REPORT DIGEST

SOUTHERN ILLINOIS UNIVERSITY

COMPLIANCE EXAMINATION
FOR THE TWO YEARS ENDED JUNE 30, 2022

Release Date:  July 27, 2023

FINDINGS THIS AUDIT: 21

CATEGORY:  NEW -- REPEAT -- TOTAL
Category 1:  0 -- 3 -- 3
Category 2:  8 -- 10 -- 18
Category 3:  0 -- 0 -- 0
TOTAL:  8 -- 13 -- 21

FINDINGS LAST AUDIT: 16

Category 1: Findings that are material
weaknesses in internal control and/or a
qualification on compliance with State
laws and regulations (material
noncompliance).
Category 2: Findings that are
significant deficiencies in internal
control and noncompliance with State
laws and regulations.
Category 3: Findings that have no
internal control issues but are in
noncompliance with State laws and
regulations.

State of Illinois, Office of the
Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact:
Office of the Auditor General, Iles
Park Plaza, 740 E. Ash Street,
Springfield, IL 62703
(217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are
also available on the worldwide web at
www.auditor.illinois.gov

INTRODUCTION

This digest covers the Southern
Illinois University’s (University)
Compliance Examination for the year
ended June 30, 2022.  Separate digests
covering the University’s Financial
Audit and Single Audit were previously
released on March 30, 2023.  In total,
this report contains 21 findings, 8 of
which were reported in the Financial
Audit and Single Audit collectively.

SYNOPSIS

• (22-12) The University did not
maintain adequate security controls
over its environment and devices.

• (22-18) The University did not
maintain adequate security controls
over its environment and devices.

• (22-20) The University did not
establish a forensic psychiatry
fellowship training program as required
by statute.

The University did not maintain a
minimum of one approved course per
major under the Illinois Articulation
Initiative for some majors offered by
the University.

FINDINGS, CONCLUSIONS, AND
RECOMMENDATIONS

SECURITY RELATED WEAKNESSES

Southern Illinois University
(University) did not maintain adequate
security controls over its environment
and devices.

The University maintains computer
resources across its campuses for users
to conduct University functions.
During our examination, we selected a
sample of servers and workstations to
determine if appropriate security
controls had been implemented, noting
the University did not maintain
adequate information security controls.
(Finding 12, pages 36 – 37) This
finding has been repeated since 2018.

We recommended the University implement
adequate security controls across the
University’s environment and devices.

University management stated they
disagree with the materiality of this
finding and asserted that exceptions
provided during fieldwork regarding
unsupported systems were immaterial in
number. The University also argued it
is misleading to strictly state it did
not maintain adequate security controls
over its environment. Management
further stated they do have adequate
security controls over its assets as
evidenced by their CIS controls
analysis which is documented and mapped
directly to the relevant controls of
NIST SP 800-171. University management
further responded they will continue to
monitor the situation, with respect to
unsupported systems and remedy or
otherwise improve their posture when
circumstances warrant.

In an accountant’s comment, we stated
we believe the lack of adequate
security controls in today’s
environment, given the events taken
place, to be material to the security
of the University’s systems, data, and
overall mission to provide educational
opportunities. It is very concerning
the University does not have the same
apprehension as we do.

FORENSIC PSYCHIATRY FELLOWSHIP TRAINING
PROGRAM

The University did not establish a
forensic psychiatry fellowship training
program as required by statute.

The University had not offered a
forensic psychiatry fellowship training
program at its School of Medicine since
the mandate became effective in August
2007. Furthermore, the University had
not sought funding of this mandate
during Fiscal Year 2022. (Finding 18,
page 45)

We recommended the University take
measures to establish a forensic
psychiatry fellowship training program
and to request funding if needed, or to
seek legislative change. We further
recommended the University implement
internal controls to monitor laws,
assess applicability, and ensure
compliance.

University management agreed that a
forensic psychiatric fellowship
training program is not currently being
offered. Management further responded
the University does not want to see the
requirement for this fellowship to be
eliminated, but it sought relief from
this unfunded mandate by recommending
the statute be amended to make the act
subject to appropriation through an
omnibus state government statute clean-
up in House Bill 3856.

NONCOMPLIANCE WITH ILLINOIS
ARTICULATION INITIATIVE

The University did not maintain a
minimum of one approved course per
major under the Illinois Articulation
Initiative (Initiative or IAI) for some
majors offered by the University.

During testing, we noted the University
did not have a minimum of one course
approved by the Initiative panel
included within the related Initiative
major for its early childhood
education, physics, and political
science degree programs. (Finding 20,
pages 48 – 50) This finding was first
reported in 2020.

We recommended the University continue
to monitor courses offered and approved
for the identified majors and ensure
courses meeting the major panel
requirements are submitted for review.

University management disagreed with
the finding on the basis of
interpretation of the Act, but agreed
with the recommendation. University
management stated they believe the
language in the Act provides latitude
for situations in which the University
does not have any such majors or
course, and further contended they did
not have any majors or course for the
exception areas noted. Management
stated they will continue their effort
to reconcile the differing
interpretations, and as recommended
will continue to monitor courses
offered and approved for the identified
majors and ensure courses meeting the
major panel requirement are submitted
for review.

In an accountant’s comment, we noted
the University offered early childhood
education, physics, and political
science degree programs, but did not
have any courses approved by the
Initiative panel for the related
Initiative majors. Additionally, the
General Assembly required participation
in the Initiative by the State's public
universities to enhance the ability of
students, after completing their lower-
division coursework, to transfer to any
of the 78 four-year institutions
participating in the Initiative without
having to retake courses similar to the
courses they took at their initial
institution. Each campus of the State's
public universities, as a separate
institution within the Initiative, is
responsible for identifying if their
campus offers an equivalent course
within the definition of the
Initiative's underlying course
descriptors for each major offered in
the Initiative. Then, each institution
must select, at least, one course that
meets one of the course descriptors
within an Initiative major and get this
course accepted into the Initiative by
ensuring the selected course meets the
course descriptor's underlying
elements.

If the interpretation of the Act was
solely for a campus to review its
courses and conclude any incongruence
with the underlying elements within a
course descriptor, no matter how minor,
meant the institution did not offer an
equivalent course, then the legislative
purpose of the Act would be frustrated.
In this scenario, it is highly unlikely
any of the 78 participating
institutions would have had complete
alignment between the syllabi and
content of their courses without some
modification and convergence through
the Initiative.

OTHER FINDINGS

The remaining findings pertain to
weaknesses in internal controls,
federal and state legal compliance, and
information technology. We will review
the University’s progress towards the
implementation of our recommendations
in our next State compliance
examination.

AUDITOR’S OPINION

The auditors stated the financial
statements of the University as of and
for the year ended June 30, 2022, are
fairly stated in all material respects.

The auditors also conducted a Single
Audit of the University as required by
the Uniform Guidance.  The auditors
stated the University complied, in all
material respects, with the types of
compliance requirements that could have
a direct and material effect on the
University’s major federal programs for
the year ended June 30, 2022.

ACCOUNTANT’S OPINION

The accountants conducted a State
compliance examination of the
University for the year ended June 30,
2022, as required by the Illinois State
Auditing Act. The accountants qualified
their report on State Compliance for
Findings 2022-001, 2022-009 and
2022-011. Except for the noncompliance
described in those findings, the
accountants stated the University
complied, in all material respects,
with the requirements described in the
report.

This State compliance examination was
conducted by Plante & Moran, PLLC.

JANE CLARK
Division Director

This report is transmitted in
accordance with Section 3-14 of the
Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:lkw