UNIVERSITY OF ILLINOIS
For the Year Ended: June 30, 2011
Release Date: January 5, 2012
Summary of Findings:
Total this audit: 3
Total last audit: 3
Repeated from last audit: 3
State of Illinois, Office of the Auditor General
WILLIAM G. HOLLAND, AUDITOR GENERAL
To obtain a copy of the Report contact:
Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703
(217) 782-6046 or TTY (888) 261-2887
This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov
The University’s financial audit report consists of three sets of financial statements: the financial statements of the University, and the revenue bond financial statements of the Auxiliary Facilities System and the Health Services Facilities System.
This report contains only findings pertaining to the Financial Statement Audit.
The State Compliance Examination and Federal Single Audit Reports will be issued at a later date.
• The University has not established adequate internal controls over accurately identifying and recording year end accounts payable and accounts receivable transactions for financial reporting purposes.
• The University has not established adequate internal controls over access to the information systems used in its financial reporting process.
FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS
INADEQUATE YEAR END RECEIVABLE AND PAYABLE ACCRUALS PROCESS
The University has not established adequate internal controls over accurately identifying and recording period end accounts payable and accounts receivable transactions for financial reporting purposes.
During the current year audit we reviewed 124 revenue transactions recorded during the fiscal year totaling $14,545,678 and 27 cash receipt transactions subsequent to year end totaling $1,274,941. In relation to our testwork on expense transactions, we reviewed 205 expense transactions recorded during the fiscal year totaling $51,343,490 and 63 cash disbursements subsequent to year end totaling $39,192,830. Some of the transactions that were not recorded in the proper accounting period follow:
• Six educational activities revenue transactions for third party pharmacy billings totaling $370,897 which pertained to fiscal year 2010 were recognized as revenue in fiscal year 2011.
• Three educational activities revenue transactions for drug information services billings totaling $52,356 which pertained to fiscal year 2011 were recognized as revenue in fiscal year 2012.
• Two educational activities revenue transactions for accelerated corporate MBA cohort program totaling $955,642 which pertained to fiscal years 2009 and 2010 were recognized as revenue in fiscal year 2011.
• One employee benefits transaction totaling $92,718 which pertained to fiscal year 2010 was recognized as expense in 2011.
• Two supplies and services expense transactions totaling $44,020 which pertained to fiscal year 2010 were recognized as expense in fiscal year 2011. (Finding 1, Pages 5-6)
We recommended that the University review its current process to assess the completeness of its revenue and expense at year end and consider changes necessary to ensure all period end accounts payable and accounts receivable are accurately identified and recorded.
University officials accepted the recommendation and stated that they will take the necessary corrective action.
INADEQUATE CONTROLS OVER USER ACCESS TO INFORMATION SYSTEMS
The University has not established adequate internal controls over access to the information systems used in its financial reporting process.
The University operates an Enterprise Resource Planning (ERP) system to manage the activities of the University. The University functions in a highly distributed operating environment with several thousand users having varying types of system access. Access is granted to users of the University’s information system based on standardized user access profiles.
The standardized user profiles are intended to assist the University in limiting access to the information systems based upon the assigned job functions of the specific users to which the profiles are assigned. The University has implemented a process to review standardized user profiles, train unit security contacts and perform an annual access review for the ERP. However, the annual access reviews are not consistently and formally documented to provide evidence supporting the results of each user review. Further, the University has not performed a periodic access review of the human resources supporting information system.
In addition to the internal control deficiencies identified above, during our review of user access rights we identified several users with access rights that were inappropriate based upon their roles and job functions, presenting segregation of duties conflicts and the risk that erroneous or fraudulent transactions may be recorded in the general ledger.
Further, we noted periodic reviews of terminated employees with access to the information systems are not performed effectively. Beginning in August 2010, the University’s information technology department began implementing procedures to perform terminated employee access reviews on a daily basis. However, this procedure alone was not sufficient to provide timely removal of access of terminated employees. In addition, there are no procedures in place to monitor user access rights for employees who transfer positions and change job functions. (Finding 2, pages 7-9) This finding was first reported in 2008.
We recommended that the University implement procedures to formally document reviews of users’ access rights and maintain documentation of the results of those reviews to ensure that the access rights granted to each user are appropriate based on their job responsibilities and that the planned level of segregation of duties is achieved on a continuing basis.
University officials accepted the recommendation and stated that they have been working steadily to improve information system access controls over the past year and will take the necessary corrective action going forward to address the recommendations in the finding. (For the previous University response, see Digest footnote #1)
The remaining finding is reportedly being given attention by the University. We will review the University’s progress towards the implementation of our recommendations in our next engagement.
Our auditors state the June 30, 2011 financial statements are fairly presented in all material respects.
WILLIAM G. HOLLAND
SPECIAL ASSISTANT AUDITORS
KPMG were our special assistant auditors.
#1 – Inadequate Controls Over User Access to Information Systems – Previous University Response
Accepted. The University’s highly decentralized operating environment involves several thousand system users, in hundreds of departments across three campuses. These users are engaged in a variety of business and administrative functions necessary to perform the mission of the University. The University does have certain processes in place to limit the ability of users to perform many types of transactions. The University believes that many of these controls have been effective, but does agree that improvement to the user access control environment is needed and will be beneficial.
New policies and related procedures were developed, which became effective February 2010, to require documented annual reviews of standard user profiles and individual user access rights. The implementation of these new policies and procedures began in fiscal year 2010 and continues with full implementation expected to be performed in fiscal year 2011. The University will complete the necessary corrective action to address the recommendation in this finding.