REPORT DIGEST WESTERN ILLINOIS UNIVERSITY SINGLE AUDIT FOR THE YEAR ENDED JUNE 30, 2021 Release Date: June 22, 2022 FINDINGS THIS AUDIT: 3 CATEGORY: NEW -- REPEAT – TOTAL Category 1: 1 -- 1 -- 2 Category 2: 0 -- 1 -- 1 Category 3: 0 -- 0 -- 0 TOTAL: 1 -- 2 -- 3 FINDINGS LAST AUDIT: 3 Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance). Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations. Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations. State of Illinois, Office of the Auditor General FRANK J. MAUTINO, AUDITOR GENERAL To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703 (217) 782-6046 or TTY (888) 261-2887 This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov INTRODUCTION This digest covers Western Illinois University’s (University) Single Audit for the year ended June 30, 2021. Separate digests covering the University’s Financial Audit and Compliance Examination were separately released. In total, this digest contains three findings, two of which were reported in the financial audit. SYNOPSIS • (21-03) The University did not document the Gramm-Leach-Bliley Act (GLBA) required risk assessments related to student information security. FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS INFORMATION TECHNOLOGY RISK ASSESSMENT NOT PERFORMED Western Illinois University (University) did not document the Gramm-Leach-Bliley Act (GLBA) required risk assessments related to student information security. As a requirement under the University’s Program Participation Agreement with the Department of Education, the University must protect student financial aid information. During our testing, we noted they had not conducted a risk assessment identifying internal and external risks to the security, confidentiality, and integrity of the students’ information. (Finding 3, pages 19-21). We recommended the University perform and document a comprehensive risk assessment that specifically addresses the requirements of GLBA related to the security, confidentiality, and integrity of student information. The University agreed with the finding and stated they will perform and document a comprehensive risk assessment that specifically addresses the requirements of GLBA related to the security, confidentiality, and integrity of student information. OTHER FINDINGS The remaining findings pertain to inadequate internal controls over census data and failure to apply appropriate generally accepted accounting principles. We will review the University’s progress towards the implementation of our recommendations in our next Single Audit. AUDITOR’S OPINIONS The financial audit report was issued separately. The auditors stated the financial statements of the University as of and for the year ended June 30, 2021, are fairly stated in all material respects. The auditors also conducted a Single Audit of the University as required by the Uniform Guidance. The auditors stated the University complied, in all material respects, with the types of compliance requirements that could have a direct and material effect on the University’s major federal programs for the year ended June 30, 2021. This Single Audit was conducted by Adelfia LLC. JANE CLARK Division Director This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act. FRANK J. MAUTINO Auditor General FJM:sjs