REPORT DIGEST NORTHERN ILLINOIS UNIVERSITY COMPLIANCE EXAMINATION FOR THE TWO YEARS ENDED JUNE 30, 2024 Release Date: May 6, 2025 FINDINGS THIS AUDIT: 15 CATEGORY: NEW -- REPEAT – TOTAL Category 1: 0 -- 0 -- 0 Category 2: 6 -- 9 -- 15 Category 3: 0 -- 0 -- 0 TOTAL: 6 -- 9 -- 15 FINDINGS LAST AUDIT: 17 State of Illinois, Office of the Auditor General FRANK J. MAUTINO, AUDITOR GENERAL To obtain a copy of the Report contact: Office of the Auditor General, 400 West Monroe, Suite 306, Springfield, IL 62704-9849 (217) 782-6046 or TTY (888) 261-2887 This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov INTRODUCTION This digest covers our Compliance Examination of Northern Illinois University (University) for the year ended June 30, 2024. A separate Financial Audit and a separate Single Audit as of and for the year ended June 30, 2024, were both previously released on March 13, 2025 and March 27, 2025, respectively. In total, this report contains 15 findings, 4 of which were reported in the Financial Audit and Single Audit. SYNOPSIS • (24-8) The University has not established adequate controls over its Commercial Card Program (P-Cards). • (24-15) The University did not terminate separated employees’ user accounts having access to the University’s information technology environment, applications, and data timely. FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS INADEQUATE CONTROLS OVER PROCUREMENT CARD USE Northern Illinois University (University) has not established adequate controls over its Commercial Card Program (P-Cards). The University operates a P-card system that allows individuals throughout the University to make small purchases (defined as less than $5,000) on a credit card, which is directly paid by the University on a monthly basis. The University’s policies require employees allowed a P-card to complete training on P-card procedures and sign an agreement stipulating they will use the card in accordance with the University’s policies. The agreement must also be approved by the employee’s manager prior to the P-card being issued. The University’s policies require all transactions on a card to be approved by the cardholder’s manager. Receipts and other related support for the transaction must be provided to the manager for review with the transaction and retained. There were 437 cardholders with transactions during the period of examination who incurred a total of $10,839,407. During our review of a sample of 60 P-card transactions, totaling $48,911, made by 60 employees, we noted the following: • Six transactions (10%), totaling $8,935, had no record of being approved, and there has been no proper segregation of duties over these transactions. • 27 transactions (45%), totaling $15,155, were not approved timely. The approvals ranged from one to 28 days late. • Four employees (7%) did not sign the commercial card agreement acknowledging that they will follow the P-card policies and procedures. • One employee (2%) did not complete the annual required refresher training on P-card procedures. (Finding 8, Pages 21-22) This finding has been reported since 2021. We recommended the University enhance its controls over the processing of commercial card program transactions to ensure employees comply with policies and procedures. University officials accepted the recommendation. INADEQUATE CONTROLS OVER TERMINATED EMPLOYEE USER ACCOUNTS Northern Illinois University (University) did not terminate separated employee’s user accounts having access to Financial Management System. During the examination, we noted users’ access was not timely removed for the following: • For 3 out of 6 sampled terminated users (50%) tested, the access was not removed timely (i.e. within 2 days as required per the policy). Access was removed between 1 and 182 days late. • Additionally, 4 other terminated users still appeared active and their access was not disabled after their termination date as per the active user listing dated August 14, 2024. Additionally, we noted the University had not developed a policy requiring reviews of individual access rights on at least an annual basis or requiring timely reviews and notification of employee separations to Human Resources (HR). (Finding 15, page 31) This finding has been reported since 2021. We recommended the University terminate separated users’ access on the last day of employment and conduct annual reviews of users’ access. University officials accepted the recommendation. OTHER FINDINGS The remaining findings are reportedly being given attention by the University. We will review the University’s progress towards the implementation of our recommendations in our next State Compliance Examination. AUDITOR’S OPINIONS The financial audit report was previously released. The auditors stated the financial statements of the University as of and for the year ended June 30, 2024 are fairly stated in all material respects. The single audit report was previously released. The auditors conducted a single audit of the University as required by the Uniform Guidance. The auditors stated the University complied, in all material respects, with the types of compliance requirements that could have a direct and material effect on the University’s major federal programs for the year ended June 30, 2024. ACCOUNTANT’S OPINION The accountants conducted a compliance examination of the University for the year ended June 30, 2024, as required by the Illinois State Auditing Act. The accountants stated the University complied, in all material respects, with the requirements described in the report. This State Compliance Examination was conducted by RSM US LLP. COURTNEY DZIERWA Division Director This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act. FRANK J. MAUTINO Auditor General FJM:TLK