Audit of the Department of Higher Education Objectives, Scope, and Methodology

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor (OSA) has conducted a performance audit of certain activities of the Department of Higher Education (DHE) for the period March 27, 2020 through February 28, 2021.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Below is a list of our audit objectives, indicating each question we intended our audit to answer; the conclusion we reached regarding each objective; and, if applicable, where each objective is discussed in the audit findings.

To achieve our audit objectives, we gained an understanding of the DHE internal controls we deemed relevant to the objectives by reviewing agency policies and procedures, as well as conducting interviews with DHE employees who were responsible for administering and managing the areas under audit.

To determine whether DHE ensured that each IHE signed an ISA or SCF for the amount of GEER funding it was to receive, we performed the following procedures:

• We received from DHE the forms and attachments for all 66 ISAs and SCFs for GEER funding that were executed during the audit period, as well as DHE’s Office of Student Financial Assistance (OSFA) payment schedule for the 15 IHEs that received emergency financial aid.
• We inspected each of the 66 ISAs and SCFs to ensure that the amount disbursed by DHE did not exceed the maximum obligation and that the agreement or form was signed and dated by the IHE and DHE.
• We inspected emails between DHE and the 15 IHEs that received GEER funding for emergency financial aid to ensure that each IHE was notified of its eligibility for, and allocation of, emergency financial aid. We reviewed the OSFA payment schedule to ensure that the amount disbursed by DHE to each IHE did not exceed the IHE’s allocated amount for emergency financial aid.

To determine whether DHE ensured that it incorporated the guidance for the appropriate use of GEER funding into the ISAs and SCFs with the IHEs, we performed the following procedure:

• For the same population of 66 ISAs and SCFs and 15 IHEs that received emergency financial aid, we inspected the forms and attachments provided to ensure that a “Terms of Performance and Justifications” attachment was included. We then inspected these terms to ensure that they contained guidance on grantee eligibility and allowable uses of grant funds.
• In one instance, DHE could not locate the attachments for an ISA. We verbally recommended to DHE that it retain all grant and contract forms and attachments.

To determine whether DHE had updated its ICP, we performed the following procedure:

• We received from DHE the ICP that was in effect during the audit period and inspected it to ensure that DHE had updated it to reflect the effect of the COVID-19 pandemic on its business and operating processes.

To determine whether DHE ensured that each employee who was responsible for administering or managing GEER funding completed cybersecurity awareness training, we performed the following procedure:

• We obtained from DHE a list of the 10 employees who were responsible for administering or managing GEER funding during the audit period. We received the training records for these employees and inspected their records to determine whether they had completed the required training during the audit period.

To determine whether DHE had met with CCAB to review the MassTransfer Commonwealth Commitment Program and submitted a report about that review to BHE, we performed the following procedures:

• We asked DHE officials about their oversight and process for scheduling and documenting meetings with CCAB to review the MassTransfer Commonwealth Commitment Program, as well as how DHE documented and reported the results of CCAB’s review and reported any recommendations to BHE.
• We requested all agendas and minutes for CCAB meetings during the audit period and inspected the documentation provided to identify the topics discussed and determine whether all aspects of the MassTransfer Commonwealth Commitment Program had been reviewed.
• We requested all reports and communications from DHE to BHE regarding CCAB’s review of the MassTransfer Commonwealth Commitment Program.

In 2018, OSA performed a data reliability assessment of the Massachusetts Management Accounting and Reporting System (MMARS) for the period April 1, 2017 through March 31, 2018. The assessment focused on reviewing selected system controls, including access, security awareness, audit and accountability, configuration management, identification and authentication, and personnel security. During the current audit, we performed electronic testing of MMARS data to test for duplicates and blank fields and to ensure that the dates of DHE’s expenses were within the audit period. Additionally, we traced the amounts on all 66 ISAs and SCFs, and the amounts of the aforesaid 15 IHEs’ financial aid payments, from DHE’s grant tracking file to the transaction data in MMARS by comparing the data fields “Institution Name,” “Grant Type,” and “Expenditure Amount” in DHE’s grant tracking file to the data fields “Legal Name,” “Accounting Line Description,” and “Cash Expense Amount” in MMARS, respectively, to ensure that the data fields in the two sources matched.

We obtained a list of all DHE employees during the audit period from the state’s Human Resources Compensation Management System (HR/CMS). To determine the accuracy of the data on the list, we performed electronic testing to identify duplicates and blank fields and ensure that the data were within the audit period. We also traced the employee names from the list of 10 that DHE had given us to the information in HR/CMS to ensure that all 10 listed individuals were DHE employees during the audit period.

Based on the results of our data reliability assessments, we determined that the information obtained for our audit period was sufficiently reliable for the purpose of our audit objectives.