FY11-ISU-Fin-Comp-Digest
Office of the Auditor General, Iles Park Plaza, 740 E. Ash St., Springfield, IL 62703 • Tel: 217-782-6046 or TTY 888-261-2887
This Report Digest and a Full Report are also available on the internet at www.auditor.illinois.gov
ILLINOIS STATE UNIVERSITY
Financial Audit, Single Audit, and Compliance Examination
For the Year Ended: June 30, 2011
Summary of Findings:
Total this audit: 5
Total last audit: 3
Repeated from last audit: 2
Release Date: March 20, 2012
SYNOPSIS
• The University did not exercise adequate internal control over accounts receivable.
• The University’s Internal Audit Department did not review the new Human Resources system prior to its implementation.
• The University had not established adequate security policies and control over its computer environment.
• The University had not established adequate University-wide procedures for disposal of confidential information.
{Expenditures and Activity Measures are summarized on the reverse page.}
ILLINOIS STATE UNIVERSITY
FINANCIAL AUDIT AND COMPLIANCE EXAMINATION
For The Year Ended June 30, 2011

STATEMENT OF NET ASSETS (in thousands)
                                                        2011   2010 (as restated)
Assets
  Cash and cash equivalents                          $25,622      $49,826
  Restricted cash and cash equivalents                11,061       11,203
  Receivables                                         53,955       39,290
  Capital assets, net                                420,890      398,770
  Other                                              123,517       94,517
  Total                                             $635,045     $593,606
Liabilities
  Accounts payable and accrued liabilities           $21,510      $25,968
  Deferred revenues                                    6,998        7,344
  Assets held in custody for others and deposits       3,512        3,605
  Current portion of long-term liabilities             9,070        8,758
  Long-term liabilities                              141,569      133,302
  Total                                             $182,659     $178,977
Net Assets
  Invested in capital assets, net of related debt   $298,586     $285,373
  Restricted                                           9,467        9,456
  Unrestricted                                       144,333      119,800
  Total                                             $452,386     $414,629

REVENUES, EXPENSE AND CHANGES IN NET ASSETS (in thousands)
                                                        2011   2010 (as restated)
Revenues
  Tuition and fees, net                             $167,142     $151,104
  State appropriations                                80,499       92,730
  Auxiliary enterprises                               83,018       80,914
  Payments on behalf of the University                86,470       78,553
  Federal, state, and private grants and gifts        23,478       21,563
  Laboratory Schools                                   9,086        7,732
  Other                                               48,380       47,943
  Total                                             $498,073     $480,539
Expenses
  Instruction                                       $113,992     $109,970
  Research                                            13,991       14,202
  Public Service                                      15,695       15,099
  Academic support                                    18,134       14,191
  Student services                                    35,748       35,310
  Institutional support                               29,544       27,230
  Auxiliary enterprises                               57,127       61,584
  Student aid                                         36,920       31,674
  Payments on behalf of the University                86,470       78,553
  Operation and maintenance of plant                  24,246       29,536
  Depreciation                                        19,779       17,939
  Other                                                8,670        6,902
  Total                                             $460,316     $442,190
Change in net assets                                 $37,757      $38,349

EMPLOYMENT STATISTICS (UNAUDITED)
                                                     FY 2011      FY 2010
  Faculty and Administrative                           1,895        1,881
  Civil Service                                        1,297        1,304
  Student Employees                                      566          525
  Miscellaneous Contractual                               82           96
  Total Employees                                      3,840        3,806

ENROLLMENT STATISTICS (UNAUDITED)
                                                     FY 2011      FY 2010
  Annual full-time equivalent students                19,059       19,022

COST PER STUDENT (UNAUDITED)
                                                     FY 2011      FY 2010
  Cost per full time equivalent student              $11,171      $10,776

