REPORT DIGEST

SOUTHERN ILLINOIS UNIVERSITY

COMPLIANCE EXAMINATION
FOR THE YEAR ENDED JUNE 30, 2023

Release Date: July 18, 2024

FINDINGS THIS AUDIT: 17

CATEGORY      NEW   REPEAT   TOTAL
Category 1      0        2       2
Category 2      5       10      15
Category 3      0        0       0
TOTAL           5       12      17

FINDINGS LAST AUDIT: 21

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact:
Office of the Auditor General, 400 West Monroe, Suite 306, Springfield, IL 62704-9849
(217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

INTRODUCTION

This digest covers Southern Illinois University’s (University) Compliance Examination for the year ended June 30, 2023. Separate digests covering the University’s Financial Audit and Single Audit were previously released on March 5, 2024 and March 28, 2024. In total, this report contains 17 findings, 2 of which were reported in the Financial Audit and Single Audit collectively.

SYNOPSIS

• (23-5) The University lacked adequate controls over the review of internal control of its service providers.
• (23-7) Southern Illinois University Edwardsville (SIUE) had not completed all requirements to demonstrate full compliance with the Payment Card Industry Data Security Standards (PCI DSS).
• (23-11) The University did not maintain a minimum of one approved course per major under the Illinois Articulation Initiative (Initiative or IAI) for some majors offered by the University.
• (23-16) The University did not complete its annual census data reconciliation and certifications.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

LACK OF ADEQUATE CONTROLS OVER THE REVIEW OF INTERNAL CONTROLS FOR SERVICE PROVIDERS

The University lacked adequate controls over the review of internal control of its service providers. The University utilized over 100 service providers for various services.
The University did not have adequate controls to ensure all third-party service organizations were identified by university departments in order to perform annual reviews of the need for Service Organization Control (SOC) reports. We further noted the risk assessment questionnaire for onboarding vendors and service providers did not consistently document the sensitive data and related processing performed by the service providers, or document alternate means of addressing service providers’ risks beyond review of SOC reports. Also, University personnel lacked sufficient guidance for completing their assessments. Due to these conditions, we were unable to conclude the University’s records of third-party service providers were complete, accurate, and reliable.

We selected a sample of service providers from the listings provided and noted instances where:

• Contracts and/or SOC reports for service providers were not obtained.
• Contracts did not require submission of a SOC report.
• Campuses had not completed a SOC Report Review Checklist or documented mapping of internal controls at the University to key complementary user entity controls (CUECs) noted in SOC reports tested. (Finding 5, pages 22-24)

This finding has been reported since 2018.

We recommended the University strengthen its process and controls to identify and document all service providers utilized and determine and document if a review of controls is required. Where appropriate, we recommended the University:

• Obtain SOC reports (or perform independent reviews) and document the assessment of internal controls associated with outsourced systems at least annually.
• Monitor and adequately document the operation of the CUECs related to the University’s operations.
• Review contracts with service providers to ensure applicable requirements over the independent review of internal controls are included.

The University stated they agree and implementation continues.
The University also stated continued efforts will be made to further refine their process for identifying and managing service providers. The University also stated progress has been and is being made and noted that processes in place with respect to the service providers material to their financial statements have been refined and are functioning as designed.

WEAKNESS WITH PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS

Southern Illinois University Edwardsville (SIUE) had not completed all requirements to demonstrate full compliance with the Payment Card Industry Data Security Standards (PCI DSS).

The University is responsible for confirming merchants complete Self-Assessment Questionnaires (SAQs) per the guidance of the Payment Card Industry (PCI) Security Standards Council and within the context of what is considered applicable to the University in order to properly attest to PCI requirements. In Fiscal Year 2023, SIUE handled approximately 406,021 transactions estimated at $7,165,077.

During our review, we noted SIUE did not ensure that appropriate Self-Assessment Questionnaires (SAQs) were completed and the service providers for all merchant IDs were identified to ensure PCI compliance. SIUE did not complete the annual SAQ during Fiscal Year 2023 and did not have a complete population of SAQs that are appropriate for their cardholder environment. (Finding 7, pages 28-29)

This finding has been reported since 2020.

