REPORT DIGEST

ILLINOIS STATE UNIVERSITY
FINANCIAL AUDIT
FOR THE YEAR ENDED JUNE 30, 2022

Release Date: February 2, 2023

FINDINGS THIS AUDIT: 2

CATEGORY       NEW   REPEAT   TOTAL
Category 1:     0       2       2
Category 2:     0       0       0
Category 3:     0       0       0
TOTAL:          0       2       2

FINDINGS LAST AUDIT: 2

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703, (217) 782-6046 or TTY (888) 261-2887.

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

INTRODUCTION

This digest covers the financial audit of Illinois State University (University) as of and for the year ended June 30, 2022. The University’s Single Audit and State compliance examination reports will be separately issued at a later date.

SYNOPSIS

• (22-02) The University had multiple computer security weaknesses.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

INFORMATION SECURITY WEAKNESSES

The Illinois State University (University) had multiple computer security weaknesses.

During testing, we identified the following security weaknesses:

• The University's Information Technology (IT) policies and procedures were updated during the audit period to reflect the University's current environment or address future changes in processes and new systems; however, the updates have not been reviewed and approved.
• The University did not formally document whether users’ roles within its applications were appropriate for all departments.
• The University did not conduct segregation of duties reviews between development and production environments for systems where University personnel have development responsibilities.
• For Colleague, an application used for financial reporting, and iPeople, the University’s human resources and payroll application, we noted some users still had access to the application after the University’s period for removing access had passed.
• During our review of user access listings during December 2021, we noted some users with general access to the various University systems, which was previously necessary based on their prior job duties, still had this access after their termination. While it is possible some of this access was appropriate after the employee’s termination date, the University was unable to show the access rights which remained were appropriate.
• The University has not established a process or procedure for timely documenting its risk analysis and reasoning for when a failed patch of its system endpoints and servers can be exempted.

(Report Required Under Government Auditing Standards, Finding 2, pages 7-9) This finding has been reported since 2018.

We recommended the University implement adequate security, including:

• approving the updated policies and procedures to (1) reflect the University's current environment and (2) address future changes in processes and new systems;
• documenting, during formal user access reviews, the appropriateness of each user’s access to the University’s applications for all departments;
• performing an annual review to confirm segregation of duties or compensating controls exist for University personnel with development responsibilities;
• ensuring access to all applications is terminated in a timely manner and any access remaining after an individual departs from the University is limited and appropriate; and
• establishing a process or procedure to ensure all devices are timely patched with vendor updates and that any failed patches of system endpoints and servers have a documented risk assessment and reasoning for why an exemption to the patching requirement is necessary.

University officials concurred with our finding.

OTHER FINDING

The remaining findings pertain to inadequate internal controls over census data and improper calculation of net investment in capital assets. We will review the University’s progress towards the implementation of our recommendations in our next financial audit.

AUDITOR’S OPINION

The auditors stated the financial statements of the University as of and for the years ended June 30, 2022, are fairly stated in all material respects.

This financial audit was conducted by RSM US LLP.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:TLK