Audit of Cape Cod Community College (July 1, 2025)
July 1, 2025 · Cape Cod Community College · Read the full official report on mass.gov ↗ · official site ↗
source
“Below is a summary of our findings, the effects of those findings, and our recommendations, with hyperlinks to each page listed.”
Read the plain-English breakdown
This is a state performance audit of Cape Cod Community College covering selected activities from January 1, 2021 through December 31, 2023.
“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of certain activities of Cape Cod Community College (CCCC) for the period January 1, 2021 through December 31, 2023.”
Auditors checked whether the college followed campus safety reporting rules under the Clery Act and whether employees completed required cybersecurity awareness training.
“In this performance audit, we examined CCCC’s compliance with certain aspects of the Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act (Clery Act), as amended.”
If the college reports crime numbers incorrectly, students, employees, families, and the public may get a misleading picture of campus safety.
“If CCCC inaccurately reports its Clery Act crime statistics, then current and prospective students, CCCC employees, and members of the public may draw incorrect conclusions about campus safety.”
For an ordinary citizen, this report is about whether public information on campus safety and cybersecurity practices can be trusted.
“The purpose of the Clery Act is to improve transparency and accountability in campus safety.”
The college met the audit objective for including required policies in its annual security reports, but failed the objectives on accurate crime reporting, campus security authority processes, and cybersecurity training completion.
“Did CCCC include all required policies, procedures, and statements in its annual security report (ASR) in accordance with the Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act (Clery Act) (Section 668.46[b–h] of Title 34 of the Code of Federal Regulations [CFR])?”
The Auditor’s Office said it will check back in about six months on the college’s progress on the findings.
“As part of our post-audit review process, we will follow up on this matter in approximately six months.”
The findings matter because they touch on student safety information, legal compliance, possible federal fines, and cybersecurity risk at a public college.
“If CCCC does not ensure that all of its employees complete cybersecurity awareness training, then CCCC exposes itself to an increased risk of cybersecurity attacks, and financial and/or reputational losses.”
1 figure(s) pending source verification - not shown
What the Auditor checked
- Complied Did CCCC include all required policies, procedures, and statements in its annual security report (ASR) in accordance with the Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act (Clery Act) (Section 668.46[b–h] of Title 34 of the Code of Federal Regulations [CFR])?
- Did not comply Did CCCC record all crimes within its Clery geography in a daily crime log and accurately report these crimes to the US Department of Education (US DOE) and in its ASR, in accordance with the Clery Act (34 CFR 668.46[c][1] and [f][1])?
- Did not comply Did CCCC have a process in place to ensure that it identified campus security authorities (CSAs) and that these employees completed training on their responsibilities as CSAs, in accordance with the Clery Act (34 CFR 668.46[a])?
- Did not comply Did CCCC ensure that its employees completed cybersecurity awareness training, in accordance with its “Cyber / Information Security Awareness Training” policy; Section 6.2.3 of the Executive Office of Technology Services and Security’s (EOTSS’s) Information Security Risk Standard IS.010; and Section AT-3 of Revision 5 of the National Institute of Standards and Technology’s (NIST’s) Special Publication 800-53?
What the Auditor found
Why it matters: Current and prospective students, employees, and the public may draw incorrect conclusions about campus safety, and the college may face federal fines.
Standard: Section 668.46(c) of Title 34 of the Code of Federal Regulations and US DOE’s Handbook for Campus Safety and Security Reporting. ( Section 668.46(c) of Title 34 of the Code of Federal Regulations; US DOE’s Handbook for Campus Safety and Security Reporting )
1 recommendation
- CCCC must make certain that all Clery Act crimes that occur within its Clery geography are accurately recorded in CCCC’s daily crime log and its ASR by establishing policies and procedures.
Agency response & Auditor reply
Agency: "The recommendations suggested in the preliminary report of OSA will allow the College to continue to make improvements to its ASR reporting process in addition to those reforms already instituted."
Auditor: "We strongly encourage CCCC to fully implement our recommendations, as doing so will help ensure compliance and improve the reliability of CCCC’s crime data."
Why it matters: The college has an increased risk of cybersecurity attacks and financial or reputational losses.
Standard: CCCC’s “Cyber / Information Security Awareness Training” policy, Section 6.2.3 of EOTSS’s Information Security Risk Standard IS.010, and Section AT-3 of NIST Special Publication 800-53 Revision 5. ( CCCC’s “Cyber / Information Security Awareness Training” policy; Section 6.2.3 of the Executive Office of Technology Services and Security’s Information Security Risk Standard IS.010; Section AT-3 of Revision 5 of the National Institute of Standards and Technology’s Special Publication 800-53 )
1 recommendation
- CCCC should develop and implement monitoring controls to ensure that all employees are enrolled in and complete initial and annual refresher cybersecurity awareness training.
Agency response & Auditor reply
Agency: "The College recognizes that during the audit period not all employees had completed cybersecurity awareness training, and the tracking of college-wide training completion has not always been complete."
Auditor: "Based on its response, CCCC is taking measures to address our concerns regarding this matter."
More audits of this entity
Other Office of the State Auditor reports on Cape Cod Community College .
- Cape Cod Community College - Student Financial Assistance ProgramsCollege / University · May 24, 2012
- Cape Cod Community CollegeCollege / University · May 12, 2011
- Audit of Cape Cod Community CollegeCollege / University · June 29, 2021
- Cape Cod Community College Examination of Annual Internal Control QuestionnaireCollege / University · July 25, 2016