Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of Fitchburg State University (September 15, 2023)

September 15, 2023 · Fitchburg State University · Read the full official report on mass.gov ↗ · official site ↗

Published September 15, 2023 Audit covers March 1, 2020 – December 31, 2021 Under Diana DiZoglio · 2023–present

In plain English
The audit found that Fitchburg State University generally handled its COVID-19 relief money properly, but it could not prove that some employees who managed those funds completed required cybersecurity training.
source
“FSU was unable to provide complete documentation that its employees responsible for the management of COVID-19 funds completed cybersecurity awareness training.”
Read the plain-English breakdown
What is this?

This is a Massachusetts State Auditor performance audit of Fitchburg State University covering March 1, 2020 through December 31, 2021.

“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of Fitchburg State University (FSU) for the period March 1, 2020 through December 31, 2021.”
Why was it audited?

Auditors checked whether the university followed federal and state rules when using COVID-19 education relief funds, and whether it had proper controls and cybersecurity training.

“The purpose of our audit was to determine whether FSU administered the CARES Act, CRRSAA, and ARP Act funding it received in accordance with the criteria established by the Massachusetts Department of Higher Education and US DOE, as well as with its own student grant distribution method.”
Why it matters

The issue matters because employees who are not confirmed as trained may make mistakes that put protected information at risk.

“If FSU does not retain documentation to confirm that its employees complete cybersecurity awareness training, it cannot ensure that employees complete this training, which may lead to user error and compromise the integrity and security of protected information in FSU’s information security systems.”
What's in it for me?

For students and taxpayers, the audit provides some assurance that the COVID-19 aid reviewed was used for allowed purposes, while also pointing out a records problem the university needs to fix.

“We noted no exceptions in our testing; therefore, we conclude that the CARES Act student-portion funding that we tested was used for its allowable and intended purposes.”
The bottom line

The only finding was about missing proof of cybersecurity training completion, not misuse of the COVID-19 funds tested.

“Although Fitchburg State University (FSU) provided us some documentation, such as attendance sheets, to confirm that the employees responsible for handling COVID-19 funds completed cybersecurity awareness training, this documentation was incomplete.”
What happens next

The auditor recommended that FSU keep attendance records and monitor that those records are retained; FSU said it has already started using online cybersecurity training software.

“FSU should implement monitoring controls to ensure that it retains attendance sheets for its cybersecurity awareness training.”
Why it's significant

The audit found that FSU received about $22.5 million in COVID-19 education relief awards and had disbursed about $19.4 million during the audit period, so the oversight covered a large amount of public funding.

“Below is a summary of FSU’s financial activity related to COVID-19 funding during the audit period.”
Jargon, unpacked

HEERF means federal emergency higher-education relief money tied to COVID-19, including grants from the CARES Act, CRRSAA, and ARP Act.

“The Higher Education Emergency Relief Fund (HEERF) consists of three separate grants related to the COVID-19 pandemic that were directly funded from US DOE under the CARES Act (HEERF I), CRRSAA (HEERF II), and ARP Act (HEERF III).”

What the Auditor checked

What the Auditor found

Fitchburg State University could not provide complete documentation that employees managing COVID-19 funds completed cybersecurity awareness training.
cybersecurityrecordkeeping/documentationinternal controls

Why it matters: Without retained documentation, FSU cannot ensure employees completed required training, increasing the risk of user error and compromised protected information.

Standard: Executive Office of Technology Services and Security Information Security Risk Management Standard IS.010, Sections 6.2.3 and 6.2.4 ( Executive Office of Technology Services and Security Information Security Risk Management Standard IS.010, Section 6.2.3; Executive Office of Technology Services and Security Information Security Risk Management Standard IS.010, Section 6.2.4 )

2 recommendations
  • FSU should retain attendance sheets to provide evidence that its employees completed cybersecurity awareness training.agency: already implemented
  • FSU should implement monitoring controls to ensure that it retains attendance sheets for its cybersecurity awareness training.agency: already implemented
Agency response & Auditor reply
Agency: "We have addressed the noted finding related to the documentation of cyber security training and attendance tracking and have already implemented the necessary process to ensure compliance."
Auditor: "Based on its response, FSU is taking measures to address our concerns on this matter."

More audits of this entity

Other Office of the State Auditor reports on Fitchburg State University .

See this entity's page with all 4 audits →