Audit of the Westfield State University Objectives, Scope, and Methodology

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor (OSA) has conducted a performance audit of Westfield State University (WSU) for the period October 1, 2018 through March 31, 2020.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Below is a list of our audit objectives, indicating each question we intended our audit to answer; the conclusion we reached regarding each objective; and where each objective is discussed in the audit findings.

To achieve our objectives, we gained an understanding of WSU’s internal control environment related to the objectives by reviewing policies and procedures, as well as conducting inquiries with WSU officials. In addition, we performed the following procedures to address our audit objectives.

Initially, we requested from WSU a list¹ of all information about the 15 requests made by WSU vendors for creations of, or changes to, vendor/customer files during the audit period. WSU officials told us during discussions that in 2 of these 15 instances, no changes had been made and the requests had been discarded. We confirmed that the 2 discarded files did not appear in the list of vendors in MMARS.  

For the other 13 requests, we confirmed WSU’s compliance with its procedures and CTR’s “Vendor/Customer File and W-9s” policy. To do this, we reviewed each file to see whether it included the following: a completed Internal Revenue Service (IRS) W-9 form (“Request for Taxpayer Identification Number and Certification”), electronic fund transfer (EFT) forms, information from the IRS website about the vendor (e.g., tax identification number, address, and legal name), a business entity summary² from the Secretary of the Commonwealth’s website to verify the vendor’s information, and a letter to CTR detailing the file creation or change. Using the evidence in each vendor/customer file, we determined whether WSU collected the W-9 and/or EFT forms. In addition, we reviewed each vendor/customer file for evidence of WSU verifying the information on the W-9 or EFT against independent sources (IRS or Secretary of the Commonwealth website) and notifying CTR of the creation or change.

We conducted inquiries with the head of the Human Resources Department, the vice president of administration and finance, and the chief information officer to determine whether information system security awareness training was provided to employees with access to WSU information systems.

In 2018, OSA conducted an assessment of MMARS (Project #2017-8020-14O) the focus of which was on testing selected system controls, including access controls, application controls, configuration management, contingency planning, and segregation of duties, for the period April 1, 2017 through March 31, 2018. During our current audit, we reviewed policies and procedures for security awareness training and personnel, and we conducted testing to verify that personnel with access to the systems were screened before they were given access.  

In addition, WSU compiled for us a list of vendor creations and changes made in MMARS during the audit period, showing the vendor name, date of occurrence, and description for each change. We traced all of the creations and changes from the Commonwealth Information Warehouse³ vendor table (which contains all vendor information entered in MMARS and provides details on any changes made to vendor information) to the WSU-compiled list for completeness. We also verified the accuracy of the vendor list by tracing the information on the list back to the supporting documentation (i.e., W-9 forms, letters written to CTR detailing the creation or change, and EFT forms). We determined that the list of vendor creations and changes in MMARS was sufficiently reliable for our audit purposes.