REPORT DIGEST

WESTERN ILLINOIS UNIVERSITY

COMPLIANCE EXAMINATION
FOR THE YEAR ENDED JUNE 30, 2024

Release Date:  June 3, 2025

FINDINGS THIS AUDIT: 6

CATEGORY:  NEW -- REPEAT – TOTAL
Category 1:  0 -- 2 -- 2
Category 2:  1 -- 3 -- 4
Category 3:  0 -- 0 -- 0
TOTAL:  1 -- 5 -- 6

FINDINGS LAST AUDIT: 10

State of Illinois, Office of the Auditor
General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact:
Office of the Auditor General, 400 West
Monroe, Suite 306, Springfield, IL
62704-9849
(217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also
available on the worldwide web at
www.auditor.illinois.gov

INTRODUCTION

This digest covers Western Illinois
University’s (University) State compliance
examination for the year ended June 30,
2024. Separate digests covering the
University’s Financial Audit as of and for
the year ended June 30, 2024 and Single
Audit for the year ended June 30, 2024 were
previously released. In total, this report
contains 10 findings, two of which were
reported in the Single Audit.

SYNOPSIS

• (24-04) The University did not have proper
controls over State property.
• (24-06) The University had weaknesses
regarding the review of independent internal
control reviews over its service providers.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

INADEQUATE CONTROLS OVER STATE PROPERTY

Western Illinois University (University) did
not have proper controls over State
property.

During our testing of equipment
acquisitions, we noted 18 out of 40 (45%)
acquisitions tested, totaling $705,951, were
not recorded in the University’s property
records within 90 days of acquisition. These
items were recorded 1 to 248 days late.

During our testing of equipment disposals,
we noted 2 out of 25 (8%) disposals,
totaling $82,806, were not removed from the
University’s property records within 90 days
after disposal of the equipment. These items
were removed from records 69 and 224 days
late.

During our equipment inventory observation,
1 of 25 (4%) of the items selected for
observation from the inventory listing was
unable to be located. The cost of this item
was $21,939. (Finding 4, pages 16-17)

We recommended the University record
equipment acquisitions and disposals within
90 days after acquisition, change, or
disposal of the equipment, as well as
strengthen its controls over equipment
inventory to ensure all records are
accurate.

The University agreed with the finding and
stated they will make efforts to apply
adequate staffing to properly record and
dispose of assets in a timely manner.

LACK OF ADEQUATE CONTROLS OVER THE REVIEW OF
INTERNAL CONTROLS OVER SERVICE PROVIDERS

Western Illinois University (University) had
weaknesses regarding the review of
independent internal control reviews over
its service providers.

We requested the University provide a
listing of its service providers utilized,
System and Organization Control (SOC)
Reports reviewed, and review of
Complementary User Entity Controls (CUECs)
as documented. However, the University was
not able to provide a complete listing of
service providers.

Due to the conditions noted above, we were
unable to conclude the University’s
population records of third-party service
providers were complete, accurate, and
reliable under the Attestation Standards
promulgated by the American Institute of
Certified Public Accountants (AT-C §205.36).

Even given the population limitations noted
above, we performed testing of the service
providers identified by the University to
have a SOC report.

The University utilized various service
providers to provide:
• Credit card processing,
• Online classes,
• Emergency alert system,
• Email,
• Office Suite, and
• Work order system.

Our testing of the controls over service
providers noted the following:
• For 8 of 8 (100%) service providers
tested, the University did not obtain
contracts that documented roles and
responsibilities related to security,
integrity, availability, confidentiality,
and privacy controls over the University’s
data.
• For 6 of 8 (75%) service providers tested,
the University did not obtain the SOC report
and bridge letter for the third-party
service provider.
• For 8 of 8 (100%) service providers
tested, the University did not map existing
University controls to complementary user
entity controls. (Finding 6, pages 20-22)

This finding has been reported since 2018.

We recommended the University strengthen
controls to identify and document all
service providers utilized and determine and
document if a review of controls is
required. Where appropriate, we recommended
the University:
• Establish and enforce formal university-
wide onboarding requirements and processes
for all third-party service providers.
• Establish and enforce a formal university-
wide requirement to obtain SOC reports from
third-party service providers.
• Establish and enforce a formal university-
wide requirement to review SOC reports.
• Establish and enforce a formal university-
wide requirement to review applicable
Complementary User Entity Controls (CUECs)
and map CUECSs to existing internal controls
at the University.

The University agreed with the finding. The
University indicated they understand the
importance of strengthening controls over
service providers and will continue to
review policies and procedures related to
SOC reports.

OTHER FINDINGS

The remaining findings pertain to inadequate
internal control over student enrollment
reporting, return of Title IV Funds,
noncompliance with the Illinois Pension
Code, and weaknesses in cybersecurity
programs and practices.  We will review the
University’s progress towards the
implementation of our recommendations in our
next State compliance examination.

AUDITOR’S OPINIONS

The financial audit was issued separately.
The auditors stated the financial statements
of the University as of and for the year
ended June 30, 2024, are fairly stated in
all material respects.

The auditors also conducted a Single Audit
of the University as required by the Uniform
Guidance.   The single audit was issued
separately. The auditors stated the
University complied, in all material
respects, with the types of compliance
requirements that could have a direct and
material effect on the University’s major
federal programs for the year ended June 30,
2024.

ACCOUNTANT’S OPINION

The accountants conducted a State compliance
examination of the University for the year
ended June 30, 2024, as required by the
Illinois State Auditing Act.  The
accountants qualified their report on State
compliance for Findings 2024-001 and
2024-002.  Except for the noncompliance
described in these findings, the accountants
stated the University complied, in all
material respects, with the requirements
described in the report.

This State compliance examination was
conducted by Plante & Moran, PLLC.

COURTNEY DZIERWA
Division Director

This report is transmitted in accordance
with Section 3-14 of the Illinois State
Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:sjs