Audit of Cape Cod Community College Objectives, Scope, and Methodology

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of certain activities of Cape Cod Community College (CCCC) for the period January 1, 2021 through December 31, 2023.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Below is a list of our audit objectives, indicating each question we intended our audit to answer; the conclusion we reached regarding each objective; and, if applicable, where each objective is discussed in the audit findings.

To accomplish our audit objectives, we gained an understanding of CCCC’s internal control environment relevant to our objectives by reviewing applicable policies and procedures and by interviewing CCCC officials. We evaluated the design and implementation of the internal controls related to our audit objectives. In addition, to obtain sufficient, appropriate evidence to address our audit objectives, we performed the procedures described below.

To determine whether CCCC included all required policies, procedures, and statements in its ASR, in accordance with the Clery Act (34 CFR 668.46[b-h]), we inspected CCCC’s published ASRs for calendar years 2021, 2022, and 2023 (the audit period). These ASRs included the Clery Act–required policies, procedures, and statements for the period⁶ January 1, 2020 through December 31, 2023.

We noted no exceptions in our testing. Therefore, we concluded that CCCC included all required policies, procedures, and statements in its ASRs.

To determine whether CCCC recorded all crimes within its Clery geography in a daily crime log and accurately reported these crimes to US DOE and in its ASR, in accordance with the Clery Act (34 CFR 668.46[c][1] and [f][1]), we took the actions described below.

We inspected CCCC’s 2023 ASR and CCCC’s electronic submission to US DOE, which included Clery Act crime statistics for calendar years 2020 through 2022. We compared the Clery Act crime statistics published in CCCC’s 2023 ASR to those that CCCC submitted to US DOE to ensure that they matched.

To ensure that all cases from the daily crime log required by the Clery Act were reported in CCCC’s 2023 ASR, we took the following actions.

• We inspected a list of all 178 cases from the daily crime log we obtained from CCCC’s director of public safety and attempted to identify the total number of cases that fell within each of the four categories of Clery Act crimes (as described in the "Daily Crime Log" section of this report).
• We attempted to compare the total number of cases we identified as Clery Act crimes to the total number of Clery Act crimes CCCC included in its daily crime log and its 2023 ASR. However, we were unable to do so because the crime categories in CCCC’s daily crime log did not correspond directly to those in the ASR, making a direct comparison impossible.
• We followed up with CCCC to ask about any variances we identified (i.e., crimes reported in CCCC’s ASR that were not on the daily crime log, and crimes that were only reportable if they were hate crimes).

To ensure that all incidents from CCCC’s disciplinary action record management system that must be reported under the Clery Act were included in the daily crime log and CCCC’s 2023 ASR, we took the following actions.

• We inspected a list of all 82 incidents from the disciplinary action record management system we obtained from CCCC’s dean of students and CCCC’s associate dean of students and attempted to identify the total number of incidents that fell within each of the four categories of Clery Act crimes (as described in the "Daily Crime Log"section of this report).
• We attempted to compare the total number of incidents we identified as Clery Act crimes to the total number of Clery Act crimes CCCC included in its daily crime log and its 2023 ASR. However, we were unable to do so because the crime categories in CCCC’s disciplinary action record management system did not correspond directly to those in the ASR, making a direct comparison impossible.
• We followed up with CCCC to ask about any variances we identified (i.e., Clery Act crimes that were reported in CCCC’s ASR but not in CCCC’s disciplinary action record management system and vice versa).

Based on the results of our testing, we determined that, during the audit period, CCCC did not accurately report all required crime statistics in its ASR and to the US DOE. See Finding 1 for more information.

To determine whether CCCC had a process in place to ensure that it identified CSAs and that these employees completed training on their responsibilities as CSAs, in accordance with the Clery Act (34 CFR 668.46[a]), we took the actions described below.

• We interviewed CCCC’s vice president of Finance and operations and CCCC's director of public safety to determine how CCCC identified CSAs and trained them on their responsibilities. We were informed that, during the audit period, the former chief of police and public safety conducted some informal training for CSAs. However, CCCC could not provide documentation confirming that any training, informal or formal, was provided to employees identified as CSAs.
• We obtained a list of six CCCC employees who were identified as CSAs during the audit period.
• We compared the job titles of these six CCCC employees to the Clery Act definition of a CSA and CCCC’s definition of CSAs published in its 2021, 2022, and 2023 ASRs.
• Additionally, we reviewed the list of 571 CCCC employees provided by CCCC to determine whether there were other potential employees, based on their job titles, who met the criteria for a CSA.

Based on the results of our testing, we determined that, during the audit period, CCCC did not properly identify and train campus security authorities See Finding 2 for more information. 

To determine whether CCCC ensured that its employees completed cybersecurity awareness training, in accordance with its “Cyber / Information Security Awareness Training” policy; Section 6.2.3 of the Executive Office of Technology Services and Security’s Information Security Risk Standard IS.010; and Section AT-3 of Revision 5 of NIST’s Special Publication 800-53, we took the actions described below.

