Audit of the University of Massachusetts Dartmouth

Our office conducted a performance audit of the University of Massachusetts (UMass) Dartmouth for the period July 1, 2020 through December 31, 2021.

Organization: Office of the State Auditor
Date published: May 2, 2024

Executive Summary

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the University of Massachusetts (UMass) Dartmouth for the period July 1, 2020 through December 31, 2021.

In this performance audit, we determined whether UMass Dartmouth executed all bank card purchases in accordance with Sections II(A), II(D), III(A), and III(B) of the “Administrative Standards for the Business Expense Policy” within Appendix C of the “University of Massachusetts Business and Travel Expense Policy” (document T92-031) and Sections 2, 4–8, 11, 12, 15, and 21 of the UMass Bank Card Use Standard. We also determined whether UMass Dartmouth ensured that its employees completed cybersecurity awareness training in accordance with Section 1 of Control 14 (Security Awareness and Skills Training) of the Center for Internet Security’s¹ Critical Security Controls.²

Below is a summary of our findings and recommendations, with links to each page listed.

Finding 1

UMass Dartmouth’s bank card transactions did not always comply with UMass system policies and standards.

Recommendations

  1. UMass Dartmouth should ensure that cardholders reconcile and upload all bank statements and supporting documents into the UMass system’s online bank card transaction repository within 30 days of the bank statement date.
  2. UMass Dartmouth should ensure that each bank card transaction receipt captures the full business purpose and that all required information is on the receipt. If this is not feasible within the requirements of the current standard, then the UMass system should update the UMass Bank Card Use Standard to reflect appropriate and feasible requirements.
  3. UMass Dartmouth should ensure that state sales tax is not charged when bank card purchases are made by cardholders. If this is not feasible within the requirements of the current standard, then the UMass system should update the UMass Bank Card Use Standard to reflect appropriate and feasible requirements.
  4. UMass Dartmouth should ensure that travel authorization numbers are referenced on the bank statement and receipt(s). If this is not feasible within the requirements of the current standard, then the UMass system should update the UMass Bank Card Use Standard to reflect appropriate and feasible requirements.

Finding 2

UMass Dartmouth did not provide cybersecurity awareness training for any of its employees.

Recommendations

  1. UMass Dartmouth should provide cybersecurity awareness training to all employees when they are hired and annually thereafter.
  2. UMass Dartmouth should establish and implement a cybersecurity awareness training component to its information security policy. This component should include documented procedures, monitoring controls, and record retention requirements.

1.   According to its website, the Center for Internet Security is a nonprofit entity with the mission “to make the connected world a safer place by developing, validating, and promoting timely best practice solutions that help people, businesses, and governments protect themselves against pervasive cyber threats.”

2.   According to the Center for Internet Security’s website, the “Critical Security Controls . . . are a prescriptive, prioritized, and simplified set of best practices that you can use to strengthen your cybersecurity posture. Today, thousands of cybersecurity practitioners from around the world use the [Critical Security Controls] and/or contribute to their development via a community consensus process.”
