Audit

Audit  Audit of Cape Cod Community College

Our office conducted a performance audit of certain activities of Cape Cod Community College (CCCC) for the period January 1, 2021 through December 31, 2023.

Organization: Office of the State Auditor
Date published: July 1, 2025

Executive Summary

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of certain activities of Cape Cod Community College (CCCC) for the period January 1, 2021 through December 31, 2023.

In this performance audit, we examined CCCC’s compliance with certain aspects of the Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act (Clery Act), as amended. The Clery Act was enacted in 1990 to ensure that colleges and universities maintain transparency and accountability about crime prevention and response on their campuses. It requires educational institutions participating in federal student aid programs to publish an annual security report (ASR) that discloses campus crime statistics and security information. In addition, we reviewed CCCC’s cybersecurity awareness training program for employees.

The purpose of our audit was to determine the following:

  • whether CCCC included all required policies, procedures, and statements in its ASR, in accordance with the Clery Act (Section 668.46[b–h] of Title 34 of the Code of Federal Regulations [CFR]);
  • whether CCCC recorded all crimes within its Clery geography in a daily crime log and accurately reported these crimes to the US Department of Education (US DOE) and in its ASR in accordance with the Clery Act (34 CFR 668.46[c][1] and [f][1]);
  • whether CCCC had a process in place to ensure that it identified campus security authorities (CSAs) and that these employees completed training on their responsibilities as CSAs, in accordance with the Clery Act (34 CFR 668.46[a]); and
  • whether CCCC ensured that its employees completed cybersecurity awareness training, in accordance with its “Cyber / Information Security Awareness Training” policy; Section 6.2.3 of the Executive Office of Technology Services and Security’s (EOTSS’s) Information Security Risk Standard IS.010; and Section AT-3 of Revision 5 of the National Institute of Standards and Technology’s Special Publication 800-53.

Below is a summary of our findings, the effects of those findings, and our recommendations, with hyperlinks to each page listed.

  
Finding 1
 
CCCC did not accurately report all required crime statistics in its ASR and to US DOE.
EffectIf CCCC inaccurately reports its Clery Act crime statistics, then current and prospective students, CCCC employees, and members of the public may draw incorrect conclusions about campus safety. Additionally, not complying with the Clery Act’s ASR reporting requirements may result in CCCC having to pay fines to US DOE.
Recommendation
 

CCCC must make certain that all Clery Act crimes that occur within its Clery geography are accurately recorded in CCCC’s daily crime log and its ASR by establishing policies and procedures to ensure that the following occur:

  • cases are recorded accurately in CCCC’s daily crime log, and are also identified as Clery Act crimes where applicable;
  • Clery Act crimes are accurately documented in CCCC’s disciplinary action records management system and reported to CCCC’s Department of Public Safety so that they can be properly investigated and included in CCCC’s ASR;
  • a verification process is developed, documented, and implemented by CCCC that includes supervisory review and sign-off of the disciplinary action records on a regular basis;
  • Clery Act crime data is accurately reported to US DOE; and
  • as required by law, all supporting documentation for CCCC’s Clery Act crime statistics is retained by CCCC’s Department of Public Safety, including the daily crime log statistics, student disciplinary action log statistics, and any other records used to complete CCCC’s ASR for at least three years.
Finding 2
 
CCCC did not properly identify and train campus security authorities (CSAs) in their duties as CSAs.
EffectIf CCCC does not properly designate and train all CSAs, then CCCC’s ability to compile and report accurate annual crime statistics is limited, and, with inaccurately reported crime statistics, current and prospective students, CCCC employees, and members of the public may be misinformed or draw incorrect conclusions about campus safety.
Recommendations
 
  1.  CCCC should establish a process for its Human Resources Department and Department of Public Safety to identify individuals who meet the definition of a CSA.
  2.  CCCC should maintain and regularly update a list of identified CSAs.
  3.  CCCC should notify identified CSAs and train them on their responsibilities as CSAs at least annually and retain records of training completion for all CSAs.
Finding 3
 
CCCC did not ensure that all of its employees completed cybersecurity awareness training.
EffectIf CCCC does not ensure that all of its employees complete cybersecurity awareness training, then CCCC exposes itself to an increased risk of cybersecurity attacks, and financial and/or reputational losses.
Recommendation
 
CCCC should develop and implement monitoring controls to ensure that all employees are enrolled in and complete initial and annual refresher cybersecurity awareness training.

Appendix

Help Us Improve Mass.gov  with your feedback

Please do not include personal or contact information.
Feedback