We obtained from CCCC’s vice president of finance and operations a list of 571 employees who were employed by CCCC during the audit period. We grouped these 571 CCCC employees into the following two categories: 239 CCCC employees with hire dates during the audit period (i.e., newly hired employees)—who were therefore required to complete initial cybersecurity awareness training—and 332 CCCC employees with hire dates before the audit period (i.e., existing employees)—who were therefore required to complete annual refresher cybersecurity awareness training.

We selected a random, nonstatistical⁷ sample of 35 newly hired employees from the population of 239 and another random, nonstatistical sample of 40 existing employees from the population of 332.

To determine whether CCCC ensured that its employees from our two samples completed cybersecurity awareness training—the initial training for our sample of 35 newly hired employees and the annual refresher training for our sample of 40 existing employees—we took the actions described below for each sample.

We obtained a report of all cybersecurity awareness training activity for the audit period from CCCC’s cybersecurity awareness training system. This report contained CCCC employee email addresses, training campaign names, content name (description of the training), enrollment dates, and completion dates. According to CCCC management, this is the only record of enrollment and completion of cybersecurity awareness training for CCCC employees. We inspected this report for each of the CCCC employees in both of our samples (both newly hired and existing employees) to determine whether they enrolled in and completed cybersecurity awareness training.

Additionally, for the newly hired employees in our sample, we compared their date of hire (from the CCCC employee list) to their listed completion date of initial cybersecurity awareness training (from the report of all cybersecurity awareness training activity from the audit period). We calculated the number of days it took each of the newly hired employees to complete the initial cybersecurity awareness training to determine whether the number of days for each newly hired employee was within 30 days of their hire date.

Based on the results of our testing, we determined that, during the audit period, CCCC did not ensure that all employees completed cybersecurity awareness training. See Finding 3 for more information.

We used a nonstatistical sampling method for testing and therefore did not project the results of our testing to the corresponding populations. 

Daily Crime Log

To determine the reliability of the daily crime log data maintained in CCCC’s case management system, we interviewed CCCC employees who were knowledgeable about the daily crime log data. We also tested certain general information system controls (including security management, access controls, configuration management, and contingency planning for CCCC’s case management system). We observed the director of public safety query CCCC’s case management system and extract 178 cases that were made during the audit period. The director of public safety then provided us with a list of these 178 cases in a Microsoft Excel file. We also conducted a date range analysis on the list of 178 cases that we received to ensure that the dates for these cases were within the audit period. We inspected the list of 178 cases for duplicate case numbers, for embedded data, for hidden rows and columns, and for gaps in the sequential case numbers to determine whether cases were missing or deleted from the dataset. We followed up with CCCC regarding any gaps and determined that there were valid reasons for the gaps.

Student Disciplinary Action Log

To determine the reliability of the student disciplinary action log data, we interviewed CCCC employees who were knowledgeable about the data. We observed CCCC’s dean of student affairs and student retention query CCCC’s student disciplinary action record management system and extract 82 student disciplinary actions that were made during the audit period. The dean of student affairs and student retention then provided us with a list of these 82 student disciplinary actions in a Microsoft Excel file. We conducted a date range analysis on the list of 82 student disciplinary actions that we received to ensure that the dates for these student disciplinary actions were within the audit period. Additionally, we inspected the list of 82 student disciplinary actions for duplicate file identification numbers, embedded data, and hidden rows and columns.

Cybersecurity Awareness Training

To determine the reliability of the cybersecurity awareness training data obtained from CCCC’s cybersecurity awareness training system, we interviewed CCCC employees who were knowledgeable about the data. We also tested certain general information system controls (including security management, access controls, configuration management, and contingency planning for CCCC’s cybersecurity awareness training system). We obtained a list of all 5,351 cybersecurity awareness trainings from the audit period that CCCC’s chief information officer generated from CCCC’s cybersecurity awareness training system. We conducted a date range analysis on the list of 5,351 cybersecurity awareness trainings that we received to ensure that the dates for these trainings were within the audit period. Additionally, we inspected the list of 5,351 cybersecurity awareness trainings for embedded data and hidden rows and columns. According to CCCC management, this is the only record of enrollment and completion of cybersecurity awareness training for CCCC employees.

We obtained from CCCC’s vice president of operations a list of all 571 CCCC employees who were employed by CCCC during the audit period. To determine the reliability of the list of 571 CCCC employees, we compared the employee names and employee identification numbers for each of the 571 CCCC employees to a list of individuals who were actively employed during the audit period, which we generated independently from the Commonwealth’s Human Resources Compensation Management system, the Commonwealth’s official payroll system. We also selected a random sample of 20 CCCC employees from the list of 571 CCCC employees that we received and verified their employment status with CCCC by tracing employee information (e.g., employee identification number, employee name, start date, union code, and employee title) to the employee information in the employee personnel files maintained by CCCC’s Human Resources Department. We conducted a date range analysis on the list of 571 CCCC employees to check for dates outside the audit period. We inspected the list of 571 CCCC employees for duplicate employee identification numbers, embedded data, and hidden rows and columns.

Based on the results of the data reliability assessment procedures described above, we determined that the information we obtained was sufficiently reliable for the purposes of our audit.