REPORT DIGEST

WESTERN ILLINOIS UNIVERSITY

COMPLIANCE EXAMINATION
FOR THE YEAR ENDED JUNE 30, 2022

Release Date:  July 13, 2023

FINDINGS THIS AUDIT: 7

CATEGORY:  NEW -- REPEAT -- TOTAL
Category 1:  1 -- 1 -- 2
Category 2:  1 -- 4 -- 5
Category 3:  0 -- 0 -- 0
TOTAL:  2 -- 5 -- 7

FINDINGS LAST AUDIT: 9

Category 1: Findings that are material
weaknesses in internal control and/or a
qualification on compliance with State
laws and regulations (material
noncompliance).
Category 2: Findings that are
significant deficiencies in internal
control and noncompliance with State
laws and regulations.
Category 3: Findings that have no
internal control issues but are in
noncompliance with State laws and
regulations.

State of Illinois, Office of the
Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact:
Office of the Auditor General, Iles
Park Plaza, 740 E. Ash Street,
Springfield, IL 62703
(217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are
also available on the worldwide web at
www.auditor.illinois.gov

INTRODUCTION

This digest covers Western Illinois
University’s (University) State
compliance examination for the year
ended June 30, 2022. A separate
Financial Audit as of and for the year
ended June 30, 2022 was previously
released on March 30, 2023. A separate
Single Audit for the year ended June
30, 2022 was previously released on
March 30, 2023. In total, this report
contains seven findings, two of which
were reported in the Financial Audit
and Single Audit collectively.

SYNOPSIS

• (22-05) The University had weaknesses
regarding the review of independent
internal control reviews overs its
service providers.

FINDINGS, CONCLUSIONS, AND
RECOMMENDATIONS

LACK OF ADEQUATE CONTROLS OVER THE
REVIEW OF INTERNAL CONTROLS OVER
SERVICE PROVIDERS

Western Illinois University
(University) had weaknesses regarding
the review of independent internal
control reviews over its service
providers.

We requested the University provide a
listing of its service providers
utilized, System and Organization
Control (SOC) Reports reviewed, and a
review of Complementary User Entity
Controls (CUECs) as documented.
However, the University was not able to
provide a complete listing of service
providers.

Due to these conditions, we were unable
to conclude the University’s population
records were sufficiently precise and
detailed under the Professional
Standards promulgated by the American
Institute of Certified Public
Accountants (AT-C §205.36).

Even given the population limitations
noted above, we performed testing of
the service providers identified by the
University to have a SOC report.

The University utilized various service
providers to provide:
• Credit card processing,
• Online classes,
• Emergency alert system,
• Email,
• Office Suite, and
• Work order system.

Our testing of the controls over seven
service providers noted the University
had not:
• Obtained SOC reports for four (57%)
service providers.
• Reviewed the three SOC reports
received to determine the impact of
noted deviations or opinion
modifications.
• Analyzed the CUECs documented in the
SOC reports received.
• Analyzed the subservice organizations
or performed alternative procedures to
determine the impact on its internal
control environment documented in SOC
reports received. (Finding 5, pages
17-18) This finding has been reported
since 2018.

We recommended the University
strengthen its controls to ensure all
service providers are identified. In
addition, we recommended the
University:
• Obtain and document the review of SOC
reports and the impact of modified
opinions and noted deviations.
• Monitor and document the operation of
the CUECs relevant to the University’s
operations.
• Either obtain and review SOC reports
for subservice organizations or perform
alternative procedures to satisfy
itself that the existence of the
subservice organization would not
impact its internal control
environment.

The University agreed with the finding
and stated it understands the
importance of strengthening controls
over service providers, and will
continue to review policies and
procedures related to SOC reports.

OTHER FINDINGS

The remaining findings pertain to
census data, student enrollment
reporting, noncompliance with the
University Guidelines, cybersecurity
weaknesses and payment card industry
data security standards. We will review
the University’s progress towards the
implementation of our recommendations
in our next State compliance
examination.

AUDITOR’S OPINIONS

The financial audit report was issued
separately. The auditors stated the
financial statements of the University
as of and for the year ended June 30,
2022, are fairly stated in all material
respects.

The single audit report was issued
separately. The auditors conducted a
Single Audit of the University as
required by the Uniform Guidance. The
auditors stated the University
complied, in all material respects,
with the types of compliance
requirements that could have a direct
and material effect on the University’s
major federal programs for the year
ended June 30, 2022.

ACCOUNTANT’S OPINION

The accountants conducted a State
compliance examination of the
University for the year ended June 30,
2022, as required by the Illinois State
Auditing Act. The accountants qualified
their report on State compliance for
findings 2022-001 and 2022-002.  Except
for the noncompliance described in
these findings the accountants stated
the University complied, in all
material respects, with the
requirements described in the report.

This State compliance examination was
conducted by Plante Moran.

JANE CLARK
Division Director

This report is transmitted in
accordance with Section 3-14 of the
Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:sjs