Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of Bristol Community College (March 26, 2025)

March 26, 2025 · Bristol Community College · Read the full official report on mass.gov ↗ · official site ↗

Published March 26, 2025 Audit covers March 1, 2020 – June 30, 2023 Under Diana DiZoglio · 2023–present

In plain English
The audit found Bristol Community College generally handled its COVID relief money properly, but it fell short in two areas: cybersecurity training for employees and transparency around employee settlement agreements.
source
“Below is a summary of our findings, the effects of those findings, and our recommendations, with links to each page listed.”
Read the plain-English breakdown
What is this?

This is a Massachusetts State Auditor performance audit of Bristol Community College covering March 1, 2020 through June 30, 2023.

“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of Bristol Community College (BRC) for the period March 1, 2020 through June 30, 2023.”
Why was it audited?

Auditors checked whether Bristol followed rules for federal COVID education funds, updated internal controls for the pandemic, trained employees on cybersecurity, and handled employee settlements properly.

“The purpose of our audit was to determine the following:”
Why it matters

The problems matter because weak cybersecurity training can raise the risk of cyberattacks, and unclear settlement practices can reduce public accountability.

“If BRC does not ensure that all of its employees complete cybersecurity awareness training, then it may expose itself to an increased risk of cybersecurity attacks and financial and/or reputational losses.”
What's in it for me?

For students, staff, and taxpayers, the audit says COVID aid spending tested by auditors was handled appropriately, but the college needs stronger safeguards for data security and settlement oversight.

“Based on the results of our testing, we determined that, during the audit period, BRC appropriately administered the institutional portion of funding (that we sampled) under the CARES Act, CRRSAA, and ARPA.”
The bottom line

The audit’s bottom line is that Bristol passed the COVID funding and pandemic-control checks, but failed the checks on cybersecurity training and settlement-agreement policies.

“Did BRC adhere to Sections 6.2.3 and 6.2.4 of the Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010 with regard to cybersecurity awareness training?”
What happens next

Bristol agreed with the recommendations and said it is improving cybersecurity training and creating a settlement policy; the auditor plans to follow up in about six months.

“As part of our post-audit review process, we will follow up on this matter in approximately six months.”
Why it's significant

The most serious concern is that public money and public institutions need clear oversight, especially when settlements include confidentiality-type language that could hide misconduct or appear to do so.

“Furthermore, public dollars could be abused to cover up harassment, discrimination, or other forms of misconduct, while protecting perpetrators of abuse in BRC’s employ, in reality or in appearance.”
Jargon, unpacked

HEERF means federal emergency higher-education relief money related to COVID-19, and Banner is Bristol’s system for administrative, accounting, and student records.

“Banner is the database system for BRC’s administrative activities, accounting, and student files.”

1 figure(s) pending source verification - not shown

What the Auditor checked

What the Auditor found

Bristol Community College did not ensure that all employees completed required cybersecurity awareness training.
cybersecurityinternal controls

Why it matters: This increased the risk of cybersecurity attacks and financial or reputational losses.

Standard: Sections 6.2.3 and 6.2.4 of the Executive Office of Technology Services and Security Information Security Risk Management Standard IS.010 ( Section 6.2.3 of the Executive Office of Technology Services and Security Information Security Risk Management Standard IS.010; Section 6.2.4 of the Executive Office of Technology Services and Security Information Security Risk Management Standard IS.010 )

2 recommendations
  • BRC should ensure that all its newly hired employees complete cybersecurity awareness training within 30 days of orientation and annually thereafter.agency: agreed
  • BRC should establish sufficient procedures to monitor employee cybersecurity awareness training throughout the training cycle and establish management controls to ensure that it detects issues of noncompliance.agency: agreed
Agency response & Auditor reply
Agency: "We agree with the recommendations suggested."
Auditor: "Based on its response, BRC is taking measures to address our concerns regarding this matter."
Bristol Community College lacked a transparent and accountable process for employee settlement agreements.
internal controlsrecordkeeping/documentation

Why it matters: The college could not ensure settlements were handled ethically, legally, or appropriately, and public funds could be used to conceal misconduct.

Standard: Section 5.09 of Title 815 of the Code of Massachusetts Regulations and internal control best practices ( Section 5.09 of Title 815 of the Code of Massachusetts Regulations; US Government Accountability Office’s Standards for Internal Control in the Federal Government )

2 recommendations
  • BRC should develop, document, and implement a policy related to employee settlement agreements.agency: agreed
  • To help increase transparency and accountability, BRC should seek and obtain approval from its board of trustees before executing employee settlement agreements and any non-disclosure, non-disparagement, or similarly restrictive clauses in its agreements.agency: agreed
Agency response & Auditor reply
Agency: "Bristol Community College agrees that documenting a policy and procedures can help ensure consistent practices."
Auditor: "Based on its response, BRC is taking measures to address our concerns regarding this matter."

More audits of this entity

Other Office of the State Auditor reports on Bristol Community College .

See this entity's page with all 5 audits →