Audit of the University of Massachusetts Dartmouth Objectives, Scope, and Methodology

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of certain activities of the University of Massachusetts (UMass) Dartmouth for the period July 1, 2020 through December 31, 2021.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Below is a list of our audit objectives, indicating each question we intended our audit to answer; the conclusion we reached regarding each objective; and, if applicable, where each objective is discussed in the audit findings.

To accomplish our audit objectives, we gained an understanding of the aspects of UMass Dartmouth’s internal control environment that we determined to be relevant to our objectives by reviewing applicable UMass system policies and procedures and by interviewing UMass Dartmouth and UMass system management.

To obtain sufficient, appropriate evidence to address our audit objectives, we performed the following procedures.

To determine whether UMass Dartmouth executed bank card purchases in accordance with Sections II(A), II(D), III(A), and III(B) of the “Administrative Standards for the Business Expense Policy” within Appendix C of the “University of Massachusetts Business and Travel Expense Policy” and Sections 2, 4–8, 11, 12, 15, and 21 of the UMass Bank Card Use Standard, we distributed the total population of 8,596 bank card transactions made during the audit period, totaling $1,435,388, into the following five categories.

*      Each UMass Dartmouth bank card transaction has a unique transaction number assigned to it by the bank during the transaction process. The transactions in this category are ones that we found that shared the same transaction number with one or more other transactions. Transactions with shared transaction numbers can be attributed to various situations, such as splitting the cost of purchased items with multiple departments. For these transactions, our testing found that only one transaction amount was charged to UMass Dartmouth’s General Ledger.

**    This includes transactions that did not fit into the four previous categories. Examples include laboratory materials, books, subscriptions, hardware, and marketing items.

The method we used to select our sample, which consisted of 110 transactions and totaled $59,410, is as follows:

• From category one, we selected all 10 transactions, which totaled $41,754.
• From category two, we judgmentally selected 10 transactions (out of 306 transactions), which totaled $7,549.
• From categories three through five, we used a 95% confidence level,⁵ a 50% expected error rate,⁶ and a 22% desired precision range⁷ to determine that our sample should consist of, at a minimum, 85 transactions. We then increased the sample size to 90 transactions and used Audit Command Language software⁸ to randomly select the following:
• From category three, we selected 45 transactions (out of 2,471 transactions), which totaled $3,171.
• From category four, we selected 5 transactions (out of 259 transactions), which totaled $824.
• From category five, we selected 40 transactions (out of 5,550 transactions), which totaled $6,112.

Our sample of 110 transactions included 26 transactions that were made using Citibank procurement cards and 84 transactions that were made using U.S. Bank cards. For these transactions, we performed the following procedures.

Submission of Bank Card Transaction Documents

To determine whether cardholders completed Citibank statement reconciliations and submitted relevant receipts and other supporting documents to UMass Dartmouth management, we requested that UMass Dartmouth management provide us with hard copies of these documents. Once we received these documents, we recorded which documents were submitted to UMass Dartmouth management and which were missing.

To determine whether UMass Dartmouth cardholders completed timely U.S. Bank statement reconciliations and uploaded the corresponding bank statements and any supporting documents into the UMass system’s online bank card transaction repository, we met with a UPST bank card manager and observed them locating all of the requisitions for the transactions in our sample in the bank card transaction repository. We recorded the creation dates of the relevant requisitions. Then, we took screenshots of each bank statement and any supporting documents within the bank card transaction repository. If any transactions in our sample were missing bank statements or receipts, since those were required to be submitted, the UPST member obtained those from the cardholders. Once all documents related to our sample were provided to us, we recorded which documents were uploaded and, for those not uploaded, which documents were retrieved from the cardholder or were attempted to be retrieved but were still missing. By comparing each requisition’s creation date and the bank statement date, we determined whether the requisition was created within 30 days after the bank statement date.

Information on Receipts and Bank Statements

To determine whether each receipt in our sample of 110 transactions contained the vendor name, the description of the item or service purchased, the transaction date, the transaction total, and the last four digits of the bank card used to make the purchase, we inspected each receipt and noted any missing information.

To determine whether each receipt related to our sample of 110 transactions contained the start and expiration dates for purchased subscriptions (e.g., marketing software and access to online news websites), we first determined whether the transactions were for subscriptions by inspecting the receipts for descriptions of what was purchased. We then inspected each receipt for subscription start and end dates, if applicable.

To determine whether each receipt related to our sample of 110 transactions contained a documented business purpose, if not self-evident, we inspected each receipt and/or purchase log for a documented business purpose. When a transaction’s documented business purpose was not indicated on either its corresponding receipt or purchase log, we used the Human Resources Compensation Management System (HR/CMS), which is the Commonwealth’s official payroll system, to identify the cardholder’s title. We inspected the relevant receipts and purchase logs for the type of item or service purchased. We then determined whether the description of the items or services purchased were typical purchases for that cardholder’s title and department. We also met with UMass system and UMass Dartmouth management to ask about the business purposes for transactions that did not have documented business purposes on their corresponding receipts and/or purchase logs.

