given the University’s intention of not maintaining SOC reports, the auditors will not be able to review the efficiency and effectiveness of the service providers’ internal controls and the associated examination of the controls by an independent service auditor. In addition, the auditors may be required to conduct additional testing to determine the University’s compliance with the specified requirements.

NONCOMPLIANCE WITH ILLINOIS ARTICULATION INITIATIVE

The University did not maintain a minimum of one approved course per major under the Illinois Articulation Initiative (Initiative or IAI) for some majors offered by the University. We noted the University did not have a minimum of one course approved by the Initiative panel included within the related Initiative major for its early childhood education and political science degree programs. (Finding 11, pages 40-42)

We recommended the University comply with the requirements of the Act or seek legislative change.

University management disagreed on the basis of interpretation and stated they do not believe the intent to be to change or create courses to match panel criteria in all majors offered when IAI recommendations exist for that major. Management further stated they will continue their effort to reconcile the differing interpretations, and if they learn that their interpretation is not in line with the intent of the legislation, they will take steps to become fully compliant.

In an accountant’s comment, we noted the General Assembly required participation in the Initiative by the State's public universities to enhance the ability of students, after completing their lower-division coursework, to transfer to any of the 78 four-year institutions participating in the Initiative without having to retake courses similar to the courses they took at their initial institution.
Each campus of the State's public universities, as a separate institution within the Initiative, is responsible for identifying whether its campus offers an equivalent course within the definition of the Initiative's underlying course descriptors for each major offered in the Initiative. Then, each institution must select at least one course that meets one of the course descriptors within an Initiative major and get this course accepted into the Initiative by ensuring the selected course meets the course descriptor's underlying elements. If the interpretation of the Act was solely for a campus to review its courses and conclude that any incongruence with the underlying elements within a course descriptor, no matter how minor, meant the institution did not offer an equivalent course, then the legislative purpose of the Act would be frustrated. In this scenario, it is highly unlikely any of the 78 participating institutions would have had complete alignment between the syllabi and content of their courses without some modification and convergence through the Initiative.

SECURITY RELATED WEAKNESSES

The University did not maintain adequate security controls over its environment and devices. We selected a sample of workstations, servers, applications and firewalls to determine if security had been properly implemented to protect information assets and resources from unauthorized access and/or compromise of system integrity. Our testing noted the University did not maintain adequate security controls over some of its workstations, servers, and firewalls. (Finding 14, pages 49-50)

We recommended the University implement adequate security controls across the University’s environment and devices.

University management agreed it did not maintain adequate security controls over some of its workstations, servers and firewalls. Management further stated it will continue to implement adequate security controls across the University’s environment and devices.
OTHER FINDINGS

The remaining findings pertain to weaknesses in internal controls, federal and state legal compliance, and information technology. We will review the University’s progress towards the implementation of our recommendations in our next State compliance examination.

AUDITOR’S OPINIONS

The financial audit report was previously released. The auditors stated the financial statements as of and for the year ended June 30, 2021 are fairly stated in all material respects.

The single audit report was separately released. The auditors conducted a Single Audit of the University as required by the Uniform Guidance. The auditors stated the Agency complied, in all material respects, with the types of compliance requirements that could have a direct and material effect on the University’s major federal programs for the year ended June 30, 2021.

ACCOUNTANT’S OPINION

The accountants conducted a State compliance examination of the University for the year ended June 30, 2021, as required by the Illinois State Auditing Act. The accountants qualified their report on State Compliance for Finding 2021-001. Except for the noncompliance described in that finding, the accountants stated the University complied, in all material respects, with the requirements described in the report.

This State compliance examination was conducted by Plante & Moran, PLLC.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:lkw