This page, Audit of Holyoke Community College Objectives, Scope, and Methodology, is offered by the Office of the State Auditor.

Audit of Holyoke Community College Objectives, Scope, and Methodology

An overview of the purpose and process of auditing Holyoke Community College.

Overview

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of certain activities of Holyoke Community College (HCC) for the period July 1, 2017 through March 31, 2019.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Below is our audit objective, indicating the question we intended our audit to answer, the conclusion we reached regarding the objective, and where the objective is discussed in the audit findings.

Objective:

  1. Does HCC administer an information security training and awareness program, for individuals who have access to its computer system, that is in accordance with Section 6 of the Commonwealth’s Executive Order 504; Sections 6.2.3 and 6.2.8 of the Executive Office of Technology Services and Security (EOTSS) Information Security Risk Management Standard IS.010; and Controls AT-1(a)(1), AT-2(a), and PS-6 within the National Institute of Standards and Technology[2] Special Publication 800-53r4, Security and Privacy Controls for Federal Information Systems and Organizations?

Conclusion: No; see Finding 1

To achieve our objective, we gained an understanding of the internal controls related to the objective by reviewing applicable policies and conducting interviews with HCC officials. In addition, we performed the following procedures to address our audit objective.

To determine whether HCC had administered an information security training and awareness program that was consistent with Commonwealth and industry standards, we obtained a list of the 813 users of HCC’s Banner operating system who had active user accounts during the audit period. From this list, we selected a nonstatistical random sample of 60 users. For each user in our sample, we reviewed the electronic records maintained in HCC’s information security training and awareness program, noting the date training was assigned and the date it was completed. We noted that HCC had implemented information security training in October 2018 and had allowed users 60 days to complete initial training. We examined the documentation and tested to determine whether each user was assigned initial information security training in October 2018 or, if s/he was hired after October 2018, within 30 days of his/her hire date in accordance with EOTSS’s Information Security Risk Management Standard IS.010. We compared the assigned training date to the completion date to determine whether each user who was assigned training had completed it in the required timeframe.

To determine whether users had signed acceptable use policies, we requested acceptable use policies from the Human Resources Department for each system user in this same sample. We reviewed the acceptable use policies to ensure that all users had signed them, noting their agreement with HCC’s acceptable use terms.

Because we used a nonstatistical approach for our audit sample, we could not project our results to the entire population of system users.

Data Reliability

We obtained a list of Banner users from the Information Technology Department and assessed its reliability by comparing it to the Human Resources Department’s list of personnel employed during the audit period. As a result of our data reliability analysis and trace testing, we found that the data in the Banner user list were reliable for the purpose of our audit objectives.

2. According to its website, the National Institute of Standards and Technology promotes industry best practices in “innovation and industrial competitiveness by advancing . . . technology through research and development in ways that enhance economic security.”

Date published: August 11, 2020