REPORT DIGEST

NORTHEASTERN ILLINOIS UNIVERSITY
FINANCIAL AUDIT FOR THE YEAR ENDED JUNE 30, 2023

Release Date: March 28, 2024

FINDINGS THIS AUDIT: 6

CATEGORY: NEW -- REPEAT -- TOTAL
Category 1: 1 -- 2 -- 3
Category 2: 1 -- 2 -- 3
Category 3: 0 -- 0 -- 0
TOTAL: 2 -- 4 -- 6

FINDINGS LAST AUDIT: 4

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703, (217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

INTRODUCTION

This digest covers the Northeastern Illinois University’s (University) Financial Audit as of and for the year ended June 30, 2023. The University’s Compliance Examination and Single Audit will be issued in separate reports.

SYNOPSIS

• (23-01) The University did not have adequate internal control over reporting its census data and did not have a reconciliation process to provide assurance census data submitted to its pension and other postemployment benefits plans was complete and accurate.
• (23-02) The University did not timely complete and did not have adequate review of its year-end reconciliations.
• (23-04) The University did not document independent internal control reviews over service providers.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

INADEQUATE INTERNAL CONTROLS OVER CENSUS DATA

The University did not have adequate internal control over reporting its census data and did not have a reconciliation process to provide assurance census data submitted to its pension and other postemployment benefits (OPEB) plans was complete and accurate.

Census data is demographic data (date of birth, gender, years of service, etc.) of the active, inactive, or retired members of a pension or OPEB plan. The accumulation of inactive or retired members’ census data occurs before the current accumulation period of census data used in the plan’s actuarial valuation (which eventually flows into each employer’s financial statements), meaning the plan is solely responsible for establishing internal controls over these records and transmitting this data to the plan’s actuary. In contrast, responsibility for active members’ census data during the current accumulation period is split among the plan and each member’s current employer(s). Initially, employers must accurately transmit census data elements of their employees to the plan. Then, the plan must record and retain these records for active employees and then transmit this census data to the plan’s actuary.

We noted the University’s employees are members of both the State Universities Retirement System (SURS) for their pensions and the State Employees Group Insurance Program sponsored by the State of Illinois, Department of Central Management Services (CMS) for their OPEB. In addition, we noted these plans have characteristics of different types of pension and OPEB plans, including single employer plans and cost-sharing multiple-employer plans. Additionally, CMS’ actuary uses census data for employees of the State’s public universities provided by SURS, along with census data for the other participating members provided by the State’s four other pension plans, to prepare their projection of the liabilities of CMS’ plan.

Finally, SURS’ actuary and CMS’ actuary used census data transmitted by the University during Fiscal Year 2021 to project pension and OPEB-related balances and activity at the plans during Fiscal Year 2022, which is incorporated into the University’s Fiscal Year 2023 financial statements.

During testing we noted the following:

• The University had not performed an initial complete reconciliation of its census data recorded by SURS to its internal records to establish a base year of complete and accurate census data.
• After establishing a base year, the University had not developed a process to annually obtain from SURS the incremental changes recorded by SURS in their census data records and reconcile these changes back to the University’s internal supporting records.
• During our cut-off testing of data transmitted by the University to SURS, we noted 1 instance of an active employee becoming inactive and 1 instance of an inactive employee becoming active were reported to SURS after the close of the fiscal year in which the event occurred. There was also 1 instance previously reported that impacted the June 30, 2021 census data.

(Finding 1, Pages 88-90)

We recommended the University continue to work with SURS to complete the base year reconciliation of Fiscal Year 2021 active members’ census data from its underlying records to a report of census data submitted to SURS’ actuary and CMS’ actuary and, after completing an initial full reconciliation, the University may limit the annual reconciliations to focus on the incremental changes to the census data file from the prior actuarial valuation, provided no risks are identified that incomplete or inaccurate reporting of census data may have occurred during prior periods. We also recommended any errors identified during this process should be promptly corrected by either the University or SURS, with the impact of these errors communicated to both SURS’ actuary and CMS’ actuary.
We further recommended the University ensure all events occurring within a census data accumulation year are timely reported to SURS so these events can be incorporated into the census data provided to SURS’ actuary and CMS’ actuary.

