EASTERN ILLINOIS UNIVERSITY
FINANCIAL AUDIT AND COMPLIANCE EXAMINATION
(In Accordance with the Single Audit Act and OMB Circular A-133)
For the Year Ended: June 30, 2009
Summary of Findings:
Total this audit: 5
Total last audit: 8
Repeated from last audit: 2
Release Date: March 16, 2010
State of Illinois Office of the Auditor General
WILLIAM G. HOLLAND, AUDITOR GENERAL
To obtain a copy of the Report contact:
Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703
(217) 782-6046 or TTY (888) 261-2887
This Report Digest and Full Report are also available on the worldwide web at http://www.auditor.illinois.gov
• The University did not establish an adequate process to estimate the allowance for bad debts.
• The University did not timely revoke access to University information systems and timely cancel telephone credit cards upon employee termination.
• The University did not report accurate student verification codes through the Common Origination and Disbursement (COD) system.
• The University did not require all employees to submit time sheets as required by the State Officials and Employees Ethics Act.
• The University did not adequately develop and test a disaster contingency plan.
FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS
INADEQUATE PROCESS FOR ESTABLISHING ACCOUNTING ESTIMATES
Eastern Illinois University (University) did not establish an adequate process to estimate the allowance for bad debts.
The University estimated the allowance for bad debts of the student accounts receivable to be $3,982,640 as of June 30, 2009, which represented 35% of the student accounts receivable balance at the end of the fiscal year. The allowance for bad debts was computed based on estimated rates established and applied to the student accounts receivable balance by semester. During our audit, we noted the University did not establish a process to prepare these estimates. Sufficient data on which the estimates were based was not available for review. Auditors analyzed the allowance for doubtful student receivable accounts and determined that it was not materially misstated.
According to University personnel, the rates had been established in prior years and have been consistently used. The basis of the estimated rates was historical collection experience of the University. Due to employee turnover and change in the accounting system, the relevant information was not readily available. (Finding 1, pages 21-22)
We recommended University management establish a process to prepare accounting estimates.
University officials accepted our recommendation and responded that they would attempt to improve the documentation supporting the methodology used in the calculation of the estimate in the future.
FAILURE TO TIMELY REVOKE TERMINATED EMPLOYEES’ ACCESS TO UNIVERSITY INFORMATION SYSTEMS
The University did not timely revoke access to University information systems and timely cancel telephone credit cards upon employee termination. During our testing, we noted the following:
• During our testing of the access revocation of 25 terminated employees, we noted that access to the University’s enterprise resource planning system for 5 of 10 (50%) employees was revoked 6 to 172 days after the employee’s termination date.
• All cancelled credit cards were tested and we found 2 of 3 (67%) terminated employees’ telephone credit cards were both cancelled 28 days after the employees’ termination dates.
According to University personnel, the Information Technology Services and the Telecommunication Department were not informed when the Exit Interview Checklists of the resigning employees were signed. (Finding 2, pages 23-24)
We recommended the University timely revoke access of terminated employees to the University information systems and cancel telephone credit cards of these employees.
University officials concurred with the auditor’s recommendation and stated they are working on a reporting process that will automate the notification of appropriate Departments when employees leave University employment.
INACCURATE STUDENT STATUS CODES REPORTED THROUGH THE COMMON ORIGINATION AND DISBURSEMENT SYSTEM
The University did not report accurate student verification codes through the Common Origination and Disbursement (COD) system.
During our testing of Pell Origination and Disbursement Data, we noted 18 of 40 (45%) students reviewed did not have accurate verification codes reported through the COD. These students were erroneously reported as “V - Verified” by the University in the COD system when in fact, no verification was performed for these 18 students.
According to University officials, the Financial Aid Office uses the “Verification Complete” flag as a review flag for everyone. Because of this it is possible for students to be reported as verified when, in fact, verification has not been performed. University officials indicated that the Financial Aid Office has corrected the verification status code for over 900 students through the COD since they were made aware of the issue. (Finding 3, pages 25-26)
University officials accepted our recommendation to review the accuracy of report data before it is submitted to the COD and to remove the verification flag for those students not selected for Pell grant verification documentation.
