This page, Audit of the Westfield State University Objectives, Scope, and Methodology, is offered by the Office of the State Auditor.

Audit of the Westfield State University Objectives, Scope, and Methodology

An overview of the purpose and process of auditing Westfield State University.



In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor (OSA) has conducted a performance audit of Westfield State University (WSU) for the period October 1, 2018 through March 31, 2020.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Below is a list of our audit objectives, indicating each question we intended our audit to answer; the conclusion we reached regarding each objective; and where each objective is discussed in the audit findings.



  1. Does WSU comply with its procedures and the “Vendor/Customer File and W-9s” policy issued by the Office of the Comptroller of the Commonwealth (CTR) for making changes to information in state vendor/customer files in the Massachusetts Management Accounting and Reporting System (MMARS)?

     Conclusion: No; see Finding 1

  2. Does WSU adhere to Sections 6.2.3 and 6.2.4 of the Executive Office of Technology Services and Security’s “Information Security Risk Management Standard” for information system security awareness training?

     Conclusion: No; see Finding 2


To achieve our objectives, we gained an understanding of WSU’s internal control environment related to the objectives by reviewing policies and procedures, as well as conducting inquiries with WSU officials. In addition, we performed the following procedures to address our audit objectives.

Initially, we requested from WSU a list[1] of all information about the 15 requests made by WSU vendors for creations of, or changes to, vendor/customer files during the audit period. WSU officials told us during discussions that in 2 of these 15 instances, no changes had been made and the requests had been discarded. We confirmed that the 2 discarded files did not appear in the list of vendors in MMARS.

For the other 13 requests, we confirmed WSU’s compliance with its procedures and CTR’s “Vendor/Customer File and W-9s” policy. To do this, we reviewed each file to see whether it included the following: a completed Internal Revenue Service (IRS) W-9 form (“Request for Taxpayer Identification Number and Certification”), electronic fund transfer (EFT) forms, information from the IRS website about the vendor (e.g., tax identification number, address, and legal name), a business entity summary[2] from the Secretary of the Commonwealth’s website to verify the vendor’s information, and a letter to CTR detailing the file creation or change. Using the evidence in each vendor/customer file, we determined whether WSU collected the W-9 and/or EFT forms. In addition, we reviewed each vendor/customer file for evidence of WSU verifying the information on the W-9 or EFT against independent sources (IRS or Secretary of the Commonwealth website) and notifying CTR of the creation or change.

We conducted inquiries with the head of the Human Resources Department, the vice president of administration and finance, and the chief information officer to determine whether information system security awareness training was provided to employees with access to WSU information systems.

Data Reliability

In 2018, OSA conducted an assessment of MMARS (Project #2017-8020-14O), the focus of which was on testing selected system controls, including access controls, application controls, configuration management, contingency planning, and segregation of duties, for the period April 1, 2017 through March 31, 2018. During our current audit, we reviewed policies and procedures for security awareness training and personnel, and we conducted testing to verify that personnel with access to the systems were screened before they were given access.

In addition, WSU compiled for us a list of vendor creations and changes made in MMARS during the audit period, showing the vendor name, date of occurrence, and description for each change. We traced all of the creations and changes from the Commonwealth Information Warehouse[3] vendor table (which contains all vendor information entered in MMARS and provides details on any changes made to vendor information) to the WSU-compiled list for completeness. We also verified the accuracy of the vendor list by tracing the information on the list back to the supporting documentation (i.e., W-9 forms, letters written to CTR detailing the creation or change, and EFT forms). We determined that the list of vendor creations and changes in MMARS was sufficiently reliable for our audit purposes.

[1] The information was not generated by a system; rather, it was produced from university documentation (e.g., Internal Revenue Service W-9 forms submitted by vendors to the university to provide identifying information to help the university prepare information return filings with the Internal Revenue Service).

[2] A business entity summary details information about an organization, including tax identification number, legal name, and address.

[3] According to the website of the Executive Office for Administration and Finance, the Commonwealth Information Warehouse is a repository of "financial, budgetary, human resource, payroll and time reporting information."

Date published: April 15, 2021
