| Organization: | Office of the State Auditor |
|---|---|
| Date published: | September 6, 2024 |
Executive Summary
In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the University of Massachusetts (UMass) Chan Medical School (Chan) for the period July 1, 2021 through December 31, 2022.
In this performance audit, we determined whether UMass Chan executed all bank card purchases in accordance with Sections IV(A) and (B) within Appendix C of the “University of Massachusetts Business and Travel Expense Policy” (document T92-031); Articles I and II of the “University of Massachusetts Administrative Standards for Business and Travel Expense Policy”; and Sections 2, 4–8, 11, 12, 15, and 21 of the UMass Bank Card Use Standard. We also determined whether UMass Chan adhered to its “Privacy and Security Training Policy” regarding cybersecurity awareness.
Below is a summary of our findings, the effects of those findings, and our recommendations.
| Finding 1 | UMass Chan’s bank card transactions did not always comply with UMass system policies and standards. |
|---|---|
| Effect | If UMass Chan does not reconcile and upload bank statements and supporting documents to the UMass system’s online bank card transaction repository in a timely manner or at all, then UMass Chan assumes a higher-than-acceptable risk of erroneous and potentially fraudulent bank card activity. In addition, having incomplete documentation for bank card transactions on reconciliations results in a lack of transparency. |
| Recommendations | |
| Finding 2 | UMass Chan did not ensure that workforce members completed cybersecurity awareness training in a timely manner. |
| Effect | If UMass Chan does not educate all workforce members on their responsibility to protect information assets by requiring cybersecurity awareness training, then UMass Chan is exposed to a higher-than-acceptable risk of cybersecurity attacks, which could cause financial and/or reputational losses. |
| Recommendation | UMass Chan should ensure that all workforce members who have access to its computer network complete cybersecurity awareness training in a timely manner, upon hire and annually thereafter. |