Audit

Audit  Audit of the University of Massachusetts Dartmouth

Our office conducted a performance audit of the University of Massachusetts (UMass) Dartmouth for the period July 1, 2020 through December 31, 2021.

Organization: Office of the State Auditor
Date published: May 2, 2024

Executive Summary

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the University of Massachusetts (UMass) Dartmouth for the period July 1, 2020 through December 31, 2021.

In this performance audit, we determined whether UMass Dartmouth executed all bank card purchases in accordance with Sections II(A), II(D), III(A), and III(B) of the “Administrative Standards for the Business Expense Policy” within Appendix C of the “University of Massachusetts Business and Travel Expense Policy” (document T92-031) and Sections 2, 4–8, 11, 12, 15, and 21 of the UMass Bank Card Use Standard. We also determined whether UMass Dartmouth ensured that its employees completed cybersecurity awareness training in accordance with Section 1 of Control 14 (Security Awareness and Skills Training) of the Center for Internet Security’s1 Critical Security Controls.2

Below is a summary of our findings and recommendations, with links to each page listed.

  
Finding 1
 
UMass Dartmouth’s bank card transactions did not always comply with UMass system policies and standards.
Recommendations
 
  1. UMass Dartmouth should ensure that cardholders reconcile and upload all bank statements and supporting documents into the UMass system’s online bank card transaction repository within 30 days of the bank statement date.
  2. UMass Dartmouth should ensure that each bank card transaction receipt captures the full business purpose and that all required information is on the receipt. If this is not feasible within the requirements of the current standard, then the UMass system should update the UMass Bank Card Use Standard to reflect appropriate and feasible requirements.
  3. UMass Dartmouth should ensure that state sales tax is not charged when bank card purchases are made by cardholders. If this is not feasible within the requirements of the current standard, then the UMass system should update the UMass Bank Card Use Standard to reflect appropriate and feasible requirements.
  4. UMass Dartmouth should ensure that travel authorization numbers are referenced on the bank statement and receipt(s). If this is not feasible within the requirements of the current standard, then the UMass system should update the UMass Bank Card Use Standard to reflect appropriate and feasible requirements.
Finding 2
 
UMass Dartmouth did not provide cybersecurity awareness training for any of its employees.
Recommendations
 
  1. UMass Dartmouth should provide cybersecurity awareness training to all employees when they are hired and annually thereafter.
  2. UMass Dartmouth should establish and implement a cybersecurity awareness training component to its information security policy. This component should include documented procedures, monitoring controls, and record retention requirements.

1.   According to its website, the Center for Internet Security is a nonprofit entity with the mission “to make the connected world a safer place by developing, validating, and promoting timely best practice solutions that help people, businesses, and governments protect themselves against pervasive cyber threats.”

2.   According to the Center for Internet Security’s website, the “Critical Security Controls . . . are a prescriptive, prioritized, and simplified set of best practices that you can use to strengthen your cybersecurity posture. Today, thousands of cybersecurity practitioners from around the world use the [Critical Security Controls] and/or contribute to their development via a community consensus process.”

Downloads

Contact

Phone

Fax

(617) 727-3014

Address

Massachusetts State House
Room 230
Boston, MA 02133

Help Us Improve Mass.gov  with your feedback

Please do not include personal or contact information.
Feedback