REPORT DIGEST

SOUTHERN ILLINOIS UNIVERSITY

COMPLIANCE EXAMINATION FOR THE YEAR ENDED June 30, 2024

Release Date: September 30, 2025

FINDINGS THIS AUDIT: 14

CATEGORY: NEW -- REPEAT -- TOTAL
Category 1: 0 -- 1 -- 1
Category 2: 4 -- 9 -- 13
Category 3: 0 -- 0 -- 0
TOTAL: 4 -- 10 -- 14

FINDINGS LAST AUDIT: 17

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, 400 West Monroe, Suite 306, Springfield, IL 62704-9849 (217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

INTRODUCTION

This digest covers Southern Illinois University’s (University) Compliance Examination for the year ended June 30, 2024. Separate digests covering the University’s Financial Audit and Single Audit were previously released on March 4, 2025, and March 25, 2025. In total, this report contains 14 findings, 1 of which was reported in the Financial Audit and Single Audit collectively.

SYNOPSIS

• (24-2) The University lacked adequate controls over the review of its service providers.
• (24-8) The University’s Carbondale campus (SIUC) did not complete its annual census data reconciliation and certifications timely.
• (24-14) SIUC did not offer or explain their decision not to offer developmental education coursework as part of developmental education reform in English, nor did it report developmental education models or detailed plans to improve outcomes for students insufficiently prepared in mathematics.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

LACK OF ADEQUATE CONTROLS OVER THE REVIEW OF INTERNAL CONTROLS FOR SERVICE PROVIDERS

The University lacked adequate controls over the review of its service providers. The University utilized over 100 service providers for various services.
We noted there is no formal University-wide requirement, defined in policy or procedure, to require an annual review of third-party service provider internal controls. As there was no University-wide requirement to obtain and review service organization control (SOC) reports for third-party service providers and no centralized oversight of third-party service providers, we were unable to conclude the University’s records of third-party service providers were complete, accurate, and reliable.

We selected a sample of 36 service providers from the listings provided and noted:

• Eight samples lacked contracts that documented controls, or roles and responsibilities, related to security, integrity, availability, confidentiality, and privacy controls over the University’s data.
• For 11 samples, contracts, SOC reports, and/or bridge letters for service providers were not provided for testing.
• Campuses did not map existing University controls to complementary user entity controls (CUECs) for 11 samples.

(Finding 2, pages 15-19) This finding has been reported since 2018.

We recommended the University strengthen its process and controls to identify and document all service providers utilized and determine and document if a review of controls is required. Where appropriate, we recommended the University:

• Obtain and retain SOC reports (or perform independent reviews) and bridge letters, and document the assessment of internal controls associated with outsourced systems at least annually.
• Monitor and adequately document the operation of the CUECs related to the University’s operations.
• Obtain and review contracts with service providers to ensure applicable requirements over the independent review of internal controls are included.
• Implement a formal process to monitor and track service-level agreements for service providers to ensure all provisions are met and meet contract requirements.

The University responded it partially agreed and stated it continues to refine and strengthen its processes. The University also stated that SOC reports and bridge letters were not provided because access typically requires individuals to agree to a non-disclosure agreement with the service provider which often restricts their ability to retain or share information beyond its intended purpose. The University also noted that storing such sensitive documentation could expose the University to liability if the reports are compromised, stating that SOC reports are handled with the permission of the vendor as their property and can incur significant risk of liability if users retained them. The University also stated it will engage in discussion with General Counsel and seek necessary guidance for a process that mitigates liability and aligns with compliance and audit requirements. The University also responded that in most cases CUECs can be unmappable because they are broad or vague.

