REPORT DIGEST

ILLINOIS STATE UNIVERSITY
FINANCIAL AUDIT, SINGLE AUDIT, AND COMPLIANCE EXAMINATION
For the Year Ended June 30, 2012

Release Date: February 28, 2013

Summary of Findings:
Total this audit: 6
Total last audit: 5
Repeated from last audit: 2

State of Illinois, Office of the Auditor General
WILLIAM G. HOLLAND, AUDITOR GENERAL

To obtain a copy of the Report contact:
Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703
(217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

SYNOPSIS

• The University did not exercise adequate internal control over revenue recognition.
• The University was unable to locate seven laptop computers. These items were deemed by the University to have been lost or stolen during Fiscal Year 2012.
• The University had not established adequate University-wide procedures for disposal of confidential information.
• The University did not exercise adequate internal control over the University’s vehicles.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

NEED TO IMPROVE REVENUE RECOGNITION PROCEDURES FOR FINANCIAL REPORTING

The Illinois State University (University) did not exercise adequate internal control over revenue recognition. The auditors noted the following:

• The University needs to improve its methodology for recording tuition and fee revenues due from the State for entitlement scholarships awarded to eligible students based upon various State laws. During the prior examination, the auditors identified the University had overstated tuition and fees receivable by amounts originally estimated to be received from the State. Upon notification from the auditors, the University analyzed Fiscal Year 2011 receivables, determining $883,000 in amounts due from the State was collectable as of June 30, 2011 based upon the University’s review of another State agency’s website and historical collection information. During the current period, the University determined the remaining $883,000 receivable reported as collectable by the University as of June 30, 2011 was not collectable and recorded an adjustment to the University’s records during Fiscal Year 2012.
• The University did not properly recognize deferred revenues earned during the year, totaling $146,276, from the sale of season tickets to University athletic events.
• The University improperly recognized revenue by not remitting proceeds from the sale of scrap metal, totaling $138,598 from Fiscal Year 2007 through Fiscal Year 2012, to the Department of Central Management Services.

These amounts were deemed immaterial by University management and were not adjusted in the University’s financial statements.

According to University personnel, they were unaware of the change in collectability of certain State funded scholarships from the University’s past historical experience. In addition, failure to properly recognize deferred revenues and remit scrap metal proceeds was due to employee oversight. (Finding 1, pages 18-19)

We recommended the University develop a methodology which includes communication with other relevant State agencies for estimating tuition and fee revenues due from the State for entitlement scholarships, recognize deferred revenues from athletic ticket sales as earned, and remit scrap metal proceeds to the Department of Central Management Services.

University officials agreed with the finding, indicating they will modify the University’s procedures to correct these noted errors.

NEED TO ENHANCE CONTROLS OVER THE UNIVERSITY’S COMPUTER INVENTORY

The University was unable to locate seven laptop computers. These items were deemed by the University to have been lost or stolen during Fiscal Year 2012.

During testing, the auditors noted the University had not protected its computers with encryption software, thus increasing the risk that confidential information could be exposed. Confidential information routinely collected and maintained by the University includes education records, health records, personal information, and sensitive information. At the time of our review, the University had not performed a detailed assessment and therefore was unable to assess whether the missing computers contained confidential information. However, after notification from the auditors, the University performed an assessment concluding the nature of the use of the computers limits the likelihood they contained confidential information.

According to University personnel, this resulted from the lack of a cohesive IT Governance structure including a common, formal, and disciplined approach for managing IT. (Finding 2, pages 20-21)

We recommended the University review current practices to determine if enhancements can be implemented to prevent the theft or loss of computers, establish procedures to immediately notify security personnel of any missing or stolen computers to allow them to assess if a computer may have contained confidential information and document the results of the assessment, and ensure confidential information is adequately secured with methods such as encryption or redaction.

University officials agreed with the recommendation, indicating they will work on implementing the auditors’ recommendations.

NEED TO ENHANCE CONTROLS OVER CONFIDENTIAL INFORMATION

The University had not established adequate University-wide procedures for disposal of confidential information. Although the University had established various policies relating to the security of confidential information, the University failed to establish and implement procedures for adequately protecting and disposing of confidential information.