To determine whether each of the 110 transactions in our sample was related to the goals and mission of UMass Dartmouth, we inspected the bank statement and supporting documents to identify the type of purchase. We considered whether the purchase had a documented business purpose and was approved by the cardholder’s supervisor. We also met with UMass system and UMass Dartmouth management to inquire about how the purchases related to the goals and mission of UMass Dartmouth.

To determine whether each of the 110 transactions in our sample required a travel authorization number—a reference number indicating the travel was preapproved—to be documented on the related receipt(s) and bank statement, we identified which transactions were travel-related by inspecting the supporting documents for vendor names and transaction descriptions related to travel (i.e., airlines, lodging, car rentals, and gasoline). In addition, we inspected the supporting documents for a notation made by a UMass Dartmouth employee that would confirm that the transaction was for travel-related business purposes. We then inspected each receipt and bank statement for a travel authorization number, if applicable.

To determine whether cardholders and supervisors signed the bank statements related to the 110 transactions in our sample, we inspected the bank statements for these signatures.

Allowable Purchases

To determine whether each of the 110 transactions in our sample was for an allowable purchase, we inspected the supporting documents for the type of item(s) or service(s) purchased. To determine whether a transaction was a foreign expense,⁹ we inspected each receipt for a vendor address outside of the Unites States and for any foreign expense fees. To determine whether each transaction was for out-of-state travel, we inspected the relevant supporting documents for vendor addresses that were out of state and for any notations that the transaction was for travel or travel-related meals.

To determine whether each transaction was related to a business function, we inspected the relevant receipts and purchase logs for purchases such as conference registration fees, conference supplies (e.g., table settings, flowers, and snacks), and for any notation that these purchases were for a business function. We also inspected each receipt to determine whether sales tax was charged. If sales tax was charged, we inspected the related bank statement and general ledger to determine whether sales tax was refunded by the vendor to UMass Dartmouth. For each transaction that was made during the audit period by a cardholder whose employment was terminated during the audit period, we inspected the related bank statement for purchase dates and compared these dates to the cardholder’s termination date, which we obtained from HR/CMS.

Please see Finding 1 for information about the results of this testing.

To determine whether UMass Dartmouth adhered to Section 1 of Control 14 of the Center for Internet Security’s Critical Security Controls regarding cybersecurity awareness training, we asked members of UMass Dartmouth management who were responsible for cybersecurity awareness training whether UMass Dartmouth ensured that all employees received initial and annual cybersecurity awareness training during the audit period.

Please see Finding 2 for information about the results of this testing.

To determine the reliability of the bank card transaction data, we interviewed UMass system management who were knowledgeable about the data. We also reviewed the access controls for UMass Dartmouth’s computer network. To determine the completeness of the bank card transaction data, we observed the UPST bank card manager query the UMass system’s finance system and extract 28,152 bank card transactions that were made during the audit period. The UPST bank card manager then provided these 28,152 bank card transactions to us in a Microsoft Excel spreadsheet. We ensured that the total number of bank card transactions we observed within the finance system matched the total number of bank card transactions from the Excel spreadsheet. We inspected the bank card transaction data for hidden rows and columns, embedded data,¹⁰ and invisible content. We also inspected the bank card transaction data for duplicates, identifying whether a transaction number appeared more than once within the data. We also met with UMass system management to understand any inconsistencies we found while analyzing the bank card transaction data.

To determine the completeness of the population of 28,152 transactions, we judgmentally selected a sample of 20 transactions listed on bank statements and compared them to the 28,152 bank card transactions that were made during the audit period, which were listed in the UMass system’s finance system data. To determine the accuracy of this population, we judgmentally selected a sample of 20 bank card transactions from the 28,152 bank card transactions from the finance system that were made during the audit period and traced the cardholders’ names, the last four digits of the bank cards’ numbers, the transaction dates, the vendor names, the dollar amount of the transactions, and the transaction numbers to the 20 transactions listed on relevant bank statements. From the 28,152 transactions from the finance system, we identified a total population of 8,596 UMass Dartmouth bank card transactions that were made during our audit period.¹¹ We then verified that all cardholders relevant to this population of 8,596 UMass Dartmouth bank card transactions were UMass Dartmouth employees by tracing their names to a list of all UMass Dartmouth employees from HR/CMS.

Based on the results of the data reliability assessment procedures described above, we determined that the information obtained for our audit period was sufficiently reliable for the purposes of our audit.