REPORT DIGEST WESTERN ILLINOIS UNIVERSITY COMPLIANCE EXAMINATION AND SINGLE AUDIT FOR THE YEAR ENDED JUNE 30, 2020 Release Date: June 29, 2021 FINDINGS THIS AUDIT: 11 CATEGORY: NEW -- REPEAT -- TOTAL Category 1: 1 -- 0 -- 1 Category 2: 4 -- 6 -- 10 Category 3: 0 -- 0 -- 0 TOTAL: 5 -- 6 -- 11 FINDINGS LAST AUDIT: 8 Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance). Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations. Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations. State of Illinois, Office of the Auditor General FRANK J. MAUTINO, AUDITOR GENERAL To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703 (217) 782-6046 or TTY (888) 261-2887 This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov SYNOPSIS INTRODUCTION This digest covers our single audit and compliance examination of Western Illinois University (University) for the year ended June 30, 2020. A separate financial audit as of and for the year ending June 30, 2020 was previously released on June 16, 2021. In total, this report contains 11 findings, one of which was reported in the financial audit. SYNOPSIS • (20-02) The University did not document the Gramm-Leach-Bliley Act (GLBA) required risk assessments related to student information security. • (20-03) The University disbursed the Higher Education Emergency Relief Fund to non-eligible students and inconsistently applied the University’s approved methods of determining and distribution of funds to students. FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS INFORMATION TECHNOLOGY RISK ASSESSMENT NOT PERFORMED Western Illinois University (University) did not document the Gramm-Leach-Bliley Act (GLBA) required risk assessments related to student information security. As a requirement under the University’s Program Participation Agreement with the Department of Education, the University must protect student financial aid information. During our testing, we noted they had not conducted a risk assessment identifying internal and external risks to the security, confidentiality, and integrity of the students’ information. (Finding 2, pages 25-27) We recommended the University perform and document a comprehensive risk assessment that specifically addresses the requirements of GLBA related to the security, confidentiality, and integrity of student information. The University agreed with the finding and stated they will perform and document a comprehensive risk assessment that specifically addresses the requirements of GLBA related to the security, confidentiality, and integrity of student information. INACCURATE CALCULATION AND DISBURSEMENT OF HIGHER EDUCATION EMERGENCY RELIEF FUND (HEERF) Western Illinois University (University) disbursed the HEERF to non-eligible students and inconsistently applied the University’s approved methods of determining and distribution of funds to students. During our testing of HEERF Student Aid Portion of the emergency aid grant disbursement for 60 students, a statistically valid sample, we noted the following: • Two of 60 (3%) students enrolled in an online program received $2,875. The question cost was determined by obtaining the summary of students enrolled in online programs for the fiscal year 2020 spring and summer semesters. The list was matched to students awarded with HEERF grants for the same period. We noted 88 students enrolled in online program were awarded HEERF grants. The University charged $56,409 to the grant and recognized revenue for the same amount. If the amount is not recovered from the students, the University will have incurred unnecessary expenses for the same amount resulting in a total financial loss to the University of $112,818. • One of 60 (2%) students with a total score of more than 1 was awarded $500 instead of the computed $2,500 based on the distribution plan. To determine the underpayment, we obtained the summary per the distribution plan for the fiscal year 2020 spring and summer semesters. This summary is the manual calculation of HEERF grants to be awarded to eligible students. We matched the calculated amount against HEERF grants disbursed to students by billing and receivable for the same period. We noted 63 students were underpaid by $56,566. (Finding 3, pages 28-30) We recommended the University implement controls to ensure proper determination of eligibility and accuracy in the distribution of HEERF student aid. The University agrees with the finding and stated the Financial Aid office will review and modify its controls related to HEERF to ensure accuracy in awarding HEERF student aid. OTHER FINDINGS The remaining findings pertain to noncompliance with statutory requirements, subsidies between accounting entities, internal audit, computer inventory controls, controls over external service providers and segregation of duties over programmer access to production. We will review the University’s progress towards the implementation of our recommendations in our next Single Audit and compliance examination. AUDITOR’S OPINIONS The financial audit report was previously released. The auditors stated the financial statements of the University as of and for the year ended June 30, 2020, are fairly stated in all material respects. The auditors also conducted a Single Audit of the University as required by the Uniform Guidance. The auditors stated the University complied, in all material respects, with the types of compliance requirements that could have a direct and material effect on the University’s major federal programs for the year ended June 30, 2020. ACCOUNTANT’S OPINION The accountants conducted a compliance examination of the University for the year ended June 30, 2020, as required by the Illinois State Auditing Act. The accountants stated the University complied, in all material respects, with the requirements described in the report. This Single Audit and compliance examination was conducted by Adelfia LLC. JANE CLARK Division Director This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act. FRANK J. MAUTINO Auditor General FJM:sjs