Westfield State University Did Not Always Perform or Document a Verification of Vendor/Customer Information.

For 10 of the 13 vendor/customer creations or changes during our audit period, there was no documentation to substantiate that Westfield State University (WSU) personnel verified the accuracy of information on an Internal Revenue Service W-9 form or electronic fund transfer (EFT) form obtained from the vendor/customer before making or changing entries in the Massachusetts Management Accounting and Reporting System (MMARS). These changes were based on requests to create vendor/customer files or to change vendors’ legal names, legal addresses, and/or EFT information.

Additionally, in February 2020, a WSU employee made a change to the banking information in a vendor/customer file without verifying the information in the change request, resulting in WSU transferring $1.75M to an unauthorized account. Upon discovering the transfer, WSU immediately reported it to the Office of the State Auditor in accordance with Chapter 647 of the Acts of 1989, as well as to other proper authorities. WSU recovered all the funds, so there was no loss. WSU officials told us it was their understanding that the event was still under investigation by state and federal authorities.

A lack of documented verification causes a higher-than-acceptable risk of improper payments such as the one discussed above.

WSU’s internal control plan states,

Each Commonwealth Department Head (the University President) has the responsibility to ensure that the department conducts all fiscal business in accordance with state finance law, including but not limited to . . . policies and procedures of the Office of the Comptroller (CTR).

Section 4c of the Office of the Comptroller of the Commonwealth’s (CTR’s) “Vendor/Customer File and W-9s” policy describes the process that state agency personnel must follow when changing information in vendor/customer files:

Verification of [created or modified vendor/customer] information should not be done solely through email, but should be followed up with a phone call and verified with an authorized signatory, or whatever other actions are necessary to document that the Department has investigated that the . . . change or additional remittance address is appropriate and properly authorized.

CTR’s “Vendor/Customer File and W-9s” policy states,

Departments must ensure the legal and remittance address, classification and [Social Security number or employer identification number] are recorded correctly . . . in MMARS.

Additionally, WSU’s “Bank Wire Procedures” require verification, with an authorized signatory of the vendor, of the validity of requested changes to banking information in vendor/customer files:

If [banking] information has changed since the last time a [payment] was initiated to the [vendor], Financial Accounting verifies this information with the vendor through means other than email (i.e. a telephone call using publicly published information) not just from the information provided by the requestor.

WSU officials told us that although there is no documentation, university personnel did verify the accuracy of the 10 vendor-requested creations or changes in question before making the changes in MMARS. However, without documentation, there is nothing to substantiate to what extent, if any, the required verification process was conducted. WSU officials told us they were not aware that the verification needed to be documented. The university’s procedures for changes to, or creation of, vendor/customer files do not require personnel to document the measures they take to verify the information a vendor provides in its creation or change request.

WSU also does not have any monitoring controls (e.g., a supervisory review process) to ensure that the verification is performed.

Regarding the instance of an employee not following WSU verification procedures, WSU officials stated that the employee attempted to call the vendor to verify the information, but could not reach anyone, and the employee decided to process the requested change anyway.

1. WSU should amend its procedures to ensure that verification is properly performed before creations or changes are processed and require all personnel to document the measures they take to verify the information vendors provide in requests to create or change information in their files.
2. WSU should implement effective monitoring controls (e.g., a supervisory review process) to ensure that its staff complies with this requirement.

The Vendor Review Procedure in Banner [WSU’s accounting system] and MMARS has been updated and implemented. This procedure complies with the Commonwealth of Massachusetts, Office of the Comptroller, Vendor/Customer File and W-9’s Policy. This procedure also includes steps that document this process coupled with supervisory review.

The University’s procedures have been updated to require actions to be documented on a newly created form entitled Vendor Electronic Payment Instructions—Addition/Change Documentation Form, which requires a review and approval process when updating or adding vendor banking information.

Based on the reply above, WSU is responding to our concerns.