UNIVERSITY OF ILLINOIS
For the Year Ended: June 30, 2009
Release Date: March 25, 2010
State of Illinois, Office of the Auditor General
WILLIAM G. HOLLAND, AUDITOR GENERAL
To obtain a copy of the Report contact:
Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703
(217) 782-6046 or TTY (888) 261-2887
This Report Digest and the Full Report are also available on the worldwide web at http://www.auditor.illinois.gov
The financial audit report contains three sets of financial statements in the Annual Financial Report the financial statements of the University; and the revenue bond financial statements of the Auxiliary Facilities System and the Health Services Facilities System.
This report contains only findings pertaining to the Financial Statement audit.
The State Compliance Examination and Federal Single Audit reports will be issued at a later date.
(of Financial Statement Audit Findings)
• The University has not established adequate internal controls over access to the information systems used in its financial reporting process.
• The University has not established adequate internal controls over procurement card transactions.
• The University has not established adequate internal controls over identifying and recording period end accounts payable for financial reporting purposes.
FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS
INADEQUATE CONTROLS OVER USER ACCESS TO INFORMATION SYSTEMS
The University has not established adequate internal controls over access to the information systems used in its financial reporting process.
The University operates an Enterprise Resource Planning (ERP) system to manage the activities of the University. Access is granted to users of the University’s information systems based upon standardized user profiles designed by the Office of Business and Financial Services in connection with the Office of Administrative Information Technology Services. The University functions in a highly distributed operating environment with several thousand users having varying types of system access.
The standardized user profiles are intended to assist the University in limiting access to the information systems based upon the assigned job functions of the specific users to which the profiles are assigned; however, the standardized user profiles currently used by the University are not designed to appropriately segregate conflicting duties and have resulted in an excessive number of users with access to perform transactions in unlimited dollar amounts or with the capability to modify system data.
Specifically, we noted 2,258 users have access to create journal entries in unlimited dollar amounts without a supervisory review. We also noted 1,725 users with access to update employee pay rates within their assigned department and 112 individuals with access to update employee pay rates of all individuals across all departments of the University. Lastly, the University has not implemented procedures to monitor user access through periodic access reviews.
As a result of the internal control deficiencies identified above, we performed a detailed review of user access rights with the assistance of University management. This review identified several users with access rights that were inappropriate based on their roles and job functions presenting segregation of duties conflicts and the risk that erroneous or fraudulent transactions may be recorded in the general ledger.
Failure to properly assign and monitor user access rights may result in erroneous or fraudulent transactions being recorded in the general ledger system. Without adequate security over access rights, there is a greater risk that unauthorized changes or additions to the University’s financial systems could occur and not be detected in a timely manner. If access rights are not reviewed and updated based on job responsibilities on a regular basis, there is a greater risk that journal entries in unlimited dollar amounts, as well as cash disbursements, can be recorded by unauthorized individuals. (Finding 1, Pages 5-7)
We recommended the University review and modify the standard user profiles to ensure (1) the profiles assigned to users appropriately limit each user’s access to the systems to which they require access based upon their assigned job responsibilities, (2) the authorization limits assigned to each user are appropriate, and (3) supervisory reviews of transactions are required as appropriate.
University officials accepted the recommendation and stated that many of the controls that they have put into place have been effective but does agree that improvements to the user access control environment are needed and will be beneficial.
INADEQUATE CONTROLS OVER UNIVERSITY PROCUREMENT CARD TRANSACTIONS
The University has not established adequate internal controls over procurement card (P-Card) transactions.
The University operates a procurement card program which allows individuals to make smaller purchases (defined as less than $4,999) on a credit card which is directly reimbursed by the University on a monthly basis. The University’s policies require individuals assigned a procurement card to sign an agreement stipulating they will use the card in accordance with University policy. This agreement is also required to be authorized by the individual’s supervisor or the department head. The University’s policies require transactions incurred on the procurement card to be approved in the University’s procurement card system by the individual cardholder and an assigned reviewer.
