REPORT DIGEST

UNIVERSITY OF ILLINOIS
FINANCIAL AUDIT
FOR THE YEAR ENDED JUNE 30, 2024

Release Date: January 28, 2025

FINDINGS THIS AUDIT: 1

CATEGORY       NEW    REPEAT    TOTAL
Category 1:     0       1         1
Category 2:     0       0         0
Category 3:     0       0         0
TOTAL:          0       1         1

FINDINGS LAST AUDIT: 3

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, 400 West Monroe, Suite 306, Springfield, IL 62704-9849
(217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at

INTRODUCTION

The University’s financial audit report consists of three sets of financial statements as follows – the financial statements of the University, the revenue bond financial statements of the Auxiliary Facilities System, and the revenue bond financial statements of the Health Services Facilities System.

This digest covers the University of Illinois’s Financial Audit as of and for the year ended June 30, 2024. The University’s Compliance Examination and Single Audit will be issued in separate reports at a later date.

SYNOPSIS

• (24-1) The University had not implemented adequate access termination controls over their Electronic Health Record System and Enterprise Resource Planning System.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

WEAKNESSES IN CONTROLS OVER ACCESS TERMINATION

The University of Illinois (University) had not implemented adequate access termination controls over their Electronic Health Record System (EHR) and Enterprise Resource Planning System (ERP).

The University maintains an EHR that contains patient medical records and data. The EHR supports billing and transaction workflows which feed into the financial statements. Additionally, the University maintains an ERP that contains student, faculty, financial, and personal data. The University relies on the ERP for financial reporting.

During our testing of separated users’ access to the ERP and EHR, we noted the University’s departments were not timely notifying Human Resources, which in turn did not timely notify the Information Technology security team. As a result, users’ access to the ERP and EHR was not timely disabled. Specifically, our testing noted 2 of 40 (5%) ERP users’ and 25 of 60 (42%) EHR users’ access had not been timely removed after separation. Access was disabled 24 to 73 days for ERP and 9 to 191 days for EHR after the user had separated from the University. (Finding 1, Pages 5-6)

We recommended the University terminate separated users’ access within 7 business days and 20 business days of the last day of employment for EHR and ERP, respectively.

University officials accepted the recommendation.

AUDITOR’S OPINIONS

Our auditors stated the financial statements of the University, the Auxiliary Facilities System and the Health Services Facilities System as of June 30, 2024, and for the year then ended, are fairly stated in all material respects.

This financial audit was conducted by RSM US LLP.

COURTNEY DZIERWA
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:TLK