Audit of Massachusetts Bay Community College (MBCC)
May 11, 2021 · Massachusetts Bay Community College · Read the full official report on mass.gov ↗ · official site ↗
source
“Massachusetts Bay Community College did not properly administer its inventory of information technology equipment.”
Read the plain-English breakdown
This is a Massachusetts State Auditor performance audit of MassBay Community College covering July 1, 2018 through December 31, 2019, with some IT inventory work extending later.
“This report details the audit objectives, scope, methodology, findings, and recommendations for the audit period, July 1, 2018 through December 31, 2019.”
Auditors looked at how the college tracked IT equipment, used procurement cards, and handled a previously identified duty to report missing or stolen property.
“In this performance audit, we examined MBCC activities related to the administration of IT equipment and procurement cards.”
If the college does not know exactly what equipment it owns or where it is, public assets can be misplaced, misused, or stolen without being detected quickly.
“As a result of these issues, MBCC cannot be certain that all its IT equipment is accurately accounted for and adequately safeguarded against misuse or that it can effectively detect lost, missing, or stolen items.”
MassBay serves thousands of students in the greater Boston and Metrowest area, so weak controls affect a public institution that residents fund and use.
“According to its website, MBCC serves approximately 6,000 full-time and part-time students from greater Boston and the Metrowest region on its campuses in Wellesley Hills, Framingham, and Ashland.”
The college’s purchasing card spending passed the audit tests, but IT inventory tracking and required reporting of missing or stolen property needed fixes.
“Are procurement card (P-Card) expenditures supported by adequate documentation and restricted to college-related business in accordance with MBCC’s policies and procedures?”
MassBay said it had begun reviewing its policies, procedures, and systems, and planned changes to inventory tracking and Chapter 647 reporting.
“We have started the process of reviewing our policies, procedures, and systems to ensure proper monitoring and compliance. . . .”
The same reporting problem had appeared before, and the audit found MassBay still had not put the needed policies and monitoring controls in place.
“MBCC has not implemented policies, procedures, and monitoring controls to ensure compliance with Chapter 647 of the Acts of 1989 as recommended in our prior audit.”
Chapter 647 is the state rule requiring agencies to promptly tell the State Auditor when public money or property is missing, short, lost, or stolen.
“All unaccounted for variances, losses, shortages or theft of funds or property shall be immediately reported to the state auditor’s office.”
3 figure(s) pending source verification - not shown
What the Auditor checked
- Complied Does MBCC obtain approval from the State Surplus Property Office when disposing of surplus IT equipment as required by Section3.04(6) of Title 802 of the Code of Massachusetts Regulations?
- Did not comply Has MBCC implemented the recommendation of our prior audit regarding compliance with the reporting requirements of Chapter 647 of the Acts of 1989?
- Complied Are procurement card (P-Card) expenditures supported by adequate documentation and restricted to college-related business in accordance with MBCC’s policies and procedures?
What the Auditor found
Why it matters: MBCC could not be certain that all IT equipment was accurately accounted for and adequately safeguarded against misuse or that it could detect lost, missing, or stolen items.
Standard: Office of the Comptroller of the Commonwealth fixed asset guidance and MBCC’s Inventory—Tracking and Disposal Policy. ( CTR’s “Fixed Assets—Acquisition Policy”; MBCC’s “Inventory—Tracking and Disposal Policy” )
3 recommendations
- MBCC should review and edit its current IT inventory list to include purchase dates, costs, assigned tag numbers, locations, descriptions, and serial numbers for all items; should remove duplicate items; and should correct inaccurate data where possible.agency: partially agreed
- MBCC should ensure that all IT assets have inventory tags affixed to them.agency: agreed
- MBCC should reevaluate its purchasing and inventory process to identify a best practice for identifying and tracking newly purchased IT equipment at the point of purchase.agency: agreed
Agency response & Auditor reply
Agency: "MassBay is updating the inventory list to include the Commonwealth’s Fixed Assets Acquisition Policy—date of purchase, amount, description, location, and disposition status, and correcting duplicate and inaccurate records."
Auditor: "Based on its response, MBCC is taking measures that respond to our concerns and will allow it to account for its assets more effectively."
Why it matters: Without documentation of annual physical inventories, MBCC could not verify the existence and location of IT assets or reconcile inventory records.
Standard: CTR’s Fixed Assets—Accounting and Management Policy and MBCC’s Inventory—Tracking and Disposal Policy require annual physical inventories. ( CTR’s “Fixed Assets—Accounting and Management Policy”; MBCC’s “Inventory—Tracking and Disposal Policy” )
2 recommendations
- MBCC should enhance its current “Inventory—Tracking and Disposal Policy” to include detailed procedures for all phases of the IT inventory process.agency: agreed
- MBCC should communicate this policy to all employees and establish monitoring controls to ensure that it is consistently followed.agency: agreed
Agency response & Auditor reply
Agency: "The policy will include technology and procedures necessary to capture and retain the details of the annual physical inventory, to reconcile discrepancies found during the annual inventory, and the actions to be taken to remedy the discrepancies found including Chapter 647 reporting when applicable."
Auditor: "Based on its response, MBCC is taking measures that respond to our concerns and will allow it to account for its assets more effectively."
Why it matters: OSA did not have the opportunity to identify the internal control weakness that might have contributed to or caused the loss, or to recommend corrective action to reduce future theft or losses.
Standard: Chapter 647 of the Acts of 1989 requires immediate reporting of unaccounted-for variances, losses, shortages, or thefts of funds or property to the State Auditor’s office. ( Chapter 647 of the Acts of 1989 )
2 recommendations
- MBCC should develop and implement policies, procedures, and monitoring controls to ensure that all unaccounted-for variances, losses, shortages, and/or thefts of funds or property are immediately reported to OSA.agency: agreed
- MBCC should ensure that the party responsible for overseeing compliance with Chapter 647 of the Acts of 1989 understands the law’s requirements.agency: agreed
Agency response & Auditor reply
Agency: "In response to this finding, MassBay will implement training and reporting procedures to ensure ongoing compliance with Chapter 647 of the Acts of 1989."
Auditor: "Based on its response, MBCC is taking measures to address our concerns in this area."
Prior findings revisited
"MBCC has not implemented policies, procedures, and monitoring controls to ensure compliance with Chapter 647 of the Acts of 1989 as recommended in our prior audit."
More audits of this entity
Other Office of the State Auditor reports on Massachusetts Bay Community College , including the prior audits referenced above.
-
Audit of Cybersecurity Awareness Training Compliance Across Multiple State Agencies - Massachusetts Bay Community CollegeCollege / University · November 8, 2024 -
Massachusetts Bay Community CollegeCollege / University · May 23, 2016 -
Massachusetts Bay Community CollegeCollege / University · May 12, 2011 -
Massachusetts Bay Community CollegeCollege / University