REPORT DIGEST WESTERN ILLINOIS UNIVERSITY SINGLE AUDIT AND COMPLIANCE EXAMINATION FOR THE YEAR ENDED JUNE 30, 2018 Release Date: March 19, 2019 FINDINGS THIS AUDIT: 6 CATEGORY: NEW -- REPEAT -- TOTAL Category 1: 0 -- 0 -- 0 Category 2: 2 -- 4 -- 6 Category 3: 0 -- 0 -- 0 TOTAL: 2 -- 4 -- 6 FINDINGS LAST AUDIT: 6 Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance). Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations. Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations. State of Illinois, Office of the Auditor General FRANK J. MAUTINO, AUDITOR GENERAL To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703 (217) 782-6046 or TTY (888) 261-2887 This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov INTRODUCTION The digest covers our federal Single Audit and Compliance Examination of Western Illinois University (University) for the year ended June 30, 2018. A separate Financial Audit as of and for the year ending June 30, 2018 was previously released on January 23, 2019. In total this report contains six findings, none of which were reported in the Financial Audit. SYNOPSIS • (18-3) The University did not adequately comply with the University Guidelines on remittance of excess funds. • (18-5) The University was unable to locate 46 computers during their annual inventory and does not always protect their computers and removable media with encryption methods. FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS NONCOMPLIANCE WITH THE UNIVERSITY GUIDELINES ON EXCESS FUNDS The University did not adequately comply with the University Guidelines on remittance of excess funds. During our testing of the University’s compliance with the University Guidelines, we noted the University complied with the requirement to calculate excess funds on indirect cost, auxiliary enterprises and accounting entities but failed to remit amounts due to the Income Fund for the following funds: Indirect Cost: $ 1,267,814 Public Service: 385,536 Instructional Resources: 397,156 University Publication: 1,433 Total: $ 2,051,939 (Finding 3, page 21) This finding has been repeated since 2016. We recommended the University continue to monitor the activities of each accounting entity and ensure compliance with all the requirements of the University Guidelines. The University agreed with the finding. (For the previous University response, see Digest Footnote #1.) WEAKNESS IN COMPUTER INVENTORY CONTROLS The University was unable to locate 46 computers during their annual inventory and does not always protect their computers and removable media with encryption methods. Additionally, we found although the University places responsibility to protect their computers and removable media to individual departments, the departments are not required to notify University Technology (uTech) of lost or stolen equipment. These items were noted as lost or stolen by University staff during their annual inventory conducted on its campuses during Fiscal Year 2018. The original cost of these items totaled $40,775. Although the University performs periodic scanning to identify social security numbers on University equipment, the University could not determine if the missing computers contained confidential information at the time they were reported missing. (Finding 5, pages 23-24) This finding has been repeated since 2016. We recommend the University review current practices to determine if enhancements can be implemented to prevent theft or loss of computers. We also recommended the University evaluate data maintained on computers and those containing confidential information are adequately protected with methods such as encryption. The University agreed with the finding. (For the previous University response, see Digest Footnote #2.) OTHER FINDINGS The remaining findings pertain to federal compliance, noncompliance with the Open Meetings Act, subsidies between accounting entities, and controls over external service providers. We will review the University’s progress towards the implementation of our recommendations in our next Single Audit and compliance examination. AUDITOR’S OPINIONS The financial audit report was previously released. The auditors stated the financial statements of the University as of and for the year ended June 30, 2018, are fairly stated in all material respects. The auditors also conducted a Single Audit of the University as required by the Uniform Guidance. The auditors stated the University complied, in all material respects, with the types of compliance requirements that could have a direct and material effect on the University’s major federal programs for the year ended June 30, 2018. ACCOUNTANT’S OPINION The accountants conducted a compliance examination of the University for the year ended June 30, 2018, as required by the Illinois State Auditing Act. The accountants stated the University complied, in all material respects, with the requirements described in the report. This Single Audit and compliance examination were conducted by Adelfia LLC. JANE CLARK Division Director This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act. FRANK J. MAUTINO Auditor General FJM:sjs DIGEST FOOTNOTES #1 – Noncompliance with the University Guidelines on Excess Funds 2017 – The University agrees with the finding. The University will continue to monitor the activities of each accounting entity and make a decision on remitting excess funds based on the University’s current resources affected by the State budget impasse. #2 – Weakness in Computer Inventory Controls 2017 – The University agrees with the finding. The University has started collecting media access control (MAC) addresses of devices to help with locating the item if it is not on the University’s network. In addition, the University also began collecting contact information for computer related items to help determine equipment locations by having their specific person associated with a device. Along with efforts of scanning for sensitive information on devices, the University is reviewing options to encrypt laptops and other mobile devices.