Audit of the Massachusetts State College Building Authority

Our office conducted a performance audit of the Massachusetts State College Building Authority (MSCBA) for the period July 1, 2022 through June 30, 2024.

Organization: Office of the State Auditor
Date published: June 18, 2025

Executive Summary

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor (OSA) has conducted a performance audit of the Massachusetts State College Building Authority (MSCBA) for the period July 1, 2022 through June 30, 2024.

The purpose of our audit was to determine the following:

  • whether MSCBA had a process in place to ensure that it met the fiscal years 2023 and 2024 benchmarks set by the Supplier Diversity Office (SDO) for contracting with minority-, women-, and veteran-owned businesses;
  • to what extent MSCBA ensured that its residential buildings on university campuses met the minimum public health and safety requirements, in accordance with Section 101.3 of Title 780 of the Code of Massachusetts Regulations and MSCBA’s established procedures for monitoring its properties;
  • whether MSCBA took corrective actions to address the issue identified in the prior OSA audit (Audit No. 2018-0209-3A) regarding its business continuity plan (BCP); and
  • whether MSCBA took corrective actions to address the issue identified in the prior OSA audit (Audit No. 2018-0209-3A) regarding its internal control plan (ICP).

Below is a summary of our findings, the effects of those findings, and our recommendations, with hyperlinks to each page listed.

Finding 1: MSCBA did not ensure that it met the annual benchmarks for diverse supplier spending set by SDO.
Effect: MSCBA has demonstrated a commitment to promoting diversity in its procurement process by voluntarily participating in the Supplier Diversity Program (SDP). However, because MSCBA did not have an established process for meeting these spending benchmarks, MSCBA limited its ability to evaluate and improve the effectiveness of its efforts to promote diversity in its procurement process.
Recommendations:
  1. MSCBA should develop, document, and implement policies and procedures to effectively monitor the extent to which it achieves SDO annual benchmarks for diverse supplier spending. These policies should incorporate the updated requirements of the SDP, which, effective July 1, 2024, include spending benchmarks for businesses owned by LGBTQ individuals and individuals with disabilities.
  2. MSCBA should develop strategies aimed at enhancing the participation of diverse businesses in its procurement process. This could include expanding targeted outreach to certified diverse vendors to increase their participation as both prime contractors and subcontractors.

Finding 2: MSCBA’s BCP was missing critical components.
Effect: Without a comprehensive BCP, MSCBA cannot ensure that it has adequate procedures in place to protect critical information assets or to recover essential operations in the event of a disruption or disaster.
Recommendation: MSCBA should update its BCP to include all critical components outlined by the Executive Office of Technology Services and Security.

Finding 3: MSCBA’s ICP was not based on an agency-wide risk assessment and was missing key elements of enterprise risk management.
Effect: Without a sufficiently developed ICP based on an agency-wide risk assessment, MSCBA is limited in its ability to identify vulnerabilities, which could prevent it from achieving organizational goals.
Recommendations:
  1. MSCBA should develop an ICP based on a current agency-wide risk assessment that includes all aspects of its business activities. MSCBA should ensure that its ICP includes all the critical components of enterprise risk management.
  2. After completing its ICP, MSCBA should ensure that the ICP is communicated to all employees, used within its operations, and reviewed and updated at least annually.

Finding 4a: MSCBA did not adequately manage employee access rights.
Effect: Without documented management approval, MSCBA has no sufficient verification that system users were approved to access the system at all, or that user accounts were limited to the fewest privileges necessary for the employees’ job duties.

Finding 4b: MSCBA could not provide evidence that its employees completed cybersecurity awareness training.
Effect: If MSCBA does not ensure that its employees complete cybersecurity awareness training, then it is exposed to an increased risk of cyberattacks and financial and/or reputational losses.

Finding 4c: MSCBA was missing documentation for a completed background check.
Effect: Without proper screening, MSCBA assumes a higher-than-acceptable risk of hiring individuals who may pose security threats to its systems and data.

Finding 4d: MSCBA did not promptly revoke access rights to its accounting and project management system.
Effect: If MSCBA does not promptly revoke former employees’ access rights to its system, then there is an increased risk that former employees could improperly access and/or change information in the system.

Finding 4e: MSCBA did not have session lock mechanisms in place.
Effect: If MSCBA does not have session lock mechanisms in place, then employees may remain logged on indefinitely, increasing the risk of unauthorized access and reducing the organization’s ability to effectively monitor and control system activity.

Finding 4f: MSCBA did not have a documented configuration management policy.
Effect: Without a configuration management policy, MSCBA leaves its accounting and project management system vulnerable to misconfigurations, security threats, and performance issues.

Finding 4g: MSCBA did not have established procedures to review audit logs.
Effect: If MSCBA does not regularly generate and review audit logs of its accounting and project management system, then it exposes itself to a higher-than-acceptable risk of unauthorized user activity. It also exposes itself to a higher-than-acceptable risk that security incidents and policy violations go undetected by MSCBA management.

Recommendations (Findings 4a through 4g):
  1. MSCBA should ensure that documented records are kept to evidence supervisory approval for system user rights for its accounting and project management system.
  2. MSCBA should develop and implement policies and procedures to ensure that all employees receive cybersecurity awareness training within 30 days of orientation and annually thereafter. Also, MSCBA should maintain certificates of completion of these trainings for all of its employees.
  3. MSCBA should ensure that all employees with access to confidential information undergo background checks, as required by its policy. MSCBA should maintain documentation of these screenings to ensure accountability and compliance.
  4. MSCBA should ensure that system privileges are revoked within 24 business hours of termination. Additionally, MSCBA should consider temporarily suspending employees’ privileges when they are on leaves of absence.
  5. MSCBA should configure both its network and its accounting and project management system to lock out after a five-minute period of inactivity.
  6. MSCBA should establish controls to ensure that configuration management procedures are in place to safeguard its accounting and project management system.
  7. MSCBA should ensure that audit logs for its accounting and project management system are generated and reviewed on a regular basis, so that system user activity is tracked.
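The access-control criteria behind Findings 4a, 4d and 4e can be turned into a repeatable check that an agency could run against its own system before the next audit. The Python script below is an added example, not code from the OSA report or from MSCBA: it reconciles a system's account list against HR termination and leave records and the configured inactivity lock, flagging any account without documented supervisory approval, any terminated employee whose access was not revoked within 24 hours, and a lock interval longer than five minutes. The record fields, the account names and the sample data are all constructed for illustration.

```python
"""Reconcile system accounts against HR records and a session-lock setting.

Added example, not code from the OSA report or from MSCBA. It turns three of
the criteria in Findings 4a, 4d and 4e into a repeatable check: every account
has documented supervisory approval, terminated employees lose access within
24 hours, and the inactivity lock is five minutes or less. All records and the
field names are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

REVOCATION_DEADLINE = timedelta(hours=24)  # Recommendation 4: revoke within 24 hours
MAX_IDLE_LOCK_MINUTES = 5                  # Recommendation 5: lock after five idle minutes


@dataclass
class Account:
    """One login on the accounting/project management system (assumed fields)."""
    username: str
    role: str
    approved_by: Optional[str]        # supervisor named on the access request, or None
    disabled_at: Optional[datetime]   # when the account was disabled, or None if active


@dataclass
class HrRecord:
    """Employment status as reported by HR (assumed fields)."""
    username: str
    terminated_at: Optional[datetime]
    on_leave: bool


Finding = Tuple[str, str, str]   # (username, finding id, description)


def check_accounts(accounts: List[Account], hr: List[HrRecord],
                   idle_lock_minutes: Optional[int]) -> List[Finding]:
    """Return one entry per exception; an empty list means all checks passed."""
    findings: List[Finding] = []
    hr_by_user = {rec.username: rec for rec in hr}

    for acct in accounts:
        # 4a: access must be traceable to a documented management approval
        if not acct.approved_by:
            findings.append((acct.username, "4a", "no documented supervisory approval"))

        rec = hr_by_user.get(acct.username)
        if rec is None:
            # No HR record at all: nobody can vouch that this user is still employed
            findings.append((acct.username, "4d", "no matching HR record for account"))
            continue

        # 4d: separated employees must lose access within the deadline
        if rec.terminated_at is not None:
            if acct.disabled_at is None:
                findings.append((acct.username, "4d",
                                 "terminated employee still has active access"))
            elif acct.disabled_at - rec.terminated_at > REVOCATION_DEADLINE:
                delay = acct.disabled_at - rec.terminated_at
                findings.append((acct.username, "4d",
                                 f"access revoked {delay} after termination"))
        elif rec.on_leave and acct.disabled_at is None:
            # Recommendation 4 also suggests suspending access during leaves of absence
            findings.append((acct.username, "4d",
                             "employee on leave still has active access"))

    # 4e: the system must lock idle sessions, and within the recommended window
    if idle_lock_minutes is None or idle_lock_minutes > MAX_IDLE_LOCK_MINUTES:
        findings.append(("<system>", "4e",
                         f"inactivity lock is {idle_lock_minutes} minutes; "
                         f"expected at most {MAX_IDLE_LOCK_MINUTES}"))
    return findings


# Constructed sample data: one compliant account plus one example of each exception
SAMPLE_ACCOUNTS = [
    Account("jdoe",   "project_manager", "supervisor_a", None),
    Account("asmith", "accountant",      None,           None),
    Account("bjones", "accountant",      "supervisor_b", datetime(2024, 3, 4, 9, 0)),
    Account("cwhite", "project_manager", "supervisor_a", None),
    Account("dlee",   "accountant",      "supervisor_b", None),
]
SAMPLE_HR = [
    HrRecord("jdoe",   None,                         False),
    HrRecord("asmith", None,                         False),
    HrRecord("bjones", datetime(2024, 3, 1, 17, 0),  False),  # disabled 2 days 16 h later
    HrRecord("cwhite", datetime(2024, 5, 10, 12, 0), False),  # never disabled
    HrRecord("dlee",   None,                         True),   # on leave, still active
]
SAMPLE_IDLE_LOCK_MINUTES = 15   # a weak setting; the recommendation is five minutes


if __name__ == "__main__":
    for user, fid, why in check_accounts(SAMPLE_ACCOUNTS, SAMPLE_HR, SAMPLE_IDLE_LOCK_MINUTES):
        print(f"Finding {fid}: {user}: {why}")
```

Run against the constructed data, the script reports five exceptions: one missing approval, a revocation that took two days and sixteen hours, a terminated user still active, a user on leave still active, and a 15-minute idle lock. In practice the two input lists would be exported from the HR system and from the accounting system's user table, and the script's output is exactly the evidence an auditor asks for under Recommendations 1, 4 and 5.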