Although the University has established policies and procedures for issuing procurement cards, incurring and paying for expenditures with procurement cards, and reviewing and approving of procurement card transactions, we noted these policies and procedures were not properly designed to prevent erroneous charges from being paid by the University and were not followed consistently by University personnel.
Specifically, we noted the procurement card system is configured to automatically record transactions in the general ledger to pre-assigned accounts (auto-reconciled) if the cardholder and/or assigned reviewer have not approved the respective transactions within seven days. The configuration of the system is inconsistent with the University policy that requires both the cardholder and reviewer to approve all procurement card transactions. The University also has not implemented procedures to identify duplicate charges or to reconcile procurement card transactions with travel reimbursement forms. As a result, erroneous or duplicate charges may be paid and recorded by the University without any further detective controls to identify them.
Our sample testwork involved examining 40 procurement card transactions totaling $42,586. Conditions noted entailed:
• transactions which were automatically reconciled by the system and as a result were not subject to supervisory approval procedures.
• transactions which were reconciled and approved by the same individual.
• a transaction made by an individual other than the card holder.
• a transaction where original supporting documentation could not be located.
• a transaction for which no University business purpose was documented.
• a transaction which included a charge for sales tax which is a prohibited since the University is tax-exempt.
In addition, the University was unable to locate approved Procurement Card Authorization/Agreement and Application forms for eight of 37 cardholders selected for testwork.
The University has approximately 5,700 active procurement cards and the procurement card expenditures paid during the year ended June 30, 2009 were $108,100,000.
Failure to properly review and approve procurement card transactions could result in erroneous or fraudulent transactions being recorded in the general ledger system. (Finding 2, Pages 8-10)
We recommended that the University revise its current process to require procurement card transactions be reviewed and approved by the card holder and an independent reviewer prior to recording the transactions in the general ledger. Such process modifications may include eliminating the auto-reconciliation function or establishing another mechanism to allow auto-reconciled transactions to be reviewed and approved prior to being recorded in the specific general ledger accounts. We also recommended that the University implement procedures to identify duplicate transactions and to reconcile procurement card transactions to travel reimbursement forms.
University officials accepted the recommendation and stated that they will continue to be proactive in improving controls over the P-Card system and will install system and/or process improvements to ensure all P-Card transactions are reconciled.
NEED TO IMPROVE YEAR END ACCOUNTS PAYABLE PROCESS
The University has not established adequate internal controls over identifying and recording period end accounts payable for financial reporting purposes.
During our audit, we noted the University’s year end accounts payable procedures include specifically reviewing cash disbursements made subsequent to year end through the fourth week in July to determine to which accounting period the expenditures pertain. Subsequent to the fourth week in July, further reviews are performed for certain expenditures by Health Services Facilities System to develop an accrual related to subsequent disbursements. No further formal procedures are performed over cash disbursements subsequent to the fourth week in July and the University does not perform procedures to estimate potential unrecorded liabilities.
In addition, we identified: a) two subsequent disbursements (totaling $18,325) which pertained to fiscal year 2009, but which were not properly accrued by the University; b) one disbursement (totaling $204,156) which pertained to 2010, but which had been accrued in error; and c) eight expenditures which pertained to fiscal year 2008 in our State Compliance testwork (totaling $39,135) which were reported in fiscal year 2009.
Failure to analyze cash disbursements subsequent to year end may result in the misstatement of the University’s financial position. (Finding 3, Pages 11-12)
We recommended that the University implement procedures to assess the completeness of its accounts payable at year end. Such procedures may include extending the timeframe for which the University evaluates cash disbursements subsequent to year end or developing procedures to estimate the accounts payable balance.
University officials accepted the finding and stated that they will develop improvements to procedures to address the recommendations noted in the finding.
Our auditors state the June 30, 2009 financial statements are fairly presented in all material respects.
WILLIAM G. HOLLAND, Auditor General
SPECIAL ASSISTANT AUDITORS
KPMG were our special assistant auditors.