REPORT DIGEST

UNIVERSITY OF ILLINOIS

COMPLIANCE EXAMINATION AND SINGLE AUDIT FOR THE YEAR ENDED JUNE 30, 2020

Release Date: June 2, 2021

FINDINGS THIS AUDIT: 19

CATEGORY: NEW -- REPEAT -- TOTAL
Category 1: 1 -- 0 -- 1
Category 2: 12 -- 6 -- 18
Category 3: 0 -- 0 -- 0
TOTAL: 13 -- 6 -- 19

FINDINGS LAST AUDIT: 12

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703, (217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

INTRODUCTION

This digest covers our federal Single Audit and State Compliance Examination of the University of Illinois for the year ended June 30, 2020. A separate Financial Audit as of and for the year ended June 30, 2020 was previously released on May 25, 2021. In total, this report contains 19 findings, three of which were reported in the Financial Audit.

SYNOPSIS

• (20-04) The University of Illinois System did not properly document required risk assessments related to student information security.
• (20-10) The University did not have adequate procedures in place to ensure the proper Higher Education Emergency Relief Fund (HEERF) reporting requirements were submitted accurately and timely.
• (20-12) The University of Illinois Hospital was unable to provide adequate records substantiating written notices were provided to patients within 24 hours after their admittance into the University Hospital indicating the patients were under observation status in accordance with the University of Illinois Hospital Act and University policies and procedures.
• (20-15) The University did not comply with the requirements of the Illinois Health Policy Center Act.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

FAILURE TO DOCUMENT RISK ASSESSMENTS FOR STUDENT INFORMATION SECURITY

The University of Illinois System (University) did not properly document required risk assessments related to student information security.

As a requirement under the University’s Program Participation Agreement with the Department of Education, the University must protect student financial aid information. However, during our testing, we noted the University had not properly conducted a risk assessment identifying all internal and external risks related to the security, confidentiality, and the integrity of the students’ information.

The University of Illinois at Urbana-Champaign and at Chicago did not complete a risk assessment for year ended June 30, 2020; therefore, risks have not been properly assessed to ensure adequate controls have been implemented for protecting student information.

The University of Illinois at Springfield conducted a risk assessment for the year ended June 30, 2020; however, the risk assessment did not include all considerations of risk in each relevant area of operations, including the processing, storage, transmission and disposal of information, as well as detecting, preventing and responding to attacks, intrusions, or other system failures. Additionally, the University did not have safeguards documented for each risk required to be identified.
The Standards for Safeguarding Customer Information, required by the Gramm-Leach-Bliley Act (16 CFR 314.4 (b)), requires customers to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, such a risk assessment should include consideration of risk in each relevant area of operations, including:
(1) Employee training and management; and
(2) Information systems, including network and software design, as well as information processing, storage, transmission, and disposal; and
(3) Detecting, preventing, and responding to attacks, intrusions, or other system failures.
(Finding 4, pages 26-27)

We recommended the University perform and document a comprehensive risk assessment identifying internal and external risks to the security, confidentiality, and integrity of the students’ information. In addition, we recommended the University ensure proper safeguards are in place to ensure the security of student information.

University officials accepted our recommendation.

UNTIMELY SUBMISSION OF HEERF REPORTING

The University did not have adequate procedures in place to ensure the proper Higher Education Emergency Relief Fund (HEERF) reporting requirements were submitted accurately and timely.

During our testing of reporting requirements for HEERF programs at the University, we noted the University of Illinois at Springfield and the University of Illinois at Chicago, the John Marshall Law School (JMLS) did not submit the initial Section 18004(a)(1) Student Portion Public Report within the 30-day requirement.
Additionally, the University of Illinois at Springfield did not accurately report one of the required criteria which includes the total number of students who have received an Emergency Financial Aid Grant to students under 18004(a)(1) of the CARES Act at the time of reporting. The University of Illinois at Springfield reported the total number of students to date who had received Emergency Financial Aid Grants as 619 when the actual total was 669 students. (Finding 10, Pages 35-36)

We recommended the University review and update current policies and procedures to ensure HEERF program reporting requirements are completed accurately and timely.

University officials accepted our recommendation.

FAILURE TO MAINTAIN ADEQUATE RECORDS SUBSTANTIATING WRITTEN NOTICES

The University of Illinois Hospital (University) was unable to provide adequate records substantiating written notices were provided to patients within 24 hours after their admittance into the University Hospital indicating the patients were under observation status in accordance with the University of Illinois Hospital Act (Act) and University policies and procedures.

The University’s Patient Admissions Policy and Procedure (Policy) requires the University to issue Notice of Observation Status (Form UI-5010) to patients after their admittance into the University Hospital notifying they have been placed under outpatient observation status and have not been admitted as an inpatient. In addition, the University requires patients or their legal representative to sign the Form UI-5010 to acknowledge the receipt and understanding of their outpatient observation status.

During testing, we requested Form UI-5010s for 25 patients selected to test the University’s compliance with the Act and the Policy. The University was unable to provide Form UI-5010s for 6 (24%) patients. As a result, we were unable to determine the University’s compliance with the Act and the Policy.
(Finding 12, Pages 38-39) This finding has been repeated since 2017.

We recommended the University strengthen its controls to ensure Notice of Observation Status forms are retained for all patients not admitted into the University Hospital, but who are under observation status.

University officials accepted the recommendation.

NONCOMPLIANCE WITH THE ILLINOIS HEALTH POLICY CENTER ACT

The University of Illinois (University) did not comply with the requirements of the Illinois Health Policy Center Act (Act).

As of June 30, 2020, the University had not created the Illinois Health Policy Center (Center) as required by the Act. The purpose of the Center is to develop and implement policies to improve the health and healthcare of the people of Illinois.

The Illinois Health Policy Center Act (110 ILCS 430/10) requires the Illinois Health Policy Center to be created within the University of Illinois, to be sponsored by the University of Illinois at Chicago College of Medicine and the University of Illinois Institute of Government and Public Affairs. (Finding 15, Page 43) This finding has been repeated since 2017.

We recommend the University comply with the requirements of the Illinois Health Policy Center Act or seek legislative remedy.

University officials accepted the recommendation.

OTHER FINDINGS

The remaining findings are reportedly being given attention by the University. We will review the University’s progress towards the implementation of our recommendations in the next engagement.

AUDITOR’S OPINIONS

The financial audit was previously released. Our auditors stated the financial statements of the University of Illinois as of and for the year ended June 30, 2020 are fairly stated in all material respects.

The auditors also conducted a Single Audit of the University as required by the Uniform Guidance.
Our auditors stated the University complied, in all material respects, with the types of compliance requirements that could have a direct and material effect on the University’s major federal programs for the year ended June 30, 2020.

ACCOUNTANT’S OPINION

The accountants conducted a compliance examination of the University for the year ended June 30, 2020, as required by the Illinois State Auditing Act. The accountants stated the University complied, in all material respects, with the requirements described in the report.

The Single Audit and State Compliance Examination was conducted by CliftonLarsonAllen LLP.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:TLK