TIME SHEETS NOT REQUIRED
The University did not require all employees to submit time sheets as required by the State Officials and Employees Ethics Act (Act).
Effective in fiscal year 2009, all employees’ time and leave balances were tracked using web-based systems, which were filled out online by each employee through the Panther Access to Web Services System or by each department’s representative through the Department Time Entry Reporting from the Banner System. During our review, we noted that salaried employees are only required to report hours when they are on leave or away from work, which is effectively a “negative” timekeeping system whereby the employee is assumed to be working unless noted otherwise. Civil Service and student employees report their time to the nearest quarter hour through this online web-based reporting.
Since adequate timesheets were not maintained for all employees, there was no adequate basis for allocating expenditures between the University and the University Related Organizations (URO). The UROs are the Eastern Illinois University Foundation and the Eastern Illinois University Alumni Association.
According to University personnel, the University is in the process of identifying ways to comply with the requirements of the State Officials and Employees Ethics Act and the Master Contracts with the UROs. (Finding 4, pages 27-28) This finding has been repeated since 2005.
We recommended the University amend its policies to require all employees to submit time sheets in compliance with the Act.
University officials agreed with the auditor’s recommendation. (For previous University response, see Digest Footnote #1.)
INADEQUATE DISASTER CONTINGENCY PLANNING
Eastern Illinois University (University) had not adequately developed and tested a disaster contingency plan.
During the current engagement, it was noted the University initiated a complete rewrite of the existing Information Technology Services (ITS) Disaster Recovery Plan (DRP) in July 2009. During our review we noted the following:
- The Plan was in draft form and had not been approved by University management.
- An adequate recovery site had not been established. The University had established a hot site for backing up its ERP system. The site was not adequately distanced away from the primary computer facility and was inadequate for staging recovery activities associated with major disasters.
- A list of recovery timeframes for recovering the University’s critical applications had not been developed.
University personnel stated they are aware the plan has not been completed. Development of remaining sections, including recovery of the University’s secondary and tertiary systems, is ongoing. However, the Plan was a ground-up rewrite with initial focus placed on the University’s critical ERP system. (Finding 5, pages 29-31) This finding has been reported since 2007.
We recommended that the University continue developing its contingency plan and have it approved by University management. Further, the University should perform recovery tests at least annually to identify any plan weaknesses and to ensure adequate resources are available for recovering the University’s critical systems within the required timeframes.
University officials agreed with the auditor’s recommendation. (For previous University response, see Digest Footnote #2.)
Our auditors stated the University's financial statements as of and for the year ended June 30, 2009 were fairly presented in all material respects.
WILLIAM G. HOLLAND, Auditor General
SPECIAL ASSISTANT AUDITORS
E.C. Ortiz & Co. LLP were our special assistant auditors on this engagement.
#1: TIMESHEETS NOT REQUIRED – Previous University Response
The University assumed its procedures were in compliance with the time reporting requirements of the State Officials and Employees Ethics Act (the “Ethics” Act) based upon guidance received from the Executive Inspector General. The University received a memo from the Office of the Inspector General that states: “it appears that a system of ‘absence reporting’ would be an appropriate method of time keeping under the Ethics Act. Under this system, an employee would only report time during their normal work schedule that was not spent at work and provide the category of leave taken for that time away.”
Hourly employees have always reported time worked on a quarter-hourly basis; however, salaried employees have not. We are working on developing a system that will permit salaried employees to report their time on a quarter-hourly basis but still allow them to be paid their contracted salary.
#2: INADEQUATE DISASTER CONTINGENCY PLANNING – Previous University Response
The University accepts the auditor’s recommendation.
As the University has moved away from the mainframe environment, the issues associated with the disaster contingency planning have changed. We have tested our recovery procedures and are confident that we can meet the University’s recovery needs. However, we have not documented this process adequately. We will continue to test our recovery procedures and update our Contingency Plan accordingly.