REPORT DIGEST ILLINOIS STATE UNIVERSITY FINANCIAL AUDIT FOR THE YEAR ENDED JUNE 30, 2023 Release Date: February 22, 2024 FINDINGS THIS AUDIT: 3 CATEGORY: NEW -- REPEAT -- TOTAL Category 1: 2 -- 1 -- 3 Category 2: 0 -- 0 -- 0 Category 3: 0 -- 0 -- 0 TOTAL: 2 – 1 -- 3 FINDINGS LAST AUDIT: 3 Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance). Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations. Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations. State of Illinois, Office of the Auditor General FRANK J. MAUTINO, AUDITOR GENERAL To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703 (217) 782-6046 or TTY (888) 261-2887 This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov INTRODUCTION This digest covers the financial audit of Illinois State University (University) as of and for the year ended June 30, 2023. The University’s Single Audit and State compliance examination reports will be separately issued at a later date. SYNOPSIS • (23-01) The University had multiple computer security weaknesses. FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS INFORMATION SECURITY WEAKNESSES The Illinois State University (University) had multiple computer security weaknesses. During testing of University information technology controls, we noted the University: • Had not developed access provisioning policies documenting the internal controls for all environments and applications. • Had not developed a policy documenting requirements for an annual review of users’ access. • Had not conducted a review of users’ access. • Had not developed a policy documenting the review of security violation reports to ensure remediation is timely conducted. (Finding 1, pages 5-6) This finding has been reported since 2018. We recommended the University implement adequate security, including: • Approving the updated policies and procedures to (1) reflect the University’s current environment and (2) address future changes in processed and new systems; and • Documenting, during formal user access reviews, the appropriateness of each user’s access to the University’s applications for all departments’. Additionally, we recommended the University strengthen its controls to maintain a complete and accurate population of servers, update their servers with the vendors’ latest versions of antivirus and operating systems, conduct security assessments over its environment and ensure al security operations are properly configured. University officials concurred with our finding. OTHER FINDING The remaining findings pertain to inadequate internal controls over its service providers and inadequate controls over changes to its environment, applications and data. We will review the University’s progress towards the implementation of our recommendations in our next financial audit. AUDITOR’S OPINION The auditors stated the financial statements of the University as of and for the years ended June 30, 2023, are fairly stated in all material respects. This financial audit was conducted by FORVIS LLP. JANE CLARK Division Director This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act. FRANK J. MAUTINO Auditor General FJM:TLK