Audit of the University of Massachusetts Chan Medical School Overview of Audited Entity

The University of Massachusetts (UMass) Chan Medical School (Chan), formerly known as UMass Medical School, was established by the Commonwealth in July 1962. UMass Chan, which is located in Worcester, is one of five campuses (along with Amherst, Boston, Dartmouth, and Lowell) in the UMass system. The UMass system was established under Section 1 of Chapter 75 of the Massachusetts General Laws. A president oversees the UMass system, while individual chancellors oversee each campus. The president and a 22-member board of trustees provide governance to the UMass system.

UMass Chan is a member of the Massachusetts public higher education system, which consists of 15 community colleges, nine state universities, and the five UMass campuses. According to UMass Chan’s website, it is “the commonwealth’s first and only public academic health sciences center.”

During fiscal year 2022, UMass Chan had a student population of approximately 1,246 and an employee population of 3,775. Also during fiscal year 2022, UMass Chan had $1,017,143,000 in revenue, which included $60,392,000 in state appropriations,¹ and $1,007,677,000 in expenses.

According to the UMass Chan Strategic Plan 2020–2025,

Our mission is to advance the health and wellness of our diverse communities throughout Massachusetts and across the world by leading and innovating in education, research, health care delivery and public service.

The UMass Chan Strategic Plan 2020–2025 also lists the following as UMass Chan’s strategic goals:

Education: Advance practice, learning and leading by engaging fully with our communities to be the destination of choice for learners interested in interprofessional, team-based care and biomedical entrepreneurship

Basic Science Research: Enable the engine of discovery to generate groundbreaking scientific knowledge, with continued focus on areas of world-class strength

Translational Research: Enhance innovation and increase impact by advancing the science of translation and channeling more discoveries into development and practice

Community and Global Impact: Measurably improve the health and welfare of the residents of Massachusetts and the citizens of the world by investing in an enhanced social mission that engages community partners, advances health equity research and promotes public health interventions for the benefit of those greatest in need

Operational Excellence and Financial Stewardship: Establish models for outstanding support services, vibrant working environments and highly efficient infrastructure to propel UMass Chan to new heights

Diversity, Equity and Inclusion: Create more inclusive, equitable environments across the entirety of the medical school so that UMass Chan can better attract, support and advance diverse staff, faculty and learners

In January 2020, the UMass system established the Unified Procurement Services Team (UPST). According to the website for the Office of the President of the UMass system,

The Unified Procurement Services Team (“UPST”) is established and under the direction of the Chief Procurement Officer and is responsible for the implementation of the Standards applicable to the University’s campuses and the President’s Office. . . .

The Unified Procurement Services Team (UPST) was created to provide purchasing, accounts payable, bid execution (sourcing), contracts, and supplier management services to the University of Massachusetts and our partner/ supplier community. We are professionals gathered from all the various UMass campuses to provide high-quality service while driving transaction efficiency.

We manage an average of $1 billion in third-party spend annually, and 17,000+ suppliers/partners.

The UPST also administers the UMass Bank Card Program, which is described below, for the UMass system.

According to the UMass Bank Card Use Standard,

The purpose of the University of Massachusetts Bank Card program . . . is to offer a payment method for those vendors that do not accept a Purchase Order, a mechanism for emergency purchases, and a payment method in lieu of employee Travel reimbursement. . . . The UMass Bank Card is a commercial credit card. The card works in much the same way as your personal credit card except the monthly statement amount is paid for by the University. Each card has specific spending limits and card controls.

The UPST issues these bank cards to employees who are first approved by their UMass Chan department supervisor or manager and have, according to the UMass Bank Card Use Standard, “a frequent need to make purchases on behalf of their department.”

The rollout of the UMass Bank Card Program started in October 2020 and finished in January 2021. This UMass Bank Card Program transitioned the UMass system away from using a procurement card administered through Citibank to using a bank card administered through U.S. Bank.

After the transition from the procurement card to the bank card, the UMass Bank Card Program created a new process for reviewing cardholders’ bank statement reconciliations. Previously, for Citibank cardholders, the process consisted of submitting all reconciled bank statements and supporting documents² to UMass Chan management, who then kept these documents on file. The new process for U.S. Bank cardholders is to upload all reconciled bank statements and supporting documents into the UMass system’s online bank card transaction repository.³ According to the UMass Bank Card Use Standard, the steps the cardholder must take include the following.

