REPORT DIGEST CHICAGO STATE UNIVERSITY Single Audit and Compliance Examination For the Year Ended June 30, 2015 Release Date: February 25, 2016 FINDINGS THIS AUDIT: 15 CATEGORY: NEW -- REPEAT -- TOTAL Category 1: 0 -- 0 -- 0 Category 2: 8 -- 7 -- 15 Category 3: 0 -- 0 -- 0 TOTAL: 8 -- 7 -- 15 FINDINGS LAST AUDIT: 20 Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance). Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations. Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations. State of Illinois, Office of the Auditor General FRANK J. MAUTINO, AUDITOR GENERAL To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703 (217) 782-6046 or TTY (888) 261-2887 This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov INTRODUCTION This digest covers our Single Audit and Compliance Examination of Chicago State University (University) for the year ended June 30, 2015. A separate Financial Audit as of and for the year ending June 30, 2015, was previously released on December 17, 2015. In total, this report contains 15 findings, one of which was reported in the Financial Audit. SYNOPSIS • (15-2) The University’s Federal Perkins Loan cohort default rate is in excess of the threshold for administrative capability stipulated by the U.S. Department of Education. • (15-3) The University failed to prepare an accurate Schedule of Expenditures of Federal Awards. • (15-8) The University did not fully comply with requirements applicable to its property and equipment. • (15-9) The University had inadequate controls in place that would ensure required criminal background investigations were conducted prior to employment for those employees hired for security sensitive positions. • (15-10) The University lacked sufficient controls to ensure compliance with University policies in the hiring of certain new employees. FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS FEDERAL PERKINS LOAN COHORT DEFAULT RATE TOO HIGH The University’s Federal Perkins Loan cohort default rate is in excess of the threshold for administrative capability stipulated by the U.S. Department of Education. The Federal Perkins Loan cohort default rate as of June 30, 2015 was 20.59% and was obtained from the University’s Federal Perkin’s loan servicer. The U.S. Department of Education regulations state that the Cohort Default Rate for Perkins Loans made to students for attendance at the institution should not exceed 15%. (Finding 2, page 23) We recommended the University improve procedures to collect its Federal Perkins Loans made to students in order to continue to participate in this program. University officials agreed with the recommendation and stated they are restructuring their collection department to fill the gaps of collection personnel due to limited resources. NEED TO IMPROVE THE CONTROLS OVER PREPARATION OF AN ACCURATE SCHEDULE OF EXPENDITURES OF FEDERAL AWARDS The University did not prepare an accurate Schedule of Expenditures of Federal Awards (SEFA). The University provided the auditors their “Final” SEFA on November 18, 2015. We tested the accuracy and completeness of the SEFA and noted the following: • Two programs were reported with the incorrect Catalog of Federal Domestic Assistance (CFDA) numbers and incorrectly identified the Federal agency that provided the funding. • One program passed awards through to nine sub-recipients totaling $86,231 that were not reported as such. • A pass-through award was initially identified as a directly funded award and included in the University’s Research and Development (R&D) Cluster. The University subsequently determined that the award was not Federally funded and removed it from the R&D Cluster and the SEFA. • A pass-through award was initially identified as a directly funded award. (Finding 3, pages 24-25) We recommended the University improve their controls over Federal awards so that it can prepare an accurate SEFA. University officials agreed with the recommendation and stated that they will increase the review of all program descriptions and program numeration in the preparation for next year’s report. NEED TO IMPROVE CONTROLS OVER PROPERTY AND EQUIPMENT The University did not fully comply with requirements applicable to its property and equipment. We reviewed the University’s property inventory certification as of March 31, 2015 that was submitted to the Department of Central Management Services (DCMS). The inventory certification to DCMS reported 163 items ($269,905) of equipment that could not be located by the University. These assets were acquired by the University during the current year as well as past fiscal years. Included in the equipment that was reported as “unlocated” were approximately 76 computers, servers, CPUs or other electronic storage devices. The University did not immediately perform a complete assessment of one of the missing computers to determine if notification was required as outlined in the Personal Information Protection Act (815 ILCS 530/25). After our inquiry, the University performed further procedures and concluded that no sensitive data would have been on the computer. We also noted that the University owns six cellular devices that are assigned to and used by University employees. The phones were assigned a tag number by the University, but these items were not recorded in the University’s property certification to DCMS. Each of these cellular devices cost $200 and would be considered an item subject to