SOUTHERN ILLINOIS UNIVERSITY
Financial Audit and Compliance Examination (In accordance with the Single Audit Act and OMB Circular A-133)
For the Two Years Ended June 30, 2010
Summary of Findings:
Total this audit: 6
Total last audit: 4
Repeated from last audit: 1
Release Date: March 10, 2011
State of Illinois, Office of the Auditor General
WILLIAM G. HOLLAND, AUDITOR GENERAL
To obtain a copy of the Report contact:
Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703
(217) 782-6046 or TTY (888) 261-2887
This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov
• The University’s Edwardsville campus does not formally document the supervisory review process related to the Return of Title IV Funds calculations.
• The University’s Carbondale campus does not have adequate segregation of duties within the P-Card approval process. Certain P-Card holders have the ability to approve their own purchases through the on-line P-Card approval process.
• The University had not assured adequate security and control over access to or the proper disposal of confidential information.
FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS
DOCUMENTED CONTROLS OVER RETURN OF TITLE IV FUNDS CALCULATIONS
The Edwardsville campus does not formally document the supervisory review process related to the Return of Title IV Funds calculations.
The University does not formally review the Return of Title IV script within their computer software used to calculate Return of Title IV Funds to the U.S. Department of Education. The Edwardsville campus improperly calculated 100% of Return of Title IV funds calculations during the year because the script used to calculate the return amount contained the incorrect amount of “total days” in the equation. The University mistakenly calculated all fall 2009 semester returns using 117 days instead of the proper 110 days. This resulted in the University improperly returning $5,275 to the U.S. Department of Education in excess of the proper amount for the fall semester. The University mistakenly calculated all spring 2010 semester returns using 109 days instead of the proper 110 days. This resulted in the University not returning $378 to the Department of Education in the spring semester. (Finding 2, page 13)
We recommended that a documented supervisory review of Return of Title IV Funds calculation be performed.
University officials accepted our recommendation.
INADEQUATE SEGREGATION OF DUTIES WITHIN THE P-CARD APPROVAL PROCESS
The Carbondale campus has inadequate segregation of duties within the P-Card approval process.
The Carbondale campus has 1,112 employees that are P-Card holders. A total of 70 of these cardholders (6%) are also authorized to approve their own P-Card purchases. Of these 70 cardholders who had the ability to approve their own purchases, we noted 23 approved at least one transaction during the fiscal year. There should be a clear segregation of duties within the P-Card purchasing process. No employee should be allowed to approve their own purchases. (Finding 5, page 16)
We recommended the University modify the P-Card system to disallow any purchaser from approving their own purchases.
University officials accepted our recommendation and stated the inadequate segregation of duties was noted by Internal Audit in late summer, and corrective action has been taken.
INADEQUATE CONTROL OVER ACCESS TO AND DISPOSAL OF CONFIDENTIAL INFORMATION
The University had not assured adequate security and control over access to or the proper disposal of confidential information.
While performing walkthroughs at the University, we noted the following:
School of Medicine
Documents containing confidential or personal information including names, social security numbers, addresses, and diagnosis were found in unsecured boxes designated for recycling or waste containers in several School of Medicine facilities. In addition, confidential and personal health-related information was not always shredded or maintained in lockable bins until shredding. A service was used to pickup and dispose of confidential information, but it was not shredded onsite. Security of information taken offsite could not be assured.
Cross-cut shredders were not always utilized to dispose of confidential and personal health-related information. A service was used to pickup and dispose of confidential information, but it was not shredded onsite. Security of information taken offsite could not be assured.
Lockable bins were not always used to safeguard confidential information prior to shredding.
In addition, University-wide procedures for addressing the security and disposal of confidential information were lacking, confidential information in electronic form was not assured of being adequately protected, and a formal risk assessment to identify all confidential information had not been performed. The University had experienced at least 10 security breaches since June 30, 2009. (Finding 6, pages 17-18)
We recommended the University review University-wide policies to assure procedures exist for ensuring confidential and personal information is adequately secured and properly disposed. In addition, the University should also perform a formal risk assessment to evaluate its computer environment and data maintained to assure adequate security controls.
University officials accepted our recommendation.
The remaining findings are reportedly being given attention by the University. We will review the University’s progress towards the implementation of our recommendations in our next audit.
Our auditors stated the financial statements of the University as of June 30, 2010 and for the year then ended are fairly presented in all material respects.
WILLIAM G. HOLLAND
SPECIAL ASSISTANT AUDITORS
Crowe Horwath LLP were our special assistant auditors for this audit.