The University of Illinois relies on its information technology to meet its mission and mandates. Our review of the University's information systems identified the following weaknesses:

Our audit procedures at the University of Illinois Hospital identified the following weaknesses:

Our 2001 audit of the University of Illinois is presented in three reports. The financial part consists of two reports which include the various financial statements of the University and other supplementary information. The State and Federal Compliance Audit report contains the compliance findings disclosed by our audit tests.

The University did not consistently institute security practices to protect its extensive computing environment. In addition, enterprise-wide guidelines to promote baseline security requirements had not been developed.

Responsibility for security administration is decentralized, and each department has responsibility for security policies and security parameters for their computing environment. We reviewed security controls at several of the primary computing centers and at 10 department-controlled networks in Urbana. Several weaknesses were identified to indicate the existence of risks that could compromise the integrity of the computer systems, networks and critical system resources. Specifically:

The University had approximately $70 million budgeted for technology-related expenditures at Urbana, Chicago, Springfield, and the Hospital. University-wide baseline policies, procedures and standards regarding the security, administration, and use of the computing environment should assure the University's computer assets are properly safeguarded. (Finding 10, pages 23-24)

University officials concurred with many of the specific recommendations made to strengthen computer security. They stated that changes will be made by July 1, 2002.

The University's Administrative Information Technology Services (AITS) had developed a disaster contingency plan for the applications under AITS' stewardship and management; however, the plan had several weaknesses. Applications under AITS' stewardship included the University's general ledger system, payroll system, accounts payable and receivable systems, and student applications for registration, transcripts, and financial aid.

The disaster contingency plan included a listing of AITS-managed computer applications; however, the list was not prioritized in order of the recovery, required recovery timeframes were not stated, and systems and applications outside of AITS' management were not included. In addition, the plan had not been fully tested. A comprehensive test of the plan should be performed to ensure the plan meets its stated objectives, that adequate capacity for recovery of critical systems exists, that interfaces can be restored, and that systems can be recovered within required timeframes.

During our follow-up procedures, we noted that AITS was in the process of developing a new Business Continuity Plan and expects to have the plan completed and tested by the end of 2004. (Finding 9, pages 21-22)

We recommended the University continue its efforts towards developing a disaster contingency plan that addresses all the University's computing environments and test the plan annually.

University officials concurred with our recommendation and stated they are in the process of developing a new "business continuity plan" that will address the limitations of the existing plan. They said that in response to the tragedy of September 11, 2001 they have developed an intermediate disaster contingency plan that by spring of 2002 will provide 100% fail-over capability of current legacy systems.

The Student Accounts Receivable System (SAR) at the Urbana Campus is antiquated, complicating adherence to good data processing practices, and should be replaced before it disrupts operations. There is very little documentation as to how the system is structured and operates, and because of the age of the system, proposed updates and enhancements by users are limited. While the SAR is currently operative, the lack of documentation and age of the system puts continued maintenance at the mercy of the few programmers who have gained an understanding of how it works. Good data processing practices prescribe that system documentation exist so any experienced member of the AITS staff can understand the system and correct problems in a timely fashion. (Finding 8, page 20)

We recommended the University continue its efforts towards replacing the current Urbana Campus SAR with a modern receivable system within a reasonable time frame.

University officials concurred with our recommendation and stated that replacement of the Urbana Campus SAR is planned as part of the implementation of an Enterprise Resource Planning (ERP) system for support of university-wide administrative systems. The University selected SCT as their ERP vendor in September 2000 and the draft timeline indicates this module will be live in July 2003.

The University Library's administrative computer system lacked appropriate security controls. For example, user passwords were not encrypted and they were displayed when a user list was printed. In addition, it was determined that there was no in-house support from AITS for the system and software.

The Library system is a stand alone computer feeder system that processes approximately $10 million in accounts payable annually. The system generates a magnetic tape that feeds into the University Financial and Administrative Systems for payment of the accounts payable.

During our follow-up procedures, we noted that the Library had purchased a new software package and a new server for acquisitions and accounts payable. As of the end of audit fieldwork, implementation had not occurred. (Finding 7, page 19)

University officials concurred with our finding and stated that subsequent to the audit the new Acquisitions/Accounts Payable software and new Server at the Library have been installed.

Our review of the University Hospital's managed care department identified several weaknesses. We noted that certain contract terms, including negotiated discounts, stop loss provisions, etc. were not correctly applied to the associated patient billing file as services were performed. Also, personnel within the managed care department identified an error in its contractual payments from one of its payers resulting in an additional receivable of approximately $5 million. In addition, three accounts within our sample of 75 tested indicated that certain managed care contract terms were not applied correctly until the time of payment.

Hospital personnel indicated the specific exceptions resulted from an untimely review of managed care terms and lack of communication between the managed care negotiators and billing departments coupled with system limitations. Untimely recording of proper contract terms and conditions may misstate the Hospital's periodic operating statements and lack of contract monitoring might result in lost revenue. (Finding 2, page 14)

We recommended the managed care department implement procedures to ensure that all contractual changes are entered timely into the Hospital's billing process. We also recommended that case-by-case negotiated terms be monitored for large balances and adjusted accordingly at the time the services are performed.

University officials concurred with our recommendation and stated they have taken appropriate actions. They are also reviewing contract management systems that will enhance their ability to monitor the many difference contracts they currently have.

The University Hospital's reconciliation between the total accounts receivable per the subsidiary ledger and the total accounts receivable per the University Financial Accounting System (general ledger) contained an unlocated system variance of approximately $1,089,000 at June 30, 2001. An accounts receivable reconciliation of all detail components of the overall accounts receivable must be accumulated and manually prepared in order to tie to the general ledger at the end of each month. The underlying detail components are supported by various reports that were tested during audit procedures.

Hospital personnel stated the difference was not identified by Hospital personnel due to accounting reconciliation inaccuracies that made the difference appear immaterial. Gross accounts receivable for the University Hospital totaled approximately $105 million at June 30, 2001. The detailed reports were understated by the approximately $1,089,000 unlocated difference. Several individuals use the reports to compute contractual and bad debt reserves. (Finding 3, page 15)

University officials concurred with our finding and stated they are currently reconciling the accounts receivable subsidiary ledger and the general ledger monthly and resolving any material reconciling differences.

The remaining findings are reportedly being addressed by University management. We will review progress toward the implementation of our recommendations in our next audit. University responses were provided by Michael B. Bass, Assistant Vice President for Business and Finance.

The financial audit report contains five sets of financial statements in the Annual Financial Report; and the revenue bond financial statements of the Auxiliary Facilities System, the Willard Airport Facility, the Construction Engineering Research Laboratory, and the Health Services Facilities System.

Our auditors state the June 30, 2001 financial statements are fairly presented in all material respects.

_____________________________________

WILLIAM G. HOLLAND, Auditor General

WGH:KMA:pp

BKD LLP were our special assistant auditors.