REPORT DIGEST

SOUTHERN ILLINOIS UNIVERSITY

COMPLIANCE EXAMINATION
FOR THE YEAR ENDED June 30, 2024

Release Date:  September 30, 2025

FINDINGS THIS AUDIT: 14

CATEGORY:  NEW -- REPEAT – TOTAL
Category 1:  0 -- 1 -- 1
Category 2:  4 -- 9 -- 13
Category 3:  0 -- 0 -- 0
TOTAL:  4 -- 10 -- 14

FINDINGS LAST AUDIT: 17

State of Illinois, Office of the Auditor
General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact:
Office of the Auditor General, 400 West
Monroe, Suite 306, Springfield, IL
62704-9849
(217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also
available on the worldwide web at
www.auditor.illinois.gov

INTRODUCTION

This digest covers Southern Illinois
University’s (University) Compliance
Examination for the year ended June 30,
2024. Separate digests covering the
University’s Financial Audit and Single
Audit were previously released on March 4,
2025, and March 25, 2025. In total, this
report contains 14 findings, 1 of which was
reported in the Financial Audit and Single
Audit collectively.

SYNOPSIS

• (24-2) The University lacked adequate
controls over the review of its service
providers.
• (24-8) The University’s Carbondale campus
(SIUC) did not complete its annual census
data reconciliation and certifications
timely.
• (24-14) SIUC did not offer or explain
their decision not to offer developmental
education coursework as part of
developmental education reform in English,
nor did it report developmental education
models or detailed plans to improve outcomes
for students insufficiently prepared in
mathematics.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

LACK OF ADEQUATE CONTROLS OVER THE REVIEW OF
INTERNAL CONTROLS FOR SERVICE PROVIDERS

The University lacked adequate controls over
the review of its service providers.

The University utilized over 100 service
providers for various services. We noted
there is no formal University-wide
requirement, defined in policy or procedure,
to require an annual review of third-party
service provider internal controls.  As
there was no University-wide requirement to
obtain and review service organization
control (SOC) reports for third-party
service providers and no centralized
oversight of third-party service providers,
we were unable to conclude the University’s
records of third-party service providers
were complete, accurate, and reliable.

We selected a sample of 36 service providers
from the listings provided and noted:

• Eight samples lacked contracts that
documented controls, or roles and
responsibilities, related to security,
integrity, availability, confidentiality,
and privacy controls over the University’s
data.
• For 11 samples, contracts, SOC reports,
and/or bridge letters for service providers
were not provided for testing.
• Campuses did not map existing University
controls to complementary user entity
controls (CUECs) for 11 samples. (Finding 2,
pages 15-19) This finding has been reported
since 2018.

We recommended the University strengthen its
process and controls to identify and
document all service providers utilized and
determine and document if a review of
controls is required. Where appropriate, we
recommended the University:

• Obtain and retain SOC reports (or perform
independent reviews) and bridge letters, and
document the assessment of internal controls
associated with outsourced systems at least
annually.
• Monitor and adequately document the
operation of the CUECs related to the
University’s operations.
• Obtain and review contracts with service
providers to ensure applicable requirements
over the independent review of internal
controls are included.
• Implement a formal process to monitor and
track service-level agreements for service
providers to ensure all provisions are met
and meet contract requirements.

The University responded it partially agreed
and stated it continues to refine and
strengthen its processes.

The University also stated that SOC reports
and bridge letters were not provided because
access typically requires individuals to
agree to a non-disclosure agreement with the
service provider which often restrict their
ability to retain or share information
beyond its intended purpose. The University
also noted that storing such sensitive
documentation could expose the University to
liability if the reports are compromised,
stating that SOC reports are handled with
the permission of the vendor as their
property and can incur significant risk of
liability if users retained them. The
University also stated it will engage in
discussion with General Counsel and seek
necessary guidance for a process that
mitigates liability and aligns with
compliance and audit requirements.

The University also responded that in most
cases CUECs can be unmappable because they
are broad or vague.

The accountant’s comment noted that, as
reported in the finding, the University did
not require or perform annual reviews of
internal controls for all third-party
service providers. In addition, some SOC
reports obtained by the University were not
provided to the auditors.

SOC 1 reports are intended to be auditor to
auditor communications. SOC 2 reports are
intended for the information and use of the
service organization, the user entity, and
the user entities’ auditors in accordance
with attestation standards issued by the
AICPA. These reports are integral to support
the audit to obtain an understanding of the
controls and operating deficiencies for
third party service providers.

