Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of Greenfield Community College (GCC)

July 12, 2021 · Greenfield Community College · Read the full official report on mass.gov ↗

Published July 12, 2021 Audit covers March 1, 2020 – September 30, 2020 Under Suzanne M. Bump · 2011–2023

In plain English
The auditor found that Greenfield Community College generally handled its COVID relief funds properly, with no major compliance problems to report.
source
“Our audit revealed no significant instances of noncompliance by GCC that must be reported under generally accepted government auditing standards.”
Read the plain-English breakdown
What is this?

This is a state performance audit of Greenfield Community College covering how it handled certain activity from March 1, 2020 through September 30, 2020.

“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of Greenfield Community College (GCC) for the period March 1, 2020 through September 30, 2020.”
Why was it audited?

The audit checked whether the college followed federal and state rules when using CARES Act education relief money.

“The purpose of our audit was to determine whether GCC administered the CARES Act funds it received according to the criteria established by US DOE and MDHE.”
Why it matters

These were public emergency funds meant to help schools and students respond to COVID-19, so the state checked whether the money was used as allowed.

“The Coronavirus Aid, Relief, and Economic Security (CARES) Act, enacted by Congress on March 27, 2020, provided $30.75 billion for an Education Stabilization Fund (ESF) to prevent, prepare for, and respond to the impact of the 2019 coronavirus (COVID-19) pandemic.”
What's in it for me?

For students, the money could help cover emergency costs like tuition, food, housing, healthcare, childcare, course materials, and technology.

“The student portion was to provide funding for items related to students’ cost of attendance, such as tuition, course materials, technology, food, housing, healthcare, and childcare.”
The bottom line

The college passed the main compliance review, but the auditor pointed out two issues to watch: updated federal rules on lost revenue and the need for stronger cybersecurity training.

“However, in the “Other Matters” section of this report, we discuss modified guidance from US DOE that provides increased flexibility regarding the use of funds received from the HEERF award.”
What happens next

The auditor urged the college to make information security training required for new employees and repeated every year for staff.

“We strongly encourage GCC to require information security training for all new employees and annual refresher training for all personnel.”
Why it's significant

The report matters because even though the spending review found no major problems, the auditor warned that weak security training could leave the college more exposed to cyberattacks and losses.

“Without educating all system users on their responsibility of helping protect the security of information assets by requiring training, GCC is exposed to a higher risk of cybersecurity attacks and financial and/or reputation losses.”
Jargon, unpacked

CARES Act funds were federal COVID emergency money; HEERF was higher-education relief money; GEER was emergency education relief money sent through the state; GCC means Greenfield Community College.

“GCC received grant funds under two components of the CARES Act’s Education Stabilization Fund: direct funding from the United States Department of Education (US DOE), provided through the Higher Education Emergency Relief Fund (HEERF), and funding from the Massachusetts Department of Higher Education (MDHE), allocated through the Governor’s Emergency Education Relief Fund.”

What the Auditor checked

What the Auditor found

Two institutional CARES Act expense transactions were initially charged for revenue recovery under guidance that did not allow that use.
grants managementinternal controls

Why it matters: The transactions were exceptions under the guidance in effect during testing, but the auditor did not report them as findings because GCC transferred them to Title III funding and later federal guidance allowed lost revenue reimbursement retroactively.

Standard: United States Department of Education guidance for CARES 18004(a)(1) institutional funds ( Section 18004(a)(1) of the Coronavirus Aid, Relief, and Economic Security Act )

Agency response & Auditor reply
Agency: "Upon discussion with management at Greenfield Community College (GCC), we noted that both transactions were identified by management and subsequently transferred to CARES 18004(a)(2) Title III funding."
Auditor: "Although we identified the 2 transactions mentioned above as exceptions during our testing, we subsequently determined that disclosing them as findings would not be appropriate because of the modified guidance."
Greenfield Community College did not require information security training for new employees or annual refresher training for employees.
cybersecurityinternal controls

Why it matters: Without mandatory information security training, GCC has a higher risk of cybersecurity attacks and financial or reputational losses.

Standard: Information Security Risk Management Standard IS.010 issued by the Enterprise Security Office within the Executive Office of Technology Services and Security and National Institute of Standards and Technology Special Publication 800-53r5 ( Information Security Risk Management Standard IS.010; National Institute of Standards and Technology’s Special Publication 800-53r5 )

1 recommendation
  • Require information security training for all new employees and annual refresher training for all personnel.

More audits of this entity

Other Office of the State Auditor reports on Greenfield Community College .

See this entity's page with all 4 audits →