Audit of the University of Massachusetts Chan Medical School

Our office has conducted a performance audit of the University of Massachusetts (UMass) Chan Medical School (Chan) for the period July 1, 2021 through December 31, 2022.

Organization: Office of the State Auditor
Date published: September 6, 2024

Executive Summary

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the University of Massachusetts (UMass) Chan Medical School (Chan) for the period July 1, 2021 through December 31, 2022.

In this performance audit, we determined whether UMass Chan executed all bank card purchases in accordance with Sections IV(A) and (B) within Appendix C of the “University of Massachusetts Business and Travel Expense Policy” (document T92-031); Articles I and II of the “University of Massachusetts Administrative Standards for Business and Travel Expense Policy”; and Sections 2, 4–8, 11, 12, 15, and 21 of the UMass Bank Card Use Standard. We also determined whether UMass Chan adhered to its “Privacy and Security Training Policy” regarding cybersecurity awareness.

Below is a summary of our findings, the effects of our findings, and recommendations, with links to each page listed.

Finding 1

UMass Chan’s bank card transactions did not always comply with UMass system policies and standards.

Effect

If UMass Chan does not reconcile and upload bank statements and supporting documents to the UMass system’s online bank card transaction repository in a timely manner or at all, then UMass Chan assumes a higher-than-acceptable risk of erroneous and potentially fraudulent bank card activity. In addition, having incomplete documentation for bank card transactions on reconciliations results in a lack of transparency.

Recommendations

  1. UMass Chan should ensure that travel authorization numbers are referenced on bank statements and receipts. If this is not feasible within the requirements of the current standard, then the UMass system should update the UMass Bank Card Use Standard to reflect appropriate and feasible requirements.
  2. UMass Chan should ensure that cardholders reconcile and upload all bank statements and supporting documents into the UMass system’s online bank card transaction repository within 30 days of bank statement dates.

Finding 2

UMass Chan did not ensure that workforce members completed cybersecurity awareness training in a timely manner.

Effect

If UMass Chan does not educate all workforce members on their responsibility to protect information assets by requiring cybersecurity awareness training, then UMass Chan is exposed to a higher-than-acceptable risk of cybersecurity attacks, which could cause financial and/or reputational losses.

Recommendation

UMass Chan should ensure that all workforce members who have access to its computer network complete cybersecurity awareness training in a timely manner, upon hire and annually thereafter.