During our review, the following weaknesses were noted:

• The University had not performed a comprehensive risk assessment to identify confidential or personal information and its location to assure such information is protected from unauthorized disclosure.
• While the University had established a uniform process for the wiping and destruction of media and data, the process had not been completely implemented. The University did not have a process for the removal of information from certain types of computers nor for the physical destruction of computer drives that failed and could not be cleaned using software.
• Although the University's Student Health Services maintained protected health information, a Health Insurance Portability and Accountability Act (HIPAA) risk assessment had not been completed.
• The University had not formally approved notification procedures in the event of a breach of security regarding personal information.

According to University personnel, this resulted from the lack of a cohesive IT Governance structure including a common, formal, and disciplined approach for managing IT. (Finding 3, pages 22-24) This finding was first reported in 2009.

We recommended the University perform a risk assessment to identify and secure all forms of confidential or personal information, implement a comprehensive process for the wiping and destruction of media, perform and document a HIPAA risk assessment for personal health information, and obtain formal approval of policies and procedures for notification following a breach of security regarding personal information.

University officials accepted the finding, indicating the University is in the process of implementing corrective action across the campus. (For the previous University response, see Digest Footnote #1.)

NEED TO IMPROVE CONTROLS OVER UNIVERSITY-OWNED VEHICLES

The University did not exercise adequate internal control over the University’s vehicles. During testing, the auditors noted the following:

• The University has not performed an analysis of the University’s vehicles to determine whether maintaining each vehicle can be justified as the most cost-effective solution for the specific operational needs of the University. The auditors noted five underutilized University-owned vehicles during Fiscal Year 2012. Four of the five vehicles were driven less than 100 miles during the year.
• The University does not have a policy in place requiring all University vehicles to undergo regular service and/or repairs in order to maintain the vehicles in a roadworthy and safe operating condition.
• The University was unable to provide documentation supporting regular maintenance for three of 25 (12%) vehicles tested.
• The University did not survey its vehicle inventory for transferable equipment. The auditors noted one vehicle driven three miles during the year not utilized due to excessive rust and the vehicle’s overall poor mechanical condition and another vehicle driven zero miles during the year with 460,614 total miles.

According to University personnel, the University’s department-level fiscal officers are responsible for ensuring all University-owned equipment is necessary for University operations and properly maintained. As such, the exceptions noted are likely due to fiscal officer oversight. (Finding 4, pages 25-27)

We recommended the University perform an analysis of the University’s vehicles to determine whether each vehicle can be justified as the most cost-effective solution for the University’s specific operational needs, adopt a policy and implement internal controls to ensure all University vehicles undergo regular service and/or repair, and survey the University’s equipment to identify and report transferable equipment.
University officials accepted the finding, indicating the University will perform a cost-benefit analysis of the utilization of University-owned vehicles, assess vehicle maintenance documentation and history, and identify obsolete or transferable vehicles.

OTHER FINDINGS

The remaining findings are reportedly being given attention by the University. We will review the University’s progress towards the implementation of our recommendations in our next audit.

AUDITORS’ OPINION

Our auditors stated the financial statements of the Illinois State University as of and for the year ended June 30, 2012 are fairly stated in all material respects.

WILLIAM G. HOLLAND
Auditor General

WGH:djn

SPECIAL ASSISTANT AUDITORS

Our special assistant auditors for this engagement were BKD, LLP.

DIGEST FOOTNOTE #1: NEED TO ENHANCE CONTROLS OVER CONFIDENTIAL INFORMATION

FY2011: Accepted. The University agrees with the recommendation related to risk assessment and procedures for wiping and destruction of media. As of the date of this response, Administrative Technologies, Campus Technology Support Group, and Internal Audit have teamed together to perform a risk assessment of information technology at the University. It is expected the preliminary risk assessment, including HIPAA, will be completed by December 2012.

In terms of the wiping procedures, the University currently degausses media that cannot be wiped with available tools. Examples of such media include Apple/Macintosh computers, some servers and USB flash drives. While there is a centrally-managed program at Property Control, several units also perform their own media wiping efforts. The University understands there is an effort required to implement a coordinated electronic media wiping for the institution.

As for breach notification procedures, the draft Information Technology Security Incident Response Plan (ITSIR) includes such procedures. Approval of this plan is expected to be finalized by the end of fiscal year 2012.