REPORT DIGEST

ILLINOIS STATE UNIVERSITY

FINANCIAL AUDIT
FOR THE YEAR ENDED JUNE 30, 2024

Release Date: December 12, 2024

FINDINGS THIS AUDIT: 3

CATEGORY       NEW    REPEAT    TOTAL
Category 1:     0       3         3
Category 2:     0       0         0
Category 3:     0       0         0
TOTAL:          0       3         3

FINDINGS LAST AUDIT: 3

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact:
Office of the Auditor General, 400 West Monroe, Suite 306, Springfield, IL 62704-9849
(217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

INTRODUCTION

This digest covers the financial audit of Illinois State University (University) as of and for the year ended June 30, 2024. The University’s Single Audit and State compliance examination reports will be separately issued at a later date.

SYNOPSIS

• (24-01) The University had multiple computer security weaknesses.
• (24-02) The University did not implement adequate internal controls over its service providers.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

INFORMATION SECURITY WEAKNESSES

The Illinois State University (University) had multiple computer security weaknesses.

During testing of University information technology controls, we noted the University:

• Had not fully developed access provisioning policies documenting the internal controls for all environments and applications.
• Had not fully developed a policy documenting requirements for an annual review of users’ access.
• Had not fully developed a policy documenting the review of security violation reports to ensure remediation is timely conducted.

In order to determine if proper security controls had been implemented across the University’s environment, we requested a population of servers. Although the University provided a population, documentation demonstrating its completeness and accuracy was not provided.
Even given the population limitations, we tested the population of servers, noting the University could not provide documentation demonstrating the antivirus and operating systems were running the vendors’ latest versions. In addition, our testing noted the University had not ensured all security operations were properly configured. (Finding 1, pages 5-6) This finding has been reported since 2018.

We recommended the University implement adequate security, including approving the updated policies and procedures to (1) reflect the University’s current environment and (2) address future changes in processes and new systems. Additionally, we recommended the University strengthen its controls to maintain a complete and accurate population of servers, update their servers with the vendors’ latest versions of antivirus and operating systems, and ensure all security operations are properly configured.

University officials concurred with our finding and stated they are now prioritizing the formalization of policies that reflect established process and procedure.

LACK OF ADEQUATE CONTROLS OVER THE REVIEW OF INTERNAL CONTROLS OVER SERVICE PROVIDERS

The Illinois State University (University) did not implement adequate internal controls over its service providers.

We requested the University provide a population of their service providers utilized in order to determine if the University had reviewed the internal controls of its service providers. However, the University was not able to provide such a population.

Additionally, we noted the University had not fully developed policies and procedures to ensure their due diligence and monitoring of their service providers. Furthermore, the University did not obtain System and Organization Control (SOC) reports to ensure the internal controls at the service providers had been implemented and were operating effectively.
Finally, the University had not conducted a review of the Complementary User Entity Controls (CUEC) and the University’s related controls. (Finding 2, pages 7-8)

We recommended the University implement controls to maintain a list of all of their service providers and determine and document if a review of the service providers’ internal controls were performed, if required. Additionally, we recommended the University:

• Obtain SOC reports or perform independent reviews of internal controls for all service providers.
• Monitor and document the operation of the CUECs relevant to the University’s operations.
• Either obtain and review SOC reports for subservice organizations or perform alternative procedures to satisfy itself that the existence of the subservice organization would not impact its internal control environment.
• Document its review of the SOC reports and review all significant issues with subservice organizations to ascertain if a corrective action plan exists and when it will be implemented, any impacts to the University, and any compensating controls.

University officials concurred with our finding.

OTHER FINDING

The remaining finding pertains to weaknesses in change control. We will review the University’s progress towards the implementation of our recommendations in our next financial audit.

AUDITOR’S OPINION

The auditors stated the financial statements of the University as of and for the years ended June 30, 2024, are fairly stated in all material respects.

This financial audit was conducted by FORVIS MAZARS, LLP.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:TLK