REPORT DIGEST

WESTERN ILLINOIS UNIVERSITY
COMPLIANCE EXAMINATION FOR THE YEAR ENDED JUNE 30, 2022

Release Date: July 13, 2023

FINDINGS THIS AUDIT: 7

CATEGORY: NEW -- REPEAT -- TOTAL
Category 1: 1 -- 1 -- 2
Category 2: 1 -- 4 -- 5
Category 3: 0 -- 0 -- 0
TOTAL: 2 -- 5 -- 7

FINDINGS LAST AUDIT: 9

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703, (217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

INTRODUCTION

This digest covers Western Illinois University’s (University) State compliance examination for the year ended June 30, 2022. A separate Financial Audit as of and for the year ended June 30, 2022 was previously released on March 30, 2023. A separate Single Audit for the year ended June 30, 2022 was previously released on March 30, 2023. In total, this report contains seven findings, two of which were reported in the Financial Audit and Single Audit collectively.

SYNOPSIS

• (22-05) The University had weaknesses regarding the review of independent internal control reviews over its service providers.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

LACK OF ADEQUATE CONTROLS OVER THE REVIEW OF INTERNAL CONTROLS OVER SERVICE PROVIDERS

Western Illinois University (University) had weaknesses regarding the review of independent internal control reviews over its service providers.

We requested the University provide a listing of its service providers utilized, System and Organization Control (SOC) Reports reviewed, and a review of Complementary User Entity Controls (CUECs) as documented. However, the University was not able to provide a complete listing of service providers.

Due to these conditions, we were unable to conclude the University’s population records were sufficiently precise and detailed under the Professional Standards promulgated by the American Institute of Certified Public Accountants (AT-C §205.36).

Even given the population limitations noted above, we performed testing of the service providers identified by the University to have a SOC report.

The University utilized various service providers to provide:
• Credit card processing,
• Online classes,
• Emergency alert system,
• Email,
• Office Suite, and
• Work order system.

Our testing of the controls over seven service providers noted the University had not:
• Obtained SOC reports for four (57%) service providers.
• Reviewed the three SOC reports received to determine the impact of noted deviations or opinion modifications.
• Analyzed the CUECs documented in the SOC reports received.
• Analyzed the subservice organizations or performed alternative procedures to determine the impact on its internal control environment documented in SOC reports received.
(Finding 5, pages 17-18) This finding has been reported since 2018.

We recommended the University strengthen its controls to ensure all service providers are identified. In addition, we recommended the University:
• Obtain and document the review of SOC reports and the impact of modified opinions and noted deviations.
• Monitor and document the operation of the CUECs relevant to the University’s operations.
• Either obtain and review SOC reports for subservice organizations or perform alternative procedures to satisfy itself that the existence of the subservice organization would not impact its internal control environment.

The University agreed with the finding and stated it understands the importance of strengthening controls over service providers, and will continue to review policies and procedures related to SOC reports.

OTHER FINDINGS

The remaining findings pertain to census data, student enrollment reporting, noncompliance with the University Guidelines, cybersecurity weaknesses and payment card industry data security standards. We will review the University’s progress towards the implementation of our recommendations in our next State compliance examination.

AUDITOR’S OPINIONS

The financial audit report was issued separately. The auditors stated the financial statements of the University as of and for the year ended June 30, 2022, are fairly stated in all material respects.

The single audit report was issued separately. The auditors conducted a Single Audit of the University as required by the Uniform Guidance. The auditors stated the University complied, in all material respects, with the types of compliance requirements that could have a direct and material effect on the University’s major federal programs for the year ended June 30, 2022.

ACCOUNTANT’S OPINION

The accountants conducted a State compliance examination of the University for the year ended June 30, 2022, as required by the Illinois State Auditing Act. The accountants qualified their report on State compliance for findings 2022-001 and 2022-002. Except for the noncompliance described in these findings the accountants stated the University complied, in all material respects, with the requirements described in the report.

This State compliance examination was conducted by Plante Moran.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:sjs