Audit of the Massachusetts State College Building Authority Objectives, Scope, and Methodology

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor (OSA) has conducted a performance audit of certain activities of the Massachusetts State College Building Authority (MSCBA) for the period July 1, 2022 through June 30, 2024.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Below is a list of our audit objectives, indicating each question we intended our audit to answer; the conclusion we reached regarding each objective; and, if applicable, where each objective is discussed in the audit findings.

To accomplish our audit objectives, we gained an understanding of the aspects of MSCBA’s internal control environment relevant to our objectives by reviewing applicable policies and procedures, reviewing relevant contracts, and interviewing officials at MSCBA and two state universities. We evaluated the design and implementation of the internal controls related to our audit objectives. We also tested the operating effectiveness of controls related to the verification of service contracts for key safety systems in MSCBA-owned buildings. In addition, to obtain sufficient, appropriate evidence to address our audit objectives, we performed the procedures described below.

To determine whether MSCBA had a process in place to ensure that it met the fiscal year 2023 and 2024 benchmarks set by SDO for contracting with minority-, women-, and veteran-owned businesses, we took the following actions. First, we obtained a list of all 3,947 expenses, totaling $104,299,510, recorded by MSCBA during the audit period in its accounting and project management system. From this data, we identified MSCBA’s discretionary spending for fiscal years 2023 and 2024 as $43,968,982 and $41,582,622, respectively, totaling 2,752 transactions. We then determined how much of the identified discretionary spending was directed to certified minority-, women-, and veteran-owned businesses. To do this, we cross-referenced the vendors in the discretionary spending dataset with SDO’s directory of certified businesses. We calculated the total dollar amount and the percentage of discretionary spending awarded to diverse vendors during the audit period and compared it to the applicable SDO benchmarks for fiscal years 2023 and 2024.

Based on the results of our testing, we determined that MSCBA did not have a process in place to ensure that it met the benchmarks set by SDO for contracting with minority-, women-, and veteran-owned businesses during the audit period. Also, although MSCBA met the SDO benchmark for contracting with veteran-owned businesses, it did not meet the spending benchmarks for minority- and women-owned businesses. See Finding 1 for more information.

To determine to what extent MSCBA ensured that its residential buildings on university campuses met the minimum public health and safety requirements, in accordance with 780 CMR 101.3 and MSCBA’s established procedures for monitoring its properties, we took the actions described below.

We selected a random, nonstatistical⁷ sample of 20 MSCBA-owned residential properties from a population of 54 for our testing. For each property in our sample, we verified that the respective state university submitted the required Service Contract Tracking Sheet to MSCBA. We reviewed the tracking sheets submitted by the university facilities staff members to ensure that they were fully completed and that they provided vendor information for all applicable building systems. We requested executed vendor agreements and Certificates of Occupancy for each property and the service contracts listed on the tracking sheets in our sample. We examined each contract to ensure that it corresponded with the correct property and vendor listed on the tracking sheet, and we ensured that the contract dates were active during the audit period. In addition, we confirmed that the sampled universities maintained a valid Certificate of Occupancy on file for each property.

We did not identify any exceptions in our testing. Therefore, we concluded that, during the audit period, MSCBA ensured that its residential buildings on university campuses met the minimum public health and safety requirements, in accordance with 780 CMR 101.3 and MSCBA’s established procedures for monitoring its properties.

During our prior audit (Audit No. 2018-0209-3A), we found that MSCBA had not developed an effective BCP or conducted testing of its disaster recovery plan in accordance with the Executive Office of Technology Services and Security’s (EOTSS’s) Business Continuity and Disaster Recovery Standard IS.005. To determine whether MSCBA took corrective actions to address the issue identified in our prior audit (Audit No. 2018-0209-3A) regarding its BCP, we interviewed knowledgeable MSCBA staff members and inspected MSCBA’s BCP to confirm that a plan was in place during this report’s audit period and that it complied with EOTSS’s Business Continuity and Disaster Recovery Standard IS.005. Additionally, we reviewed documented test results to determine whether MSCBA’s disaster recovery plan was tested annually during the audit period.

Based on the results of our testing, we determined that MSCBA’s BCP did not include all required elements. See Finding 2 for more information. 

During our prior audit (Audit No. 2018-0209-3A), we found that MSCBA had not developed an ICP that clearly summarized all of MSCBA’s risks and the internal controls that it had in place to mitigate them. To determine whether MSCBA took corrective actions to address the issue identified in our prior audit (Audit No. 2018-0209-3A) regarding its ICP, we interviewed knowledgeable MSCBA staff members and inspected the agency’s ICP that was in effect during this report’s audit period to determine whether it had been updated to include an agency-wide risk assessment, as recommended in our prior audit. Additionally, we examined the ICP to assess whether it complied with the Office of the Comptroller of the Commonwealth’s (CTR’s) guidelines, which require inclusion of the eight components of the Committee of Sponsoring Organizations of the Treadway Commission’s enterprise risk management framework.

Based on the results of our testing, we determined that MSCBA’s ICP does not meet all of the requirements of CTR’s guidelines. See Finding 3 for more information.

We used nonstatistical sampling methods for testing and therefore did not project the results of our testing to any population. 

To determine the reliability of the list of expenses that we obtained from MSCBA’s accounting and project management system, we conducted interviews and system walkthroughs with MSCBA management and staff members who were knowledgeable about and responsible for overseeing the data. We also checked the list to ensure that there were no duplicates or missing data, and that all of the data corresponded to dates within the audit period. To confirm the completeness of the list of expenses, we selected a random sample of 20 purchase orders we inspected from MSCBA’s physical files and traced vendor names, purchase order numbers, and payment amounts to the list of expenses we received. To confirm the accuracy of the list of expenses, we selected a random sample of 20 expenses from the list and traced vendor names, payment dates, and payment amounts to invoices that we inspected from MSCBA’s records.

We also reviewed select system controls related to security management, access controls, configuration management, segregation of duties, and contingency planning. Through this testing, we found that MSCBA has not established adequate internal controls over its accounting system. See Finding 4 for more information regarding the results of our review of the information system controls.

Further, we conducted a Benford’s Law test⁸ on the list of overall expenses to detect any indication of fraud or tampering with general ledger expenses that would compromise data integrity, and we found no indication of such activity.

To determine the reliability of the list of properties owned by MSCBA that was provided to us, we interviewed MSCBA officials who were knowledgeable about the list. We checked the list for blank and duplicate records. We also confirmed that final construction dates for all listed properties occurred before the start of the audit period. Additionally, we verified the list of properties against community college and university records and MSCBA contracts. Finally, we reconciled the list of residential properties with MSCBA’s Annual Report Fiscal Year 2023.

Based on the results of the data reliability assessment procedures described above, we determined that the information we obtained was sufficiently reliable for the purposes of our audit.