ILLINOIS STATE UNIVERSITY
Financial Audit, Single Audit, and Compliance Examination
For the Year Ended: June 30, 2011
Release Date: March 20, 2012
Summary of Findings:
Total this audit: 5
Total last audit: 3
Repeated from last audit: 2
State of Illinois, Office of the Auditor General
WILLIAM G. HOLLAND, AUDITOR GENERAL
To obtain a copy of the Report contact:
Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703
(217) 782-6046 or TTY (888) 261-2887
This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov
• The University did not exercise adequate internal control over accounts receivable.
• The University’s Internal Audit Department did not review the new Human Resources system prior to its implementation.
• The University had not established adequate security policies and control over its computer environment.
• The University had not established adequate University-wide procedures for disposal of confidential information.
FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS
NEED TO IMPROVE ACCOUNTS RECEIVABLE ACCOUNTING AND REPORTING
Illinois State University (University) did not exercise adequate internal control over accounts receivable.
We noted the following:
• The University overstated tuition and fees receivable by amounts originally estimated to be received from the State, but were not adjusted to reflect actual amounts received. The University recorded tuition and fees accounts receivable for entitlement scholarships awarded to eligible students based upon various State laws. The University is reimbursed for the tuition and fee revenue at a later date, based upon the availability of funds within the State's budget. In the event of insufficient appropriations, the University must bear the cost of the awards. As the State did not pay the cost of tuition and fees waived, the University did not monitor and properly account for the nonpayment, resulting in an overstatement of receivables. The University recorded a prior period adjustment of $5,189,665 for overstated receivables from FY06 to FY10 and a current period adjustment of $1,289,557 for overstated receivables occurring in FY11.
• The University does not have a formal methodology to record, review, and adjust the allowance for uncollectible accounts receivable that takes into account historical factors, such as collections, with qualitative factors. Further, the University has not reviewed the allowance for uncollectible accounts receivable since FY09.
According to University personnel, the overstatement was a result of employees not being aware that certain scholarship payments from the State were no longer collectible. (Finding 1, pages 17-18)
We recommended the University implement controls to periodically review accounts receivable and adopt a methodology to record, review, and adjust an allowance for uncollectible accounts receivable based upon historical collectability data, adjusted for any potential qualitative considerations.
University officials agreed with the finding, indicating they will review controls to improve the reporting and accounting for accounts receivable.
LACK OF INTERNAL AUDIT REVIEW OF MAJOR SYSTEM IMPLEMENTATION
The University’s Internal Audit Department did not review the new Human Resources system prior to its implementation.
The University implemented a Human Resources system in July 2011. The system is used to perform and track functions such as payroll and time and labor for all 3,500 faculty and personnel at the University. The initial selection process began in 2006 to replace a 20-year-old system. The project appears to have had an initial budget of $3.5 million, with a subsequent addition of $2 million in 2010, for a total budget of $5.5 million. The Fiscal Control and Internal Auditing Act requires the review of major new electronic data processing systems by the University's Internal Audit Department prior to system installation to ensure the systems provide for adequate audit trails and accountability.
According to University personnel, the Office of Internal Audit was not involved in the development of the Human Resources system (iPeople) due to a change in management and staff within the Office of Internal Auditing. (Finding 2, pages 19-20)
We recommended the University's Internal Audit Department perform a review of any major computerized system prior to its implementation and maintain documentation of its review.
University officials agreed with the finding, indicating they are enhancing communication between the University’s information technology management and the Office of Internal Audit. Further, they are planning a post-implementation audit of the new system as part of the University’s planned FY12 internal audits.
NEED TO IMPROVE CONTROLS OVER COMPUTER SECURITY ADMINISTRATION
The University had not established adequate security policies and control over its computer environment.
We reviewed the University's policies and procedures and noted the following weaknesses:
• The University's Security Policy is in draft form. At the time of testing the policy had not been approved by senior management or communicated to the appropriate individuals.
• Over 73,300 active user accounts had never been used and another 2,400 had not been used in over a year.
• The University's password expiration policy was not enforced: 2,498 accounts had nonexpiring passwords.
• An excessive number (81) of user accounts had powerful administrative access rights.
According to University personnel, this resulted from the lack of a cohesive IT Governance structure including a common, formal, and disciplined approach for managing IT. (Finding 3, pages 21-23)
We recommended the University develop standard security guidelines to ensure security controls are adequately addressed across the University.
University officials accepted the finding and stated the policy, Security of Information Technology Resources and Systems, has been approved by the Academic Senate. The policy authorizes the creation of procedures that will outline how security will be administered and how access to systems and data will be granted, maintained, reviewed, and audited.
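The account-hygiene weaknesses listed in Finding 3 (accounts never used, accounts idle for over a year, passwords exempt from expiry, and an excessive count of administrative accounts) are the kind of review an auditor or security team can script against an export of the directory. The following is an added example, not code from the report or from the University; the CSV export, its column names, the "Domain Admins" group name and the 365-day idle threshold are all assumptions constructed for illustration. It also adds a combined check the report does not break out separately: privileged accounts that are at the same time unused, stale, or exempt from password expiry.

```python
"""Account-hygiene review of the kind behind Finding 3.

Added example; the CSV below is constructed and the column names are
assumptions about what a directory export might contain.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample export (not University data). An empty last_logon
# means the account has never been used.
SAMPLE_EXPORT = """\
username,created,last_logon,pwd_never_expires,member_of
jdoe,2008-03-01,2011-06-28,false,staff
asmith,2009-09-15,,false,students
tlee,2010-01-10,2010-04-02,true,staff
svc_backup,2007-11-20,2011-06-30,true,Domain Admins;staff
rgarcia,2011-05-01,,false,students
mchen,2006-02-14,2011-06-29,false,Domain Admins
svc_print,2009-06-01,2009-12-31,true,Domain Admins
"""

# Assumed name of the group that confers administrative rights.
ADMIN_GROUPS = {"Domain Admins"}


def parse_accounts(export_text):
    """Parse the CSV export into a list of dicts with typed fields."""
    accounts = []
    for row in csv.DictReader(io.StringIO(export_text)):
        last = row["last_logon"].strip()
        accounts.append({
            "username": row["username"].strip(),
            "created": date.fromisoformat(row["created"].strip()),
            "last_logon": date.fromisoformat(last) if last else None,
            "pwd_never_expires": row["pwd_never_expires"].strip().lower() == "true",
            "groups": {g.strip() for g in row["member_of"].split(";") if g.strip()},
        })
    return accounts


def review_accounts(accounts, as_of, stale_days=365):
    """Return the populations the audit counted, plus a combined high-risk
    list: privileged accounts that are also never used, stale, or exempt
    from password expiry. Every list is sorted by username."""
    cutoff = as_of - timedelta(days=stale_days)
    findings = {"never_used": [], "stale": [], "nonexpiring": [],
                "admins": [], "high_risk": []}
    for a in accounts:
        never_used = a["last_logon"] is None
        stale = a["last_logon"] is not None and a["last_logon"] < cutoff
        is_admin = bool(a["groups"] & ADMIN_GROUPS)
        if never_used:
            findings["never_used"].append(a["username"])
        if stale:
            findings["stale"].append(a["username"])
        if a["pwd_never_expires"]:
            findings["nonexpiring"].append(a["username"])
        if is_admin:
            findings["admins"].append(a["username"])
        if is_admin and (never_used or stale or a["pwd_never_expires"]):
            findings["high_risk"].append(a["username"])
    return {k: sorted(v) for k, v in findings.items()}


def run_review(export_text, as_of_iso, stale_days=365):
    """Convenience entry point: parse the export and review it as of a date."""
    return review_accounts(parse_accounts(export_text),
                           date.fromisoformat(as_of_iso), stale_days)


if __name__ == "__main__":
    result = run_review(SAMPLE_EXPORT, "2011-06-30")
    for category, names in result.items():
        print(f"{category}: {len(names)} {names}")
```

The counts this produces on the constructed data are what an auditor would report alongside the raw lists; the high-risk list is the one to act on first, because a privileged account that is idle or never expires its password is the cheapest foothold for an attacker who obtains or guesses the credential.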
NEED TO ENHANCE CONTROLS OVER CONFIDENTIAL INFORMATION
The University had not established adequate University-wide procedures for disposal of confidential information.
Although the University had established various policies relating to the security of confidential information, the University failed to establish and implement procedures for adequately protecting and disposing of confidential information. During our review, the following weaknesses were noted:
• The University had not performed a comprehensive risk assessment to identify confidential or personal information and its location to assure such information is protected from unauthorized disclosure.
• While the University had established a uniform process for the wiping and destruction of media and data, the process had not been completely implemented.
• Although the University's Student Health Services maintained protected health information, a Health Insurance Portability and Accountability Act (HIPAA) risk assessment had not been completed.
• The University had not formally approved notification procedures in the event of a breach of security regarding personal information.
According to University personnel, this resulted from the lack of a cohesive IT Governance structure including a common, formal, and disciplined approach for managing IT. (Finding 4, pages 24-25) This finding was first reported in 2009.
We recommended the University perform a risk assessment to identify and secure all forms of confidential or personal information, implement a comprehensive process for the wiping and destruction of media, perform and document a HIPAA risk assessment for personal health information, and obtain formal approval of policies and procedures for notification following a breach of security regarding personal information.
University officials accepted the finding, indicating the University is undertaking a risk assessment, including HIPAA, that is expected to be completed by December 2012. Further, the University stated it is working to implement a coordinated electronic media wiping effort and to adopt breach notification procedures. (For the previous University response, see Digest Footnote #1.)
The remaining finding is reportedly being given attention by the University. We will review the University’s progress towards the implementation of our recommendations in our next audit.
Our auditors stated the financial statements of Illinois State University as of and for the year ended June 30, 2011 are fairly stated in all material respects.
WILLIAM G. HOLLAND
SPECIAL ASSISTANT AUDITORS
Our special assistant auditors for this engagement were BKD, LLP.
#1: NEED TO ENHANCE CONTROLS OVER CONFIDENTIAL INFORMATION
The University concurs with the recommendation to assess its procedures for safeguarding and subsequent disposal of all confidential information. Procedures for proper disposal of confidential information are established and will be reviewed to minimize lapses attributable to employee oversight.
The University concurs with the recommendation to perform a comprehensive risk assessment of its computer environment and data. The University Technology Council has finalized the Policy on Information Resource Access and Security and is in the process of obtaining formal approval. Also, a Data Stewardship and IT Services Council has been established to define standards for a master data access plan. These efforts will provide a more comprehensive identification of the University’s computer data security environment for purposes of risk assessment.
Encryption has been installed and utilized on systems storing and transmitting financial information. The University is developing data classification and corresponding security procedures for each level of data classification. The highest level will incorporate encryption technologies. Also, the University is seeking an outsourcing partner to host mainframe operations and will require encryption protection of data.