UNIVERSITY OF ILLINOIS
For the Year Ended June 30, 2010
Summary of Findings:
Total this audit: 3
Total last audit: 3
Repeated from last audit: 3
Release Date: January 12, 2011
State of Illinois, Office of the Auditor General
WILLIAM G. HOLLAND, AUDITOR GENERAL
To obtain a copy of the Report contact:
Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703
(217) 782-6046 or TTY (888) 261-2887
This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov
The University’s financial audit report consists of three sets of financial statements: the financial statements of the University, and the revenue bond financial statements of the Auxiliary Facilities System and the Health Services Facilities System.
This report contains only findings pertaining to the Financial Statement Audit.
The State Compliance Examination and Federal Single Audit Reports will be issued at a later date.
• The University has not established adequate internal controls over access to the information systems used in its financial reporting process.
• The University has not established adequate internal controls over accurately identifying and recording period end accounts payable for financial reporting purposes.
FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS
INADEQUATE CONTROLS OVER USER ACCESS TO INFORMATION SYSTEMS
The University has not established adequate internal controls over access to the information systems used in its financial reporting process.
The University operates an Enterprise Resource Planning (ERP) system to manage the activities of the University. The University functions in a highly distributed operating environment with several thousand users having varying types of system access. Access is granted to users of the University’s information system based on standardized user access profiles.
The standardized user profiles are intended to assist the University in limiting access to the information systems based upon the assigned job functions of the specific users to which the profiles are assigned. However, the standardized user profiles currently used by the University are not designed to appropriately segregate conflicting duties and have resulted in an excessive number of users with access rights that were inappropriate based on their roles and job functions.
The exceptions identified during our 2009 review consisted of user profiles with inappropriate access to update or change employee pay rates, release financial holds, apply various payments and override three-way matching. These exceptions also identified several user profiles with conflicting user access abilities to create and self-approve restricted journal entries as well as update the University’s charts of accounts. The University did not have procedures in place to monitor user access through periodic access reviews.
During fiscal year 2010, the University began designing a process to review transactions assigned to standardized user profiles, train unit security contacts, and perform an annual review for the ERP system. Although the Administration Information Technology Services (AITS) has designed and initiated an annual access review process, this review was not completed during fiscal year 2010 for all departments.
In addition to the internal control deficiencies regarding inappropriate access to update or change employee pay rates, as well as users with conflicting access abilities to create and self-approve restricted journal entries, during the current year we noted the following:
• There are 132 users (out of 517 total users reviewed) who had excessive access rights that were not appropriate based upon review of each user’s job function.
• There are 26 terminated users with active accounts that were not removed in a timely manner.
Further, we noted periodic reviews of terminated employees with access to the information systems are not performed consistently and documentation is not retained. In addition, there are no procedures in place to perform a periodic review of user access rights to the purchasing system and no procedures are in place to monitor user access rights for employees who transfer positions and change job functions. (Finding 1, pages 5-6) This finding was first reported in 2008.
We recommended that the University review and modify the standard user profiles to ensure (1) the profiles assigned to users appropriately limit each user’s access to the systems to which they require access based upon their assigned job responsibilities, (2) the authorization limits assigned to each user are appropriate, and (3) supervisory reviews of transactions are required as appropriate.
University officials accepted the recommendation and stated that new policies and related procedures were developed and became effective February 2010. Full implementation is expected to be performed in fiscal year 2011. (For the previous University response, see Digest footnote #1)
INADEQUATE YEAR END ACCOUNTS PAYABLE PROCESS
The University has not established adequate internal controls over accurately identifying and recording period end accounts payable for financial reporting purposes.
During our review of cash disbursements subsequent to year end, we identified seven subsequent disbursements totaling $1,212,182 which pertained to fiscal year 2010, but which were not properly identified by the University. Four of these subsequent disbursements totaling $1,180,130 were not identified because the University’s review of these transactions did not include a review of the shipping documents and any applicable shipping terms. (Finding 3, Pages 10-11)
We recommended that the University review its current process to assess the completeness of its accounts payable at year end and consider changes necessary to ensure all period end accounts payable are accurately identified and recorded. Such procedures should include a determination of when the underlying goods or services were received including a review of shipping documentation and any applicable shipping terms.
University officials accepted the recommendation and stated that they will take the necessary corrective action.
The remaining finding is reportedly being given attention by the University. We will review the University’s progress towards the implementation of our recommendations in our next engagement.
Our auditors state the June 30, 2010 financial statements are fairly presented in all material respects.
WILLIAM G. HOLLAND
SPECIAL ASSISTANT AUDITORS
KPMG were our special assistant auditors.
#1 – Inadequate Controls Over User Access to Information Systems – Previous University Response
Accepted. The University’s highly distributed operating environment involves several thousand system users, in hundreds of departments across three campuses. These users are engaged in a variety of business and administrative functions necessary to perform the mission of the University. In connection with the implementation of the integrated information systems (Banner Systems) several years ago, certain system level controls and other processes were put in place to restrict accounts/funds accessible for users to post journal entries and also limit the ability of users to perform many other types of transactions. The University believes that many of these controls have been effective, but does agree that improvement to the user access control environment is needed and will be beneficial.
Since mid fiscal-year 2009, the University has been actively developing new policies and procedures to improve the controls over user access to information systems. Included in these improvements are new policies and procedures addressing controls over the set-up/maintenance of appropriate user access profiles and processes to be followed by unit security contacts (USCs). The improved USC controls include formally documented periodic reviews of user access, as well as training and other enhancements. The University’s target date for implementation is June 30, 2010. Staff has been increased and realigned in this area in preparation for implementation. The University plans to develop further user access controls enhancements, and implement the new policies and procedures noted above, to address the recommendations in this finding.