ILLINOIS STATE UNIVERSITY
FINANCIAL AUDIT AND COMPLIANCE EXAMINATION
(In accordance with the Federal Single Audit Act and OMB Circular A-133)
For the Year Ended: June 30, 2009
Summary of Findings:
Total this audit: 2
Total last audit: 2
Repeated from last audit: 1
Release Date: March 11, 2010
State of Illinois Office of the Auditor General
WILLIAM G. HOLLAND, AUDITOR GENERAL
To obtain a copy of the Report contact:
Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703
(217) 782-6046 or TTY (888) 261-2887
This Report Digest and Full Report are also available on the worldwide web at http://www.state.il.us/auditor
• The University had not assured adequate University-wide procedures existed for disposal of confidential information. In addition, security controls over computer equipment maintained within the University Warehouse were inadequate.
FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS
INADEQUATE PROCEDURES FOR DISPOSAL OF CONFIDENTIAL INFORMATION
The University had not assured adequate University-wide procedures existed for disposal of confidential information. We noted the University:
• Had not performed a risk assessment of its computing environment to identify and protect confidential information from unauthorized disclosure.
• Had not installed disk encryption software on its laptop computers.
• Had not formally approved procedures regarding the University’s responsibility for the prompt investigation and notification in the event of a breach of personal information.
While performing walkthroughs at the University, we found personal information and personal health information in unsecured bins. In addition, weaknesses in the procedures for wiping confidential information from computers and electronic media were found.
Failure to establish adequate procedures to protect and timely dispose of confidential information and to enforce compliance with established procedures can lead to such information being compromised. (Finding No. 09-2, pages 15-18)
We recommended the University assess its procedures for safeguarding and subsequent disposal of all confidential information. University-wide procedures for properly disposing of confidential information should be established. Once established, the University should effectively communicate the procedures to all University personnel and enforce compliance with its procedures, ensuring all confidential information is kept secured until no longer needed and then properly disposed of.
University officials concurred with the recommendation.
We conducted a compliance examination of the University for the year ended June 30, 2009, as required by the Illinois State Auditing Act, the Single Audit Act and OMB Circular A-133.
Our auditors stated the University’s June 30, 2009 financial statements are fairly presented in all material respects.
WILLIAM G. HOLLAND, Auditor General
SPECIAL ASSISTANT AUDITORS
Our special assistant auditors were Clifton Gunderson, LLP.