University officials agreed with the finding.

LACK OF CONTROLS OVER YEAR-END REVIEWS AND RECONCILIATIONS

The University did not timely complete and did not have adequate review of its year-end reconciliations.

During testing we noted the following:

• We noted a Fiscal Year payment for 4 invoices totaling $310,443 which should have been accrued for in Fiscal Year 2023, an invoice totaling $100,950 which should have been accrued for in Fiscal Year 2023, and a vendor with 3 invoices totaling $15,000 which should have been accrued for in Fiscal Year 2024 but were accrued for in Fiscal Year 2023.
• When the University went live on April 16, 2023 with its new Payroll and Human Resources system, there were conversion issues with how the activity was calculated and recorded in the University’s general ledger. Several corrections had to be made to both employee pay and amounts posted into the University’s general ledger. Due to the inability to get accurate data from the new system, the University recorded estimates for deferred faculty pay and accrued sick and vacation as of June 30, 2023, based on historical trend information and recorded an additional liability of $483,130. The University also recorded an entry in late October for retroactive pay of $1,245,337 that was paid in July 2023 for Fiscal Year 2023.
• The University did not reconcile federal and state grant receivables and revenue until October 2023. The University recorded a receivable of $1,502,692, federal grant revenues of $2,029,994, and a net reduction of state grant and other grant revenues by $527,757.
• The University did not complete a final analysis and recording of subscription-based information technology arrangements (SBITAs) until November 2023. The amounts recorded increased assets by $3,326,049, liabilities (current and noncurrent) by $3,009,333, as well as impacted several expense accounts including rent expense and amortization.

(Finding 2, Pages 91-92)

We recommended the University strengthen its internal controls by performing timely and accurate reconciliations throughout the year, as well as at year end. In addition, we recommended the University closely monitor allocation of resources based on priorities to ensure there are sustained internal controls on a consistent basis.

University officials agreed with the finding.

LACK OF CONTROLS OVER REVIEW OF INTERNAL CONTROLS OVER SERVICE PROVIDERS

The University did not document independent internal control reviews over service providers.

The University entered into agreements with various service providers to assist with significant processes such as (1) receipts processing for online credit card payments, (2) disbursement processing of purchasing card, (3) handling of Perkins student loans, (4) tracking of property and equipment, and (5) hosting its Enterprise Application System.

We requested the University to provide a population of service providers. In response to this request, the University provided a listing of service providers. However, our testing noted the listing contained all vendors of the University Technology Services. In addition, we identified service providers from testing that were not on the list. Due to this deficiency, we were unable to conclude the University’s records were sufficiently precise and detailed under the Professional Standards promulgated by the American Institute of Certified Public Accountants (AU-C § 330, AU-C § 530, and AT-C § 205.36) to test the University’s controls over service providers.

Even given the population limitation, we selected five service providers from the listing provided by the University.
During our testing, we noted the University had not:

• Established a documented and comprehensive policy or procedures to guide vendor due diligence when onboarding a third-party service provider.
• Established documented policies and procedures to monitor performance and contractual compliance of service providers.
• Mapped the Comprehensive User Entity Controls (CUECs) noted in service providers’ to existing internal controls at the University.

(Finding 4, Pages 95-96)

We recommended the University strengthen its controls in identifying and documenting all service providers. Further, we recommended the University:

• Continue to obtain and document its review of SOC reports (including subservice organizations) or conduct independent internal control reviews at least annually.
• Establish a regular review process to monitor specified performance measures, problems encountered, and compliance with contractual terms with the service providers.
• Monitor and document the operation of the CUECs relevant to the University’s operations.

University officials agreed with the finding.

OTHER FINDINGS

The remaining findings pertain to noncompliance with the Fiscal Control and Internal Audit Act, computer security weaknesses, and lack of adequate change management controls. We will review the University’s progress towards the implementation of our recommendations in our next financial audit.

AUDITOR’S OPINION

The auditors stated the financial statements of the University as of and for the year ended June 30, 2023 are fairly stated in all material respects.

This financial audit was conducted by Plante & Moran, PLLC.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:JGR