REPORT DIGEST

NORTHEASTERN ILLINOIS UNIVERSITY
FINANCIAL AUDIT
FOR THE YEAR ENDED JUNE 30, 2025

Release Date: March 26, 2026

FINDINGS THIS AUDIT: 5

CATEGORY      NEW   REPEAT   TOTAL
Category 1:   0     1        1
Category 2:   1     3        4
Category 3:   0     0        0
TOTAL:        1     4        5

FINDINGS LAST AUDIT: 5

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, 400 West Monroe, Suite 306, Springfield, IL 62704-9849, (217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

INTRODUCTION

This digest covers the Northeastern Illinois University’s (University) Financial Audit as of and for the year ended June 30, 2025. The University’s State Compliance Examination and Single Audit will be issued in separate reports.

SYNOPSIS

• (25-01) The University did not have adequate internal control over reporting its census data process to provide assurance census data submitted to its pension and other postemployment benefits plans was complete and accurate.
• (25-02) The University lacked adequate controls over review of internal controls over service providers.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

INADEQUATE INTERNAL CONTROLS OVER CENSUS DATA

The University did not have adequate internal control over reporting its census data to provide assurance that the census data submitted to the State Universities Retirement System (System) and State Employees’ Group Insurance Program (Plan) was complete and accurate.

Census data is demographic data (date of birth, gender, years of service, etc.) of the active, inactive, or retired members of a pension or other postemployment benefit (OPEB) plan.
The accumulation of inactive or retired members’ census data occurs before the current accumulation period of census data used in the plan’s actuarial valuation (which eventually flows into each employer’s financial statements), meaning the plan is solely responsible for establishing internal controls over these records and transmitting this data to the plan’s actuary. In contrast, responsibility for active members’ census data during the current accumulation period is split among the plan and each member’s current employer(s). Initially, employers must accurately transmit census data elements of their employees to the plan. Then, the plan must record and retain these records for active employees and then transmit this census data to the plan’s actuary.

We noted the University’s employees are members of both the pension plan administered by the System and the Plan sponsored by the State of Illinois, Department of Central Management Services (CMS) for their OPEB. In addition, we noted these plans have characteristics of different types of pension and OPEB plans, including single employer plans and cost-sharing multiple employer plans. Additionally, CMS’ actuary uses census data for employees of the State’s public universities provided by the System, along with census data for other participating members provided by the State’s four other pension systems, to prepare their projection of the liabilities of the Plan. Finally, the System’s actuary and CMS’ actuary used census data transmitted by the University during fiscal year 2023 to project pension and OPEB related balances and activity at the plans during fiscal year 2024, which is incorporated into the University’s fiscal year 2025 financial statements.

During the performance of the census examination, the auditors noted the following:

• The University had not performed an initial complete reconciliation of its census data recorded by the System to its internal records to establish a base year of complete and accurate census data.
• After establishing a base year, the University had not developed a process to annually obtain from the System the incremental changes recorded by the System in their census data records and reconcile these changes back to the University’s internal supporting records.
• During completeness testing of University faculty data, the auditors identified twelve instructors that were not reported as eligible to participate in the System and the Plan by the University.
• During our cut-off testing of data transmitted by the University to the System, the auditors identified the following events that were reported to the System after the close of the fiscal year in which the event occurred, resulting in improper exclusion or inaccurate member status (active or inactive) as of fiscal year-end.
  -- Two new employee hires.
  -- Forty-six employee terminations.

The result of the errors above led to contributions due to the plan being understated and inaccurate census data being utilized by the System and the State in the performance of the annual pension and OPEB actuarial valuation processes. The independent actuaries utilized by the System and the State of Illinois for the pension and OPEB plans deemed the errors immaterial to the plan level valuations as a whole. (Finding 1, Pages 92-94) This finding has been reported since 2020.

We recommended the University continue to work with the System to complete the base year reconciliation of complete and accurate census data. Once completed, establish the process of annually obtaining from the System the incremental changes recorded in the census data records and reconcile these changes back to the University’s internal supporting records.
If differences are noted between the University’s data and the System’s data, these differences should be communicated timely and rectified to ensure the actuarial valuations are using accurate data. We also recommended the University strengthen controls to ensure all eligible employees are reported to the System and State, along with any required employee and employer contributions. We further recommended the University strengthen controls to ensure all events occurring within the census data accumulation year are reported timely to the System so these events can be incorporated into the census data utilized in the annual actuarial valuation process.

University officials agreed with the finding.

LACK OF ADEQUATE CONTROL OVER THE REVIEW OF INTERNAL CONTROLS FOR SERVICE PROVIDERS

The University lacked adequate controls over review of internal controls over service providers.

The University entered into agreements with various service providers to assist with significant processes such as (1) implementing University-wide defined criteria to identify the third-party service providers that require a System and Organization Controls (SOC) report or equivalent review, including the frequency of reviews performed, and (2) enhancing the SOC report review procedures to perform mappings of Complementary User Entity Controls (CUEC) to specific University internal controls.

We noted the University has not established documented policies and procedures to monitor performance and contractual compliance of service providers. In addition, the University has not established a documented and comprehensive policy or procedures to guide vendors’ due diligence when onboarding third-party service providers and defining a service provider versus a vendor.

We selected a sample of five service providers where a SOC report was required for Fiscal Year 2025 and noted the following:

• A documented risk assessment to ensure the contracted controls are in place for service providers was not provided for five (100%) service providers.
• For one (20%) service provider, a contract was provided, but it did not outline the security, integrity, availability, confidentiality, or privacy controls over the University’s applications and data.
• For five (100%) service providers, a contract was provided, but documentation of monitoring over the performance measures and problems to ensure compliance with contractual terms was not provided.
• For five (100%) service providers, CUEC mapping was provided, but the mapping did not cover the current audit period.
• For one (20%) service provider, a SOC report and bridge letter were not provided.
• For three (60%) service providers, SOC reports were provided, but the reports did not cover the current audit period, and the associated bridge letters were not provided.
• For one (20%) service provider, a SOC report and bridge letter were provided, but the report and letter did not cover the current audit period.

(Finding 2, Pages 95-97) This finding has been reported since 2019.

We recommended the University:

• Establish and enforce a formal University-wide onboarding requirement and processes for all service providers.
• Establish and enforce contractual requirements to ensure all service provider agreements define security, integrity, availability, confidentiality, and privacy controls for the University’s applications and data.
• Establish and enforce a formal risk assessment process to ensure contracted controls are in place for service providers.
• Establish and enforce a formal University-wide requirement to perform CUEC mapping.
• Establish and enforce a formal University-wide requirement in obtaining and reviewing SOC reports and bridge letters from service providers.

University officials agreed with the finding.

OTHER FINDINGS

The remaining findings pertain to computer security weaknesses, lack of adequate change management controls, and a federal filing deficiency. We will review the University’s progress towards the implementation of our recommendations in our next financial audit.

AUDITOR’S OPINIONS

The auditors stated the financial statements of the University as of and for the year ended June 30, 2025 are fairly stated in all material respects.

This financial audit was conducted by Plante & Moran, PLLC.

COURTNEY DZIERWA
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:JGR