In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of certain activities of Holyoke Community College (HCC) for the period July 1, 2017 through March 31, 2019.
We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.
Below is our audit objective, indicating the question we intended our audit to answer, the conclusion we reached regarding the objective, and where the objective is discussed in the audit findings.
No; see Finding 1
To achieve our objective, we gained an understanding of the internal controls related to the objective by reviewing applicable policies and conducting interviews with HCC officials. In addition, we performed the following procedures to address our audit objective.
To determine whether HCC had administered an information security training and awareness program that was consistent with Commonwealth and industry standards, we obtained a list of the 813 users of HCC’s Banner operating system who had active user accounts during the audit period. From this list, we selected a nonstatistical random sample of 60 users. For each user in our sample, we reviewed the electronic records maintained in HCC’s information security training and awareness program, noting the date training was assigned and the date it was completed. We noted that HCC had implemented information security training in October 2018 and had allowed users 60 days to complete initial training. We examined the documentation and tested to determine whether each user was assigned initial information security training in October 2018 or, if s/he was hired after October 2018, within 30 days of his/her hire date in accordance with EOTSS’s Information Security Risk Management Standard IS.010. We compared the assigned training date to the completion date to determine whether each user who was assigned training had completed it in the required timeframe.
To determine whether users had signed acceptable use policies, we requested acceptable use policies from the Human Resources Department for each system user in this same sample. We reviewed the acceptable use policies to ensure that all users had signed them, noting their agreement with HCC’s acceptable use terms.
Because we used a nonstatistical approach for our audit sample, we could not project our results to the entire population of system users.
We obtained a list of Banner users from the Information Technology Department and assessed its reliability by comparing it to the Human Resources Department’s list of personnel employed during the audit period. As a result of our data reliability analysis and trace testing, we found that the data in the Banner user list were reliable for the purpose of our audit objectives.
Date published: August 11, 2020