Offered by the Office of the State Auditor

Audit of the University of Massachusetts Lowell Objectives, Scope, and Methodology

An overview of the purpose and process of auditing the University of Massachusetts Lowell.


Overview

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of certain activities of the University of Massachusetts (UMass) Lowell for the period July 1, 2020 through December 31, 2021.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Below is a list of our audit objectives, indicating each question we intended our audit to answer; the conclusion we reached regarding each objective; and, if applicable, where each objective is discussed in the audit findings.

Objective 1: Did UMass Lowell execute all bank card purchases in accordance with Sections II(A), II(D), III(A), and III(B) of the “Administrative Standards for the Business Expense Policy” within Appendix C of the “University of Massachusetts Business and Travel Expense Policy” (document T92-031) and Sections 2, 4–8, 11, 12, 15, and 21 of the UMass Bank Card Use Standard?

Conclusion: No; see Finding 1

Objective 2: Did UMass Lowell adhere to its “Security Awareness Policy IT-5-112” regarding cybersecurity awareness training for nonfaculty employees?

Conclusion: No; see Finding 2

To accomplish our audit objectives, we gained an understanding of the aspects of UMass Lowell’s internal control environment that we determined to be relevant to our objectives by reviewing applicable UMass system policies and procedures and by interviewing UMass Lowell and UMass system management.

To obtain sufficient, appropriate evidence to address our audit objectives, we performed the following procedures.

Bank Card Purchases

To determine whether UMass Lowell executed bank card purchases in accordance with Sections II(A), II(D), III(A), and III(B) of the “Administrative Standards for the Business Expense Policy” within Appendix C of the “University of Massachusetts Business and Travel Expense Policy” and Sections 2, 4–‍8, 11, 12, 15, and 21 of the UMass Bank Card Use Standard, we distributed the total population of 19,556 bank card transactions made during the audit period, totaling $4,137,309, into the following five categories.

Category Number   Category Description                             Number of Transactions   Total Dollar Value of Transactions
1                 $7,500 or Higher                                 9                        $146,432
2                 Transactions with Shared Transaction Numbers*    140                      29,961
3                 Amazon, eBay, and PayPal                         5,106                    575,330
4                 Food and Groceries                               678                      72,494
5                 All Remaining Transactions**                     13,623                   3,313,091
Total                                                              19,556                   $4,137,309†

* Each UMass Lowell bank card transaction has a unique transaction number assigned to it by the bank during the transaction process. The transactions in this category are ones we found to share the same transaction number with one or more other transactions. Transactions with shared transaction numbers can be attributed to various situations, such as splitting the cost of purchased items with multiple departments. For these transactions, our testing found that only one transaction amount was charged to UMass Lowell’s General Ledger.

** This category includes transactions that did not fit into the four previous categories. Examples include laboratory materials, books, subscriptions, hardware, and marketing items.

† Discrepancy in total is due to rounding.

The method we used to select our sample, which consisted of 110 transactions and totaled $167,312, is as follows:

  • From category one, we selected all 9 transactions, which totaled $146,432.
  • From category two, we judgmentally selected 10 transactions (out of 140 transactions), which totaled $8,516.
  • From categories three through five, we used a 95% confidence level [3], a 50% expected error rate [4], and a 22% desired precision range [5] to determine that our sample should consist of, at a minimum, 85 transactions. We then increased the sample size to 91 transactions and used Audit Command Language software [6] to randomly select the following:
      • From category three, we selected 45 transactions (out of 5,106 transactions), which totaled $5,253.
      • From category four, we selected 6 transactions (out of 678 transactions), which totaled $339.
      • From category five, we selected 40 transactions (out of 13,623 transactions), which totaled $6,772.

Our sample of 110 transactions included 21 transactions that were made using Citibank procurement cards and 89 transactions that were made using U.S. Bank cards. For these transactions, we performed the following procedures.

Submission of Bank Card Transaction Documents

To determine whether cardholders completed Citibank statement reconciliations and submitted relevant receipts and other supporting documents to UMass Lowell management, we requested that UMass Lowell management provide us with hard copies of these documents. Once we received these documents, we recorded which documents were submitted to UMass Lowell management and which were missing.

To determine whether UMass Lowell cardholders completed timely U.S. Bank statement reconciliations and uploaded the corresponding bank statements and any supporting documents into the UMass system’s online bank card transaction repository, we met with a UPST bank card manager and observed them locating all of the requisitions for the transactions in our sample in the bank card transaction repository. We recorded the creation dates of the relevant requisitions. Then we took screenshots of each bank statement and any supporting documents within the bank card transaction repository. Where a transaction in our sample was missing a bank statement or receipt that was required to be submitted, the UPST member obtained it from the cardholder. Once all documents related to our sample were provided to us, we recorded which documents were uploaded and, for those not uploaded, which documents were retrieved from the cardholder or were attempted to be retrieved but were still missing. By comparing each requisition’s creation date with the bank statement date, we determined whether the requisition was created within 30 days after the bank statement date.

Information on Receipts and Bank Statements

To determine whether each receipt in our sample of 110 transactions contained the vendor name, the description of the item or service purchased, the transaction date, the transaction total, and the last four digits of the bank card used to make the purchase, we inspected each receipt and noted any missing information.

To determine whether each receipt related to our sample of 110 transactions contained the start and expiration dates for purchased subscriptions (e.g., online data storage and marketing software), we first determined whether the transactions were for subscriptions by inspecting the receipts for descriptions of what was purchased. We then inspected each receipt for subscription start and end dates, if applicable.

To determine whether each receipt related to our sample of 110 transactions contained a documented business purpose, if not self-evident, we inspected each receipt and/or purchase log for a documented business purpose. When a transaction’s documented business purpose was not indicated on either its corresponding receipt or purchase log, we used the Human Resources Compensation Management System (HR/CMS), which is the Commonwealth’s official payroll system, to identify the cardholder’s title. We inspected the relevant receipts and purchase logs for the type of item or service purchased. We then determined whether the items or services purchased were typical purchases for that cardholder’s title and department. We also met with UMass system and UMass Lowell management to ask about the business purposes for transactions that did not have documented business purposes on their corresponding receipts and/or purchase logs.

To determine whether each of the 110 transactions in our sample was related to the goals and mission of UMass Lowell, we inspected the bank statement and supporting documents to identify the type of purchase. We considered whether the purchase had a documented business purpose and was approved by the cardholder’s supervisor. We also met with UMass system and UMass Lowell management to inquire about how the purchases related to the goals and mission of UMass Lowell.

To determine whether each of the 110 transactions in our sample required a travel authorization number—a reference number indicating that the travel was preapproved—to be documented on the related receipt(s) and bank statement, we identified which transactions were travel-related by inspecting the supporting documents for vendor names and transaction descriptions related to travel (i.e., airlines, lodging, car rentals, and gasoline). In addition, we inspected the supporting documents for a notation made by a UMass Lowell employee that would confirm that the transaction was for travel-related business purposes. We then inspected each receipt and bank statement for a travel authorization number, if applicable.

To determine whether cardholders and supervisors signed the bank statements related to the 110 transactions in our sample, we inspected the bank statements for these signatures.

Allowable Purchases

To determine whether each of the 110 transactions in our sample was for an allowable purchase, we inspected the supporting documents for the type of item(s) or service(s) purchased. To determine whether a transaction was a foreign expense [7], we inspected each receipt for a vendor address outside of the United States and for any foreign expense fees. To determine whether each transaction was for out-of-state travel, we inspected the relevant supporting documents for vendor addresses that were out of state and for any notations that the transaction was for travel or travel-related meals.

To determine whether each transaction was related to a business function, we inspected the relevant receipts and purchase logs for purchases such as conference registration fees, conference supplies (e.g., table settings, flowers, and snacks), and for any notation that these purchases were for a business function. We also inspected each receipt to determine whether sales tax was charged. If sales tax was charged, we inspected the related bank statement and general ledger to determine whether sales tax was refunded by the vendor to UMass Lowell. For each transaction that was made during the audit period by a cardholder whose employment was terminated during the audit period, we inspected the related bank statement for purchase dates and compared these dates to the cardholder’s termination date, which we obtained from HR/CMS.

Please see Finding 1 for information about the results of this testing.

Cybersecurity Awareness Training

To determine whether UMass Lowell adhered to its “Security Awareness Policy IT-5-112” and provided cybersecurity awareness training to nonfaculty employees, using the population of 1,137 nonfaculty employees who had computer network access during the audit period, we took the following actions.

We distributed the 1,137 nonfaculty employees into the following two categories: 121 nonfaculty employees who were hired during the audit period (i.e., newly hired employees) and were required to complete initial cybersecurity awareness training, and 1,016 nonfaculty employees who were hired before the audit period (i.e., existing nonfaculty employees) and were required to complete annual cybersecurity awareness training during the audit period. We selected a random, statistical sample of 80 nonfaculty employees from our population of 1,137, using a 95% confidence level, 0% expected error rate, and a 5% tolerable error rate [8]. The sample of 80 consisted of 20 newly hired employees and 60 existing nonfaculty employees. We obtained evidence (i.e., screenshots of employee cybersecurity awareness training activity) from UMass Lowell’s cybersecurity awareness training platform, which assigns and tracks the completion of cybersecurity awareness training, and we determined whether our sampled nonfaculty employees completed the required initial or annual cybersecurity awareness training by inspecting each assignment date and completion date recorded in UMass Lowell’s cybersecurity awareness training platform.
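The training completion test described above, as an added example that is not part of the audit report and is not code from UMass Lowell's training platform: it splits constructed employee records into the report's two categories (newly hired during the audit period versus existing), then checks each employee's assignment and completion dates against the audit period. The compliance criterion itself (at least one completion inside the audit period, and for a new hire not before the hire date) is an assumption, since the report names the check but not the exact rule; the sample records are constructed.

```python
# Added example, not part of the audit report or of the training platform:
# a compliance check over constructed cybersecurity-awareness-training
# records of the kind the report says were inspected (assignment date and
# completion date per employee).
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

AUDIT_START = date(2020, 7, 1)     # audit period stated in the report
AUDIT_END = date(2021, 12, 31)


@dataclass
class Assignment:
    assigned: date
    completed: Optional[date]      # None = assignment still open


@dataclass
class Employee:
    employee_id: str
    hire_date: date
    assignments: List[Assignment] = field(default_factory=list)


def category(emp: Employee) -> str:
    """Report's split: hired inside the audit period = newly hired."""
    if AUDIT_START <= emp.hire_date <= AUDIT_END:
        return "newly hired"
    return "existing"


def evaluate(emp: Employee) -> dict:
    """Assumed rule (the report names the check, not the criterion): an
    employee is compliant if at least one assignment has a completion date
    inside the audit period; for a new hire the completion must also fall on
    or after the hire date. Anything else is an exception with a reason."""
    for a in emp.assignments:
        if a.completed is None:
            continue
        if not (AUDIT_START <= a.completed <= AUDIT_END):
            continue
        if a.completed < emp.hire_date:
            continue
        return {"employee": emp.employee_id, "category": category(emp),
                "compliant": True, "reason": f"completed {a.completed}"}
    open_ones = [a for a in emp.assignments if a.completed is None]
    if open_ones:
        reason = f"assignment of {open_ones[0].assigned} never completed"
    elif emp.assignments:
        reason = "no completion date falls within the audit period"
    else:
        reason = "no training assignment recorded"
    return {"employee": emp.employee_id, "category": category(emp),
            "compliant": False, "reason": reason}


def exceptions(employees: List[Employee]) -> List[dict]:
    """Records that would be reported as exceptions in the sample."""
    return [r for r in (evaluate(e) for e in employees) if not r["compliant"]]


def exception_rate(employees: List[Employee]) -> float:
    return len(exceptions(employees)) / len(employees)


# Constructed sample records (hypothetical employee IDs, not real data).
SAMPLE = [
    Employee("E-001", date(2015, 8, 1),
             [Assignment(date(2021, 1, 4), date(2021, 1, 20))]),   # existing, done
    Employee("E-002", date(2012, 2, 1),
             [Assignment(date(2021, 1, 4), None)]),                # existing, open
    Employee("E-003", date(2018, 5, 1),
             [Assignment(date(2020, 1, 6), date(2020, 2, 1))]),    # before period only
    Employee("E-004", date(2021, 3, 15),
             [Assignment(date(2021, 3, 16), date(2021, 3, 30))]),  # new hire, done
    Employee("E-005", date(2021, 8, 2),
             [Assignment(date(2021, 8, 3), None)]),                # new hire, open
]

if __name__ == "__main__":
    for r in (evaluate(e) for e in SAMPLE):
        flag = "OK " if r["compliant"] else "EXC"
        print(f'{r["employee"]}  {r["category"]:12}  {flag}  {r["reason"]}')
    print(f"exception rate: {exception_rate(SAMPLE):.0%}")
```

Because the report's sampling plan assumed a 0% expected error rate, a single exception in the sample is already enough to drive a finding, so the script reports each exception with its reason rather than only a rate.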

Please see Finding 2 for information about the results of this testing.

Data Reliability Assessment

To determine the reliability of the bank card transaction data, we interviewed UMass system management who were knowledgeable about the data. We also reviewed the access controls for UMass Lowell’s computer network. To determine the completeness of the bank card transaction data, we observed the UPST bank card manager query the UMass system’s finance system and extract 28,152 bank card transactions that were made during the audit period. The UPST bank card manager then provided these 28,152 bank card transactions to us in a Microsoft Excel spreadsheet. We ensured that the total number of bank card transactions we observed within the finance system matched the total number of bank card transactions from the Excel spreadsheet. We inspected the bank card transaction data for hidden rows and columns, embedded data [9], and invisible content. We also inspected the bank card transaction data for duplicates, identifying whether a transaction number appeared more than once within the data. We also met with UMass system management to understand any inconsistencies we found while analyzing the bank card transaction data.

To determine the completeness of the population of 28,152 transactions, we judgmentally selected a sample of 20 transactions listed on bank statements and compared them to the 28,152 bank card transactions that were made during the audit period, which were listed in the UMass system’s finance system data. To determine the accuracy of this population, we judgmentally selected a sample of 20 bank card transactions from the 28,152 bank card transactions from the finance system that were made during the audit period and traced the cardholders’ names, the last four digits of the bank cards’ numbers, the transaction dates, the vendor names, the dollar amount of the transactions, and the transaction numbers to the 20 transactions listed on relevant bank statements. From the 28,152 transactions from the finance system, we identified a total population of 19,556 UMass Lowell bank card transactions that were made during our audit period [10]. We then verified that all cardholders relevant to this population of 19,556 UMass Lowell bank card transactions were UMass Lowell employees by tracing their names to a list of all UMass Lowell employees from HR/CMS.
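The data reliability checks in the two paragraphs above, together with the 30-day requisition test from the Submission of Bank Card Transaction Documents section and the termination-date comparison from the Allowable Purchases section, as one added example that is not part of the audit report and is not the Office of the State Auditor's own tooling: it isolates one campus from a mixed finance-system extract (footnote 10), finds transaction numbers that appear more than once (the duplicate check and category 2), traces cardholder names to an HR/CMS-style employee list, flags requisitions created more than 30 days after the statement date or never created, and flags purchases dated after a cardholder's termination. The transaction records, employee list and termination dates are constructed; the field names are assumptions, not the finance system's schema.

```python
# Added example, not part of the audit report: data-reliability and document
# timeliness checks over constructed bank card transaction records, modelled
# on the procedures the report describes. Field names are assumed.
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Txn:
    txn_number: str                     # assigned by the bank; shared when a cost is split
    campus: str                         # the extract mixed two campuses (footnote 10)
    cardholder: str
    amount: float
    purchase_date: date
    statement_date: date
    requisition_created: Optional[date] = None   # None = never uploaded


def campus_population(txns: List[Txn], campus: str) -> List[Txn]:
    """Carve the audited campus out of a multi-campus extract."""
    return [t for t in txns if t.campus == campus]


def shared_transaction_numbers(txns: List[Txn]) -> Dict[str, List[Txn]]:
    """Duplicate check: transaction numbers that appear more than once."""
    groups: Dict[str, List[Txn]] = defaultdict(list)
    for t in txns:
        groups[t.txn_number].append(t)
    return {k: v for k, v in groups.items() if len(v) > 1}


def untraced_cardholders(txns: List[Txn], hr_employees: Set[str]) -> List[str]:
    """Cardholder names that do not trace to the HR/CMS employee list."""
    return sorted({t.cardholder for t in txns} - hr_employees)


def late_or_missing_requisitions(txns: List[Txn], max_days: int = 30) -> List[Txn]:
    """Requisition must be created within max_days after the statement date."""
    flagged = []
    for t in txns:
        if t.requisition_created is None:
            flagged.append(t)
        elif (t.requisition_created - t.statement_date).days > max_days:
            flagged.append(t)
    return flagged


def post_termination_purchases(txns: List[Txn],
                               terminations: Dict[str, date]) -> List[Txn]:
    """Purchases dated after the cardholder's termination date."""
    return [t for t in txns
            if t.cardholder in terminations
            and t.purchase_date > terminations[t.cardholder]]


# Constructed sample extract (hypothetical names and numbers, not real data).
SAMPLE = [
    Txn("T1001", "Lowell", "Ana Rivera", 120.00, date(2021, 3, 5),
        date(2021, 3, 31), date(2021, 4, 10)),                  # on time
    Txn("T1002", "Lowell", "Ana Rivera", 75.00, date(2021, 3, 20),
        date(2021, 3, 31), date(2021, 5, 15)),                  # 45 days: late
    Txn("T1002", "Lowell", "Ben Osei", 75.00, date(2021, 3, 20),
        date(2021, 3, 31), date(2021, 4, 5)),                   # split cost, same number
    Txn("T1003", "Dartmouth", "Cara Dunn", 50.00, date(2021, 6, 1),
        date(2021, 6, 30), date(2021, 7, 2)),                   # other campus, excluded
    Txn("T1004", "Lowell", "Dev Patel", 300.00, date(2021, 9, 2),
        date(2021, 9, 30), None),                               # never uploaded
    Txn("T1005", "Lowell", "Eve Nolan", 40.00, date(2021, 11, 12),
        date(2021, 11, 30), date(2021, 12, 10)),                # after termination
]
HR_EMPLOYEES = {"Ana Rivera", "Ben Osei", "Eve Nolan"}           # constructed HR/CMS list
TERMINATIONS = {"Eve Nolan": date(2021, 10, 31)}                # constructed

if __name__ == "__main__":
    lowell = campus_population(SAMPLE, "Lowell")
    print(f"population: {len(lowell)} of {len(SAMPLE)} extracted transactions")
    print("shared numbers:", sorted(shared_transaction_numbers(lowell)))
    print("untraced cardholders:", untraced_cardholders(lowell, HR_EMPLOYEES))
    print("late/missing requisitions:",
          [t.txn_number for t in late_or_missing_requisitions(lowell)])
    print("post-termination purchases:",
          [t.txn_number for t in post_termination_purchases(lowell, TERMINATIONS)])
```

A shared transaction number is not by itself an error (the report found only one amount per shared number posted to the General Ledger), so the duplicate check returns the grouped records for follow-up rather than treating them as exceptions; the other three checks return the records an auditor would have to explain.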

To determine the reliability of the list of computer network users who had access to UMass Lowell’s computer network, we obtained a list of the 2,071 computer network users who were able to access the computer network during our audit period. We inspected the list of 2,071 computer network users for hidden rows and columns, embedded data, and invisible content. From the 2,071 computer network users, we identified a population of 1,137 nonfaculty employees who were required to have cybersecurity awareness training during our audit period. To determine whether the list of computer network users was accurate and complete, we selected a sample of 20 computer network users from the population of 1,137 nonfaculty employees. We then verified the employment status for each computer network user in our sample by tracing their names to the list of all UMass Lowell employees from HR/CMS. Further, we tested certain security management and access controls over UMass Lowell’s cybersecurity awareness training platform, and we reviewed a System and Organization Control 2 report [11] (which is called a Type 2 Independent Service Auditor’s Report on Controls Relevant to Security, Availability, and Confidentiality) on UMass Lowell’s cybersecurity awareness training platform.

Based on the results of the data reliability assessment procedures described above, we determined that the information obtained for our audit period was sufficiently reliable for the purposes of our audit.

3.   Confidence level is a mathematically based measure of the auditor’s assurance that the sample results (statistic) are representative of the population (parameter), expressed as a percentage. A 95% confidence level means that 95 out of 100 times, the statistics accurately represent the larger population.

4.   Expected error rate is the number of errors that are expected in the population, expressed as a percentage. It is based on the auditor’s knowledge of factors such as prior audit results, the understanding of controls gained in planning, or a probe sample. In this case, we are assuming there are relatively frequent errors in the data provided to us by the auditee.

5.   The desired precision range defines the area of likely values within which the true population value should lie. The lower or higher the precision range, the larger or smaller, respectively, the sample size would be. Based on our understanding of the population of bank card transactions and the expected error rate of 50%, we chose a 22% desired precision range.

6.   Audit Command Language software is a data extraction and analysis software used by auditors to analyze data populations, select sample sizes, identify trends, and highlight potential areas of concern.

7.   A foreign expense is a transaction made with a vendor or business that is outside of the United States.

8.   The tolerable error rate (which is expressed as a percentage) is the maximum error in the population that is acceptable while still using the sample to conclude that the results from the sample have achieved the objective.


9.   Embedded data is data within a Microsoft Excel worksheet that was added from another source and/or data that cannot be edited.

10.   The UPST bank card manager provided us with a list of all UMass Dartmouth and UMass Lowell bank card transactions during the audit period, which amounted to 28,152 transactions. From those transactions, 19,556 were transactions made by UMass Lowell cardholders. The remaining 8,596 transactions were UMass Dartmouth transactions and not related to this audit.

11.   A System and Organization Control report is a report on controls about a service organization’s systems relevant to security, availability, processing integrity, confidentiality, or privacy issued by an independent contractor.

Date published: April 19, 2024