The accountant’s comment noted that, as reported in the finding, the University did not require or perform annual reviews of internal controls for all third-party service providers. In addition, some SOC reports obtained by the University were not provided to the auditors. SOC 1 reports are intended to be auditor to auditor communications. SOC 2 reports are intended for the information and use of the service organization, the user entity, and the user entities’ auditors in accordance with attestation standards issued by the AICPA. These reports are integral to support the audit to obtain an understanding of the controls and operating deficiencies for third party service providers. The Illinois State Auditing Act (30 ILCS 5/6-1) requires the disclosure of confidential information to the auditors as necessary for the audit and subjects such information to the same legal confidentiality and protective restrictions with the auditors as with the official authorized custodian.
Under the Attestation Standards promulgated by the AICPA, CUECs identified in a SOC report are controls which must be implemented by user entities in order to achieve the control objectives stated in management’s description of the service organizations’ system. All CUECs, despite the extent mapped to key controls, should be reviewed, evaluated, implemented, and acknowledged by the user entity. If there are CUECs identified, but the University does not ensure those controls are implemented, then the controls identified in the SOC report will not work effectively.

CENSUS DATA RECONCILIATION

SIUC did not complete its annual census data reconciliation and certifications timely.

SIUC did not complete the reconciliation of changes in State University Retirement System (SURS) member data to University records or submit the required census data reconciliation certifications for Fiscal Year 2023 data, as required by SURS, by May 31, 2024. The campus reconciliation had not been completed as of the end of Fiscal Year 2024. (Finding 8, pages 33-34)

We recommended the University dedicate specific resources to complete annual reconciliations of census data and to submit certifications and potential errors identified by the required due date. We further recommended the University promptly reconcile the census data, submit the required certifications and any potential errors noted to SURS, and work with SURS to address any differences noted.

The University stated they agree and noted it continues to make progress in completing the SURS Census Earnings reconciliation. The University further responded that completion remains a priority while staff turnover and limited resources contribute to delays. Management also noted that all other related reconciliations of SURS census data are complete.

NONCOMPLIANCE WITH THE DEVELOPMENTAL EDUCATION REFORM ACT

SIUC did not offer or explain their decision not to offer developmental education coursework as part of developmental education reform in English, nor did it report developmental education models or detailed plans to improve outcomes for students insufficiently prepared in mathematics.

We noted:

• SIUC did not offer English developmental education coursework and did not report details or support to the Illinois Board of Higher Education (IBHE) regarding its decision not to offer developmental education coursework and the pathways available to students deemed to be insufficiently prepared for introductory college-level English coursework.
• SIUC did not report to IBHE all required details of its developmental education reform plans for mathematics, including a description of the current developmental education models offered, the basis of the evidence and associated data considered, detailed plans for scaling reforms and improving outcomes for students, and details about the expected improvements in educational outcomes for Black students as a result of the proposed reforms.

During Fiscal Year 2024, 280 (11%) and 194 (29%) students enrolled at SIUC were reported to be insufficiently prepared for college-level coursework in English and mathematics, respectively. (Finding 14, pages 46-48)

We recommended the University ensure it timely reports all required information to oversight bodies.

The University agreed and stated our recommendation has been partially implemented. The University further responded that although it has not reinstated traditional developmental education courses, it continues to evolve its strategies in alignment with national best practice prioritizing acceleration, early intervention, and inclusive support to help all students succeed in college-level coursework.
The University also stated it acknowledges the importance of timely reporting to oversight bodies and will ensure that required reports are submitted accurately and on time to help improve coordination and ensure accountability moving forward.

OTHER FINDINGS

The remaining findings pertain to internal controls over financial reporting, information technology, computer inventory, personal services, and compliance with statutory mandates. We will review the University’s progress towards the implementation of our recommendations in our next State compliance examination.

AUDITOR’S OPINIONS

The financial audit was previously released. The auditors stated the financial statements of the University as of and for the year ended June 30, 2024 are fairly stated in all material respects.

The Single Audit was also previously released. The auditors conducted a Single Audit of the University as required by the Uniform Guidance. The auditors stated the University complied, in all material respects, with the types of compliance requirements that could have a direct and material effect on the University’s major federal programs for the year ended June 30, 2024.

ACCOUNTANT’S OPINION

The accountants conducted a State compliance examination of the University for the year ended June 30, 2024, as required by the Illinois State Auditing Act. The accountants qualified their report on State compliance for Finding 2024-002. Except for the noncompliance described in this finding, the accountants stated the University complied, in all material respects, with the requirements described in the report.

This State compliance examination was conducted by Plante & Moran, PLLC.

COURTNEY DZIERWA
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:lkw