Audit of the University of Massachusetts Lowell

Our office conducted a performance audit of the University of Massachusetts (UMass) Lowell for the period July 1, 2020 through December 31, 2021.

Organization: Office of the State Auditor
Date published: April 19, 2024

Executive Summary

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the University of Massachusetts (UMass) Lowell for the period July 1, 2020 through December 31, 2021.

In this performance audit, we determined whether UMass Lowell executed all bank card purchases in accordance with Sections II(A), II(D), III(A), and III(B) of the “Administrative Standards for the Business Expense Policy” within Appendix C of the “University of Massachusetts Business and Travel Expense Policy” (document T92-031) and Sections 2, 4–8, 11, 12, 15, and 21 of the UMass Bank Card Use Standard. We also determined whether UMass Lowell adhered to its “Security Awareness Policy IT-5-112” regarding cybersecurity awareness training for nonfaculty employees.

Below is a summary of our findings and recommendations, with links to each page listed.

  
Finding 1

UMass Lowell’s bank card transactions did not always comply with UMass system policies and standards.

Recommendations

  1. UMass Lowell should ensure that cardholders reconcile and upload all bank statements and supporting documents into the UMass system’s online bank card transaction repository within 30 days of the bank statement date.
  2. UMass Lowell should ensure that each bank card transaction receipt captures the full business purpose and that all required information is on the receipt. If this is not feasible within the requirements of the current standard, then the UMass system should update the UMass Bank Card Use Standard to reflect appropriate and feasible requirements.
  3. UMass Lowell should ensure that state sales tax is not charged when bank card purchases are made by cardholders. If this is not feasible within the requirements of the current standard, then the UMass system should update the UMass Bank Card Use Standard to reflect appropriate and feasible requirements.
  4. UMass Lowell should ensure that travel authorization numbers are referenced on the bank statement and receipt(s). If this is not feasible within the requirements of the current standard, then the UMass system should update the UMass Bank Card Use Standard to reflect appropriate and feasible requirements.

Finding 2

UMass Lowell’s cybersecurity awareness training documentation was missing crucial information, and the university did not ensure that all nonfaculty employees completed cybersecurity awareness training.

Recommendations

  1. UMass Lowell should configure its cybersecurity awareness training platform so that it has the ability to monitor the assignment and completion of the trainings.
  2. UMass Lowell should ensure that its nonfaculty employees complete cybersecurity awareness training when they are hired and annually thereafter.
  3. UMass Lowell should retain sufficient cybersecurity awareness training documentation.
