REPORT DIGEST

ILLINOIS STATE UNIVERSITY
COMPLIANCE EXAMINATION FOR THE YEAR ENDED JUNE 30, 2024

Release Date: March 27, 2025

FINDINGS THIS AUDIT: 13

CATEGORY: NEW -- REPEAT -- TOTAL
Category 1: 0 -- 3 -- 3
Category 2: 3 -- 7 -- 10
Category 3: 0 -- 0 -- 0
TOTAL: 3 -- 10 -- 13

FINDINGS LAST AUDIT: 11

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, 400 West Monroe, Suite 306, Springfield, IL 62704-9849, (217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

INTRODUCTION

This digest covers the Compliance Examination of Illinois State University for the year ended June 30, 2024. A separate digest covering the University’s financial audit as of and for the year ended June 30, 2024 was previously released on December 12, 2024. In addition, a separate digest covering the University’s Single Audit for the year ended June 30, 2024, was previously released on February 25, 2025. In total, this report contains 13 findings, three of which were reported within the University’s financial audit and single audit.

SYNOPSIS

• (24-04) The University had not fully implemented adequate internal controls related to cybersecurity programs and practices and control of confidential information.
• (24-08) The University did not always ensure compliance with the University Faculty Research and Consulting Act and University policies regarding outside employment.
• (24-13) The University is not in compliance with the Credit Card Marketing Act.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

WEAKNESSES IN CYBERSECURITY PROGRAMS AND PRACTICES

The Illinois State University (University) had not fully implemented adequate internal controls related to cybersecurity programs and practices and control of confidential information.
The University utilizes various applications which contain a significant amount of critical and confidential data, such as names, addresses, Social Security numbers, banking information, etc.

The Illinois State Auditing Act (30 ILCS 5/3-2.4) requires the Auditor General to review State agencies and their cybersecurity programs and practices. During our examination of the University’s cybersecurity program, practices, and control of confidential information, we noted the University had not:

• Developed policies regarding configuration management, system development, training, onboarding, and backup verification and offsite storage.
• Formally reviewed the Policy on Appropriate Use of Information Technology Resources and Systems (Appropriate Use Policy) since 2011.
• Conducted security awareness training.
• Conducted a comprehensive risk assessment or implemented risk reducing controls within the examination period.
• Reviewed their Data Classification Policy since 2015.
• Classified their data in accordance with the data classification methodology.
• Documented the security solutions utilized to monitor the security of their assets.
• Developed a comprehensive cybersecurity plan.

It was also noted the University could not provide a population of vulnerabilities identified during the examination period. (Finding 4, Pages 14-16) This finding has been reported since 2019.

We recommended the University:

• Develop policies regarding configuration management, system development, training, onboarding, and backup verification and offsite storage.
• Conduct security awareness training.
• Conduct a comprehensive risk assessment and implement risk reducing controls.
• Review the Appropriate Use Policy and the Data Classification Policy at least annually.
• Classify their data in accordance with the data classification methodology.
• Document the security solutions utilized to monitor the security of their assets.
• Develop a comprehensive cybersecurity plan.
• Strengthen controls to identify the population of vulnerabilities.

University officials accepted the finding.

NONCOMPLIANCE WITH THE UNIVERSITY FACULTY RESEARCH AND CONSULTING ACT

The Illinois State University (University) did not always ensure compliance with the University Faculty Research and Consulting Act (Act) and University policies regarding outside employment.

During Fiscal Year 2024, faculty members reported 74 instances of outside employment to the University Provost. During testing, the auditors noted the following:

• 28 of 74 (38%) instances had the Request for Approval of Secondary/Outside Employment Form (Form PERS 927) submitted by the faculty member for approval by the University’s Provost between 1 and 119 days late.
• 38 of 74 (51%) instances had Form PERS 927 approved by the University’s Provost between 1 and 482 days late.
• 24 of 74 (32%) instances did not have the Annual Report of Secondary/Outside Employment (PERS 928) submitted by the faculty member.
• 2 of 74 (3%) instances had the Form 928 submitted by the faculty member to the University’s Provost approved between 10 and 27 days late.

(Finding 8, Pages 21-22) This finding has been reported since 2012.

We recommended the University’s Provost take appropriate corrective action and implement internal controls to ensure faculty members with outside research, consulting services, or employment receive written pre-approval to conduct the requested activity and annually disclose the time spent on these activities in accordance with State law and University policy.

University officials accepted the finding and stated they continue to inform faculty of the reporting obligation and will continue to evaluate processes to improve compliance.

NONCOMPLIANCE WITH THE CREDIT CARD MARKETING ACT

The University is not in compliance with the Credit Card Marketing Act.
The University does not have a policy prohibiting it and the University’s agents, employees, student groups, alumni organizations, or any affiliates from providing certain student information to a business organization or financial institution for purposes of marketing credit cards. (Finding 13, Page 28)

We recommended the University develop a policy that will cover the requirements listed in the Credit Card Marketing Act.

University officials accepted the finding and stated they will work towards creating a policy that specifically addresses the Credit Card Marketing Act.

OTHER FINDINGS

The remaining findings are reportedly being given attention by the University. We will review the University’s progress towards the implementation of our recommendations in our next State compliance examination.

AUDITOR’S OPINIONS

The financial audit report was previously released. The auditors stated the financial statements as of and for the year ended June 30, 2024 are fairly stated in all material respects.

The single audit report was previously released. The auditors conducted a single audit of the University as required by the Uniform Guidance. The auditors stated the University complied, in all material respects, with the types of compliance requirements that could have a direct and material effect on the University’s major federal programs for the year ended June 30, 2024.

ACCOUNTANT’S OPINION

The accountants conducted a State compliance examination of the University for the year ended June 30, 2024, as required by the Illinois State Auditing Act. The accountants qualified their report on State compliance for Findings 2024-001 through 2024-003. Except for the noncompliance described in these findings, the accountants stated the University complied, in all material respects, with the requirements described in the report.

This State compliance examination was conducted by FORVIS MAZARS.

COURTNEY DZIERWA
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:TLK