UNIVERSITY PRESIDENT
During Examination Period: Dr. C. Alvin Bowman
Currently: Dr. C. Alvin Bowman
Accounts receivable for tuition and fees overstated
University recorded total adjustments of $6,479,222
FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS
NEED TO IMPROVE ACCOUNTS RECEIVABLE ACCOUNTING AND REPORTING
Illinois State University (University) did not exercise adequate internal control over accounts receivable.
We noted the following:
• The University overstated tuition and fees receivable by amounts that were originally estimated to be received from the State but were not adjusted to reflect actual amounts received. The University recorded tuition and fees accounts receivable for entitlement scholarships awarded to eligible students based upon various State laws. The University is reimbursed for the tuition and fee revenue at a later date, based upon the availability of funds within the State's budget. In the event of insufficient appropriations, the University must bear the cost of the awards. As the State did not pay the cost of tuition and fees waived, the University did not monitor and properly account for the nonpayment, resulting in an overstatement of receivables. The University recorded a prior period adjustment of $5,189,665 for overstated receivables from FY06 to FY10 and a current period adjustment of $1,289,557 for overstated receivables occurring in FY11.
• The University does not have a formal methodology to record, review, and adjust the allowance for uncollectible accounts receivable that takes into account historical factors, such as collections, with qualitative factors. Further, the University has not reviewed the allowance for uncollectible accounts receivable since FY09.
According to University personnel, the overstatement was a result of employees not being aware that certain scholarship payments from the State were no longer collectible. (Finding 1, pages 17-18)
University officials agree with auditors
$5.5 million human resources system not reviewed by the University’s internal auditors
University officials agree with auditors
We recommended the University implement controls to periodically review accounts receivable and adopt a methodology to record, review, and adjust an allowance for uncollectible accounts receivable based upon historical collectability data, adjusted for any potential qualitative considerations.
University officials agreed with the finding, indicating they will review controls to improve the reporting and accounting for accounts receivable.
LACK OF INTERNAL AUDIT REVIEW OF MAJOR SYSTEM IMPLEMENTATION
The University’s Internal Audit Department did not review the new Human Resources system prior to its implementation.
The University implemented a Human Resources system in July 2011. The system is used to perform and track functions such as payroll, time and labor for all 3,500 faculty and personnel at the University. The initial selection process began in 2006 to replace a 20-year-old system. The project appears to have had an initial budget of $3.5 million, with a subsequent addition of $2 million in 2010, for a total budget of $5.5 million. The Fiscal Control and Internal Auditing Act requires the review of major new electronic data processing systems by the University’s Internal Audit Department prior to system installation to ensure the systems provide for adequate audit trails and accountability.
According to University personnel, the Office of Internal Audit was not involved in the development of the Human Resources system (iPeople) due to a change in management and staff within the Office of Internal Auditing. (Finding 2, pages 19-20)
We recommended the University's Internal Audit Department perform a review of any major computerized system prior to its implementation and maintain documentation of its review.
University officials agreed with the finding, indicating they are enhancing communication between the University’s information technology management and the Office of Internal Audit. Further, they are planning a post-implementation audit of the new system as part of the University’s planned FY12 internal audits.
Security policy has not been approved
2,498 user accounts with nonexpiring passwords
University officials agree with auditors
NEED TO IMPROVE CONTROLS OVER COMPUTER SECURITY ADMINISTRATION
The University had not established adequate security policies and control over its computer environment.
We reviewed the University's policies and procedures and noted the following weaknesses:
• The University's Security Policy is in draft form. At the time of testing the policy had not been approved by senior management or communicated to the appropriate individuals.
• Over 73,300 active user accounts had never been used and another 2,400 had not been used in over a year.
• The University's password expiration policy was not enforced. 2,498 accounts had nonexpiring passwords.
• An excessive number (81) of user accounts had powerful administrative access rights.
According to University personnel, this resulted from the lack of a cohesive IT Governance structure including a common, formal, and disciplined approach for managing IT. (Finding 3, pages 21-23)
We recommended the University develop standard security guidelines to ensure security controls are adequately addressed across the University.
University officials accepted the finding and stated the policy, Security of Information Technology Resources and Systems, has been approved by the Academic Senate. The policy authorizes the creation of procedures that will outline how security will be administered and how access to systems and data will be granted, maintained, reviewed, and audited.
NEED TO ENHANCE CONTROLS OVER CONFIDENTIAL INFORMATION
The University had not established adequate University-wide procedures for disposal of confidential information.
Risk assessment to identify and secure confidential or personal information not completed
HIPAA risk assessment to identify and secure protected health information not completed
University officials agree with auditors
Although the University had established various policies relating to the security of confidential information, the University failed to establish and implement procedures for adequately protecting and disposing of confidential information. During our review, the following weaknesses were noted:
• The University had not performed a comprehensive risk assessment to identify confidential or personal information and its location to assure such information is protected from unauthorized disclosure.
• While the University had established a uniform process for the wiping and destruction of media and data, the process had not been completely implemented.
• Although the University's Student Health Services maintained protected health information, a Health Insurance Portability and Accountability Act (HIPAA) risk assessment had not been completed.
• The University had not formally approved notification procedures in the event of a breach of security regarding personal information.
According to University personnel, this resulted from the lack of a cohesive IT Governance structure including a common, formal, and disciplined approach for managing IT. (Finding 4, pages 24-25) This finding was first reported in 2009.
We recommended the University perform a risk assessment to identify and secure all forms of confidential or personal information, implement a comprehensive process for the wiping and destruction of media, perform and document a HIPAA risk assessment for personal health information, and obtain formal approval of policies and procedures for notification following a breach of security regarding personal information.
University officials accepted the finding, indicating the University is undertaking a risk assessment, including HIPAA, at the University that is expected to be completed by December 2012. Further, the University stated they are working to implement a coordinated electronic media wiping effort and adopt breach notification procedures. (For the previous University response, see Digest Footnote #1.)
OTHER FINDING
The remaining finding is reportedly being given attention by the University. We will review the University’s progress towards the implementation of our recommendations in our next audit.
AUDITORS’ OPINION
Our auditors stated the financial statements of Illinois State University as of and for the year ended June 30, 2011 are fairly stated in all material respects.
___________________________________
WILLIAM G. HOLLAND
Auditor General
WGH:djn:rt
SPECIAL ASSISTANT AUDITORS
Our special assistant auditors for this engagement were BKD, LLP.
DIGEST FOOTNOTE
#1: NEED TO ENHANCE CONTROLS OVER CONFIDENTIAL INFORMATION
FY2010:
The University concurs with the recommendation to assess its procedures for safeguarding and subsequent disposal of all confidential information. Procedures for proper disposal of confidential information are established and will be reviewed to minimize lapses attributable to employee oversight.
The University concurs with the recommendation to perform a comprehensive risk assessment of its computer environment and data. The University Technology Council has finalized the Policy on Information Resource Access and Security and is in the process of obtaining formal approval. Also, a Data Stewardship and IT Services Council has been established to define standards for a master data access plan. These efforts will provide a more comprehensive identification of the University’s computer data security environment for purposes of risk assessment.
Encryption has been installed and utilized on systems storing and transmitting financial information. The University is developing data classification and corresponding security procedures for each level of data classification. The highest level will incorporate encryption technologies. Also, the University is seeking an outsourcing partner to host mainframe operations and will require encryption protection of data.
