REPORT DIGEST

WESTERN ILLINOIS UNIVERSITY

FINANCIAL AUDIT AND COMPLIANCE EXAMINATION

(In accordance with the
Single Audit Act and OMB Circular A-133)

For the Year Ended

June 30, 2006

Summary of Findings:

Total this audit 5

Total last audit 3

Repeated from last audit 2

Release Date:

May 8, 2007

State of Illinois

Office of the Auditor General

WILLIAM G. HOLLAND

AUDITOR GENERAL

To obtain a copy of the Report contact:

Office of the Auditor General

Iles Park Plaza

740 E. Ash Street

Springfield, IL 62703

(217) 782-6046 or TTY (888) 261-2887

This Report Digest and the Full Report are also available on

the worldwide web at

www.auditor.illinois.gov

SYNOPSIS

· All employees were not required to submit time sheets to document the time spent on official State business as required by the State Officials and Employees Ethics Act.

· The University failed to ensure adequate security over its computer systems and resources.

{Financial Information is summarized on the reverse page.}

WESTERN ILLINOIS UNIVERSITY

FINANCIAL AUDIT AND COMPLIANCE EXAMINATION

For the Year Ended June 30, 2006

FINANCIAL OPERATIONS	FY 2006		FY 2005
OPERATING REVENUES Tuition and fees, net.......................................................... Auxiliary enterprises, net................................................... Grants and contracts.......................................................... Other..................................................................................... Total Operating Revenues........................................ OPERATING EXPENSES Instruction........................................................................... Research............................................................................... Public service...................................................................... Academic support.............................................................. Student services................................................................. Institutional support.......................................................... Operation and maintenance of plant................................ Student aid........................................................................... Auxiliary enterprises.......................................................... Depreciation........................................................................ On-behalf payments........................................................... Other..................................................................................... Total Operating Expenses......................................... Operating Income (Loss)........................................................... NONOPERATING REVENUES (EXPENSES) State appropriations........................................................... Capital appropriations........................................................ Gifts....................................................................................... Interest on capital assets - related debt.......................... Investment income............................................................. Other net.............................................................................. INCREASE IN NET ASSETS................................................... Net assets, beginning of year................................................... Net assets, end of year..............................................................	$56,901,766 48,131,654 20,043,910 7,244,230 $132,321,560 $50,065,412 4,199,667 10,211,092 16,251,212 17,518,386 11,215,194 13,609,700 5,297,383 41,334,877 9,926,247 27,624,162 5,441,032 $212,694,364 $(80,372,804) $84,025,247 3,152,373 696,200 (2,359,443) 2,420,131 (122,109) $7,439,595 $97,476,795 $104,916,390		$51,075,172 45,848,730 20,928,925 7,817,875 $125,670,702 $51,059,319 4,565,146 10,303,513 12,894,622 15,254,938 9,572,886 12,702,001 5,297,863 38,970,579 9,763,734 29,966,687 5,492,584 $205,843,872 $(80,173,170) $86,359,787 346,136 607,893 (2,391,788) 1,033,515 2,456 $5,784,829 $91,691,966 $97,476,795
SELECTED ACCOUNT BALANCES	June 30, 2006		June 30, 2005
Cash and Investments............................................................... Capital Assets, net of accumulated depreciation.................. Accrued Compensated Absences........................................... Revenue Bonds Payable............................................................	$60,199,562 $128,156,579 $16,782,325 $49,512,640		$50,331,945 $128,364,208 $18,034,715 $45,202,845
SUPPLEMENTAL INFORMATION (unaudited)	FY 2006		FY 2005
Employment Statistics
Faculty and Administrative...............................................	1,109		1,052
Civil Service.........................................................................	832		822
Student Employees.............................................................	303		302
Total Employees.........................................................	2,244		2,176
Enrollment Statistics
Fall term enrollment - undergraduate...............................	10,930	10,752
Fall term enrollment –graduate.........................................	1,564	1,715
Fall term enrollment – extension.......................................	910	1,091
Total..............................................................................	13,404	13,558
UNIVERSITY PRESIDENT
During Audit Period: Dr. Alvin Goldfarb Currently: Dr. Alvin Goldfarb

Negative time reporting is not adequate

Security breach occurred

Physical access not adequately restricted

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

EMPLOYEE TIME SHEETS NOT ADEQUATE

The University did not require all employees to periodically submit time sheets as required by the State Officials and Employees Ethics Act.