We recommended SIUE strengthen its controls to identify all service providers. We further recommended the campus:

• At least annually, properly assess each program accepting credit card payments, the methods in which payments can be made, and match these methods to the appropriate SAQ.
• Complete the required SAQ.
• Ensure all service providers are evaluated for compliance with PCI requirements.
The University stated they agree and noted that a consultant had been engaged to assist with remediating these weaknesses; however, there was not sufficient time to execute all corrective actions during FY23. The University also stated they expect to be SAQ compliant by FY24 year-end.

NONCOMPLIANCE WITH ILLINOIS ARTICULATION INITIATIVE

Southern Illinois University (University) did not maintain a minimum of one approved course per major under the Illinois Articulation Initiative (Initiative or IAI) for some majors offered by the University.

The Initiative, through its itransfer.org website, exists to ease the transfer of students among the State’s associate and baccalaureate degree granting institutions. The Initiative consists of both a General Education Core Curriculum package, where completion of the entire package at one institution is fully accepted by 108 institutions across the State, and an Initiative major, which provides guidance for students with uncertain transfer plans.

During Fiscal Year 2023, the University did not have a minimum of one course approved by the Initiative panel included within the related Initiative major for its early childhood education, political science, or physics (SIUE) degree programs.

University management stated they had a different interpretation of the Act’s requirements and did not believe they had, nor were required to offer, equivalent courses for all majors.

The auditors noted the General Assembly required participation in the Initiative to enhance the ability of students to transfer to any of the participating institutions without having to retake courses similar to courses they took at their initial institution. Further, the University’s interpretation of the Act that any incongruence within a course descriptor means equivalent courses are not offered and do not require any modification or convergence among the participating institutions would frustrate the legislative purpose of the Act.
(Finding 11, pages 35-36)

This finding has been reported since 2020.

We recommended the University continue to monitor courses offered and approved for equivalent majors and ensure courses meeting the major panel requirements are submitted for review.

The University stated they will continue efforts to reconcile the differing interpretations, and as recommended will continue to monitor courses offered and approved for the identified majors and ensure courses meeting the major panel requirement are submitted for review. The University stated both campuses are actively working on identifying and gaining approvals for IAI Majors courses and noted they are making progress toward full compliance.

CENSUS DATA RECONCILIATION

Southern Illinois University (University) did not complete its annual census data reconciliation and certifications.

During our testing, we noted that neither campus reconciled changes in SURS member data to University records or submitted the required census data reconciliation certifications for FY22 data, as required by SURS, by May 31, 2023, although they had a process in place to do so. (Finding 16, pages 44-45)

We recommended the University dedicate specific resources to complete annual reconciliations of census data and to submit certifications and potential errors identified by the required due date. We further recommended the University promptly reconcile the Fiscal Year 2022 census data, submit the required certifications and any potential errors noted to SURS, and work with SURS to address any differences noted.

The University stated they agree and responded that they have taken measures to prioritize timely submission of the SURS census data reconciliation report going forward. The University also noted that they verify data as requested by SURS before any individual retirement account actions are taken.
OTHER FINDINGS

The remaining findings pertain to internal controls over employee data reported to SURS, student enrollment reporting, faculty timesheets, computer inventory, information technology, and compliance with statutory mandates. We will review the Agency’s progress towards the implementation of our recommendations in our next State compliance examination.

AUDITOR’S OPINIONS

The auditors stated the financial statements of the University as of and for the years ended June 30, 2023 are fairly stated in all material respects.

The auditors also conducted a Single Audit of the University as required by the Uniform Guidance. The auditors stated the University complied, in all material respects, with the types of compliance requirements that could have a direct and material effect on the University’s major federal programs for the year ended June 30, 2023.

ACCOUNTANT’S OPINION

The accountants conducted a State compliance examination of the University for the year ended June 30, 2023, as required by the Illinois State Auditing Act. The accountants qualified their report on State compliance for Findings 2023-005 and 2023-007. Except for the noncompliance described in these findings, the accountants stated the University complied, in all material respects, with the requirements described in the report.

This financial audit, single audit, and State compliance examination were conducted by Plante Moran.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:lkw