theft. (Finding 8, pages 34-35) This finding was first reported in 2013. We recommended the University strengthen its internal controls over the accountability of equipment. We also recommended the University complete detailed assessments of any missing or lost computer devices in a timely manner. University officials agreed with the recommendation. (For the previous University response, see Digest Footnote #1.) NONCOMPLIANCE WITH CAMPUS SECURITY ENHANCEMENT ACT OF 2008 The University did not have adequate controls in place to ensure that required criminal background investigations were conducted prior to employment for those employees hired for security sensitive positions. The Campus Security Enhancement Act of 2008 (Act) (110 ILCS 12/5) states that “Each public institution of higher education shall, through written policy and procedures, identify security-sensitive positions and make provision for the completion of criminal background investigations prior to employing individuals in those positions”. We obtained a listing of 210 security- sensitive positions identified by the University and selected 25 individuals for testing (15 employees that were hired in the current fiscal year and 10 employees that were hired in previous fiscal years). We noted the following: • Sixteen employees were hired prior to the completion of criminal background investigations (ten of these employees were hired in the current fiscal year). These background investigations were completed between 2 days to 9.4 years after the hiring of the employee. • Three employees that were hired for security sensitive positions in prior years had no evidence that a criminal background investigation had ever been obtained. (Finding 9, page 36) We recommended the University comply with the requirements of the Act and obtain criminal background investigations prior to hiring employees for security-sensitive positions. We further recommended the University identify employees in security sensitive positions who have not had a previous criminal background check and obtain one. University officials agreed with the recommendation and stated a written policy and procedure identifying security sensitive positions has been created and criminal background investigations have been completed. NEED TO IMPROVE CONTROLS OVER THE HIRING OF NEW EMPLOYEES The University did not have sufficient controls in place to ensure compliance with University policies applicable to the hiring of certain new employees. We selected a sample of 10 employees that were hired during fiscal year 2015 and noted the following: • The University could not provide any documentation that the University had verified the employment history of any of the applicants. • For seven of the new hires, the University could not provide evidence that it had verified the education credentials that were contained on the job applicant’s resume. (Finding 10, pages 37-38) We recommended the University improve its procedures to ensure compliance with University policies applicable to hiring. University officials agreed with the recommendation and stated that they have increased its pre-employment services to include background checks, verification of at least the last employment record, criminal record and education verification. OTHER FINDINGS The remaining findings are reportedly being given attention by University officials. We will review progress toward implementation of our recommendations in our next audit. AUDITOR’S OPINION The financial audit report was previously released. The auditors stated the financial statements of the Chicago State University as of and for the year ended June 30, 2015, are fairly stated in all material respects. The auditors also conducted a Single Audit of the University as required by OMB Circular A-133. Our auditors stated the University complied, in all material respects, with the types of compliance requirements that could have a direct and material effect on each of the University’s major federal programs for the year ended June 30, 2015. ACCOUNTANT’S OPINION The accountants conducted a compliance examination of the University for the year ended June 30, 2015, as required by the Illinois State Auditing Act. The auditors stated the University complied, in all material respects, with the requirements described in the report. FRANK J. MAUTINO Auditor General FJM:tlk SPECIAL ASSISTANT AUDITORS Borschnack Pelletier & Co. were our special assistant auditors. DIGEST FOOTNOTES #1 – INADEQUATE CONTROLS OVER PROPERTY AND EQUIPMENT 2014 - The University has made significant progress in tracking and accounting for University property. The University’s Property Control Department will provide additional training to its fiscal officers to reinforce the process governing asset movement. The Property Control Department will coordinate periodic spot audits and midyear inventories with University departments to ensure proper oversight of University property. The Office of Compliance will review the results of these audits and inventories. Additionally the University will institute disciplinary procedures which will hold individuals accountable for the property under their control. The University’s Information Technology Department has been tasked with the responsibility of reporting any future informational breaches to the General Assembly as required by the statute. Additionally, the General Assembly had been notified of the breach that occurred in FY14.