Audit of Fitchburg State University (September 15, 2023)
September 15, 2023 · Fitchburg State University · Read the full official report on mass.gov ↗ · official site ↗
source
“FSU was unable to provide complete documentation that its employees responsible for the management of COVID-19 funds completed cybersecurity awareness training.”
Read the plain-English breakdown
This is a Massachusetts State Auditor performance audit of Fitchburg State University covering March 1, 2020 through December 31, 2021.
“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of Fitchburg State University (FSU) for the period March 1, 2020 through December 31, 2021.”
Auditors checked whether the university followed federal and state rules when using COVID-19 education relief funds, and whether it had proper controls and cybersecurity training.
“The purpose of our audit was to determine whether FSU administered the CARES Act, CRRSAA, and ARP Act funding it received in accordance with the criteria established by the Massachusetts Department of Higher Education and US DOE, as well as with its own student grant distribution method.”
The issue matters because employees who are not confirmed as trained may make mistakes that put protected information at risk.
“If FSU does not retain documentation to confirm that its employees complete cybersecurity awareness training, it cannot ensure that employees complete this training, which may lead to user error and compromise the integrity and security of protected information in FSU’s information security systems.”
For students and taxpayers, the audit provides some assurance that the COVID-19 aid reviewed was used for allowed purposes, while also pointing out a records problem the university needs to fix.
“We noted no exceptions in our testing; therefore, we conclude that the CARES Act student-portion funding that we tested was used for its allowable and intended purposes.”
The only finding was about missing proof of cybersecurity training completion, not misuse of the COVID-19 funds tested.
“Although Fitchburg State University (FSU) provided us some documentation, such as attendance sheets, to confirm that the employees responsible for handling COVID-19 funds completed cybersecurity awareness training, this documentation was incomplete.”
The auditor recommended that FSU keep attendance records and monitor that those records are retained; FSU said it has already started using online cybersecurity training software.
“FSU should implement monitoring controls to ensure that it retains attendance sheets for its cybersecurity awareness training.”
The audit found that FSU received about $22.5 million in COVID-19 education relief awards and had disbursed about $19.4 million during the audit period, so the oversight covered a large amount of public funding.
“Below is a summary of FSU’s financial activity related to COVID-19 funding during the audit period.”
HEERF means federal emergency higher-education relief money tied to COVID-19, including grants from the CARES Act, CRRSAA, and ARP Act.
“The Higher Education Emergency Relief Fund (HEERF) consists of three separate grants related to the COVID-19 pandemic that were directly funded from US DOE under the CARES Act (HEERF I), CRRSAA (HEERF II), and ARP Act (HEERF III).”
What the Auditor checked
- Complied Did FSU administer the student portion of funding under Section 18004(a)(1) of the Coronavirus Aid, Relief, and Economic Security (CARES) Act in accordance with Sections C, D, and E of the United States Department of Education’s (US DOE’s) Higher Education Emergency Relief Fund (HEERF) Frequently Asked Questions (FAQ) Rollup Document?
- Complied Did FSU administer the institutional portion of funding under Section 18004(a)(1) of the CARES Act in accordance with Section F of US DOE’s Higher Education Emergency Relief Fund (HEERF) Frequently Asked Questions (FAQ) Rollup Document?
- Complied Did FSU administer the student portion of funding under Section 314(a)(1) of the Coronavirus Response and Relief Supplemental Appropriations Act (CRRSAA) in accordance with US DOE’s Higher Education Emergency Relief Fund (HEERF) ll Public and Private Nonprofit Institution (a)(1) Programs ([Catalog of Federal Domestic Assistance (CFDA)] 84.425E and 84.425F) Frequently Asked Questions?
- Complied Did FSU administer the institutional portion of funding under Section 314(a)(1) of the CRRSAA in accordance with US DOE’s Higher Education Emergency Relief Fund (HEERF) II Public and Private Nonprofit Institution (a)(1) Programs (CFDA 84.425E and 84.425F) Frequently Asked Questions?
- Complied Did FSU administer the student portion of funding under Section 2003(a)(1) of the American Rescue Plan (ARP) Act in accordance with Section B of US DOE’s Higher Education Emergency Relief Fund lll Frequently Asked Questions?
- Complied Did FSU administer the institutional portion of funding under Section 2003(a)(1) of the ARP Act in accordance with Section C of US DOE’s Higher Education Emergency Relief Fund lll Frequently Asked Questions?
- Complied Did FSU administer Governor’s Emergency Education Relief (GEER) funding in accordance with US DOE’s Frequently Asked Questions about the Governor's Emergency Education Relief Fund (GEER Fund) and/or Attachment A—Terms of Performance and Justifications of its interdepartmental service agreement with the Massachusetts Department of Higher Education?
- Did not comply Did FSU employees responsible for the management of COVID-19 funds within the Administration and Finance Department, Student Accounts Department, Financial Aid Department, and the Registrar’s Office receive cybersecurity awareness training in accordance with Sections 6.2.3 and 6.2.4 of the Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010?
What the Auditor found
Why it matters: Without retained documentation, FSU cannot ensure employees completed required training, increasing the risk of user error and compromised protected information.
Standard: Executive Office of Technology Services and Security Information Security Risk Management Standard IS.010, Sections 6.2.3 and 6.2.4 ( Executive Office of Technology Services and Security Information Security Risk Management Standard IS.010, Section 6.2.3; Executive Office of Technology Services and Security Information Security Risk Management Standard IS.010, Section 6.2.4 )
2 recommendations
- FSU should retain attendance sheets to provide evidence that its employees completed cybersecurity awareness training.agency: already implemented
- FSU should implement monitoring controls to ensure that it retains attendance sheets for its cybersecurity awareness training.agency: already implemented
Agency response & Auditor reply
Agency: "We have addressed the noted finding related to the documentation of cyber security training and attendance tracking and have already implemented the necessary process to ensure compliance."
Auditor: "Based on its response, FSU is taking measures to address our concerns on this matter."
More audits of this entity
Other Office of the State Auditor reports on Fitchburg State University .
-
Fitchburg State UniversityCollege / University · November 16, 2015 -
Audit of Fitchburg State University (FSU)College / University · June 28, 2019 - Fitchburg State University's Use of American Recovery and Reinvestment Act FundsCollege / University · December 15, 2011