Audit of Massachusetts Bay Community College Objectives, Scope, and Methodology

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor (OSA) has conducted a performance audit of certain activities of Massachusetts Bay Community College (MBCC) for the period July 1, 2018 through December 31, 2019. When testing MBCC’s information technology (IT) inventory, we extended the audit period through August 28, 2020, capturing data in MBCC’s inventory database at that time. Our last physical observation of IT equipment was on January 19, 2021.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Below is a list of our audit objectives, indicating each question we intended our audit to answer; the conclusion we reached regarding each objective; and, if applicable, where each objective is discussed in the audit findings.

To achieve our audit objectives, we gained an understanding of MBCC’s internal control environment related to the objectives by reviewing college policies and procedures, as well as conducting inquiries with MBCC’s staff and management. During this process, we noted that MBCC did not have an information security training program (see Other Matters). We also reviewed and tested the operating effectiveness of internal controls related to P-Card transactions. To obtain sufficient, appropriate audit evidence to address our audit objectives, we conducted further audit testing as follows.

To determine whether MBCC maintained the required information on its inventory list of IT equipment and whether the list was accurate, we obtained a copy of the list as of August 28, 2020. We performed analytical procedures to determine whether all required information (purchase date, description, cost, assigned tag number, serial number, and location) was included on the list. From the list, we identified items that we felt were most vulnerable to theft (desktops, laptops, tablets, printers, and projectors). We selected a statistical random sample (with a 95% confidence level, a 0% expected error rate, and a 5% tolerable error rate) of 60 of the 2,474 vulnerable items on the list. We physically examined¹ each item in our sample to verify that it existed, was properly tagged with an MBCC asset identification number, and was accurately recorded on the list. We also asked MBCC officials whether an annual physical inventory of IT equipment had been performed during our audit period and requested documentation to substantiate that the inventory had been performed.

To determine whether disposals of surplus IT equipment were performed in accordance with the regulations of the state Operational Services Division, we requested and received a list of all 54 IT equipment items that were designated as surplus during our audit period. For each of these items, we examined MBCC supporting documentation (completed Declaration of Surplus Property Forms and email correspondence between MBCC and the State Surplus Property Office) for evidence that MBCC obtained approval from the State Surplus Property Office to transfer or dispose of each item.

In our previous audit, we found that MBCC had not immediately reported to OSA 10 missing or stolen items, totaling $12,720. To determine whether MBCC had taken corrective measures to address this issue, we interviewed the college’s vice president of finance and administration, director of procurement and business operations, comptroller, and chief of police to determine whether the college had developed and implemented policies, procedures, and monitoring controls (including the designation of an individual with the responsibility of ensuring that all unaccounted-for variances, losses, shortages, and thefts of funds or property were immediately reported to OSA) as recommended in our prior audit. The chief of police gave us the incident report for the only occurrence of lost or stolen college property that was reported to campus police during the audit period. We reconciled this incident to the Chapter 647 reports that MBCC had submitted to OSA at any point. We also reviewed other campus police incident reports from the audit period to determine whether there were any variances, losses, shortages, or thefts of funds or property that had not been reported to OSA.

To determine whether P-Card expenditures were supported by adequate documentation and restricted to college-related business in accordance with MBCC’s policies and procedures, we obtained a list of all MBCC’s P-Card transactions for the audit period from Bank of America’s electronic accounting system. Total P-Card activity for the audit period consisted of 1,413 P-Card transactions, totaling $425,851. We selected a nonstatistical judgmental sample of 40 P-Card transactions for testing. We examined MBCC’s supporting documentation (original detailed vendor receipts, purchase orders, written detailed explanations of charges, and travel request forms where applicable) to validate the nature and business purpose of the expenditures.

We used a combination of nonstatistical and statistical sampling methods for our audit objectives and did not project the sample results to any of the population.

To determine the accuracy of MBCC’s IT inventory list, we selected a judgmental sample of 20 IT items from the list and traced them to their physical locations. We also tested the data for duplicate records. To determine the completeness of MBCC’s IT inventory list, we selected a judgmental sample of 20 IT items from different locations on MBCC campuses and traced them to the list. In addition, to ascertain whether new IT equipment purchases were added to the list and tracked, we selected a judgmental sample of 20 IT equipment vendor invoices from the audit period and compared them to the items on the list.

To determine the completeness and accuracy of the college’s IT equipment surplus list, we randomly selected a sample of 10 IT equipment items disposed of during the audit period and traced the sample to hardcopy Declaration of Surplus Property Forms. In addition, we selected a judgmental sample of 10 different IT equipment items on the Declaration of Surplus Property Forms and traced them back to the surplus list.

We assessed the reliability of data obtained from Bank of America’s electronic accounting system for P-Card transactions by tracing certain electronic transactions to and from monthly credit card statements and scanning for duplicate records. We also reviewed System and Organization Controls² reports from Bank of America that covered our audit period and ensured that certain information system control tests had been performed.

Based on the data reliability procedures described above, we determined that the data obtained for our audit period were sufficiently reliable for the purposes of our audit work.