The Illinois State Auditing Act (30 ILCS
5/6-1) requires the disclosure of
confidential information to the auditors as
necessary for the audit and subjects such
information to the same legal
confidentiality and protective restrictions
with the auditors as with the official
authorized custodian.

Under the Attestation Standards promulgated
by the AICPA, CUECs identified in a SOC
report are controls which must be
implemented by user entities in order to
achieve the control objectives stated in
management’s description of the service
organizations’ system. All CUECs, despite
the extent mapped to key controls, should be
reviewed, evaluated, implemented, and
acknowledged by the user entity. If there
are CUECs identified, but the University
does not ensure those controls are
implemented, then the controls identified in
the SOC report will not work effectively.

CENSUS DATA RECONCILIATION

SIUC did not complete its annual census data
reconciliation and certifications timely.

SIUC did not complete the reconciliation of
changes in State University Retirement
System (SURS) member data to University
records or submit the required census data
reconciliation certifications for Fiscal
Year 2023 data, as required by SURS, by May
31, 2024. The campus reconciliation had not
been completed as of the end of Fiscal Year
2024. (Finding 8, pages 33-34)

We recommended the University dedicate
specific resources to complete annual
reconciliations of census data and to submit
certifications and potential errors
identified by the required due date. We
further recommended the University promptly
reconcile the census data, submit the
required certifications and any potential
errors noted to SURS, and work with SURS to
address any differences noted.

The University stated they agree and noted
it continues to make progress in completing
the SURS Census Earnings reconciliation. The
University further responded that completion
remains a priority while staff turnover and
limited resources contribute to delays.
Management also noted that all other related
reconciliations of SURS census data are
complete.

NONCOMPLIANCE WITH THE DEVELOPMENTAL
EDUCATION REFORM ACT

SIUC did not offer or explain their decision
not to offer developmental education
coursework as part of developmental
education reform in English, nor did it
report developmental education models or
detailed plans to improve outcomes for
students insufficiently prepared in
mathematics.

We noted:

•SIUC did not offer English developmental
education coursework and did not report
details or support to the Illinois Board of
Higher Education (IBHE) regarding its
decision not to offer developmental
education coursework and the pathways
available to students deemed to be
insufficiently prepared for introductory
college-level English coursework.

•SIUC did not report to IBHE all required
details of its developmental education
reform plans for mathematics, including a
description of the current developmental
education models offered, the basis of the
evidence and associated data considered,
detailed plans for scaling reforms and
improving outcomes for students, and details
about the expected improvements in
educational outcomes for Black students as a
result of the proposed reforms.

During Fiscal Year 2024, 280 (11%) and 194
(29%) students enrolled at SIUC were
reported to be insufficiently prepared for
college-level coursework in English and
mathematics, respectively. (Finding 14,
pages 46-48)

We recommended the University ensure it
timely reports all required information to
oversight bodies.

The University agreed and stated our
recommendation has been partially
implemented. The University further
responded that although it has not
reinstated traditional developmental
education courses, it continues to evolve
its strategies in alignment with national
best practice prioritizing acceleration,
early intervention, and inclusive support to
help all students succeed in college-level
coursework.

The University also stated it acknowledges
the importance of timely reporting to
oversight bodies and will ensure that
required reports are submitted accurately
and on time to help improve coordination and
ensure accountability moving forward.

OTHER FINDINGS

The remaining findings pertain to internal
controls over financial reporting,
information technology, computer inventory,
personal services, and compliance with
statutory mandates.

We will review the University’s progress
towards the implementation of our
recommendations in our next State compliance
examination.

AUDITOR’S OPINIONS

The financial audit was previously released.
The auditors stated the financial statements
of the University as of and for the year
ended June 30, 2024 are fairly stated in all
material respects.

The Single Audit was also previously
released. The auditors conducted a Single
Audit of the University as required by the
Uniform Guidance. The auditors stated the
University complied, in all material
respects, with the types of compliance
requirements that could have a direct and
material effect on the University’s major
federal programs for the year ended June 30,
2024.
ACCOUNTANT’S OPINION

The accountants conducted a State compliance
examination of the University for the year
ended June 30, 2024, as required by the
Illinois State Auditing Act. The accountants
qualified their report on State compliance
for Finding 2024-002. Except for the
noncompliance described in this finding, the
accountants stated the University complied,
in all material respects, with the
requirements described in the report.

This State compliance examination was
conducted by Plante & Moran, PLLC.

COURTNEY DZIERWA
Division Director

This report is transmitted in accordance
with Section 3-14 of the Illinois State
Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:lkw