1. After the cardholder reconciles their monthly bank statement, they fill out the bank card form in the UMass system’s online bank card transaction repository. This opens a requisition, which is a folder that contains any supporting documents, within the bank card transaction repository.
2. The cardholder then uploads the bank statement and any supporting documents to the requisition.

• Cardholders who are engaged in out-of-state travel must take specific steps. A UMass Chan cardholder needs to generate a travel authorization number for any out-of-state travel-related transactions. A travel authorization number is a reference number indicating that the travel was preapproved. This travel authorization number then needs to be marked on the bank statement and any receipt(s) that correspond to the out-of-state travel in question.

3. The cardholder submits their requisition to their UMass Chan supervisor for approval.⁴ The bank card transaction repository timestamps the requisition upon its submission. The requisition, which should be submitted within 30 days of the bank statement date, is considered complete after the cardholder’s supervisor approves it, at which time the bank card transaction repository timestamps the requisition again.

During the audit period, there were 553 UMass Chan cardholders, whose spending on goods and services totaled approximately $12.3 million. This figure encompasses the following data points:

• an average of $295 per bank card transaction;
• a total of 7,900 transactions that cost $25 or less;
• a total of 25 transactions that cost $7,500 or more; and
• a grand total of 41,848 transactions.

UMass Chan’s “Privacy and Security Training Policy” states, “This policy affects all UMass Chan ‘Workforce,’ defined for this policy as faculty, staff, contingent workers, contractors and students engaged with all UMass Chan schools, departments, centers and business units.”

UMass Chan requires all of its workforce members who receive UMass Chan computer network access to complete cybersecurity awareness training. Specifically, UMass Chan’s “Privacy and Security Training Policy” states,

Initial training must be completed within fourteen (14) days after receiving access to UMass Chan networks or systems for all Workforce members. . . .

Annual Security and Privacy training for all Workforce members must be completed within sixty (60) days.

UMass Chan provides cybersecurity awareness training through a web-based, third-party platform. The cybersecurity awareness training platform tracks and records all activities and documentation (e.g., assignment status, automatic reminders, completion status, and training completion certificates) regarding cybersecurity awareness training for each workforce member.

According to the “Privacy and Security Training Policy” and UMass Chan officials, UMass Chan’s Information Technology Department, using the cybersecurity awareness training platform, tracks and monitors the training completion status for each workforce member. For workforce members who do not complete cybersecurity awareness training within the specified timeframe, the “Privacy and Security Training Policy” states that the escalation process occurs as follows:

• Initial training: . . .
  • If initial training is not completed after fourteen (14) days, users will receive a written reminder.
  • If the initial training has not been completed within thirty (30) days, the Workforce member’s manager or supervisor will be notified. Escalation to Department Chairs / Business Unit Leaders may result.
  • If initial training is still incomplete after sixty (60) days, Umass Chan Department Unit Heads and Senior Management will be made aware and disciplinary actions may result, including counseling, verbal warning, and/or suspension from or use of UMass Chan systems.
• Annual training: . . .
• If the user does not complete the training [within sixty (60) days], the following shall occur:
  • Sixty (60) days from receiving the training assignment, users will receive a written reminder to complete the training.
  • If the training has not been completed within ninety (90) days, the Workforce member’s manager or supervisor will be notified. Escalation to Department Chairs/ Business Unit Leaders may result.
  • If training is still incomplete after one hundred twenty (120) days, UMass Chan Department Unit Heads and Senior Management will be made aware and disciplinary actions may result, including counseling, verbal warning, and/or suspension from or use of UMass Chan systems.

According to UMass Chan officials, UMass Chan has an automated lockout control that suspends access to UMass Chan’s computer network for any workforce member who does not complete the training after 60 days past the initial training assignment date and 120 days past the annual refresher training assignment date.

If a workforce member is locked out of UMass Chan’s computer network system due to noncompliance with the cybersecurity awareness training policy, then that workforce member must contact the UMass Chan Information Technology Department to unlock their UMass Chan account. The workforce member then receives limited computer network access that only includes authorization to the cybersecurity awareness training platform so they can complete the outstanding training. Once the workforce member completes their outstanding training, UMass Chan’s Information Technology Department manually reactivates that workforce member’s access to UMass Chan’s computer network.