Administrative, professional and faculty employees are required to submit time reports. However, the employee’s time is reported using a negative reporting method. The negative reporting method assumes employees are working their contracted/required hours on official State business unless otherwise reported. The time report lists minimum contracted hours and the employee indicates time away from the office, for vacation, sick or other types of leave. Employees paid on a non-monthly basis were utilizing a positive time reporting system.

The Act requires the University adopt personnel policies which require State employees to periodically submit time sheets documenting the time spent each day on official State business to the nearest quarter hour. (Finding 1, page 15) This finding was first reported in 2005.

We recommended the University begin requiring monthly employees to submit time sheets in compliance with the Act.

University officials concurred with the finding and indicated implementation has been delayed by two factors. First, any additional job related requirements placed on employees subject to collective bargaining agreements have to be negotiated. Also, they are awaiting clarification from the Attorney General on the requirements and implementation of the law. (For the previous University response, see Digest Footnote #1)

INADEQUATE COMPUTER SECURITY

The University failed to ensure adequate security over its computer systems and resources. During our review, we noted the following:

- The University failed to implement solutions to correct security administration and firewall weaknesses identified in the prior audit. In June 2006, the University experienced a security breach which led to the unauthorized access and potential compromise of personal and confidential information, including social security numbers and credit card numbers of anywhere from 200,000 to 240,000 students and alumni.

- The University did not ensure that personal, confidential, or sensitive information is adequately disposed when no longer needed. During our review, we noted that approximately 24 disks were maintained in a box on a shelf within a network room. Although access to the network room is restricted, University officials stated the disks were maintained because they did not have the means to properly dispose of the information. It was noted that the disks contained personal and confidential information similar to the data breached.

- Access to the University’s Data Center and network wiring closets were not adequately restricted. Access to the Data Center is restricted using a keypad system; however, the access code is shared by everyone having access to the computer room thereby eliminating adequate accountability.

- The number of personnel having powerful system-level access privileges was excessive.

Without an adequately secured computer environment, the University cannot ensure that access to critical applications, programs and confidential data is appropriately restricted to authorized personnel and the integrity of its computer systems and data is maintained. (Finding 3, pages 18-20)

We recommended the University evaluate its computer environment and data maintained to ensure adequate security controls, including physical and logical access restrictions, have been established to safeguard its computer resources.

University officials agreed and stated that since the breach, the University has taken measures to strengthen security and address the noted control weaknesses.

OTHER FINDINGS

The remaining findings are reportedly being given attention by University management. We will review progress toward the implementation of our recommendations in our next examination.

AUDITORS' OPINION

Our auditors state the financial statements of Western Illinois University as of June 30, 2006, and for the year then ended, are fairly presented in all material respects.

___________________________________

WILLIAM G. HOLLAND, Auditor General

WGH:KMA:pp

SPECIAL ASSISTANT AUDITORS

BKD, LLP were our special assistant auditors.

DIGEST FOOTNOTES

#1: EMPLOYEE TIME SHEETS NOT ADEQUATE – Previous University Response

The University has been addressing this problem by re-writing its personnel/payroll systems, all of which are automated, to accommodate the requirement that administrative personnel fill out time cards. Because of the level of automation and integration of our personnel/payroll systems, these are not changes that could be put into place within a short period. We anticipate having the systems completed and ready for testing and implementation during the Spring of 2006.