Audit of Bristol Community College (March 26, 2025)
March 26, 2025 · Bristol Community College · Read the full official report on mass.gov ↗ · official site ↗
source
“Below is a summary of our findings, the effects of those findings, and our recommendations, with links to each page listed.”
Read the plain-English breakdown
This is a Massachusetts State Auditor performance audit of Bristol Community College covering March 1, 2020 through June 30, 2023.
“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of Bristol Community College (BRC) for the period March 1, 2020 through June 30, 2023.”
Auditors checked whether Bristol followed rules for federal COVID education funds, updated internal controls for the pandemic, trained employees on cybersecurity, and handled employee settlements properly.
“The purpose of our audit was to determine the following:”
The problems matter because weak cybersecurity training can raise the risk of cyberattacks, and unclear settlement practices can reduce public accountability.
“If BRC does not ensure that all of its employees complete cybersecurity awareness training, then it may expose itself to an increased risk of cybersecurity attacks and financial and/or reputational losses.”
For students, staff, and taxpayers, the audit says COVID aid spending tested by auditors was handled appropriately, but the college needs stronger safeguards for data security and settlement oversight.
“Based on the results of our testing, we determined that, during the audit period, BRC appropriately administered the institutional portion of funding (that we sampled) under the CARES Act, CRRSAA, and ARPA.”
The audit’s bottom line is that Bristol passed the COVID funding and pandemic-control checks, but failed the checks on cybersecurity training and settlement-agreement policies.
“Did BRC adhere to Sections 6.2.3 and 6.2.4 of the Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010 with regard to cybersecurity awareness training?”
Bristol agreed with the recommendations and said it is improving cybersecurity training and creating a settlement policy; the auditor plans to follow up in about six months.
“As part of our post-audit review process, we will follow up on this matter in approximately six months.”
The most serious concern is that public money and public institutions need clear oversight, especially when settlements include confidentiality-type language that could hide misconduct or appear to do so.
“Furthermore, public dollars could be abused to cover up harassment, discrimination, or other forms of misconduct, while protecting perpetrators of abuse in BRC’s employ, in reality or in appearance.”
HEERF means federal emergency higher-education relief money related to COVID-19, and Banner is Bristol’s system for administrative, accounting, and student records.
“Banner is the database system for BRC’s administrative activities, accounting, and student files.”
1 figure(s) pending source verification - not shown
What the Auditor checked
- Complied Did BRC administer the student portion of funding under Section 18004(a)(1) of the Coronavirus Aid, Relief, and Economic Security (CARES) Act in accordance with Sections C, D, and E of the United States Department of Education’s (US DOE’s) Higher Education Emergency Relief Fund (HEERF) Frequently Asked Questions (FAQ) Rollup Document?
- Complied Did BRC administer the student portion of funding under Section 314(a)(1) of the Coronavirus Response and Relief Supplemental Appropriations Act (CRRSAA) and Section 2003(a)(1) of the American Rescue Plan Act (ARPA) in accordance with the HEERF II Public and Private Nonprofit Institution (a)(1) Programs (Catalog of Federal Domestic Assistance [CFDA] 84.425E and 84.425F) FAQ and HEERF III FAQ?
- Complied Did BRC administer the institutional portion of funding in accordance with US DOE’s HEERF I, II, and III FAQs?
- Did not comply Did BRC adhere to Sections 6.2.3 and 6.2.4 of the Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010 with regard to cybersecurity awareness training?
What the Auditor found
Why it matters: This increased the risk of cybersecurity attacks and financial or reputational losses.
Standard: Sections 6.2.3 and 6.2.4 of the Executive Office of Technology Services and Security Information Security Risk Management Standard IS.010 ( Section 6.2.3 of the Executive Office of Technology Services and Security Information Security Risk Management Standard IS.010; Section 6.2.4 of the Executive Office of Technology Services and Security Information Security Risk Management Standard IS.010 )
2 recommendations
- BRC should ensure that all its newly hired employees complete cybersecurity awareness training within 30 days of orientation and annually thereafter.agency: agreed
- BRC should establish sufficient procedures to monitor employee cybersecurity awareness training throughout the training cycle and establish management controls to ensure that it detects issues of noncompliance.agency: agreed
Agency response & Auditor reply
Agency: "We agree with the recommendations suggested."
Auditor: "Based on its response, BRC is taking measures to address our concerns regarding this matter."
Why it matters: The college could not ensure settlements were handled ethically, legally, or appropriately, and public funds could be used to conceal misconduct.
Standard: Section 5.09 of Title 815 of the Code of Massachusetts Regulations and internal control best practices ( Section 5.09 of Title 815 of the Code of Massachusetts Regulations; US Government Accountability Office’s Standards for Internal Control in the Federal Government )
2 recommendations
- BRC should develop, document, and implement a policy related to employee settlement agreements.agency: agreed
- To help increase transparency and accountability, BRC should seek and obtain approval from its board of trustees before executing employee settlement agreements and any non-disclosure, non-disparagement, or similarly restrictive clauses in its agreements.agency: agreed
Agency response & Auditor reply
Agency: "Bristol Community College agrees that documenting a policy and procedures can help ensure consistent practices."
Auditor: "Based on its response, BRC is taking measures to address our concerns regarding this matter."
More audits of this entity
Other Office of the State Auditor reports on Bristol Community College .
-
Bristol Community CollegeCollege / University · October 3, 2011 -
Bristol Community CollegeCollege / University · November 16, 2015 -
Audit of the Bristol Community College Foundation (BCCF)College / University · July 22, 2020 -
Audit of Bristol Community CollegeCollege / University · December 20, 2019