REPORT DIGEST BOARD OF HIGHER EDUCATION COMPLIANCE EXAMINATION FOR THE TWO YEARS ENDED JUNE 30, 2021 Release Date: May 11, 2023 FINDINGS THIS AUDIT: 11 CATEGORY: NEW -- REPEAT -- TOTAL Category 1: 2 -- 0 -- 2 Category 2: 6 -- 3 -- 9 Category 3: 0 -- 0 -- 0 TOTAL: 8 -- 3 -- 11 FINDINGS LAST AUDIT: 3 Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance). Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations. Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations. State of Illinois, Office of the Auditor General FRANK J. MAUTINO, AUDITOR GENERAL To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703 (217) 782-6046 or TTY (888) 261-2887 This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov SYNOPSIS • (21-01) The Board did not exercise adequate controls over contractual services. • (21-02) The Board did not implement adequate internal controls related to systems and applications access and control. FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS WEAKNESSES IN CONTRACTUAL SERVICES The Board of Higher Education (Board) did not exercise adequate controls over contractual services. During testing, we noted the Board does not maintain a complete list of contract agreements. During the examination, we requested the Board provide a list of contract agreements in effect during the two years ended June 30, 2021. The Board was able to provide copies of certain contract agreements, but was unable to determine if all contracts in effect during the examination were included. Due to these conditions, the accountants were unable to conclude whether the Board’s population records were sufficiently precise and detailed under the Attestation Standards promulgated by the American Institute of Certified Public Accountants (AT-C § 205.36) to test the Board's contract agreements. Although the population limitations noted above hindered our ability to conclude whether the selected sample was representative of the population as a whole, we selected a sample of 3 contracts for testing and noted: • The Board was unable to provide supporting documentation for 2 (67%) contracts tested, totaling $209,733. Documentation missing included the following certifications: – Bribery clause certification (30 ILCS 500/50-5(d)) – Debt delinquency certification (30 ILCS 500/50-11(b)) – Drug free workplace certification (30 ILCS 580/3 through 580/4) – Environment Protection Act (30 ILCS 500/50-14(c)) – Felons certification (30 ILCS 500/50-10(b)) – Prohibited bidders and contractors certification (30 ILCS 500/50-10.5(b)) – Illinois use tax certification (30 ILCS 500/50-12(b)) – International anti-boycott certification (30 ILCS 582/5) – State Board of Elections certification (30 ILCS 500/20-160(b)) – Contractor’s/Lessor’s Federal Taxpayer Identification Number and Legal Status Disclosure certification (SAMS 15.20.50) – Conflicts of Interest (30 ILCS 500/50-13, 50-35) • For 1 (33%) contract tested, totaling $13,000, the contract was not signed prior to the performance of services or receipt of goods. Additionally, the Board was unable to provide supporting documentation of a request to receive a waiver of the Late Filing Affidavit requirement from the Comptroller or Treasurer. • One (33%) contract tested, totaling $13,000, was signed by someone other than either 1) the head of the agency or 2) a delegated authority to sign the agency’s name, with signature of the person actually signed the document. Specifically, the initial contract was signed by a Board member who did not have contract signature authority. • For 1 (33%) contract tested, totaling $13,000, the Contract Obligation Document (COD) was not properly completed. Specifically, the COD was missing a class code and the signature of an authorized individual. During testing of one contractual agreement over $3 million, we noted the following: • The Board did not obtain all required signature approvals for this agreement. Specifically, the Board did not designate in writing a senior executive to sign in place of a chief legal counsel. • The contractual agreement was not signed by all parties prior to the effective date of the agreement. The agreement was signed 38 days after its effective date. (Finding 1, pages 11-14) We recommended the Board strengthen controls to ensure: • contract population records are properly maintained; • documentation is completed and maintained; • contracts are signed by the proper parties; • COD documents are properly completed; and, • contracts over $250,000 are timely signed and approved by all required individuals. The Board accepted the recommendation and stated it will strengthen controls to ensure completeness and accuracy of records, and that all agreements are executed in compliance with the Fiscal Control and Internal Auditing Act. INADEQUATE CONTROLS OVER ACCESS TO SYSTEMS AND APPLICATIONS The Board did not implement adequate internal controls related to systems and applications access and control. In order to carry out its mission, the Board utilizes a myriad of systems and applications. We requested the Board provide a listing of users with access to their critical applications and databases. In response to our request, the Board provided a listing; however, they did not provide documentation demonstrating the population was complete and accurate. Even given the limitations noted, we tested a sample of users to determine if their access was appropriate, noting no exceptions. Further, we noted the Board had not developed access provisioning policies and procedures. Lastly, we noted the Board did not document regular reviews of access rights to the Board’s use of the Accounting Information System (AIS), Central Payroll System (CPS), and mainframe during the examination period. (Finding 2, pages 15-16) We recommended the Board implement controls to document the accuracy of their user listing and develop access provisioning policies and procedures. We also recommended the Board conduct regular reviews of access rights to its AIS, CPS, and mainframe to ensure they are appropriate. The Board accepted the recommendation and stated it will conduct regular reviews of user access rights and has created an employee offboarding process that includes deprovisioning employee user rights. OTHER FINDINGS The remaining findings pertain to internal controls over State property, failure to enforce compliance with grant agreements, Board not staffed as required, weaknesses in cybersecurity programs and practices, noncompliance with reporting requirements, weaknesses in preparation of GAAP reporting, lack of adequate controls over the review of internal controls for service providers, inadequate controls over receipt processing, and noncompliance with the Board of Higher Education Act. We will review the Board’s progress towards the implementation of our recommendations in our next State compliance examination. ACCOUNTANT’S OPINION The accountants conducted a State compliance examination of the Board for the two years ended June 30, 2021, as required by the Illinois State Auditing Act. The accountants qualified their report on State compliance for Findings 2021-001 and 2021-002. Except for the noncompliance described in those findings, the accountants stated the Board complied, in all material respects, with the requirements described in the report. This State compliance examination was conducted by the Office of the Auditor General’s staff. JANE CLARK Division Director This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act. FRANK J. MAUTINO Auditor General FJM:sdw