Audit  Audit of Massachusetts Bay Community College (MBCC)

The audit found MBCC has failed to take steps previously recommended by the office to improve the tracking of valuable college property. The Community College has also done a poor job tracking and maintaining IT inventory. The audit examined the period of July 1, 2018 through December 31, 2019.

Organization: Office of the State Auditor
Date published: May 11, 2021

Executive Summary

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor (OSA) has conducted a performance audit of Massachusetts Bay Community College (MBCC) for the period July 1, 2018 through December 31, 2019. When testing MBCC’s information technology (IT) inventory, we extended the audit period through August 28, 2020, capturing data in MBCC’s inventory database as of the time of our fieldwork. Some testing of MBCC’s IT inventory required physically observing the then-current status of equipment at MBCC locations. Our last physical observation of IT equipment was on January 19, 2021.

In this performance audit, we examined MBCC activities related to the administration of IT equipment and procurement cards. We also followed up on an issue regarding MBCC’s compliance with the reporting requirements of Chapter 647 of the Acts of 1989, identified in our previous audit (No. 2016-0196-3E), to determine what measures MBCC’s management had taken to address the lack of reporting of missing or stolen equipment to OSA.

Below is a summary of our findings and recommendations, with links to each page listed.

Finding 1a

MBCC did not maintain accurate required information on its IT inventory list, and some items were untagged or never added to the list.

Finding 1b

MBCC could not substantiate that it conducted annual inventories of its IT equipment.


  1. MBCC should review and edit its current IT inventory list to include purchase dates, costs, assigned tag numbers, locations, descriptions, and serial numbers for all items; should remove duplicate items; and should correct inaccurate data where possible.
  2. MBCC should ensure that all IT assets have inventory tags affixed to them.
  3. MBCC should enhance its current “Inventory—Tracking and Disposal Policy” to include detailed procedures for all phases of the IT inventory process. The policy should require keeping documentation supporting the annual physical inventory of IT equipment and should include guidance for relocating IT equipment.
  4. MBCC should communicate this policy to all employees and establish monitoring controls to ensure that it is consistently followed.
  5. MBCC should reevaluate its purchasing and inventory process to identify a best practice for identifying and tracking newly purchased IT equipment at the point of purchase. MBCC should determine whether incorporating its inventory process into the college’s purchasing system by using the PeopleSoft Asset Management module is a viable option.

Finding 2

MBCC has not implemented policies, procedures, and monitoring controls to ensure compliance with Chapter 647 of the Acts of 1989 as recommended in our prior audit.


  1. MBCC should develop and implement policies, procedures, and monitoring controls to ensure that all unaccounted-for variances, losses, shortages, and/or thefts of funds or property are immediately reported to OSA.
  2. MBCC should ensure that the party responsible for overseeing compliance with Chapter 647 of the Acts of 1989 understands the law’s requirements.


A PDF copy of the audit of Massachusetts Bay Community College is available here.


Post-Audit Action

In response to this audit report, MBCC provided the following comments about its post-audit actions.

The College appreciates the thoughtful review and feedback from the audit team, and the opportunity to respond to their findings. We have started the process of reviewing our policies, procedures, and systems to ensure proper monitoring and compliance. . . .

In response to the recommendation that the College provide mandatory information security training, we are pleased to report that this has successfully been impact bargained with the unions and we have begun to implement a system to provide cybersecurity training for all employees and to document program completion.





(617) 727-3014


Massachusetts State House
Room 230
Boston, MA 02133

Help Us Improve  with your feedback

Please do not include personal or contact information.