REPORT DIGEST

GOVERNORS STATE UNIVERSITY

COMPLIANCE EXAMINATION FOR THE YEAR ENDED JUNE 30, 2025

Release Date: May 28, 2026

FINDINGS THIS AUDIT: 12
CATEGORY: NEW -- REPEAT -- TOTAL
Category 1: 0 -- 0 -- 0
Category 2: 1 -- 11 -- 12
TOTAL: 1 -- 11 -- 12
FINDINGS LAST AUDIT: 17

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, 400 West Monroe, Suite 306, Springfield, IL 62704-9849, (217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

INTRODUCTION

This digest covers the Governors State University (University) Compliance Examination for the year ended June 30, 2025. Separate digests covering the University’s Financial Audit and Single Audit as of and for the year ended June 30, 2025 were previously released. In total, this report contains 12 findings, 4 of which were reported in the Single Audit report.

SYNOPSIS

• (25-05) The University did not have adequate internal control over reporting its census data.
• (25-06) The University had a deficiency within its internal audit activities during Fiscal Year 2025.
• (25-10) The University did not have adequate controls around its service providers.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

INADEQUATE INTERNAL CONTROLS OVER CENSUS DATA

The University did not have adequate internal control over reporting its census data to provide assurance census data submitted to the State Universities Retirement System (System) and State Employees’ Group Insurance Program (Plan) was complete and accurate.

During our cut-off testing of data transmitted by the University to the System, we identified the following events that were reported to the System after the close of the fiscal year in which the event occurred, resulting in improper exclusion or inaccurate member status (active or inactive) as of fiscal year-end.
• Four new employee hires
• Thirty-three employee terminations.

(Finding 5, Pages 19-22) This finding has been reported since 2020.

We recommended the University strengthen controls to ensure all events occurring within the census data accumulation year are reported timely to the System so these events can be incorporated into the census data utilized in the annual actuarial valuation process. Further, we recommended the University strengthen controls to ensure all eligible employees are reported to the System and State, along with any required employee and employer contributions.

University officials agreed with the finding and accepted the recommendation.

INTERNAL AUDIT DEFICIENCY

The University had a deficiency within its internal audit activities during Fiscal Year 2025.

During our testing, we noted the University’s internal audit function failed to conduct a new external assessment during the examination period as required by the International Standards for the Professional Practice of Internal Auditing. The last external assessment was conducted in July 2018. (Finding 6, Page 23)

We recommended the University establish controls to ensure required external quality assessments are conducted within prescribed timeframes.

University officials agreed with the finding and accepted the recommendation.

INADEQUATE CONTROLS AROUND SERVICE PROVIDERS

The University did not have adequate controls around its service providers.

In Fiscal Year 2025, the University identified 106 service providers. The University maintains numerous cloud-based solutions with various service providers. These service providers maintain the hardware, software and the data for various applications regarding many sectors, such as campus news and events, student orientation, employment, photographs, student organizations, visitor tracking, course evaluations, and emergency notifications.
During testing of 26 service providers, we noted the University had not:

• Developed formal, documented policies and procedures to ensure performance measures are monitored to comply with contractual terms for all (100%) of the service providers tested.
• Timely reviewed the SOC reports or equivalent, for 4 (15%) service providers, with reviews conducted between 161 and 245 days after the report dates.
• Assessed and documented the operation of Complementary User Entity Controls (CUECs) relevant to the University’s operations for 4 (15%) service providers.
• Provided the actual Fiscal Year 2025 SOC reports for 9 (35%) service providers. As a result, we were unable to test whether the SOC report reviews performed by the University were adequate.

The University is responsible for the design, implementation, and maintenance of internal controls related to information systems and operations to ensure resources and data are adequately protected from unauthorized or accidental disclosure, modifications, or destruction. This responsibility is not limited due to the process being outsourced. (Finding 10, Pages 31-33) This finding has been reported since 2021.

We recommended the University:

• Establish policies and procedures to ensure performance measures are monitored to comply with contractual terms and service level agreements.
• Perform timely review of SOC reports or equivalent of all service providers.
• Monitor and document the operation of CUECs noted in the SOC reports that are relevant to the University’s operations.
• Obtain the latest SOC reports of all service providers.

University officials agreed with the finding and accepted the recommendation.

OTHER FINDINGS

The remaining findings are reportedly being given attention by the University. We will review the University’s progress towards the implementation of our recommendations in our next State compliance examination.

AUDITOR’S OPINIONS

The auditors stated the financial statements of the University as of and for the year ended June 30, 2025 are fairly stated in all material respects.

The auditors also conducted a Single Audit of the University as required by the Uniform Guidance. The auditors stated the University complied, in all material respects, with the types of compliance requirements that could have a direct and material effect on the University’s major federal programs for the year ended June 30, 2025.

ACCOUNTANT’S OPINION

The accountants conducted a State compliance examination of the University for the year ended June 30, 2025, as required by the Illinois State Auditing Act. The accountants stated the University complied, in all material respects, with the requirements described in the report.

This State compliance examination was conducted by Adelfia, LLC.

COURTNEY DZIERWA
Deputy Auditor General

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

CHRISTOPHER B. MEISTER
Auditor General

CBM:JGR