Audit of Mount Wachusett Community College (December 27, 2024)
December 27, 2024 · Mount Wachusett Community College · Read the full official report on mass.gov ↗ · official site ↗
source
“Below is a summary of our findings, the effects of those findings, and our recommendations, with links to each page listed.”
Read the plain-English breakdown
This is a Massachusetts State Auditor performance audit of Mount Wachusett Community College covering mostly March 1, 2020 through June 30, 2023, with a longer review period for employee settlement agreements.
“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of Mount Wachusett Community College (MWCC) for the period March 1, 2020 through June 30, 2023.”
Auditors checked whether the college followed rules for COVID-19 relief funding, updated its internal controls for the pandemic, trained employees on cybersecurity, and properly handled employee settlement agreements.
“The purpose of our audit was to determine the following:”
The issues matter because weak controls, unclear settlement practices, and incomplete cybersecurity training can expose a public college to risks, including poor oversight, security attacks, and reputational harm.
“Without educating all employees on their responsibility of protecting the security of information assets, MWCC may be exposed to a higher risk of cybersecurity attacks and financial and/or reputational losses.”
If you are a student, employee, taxpayer, or local resident, the audit shows that COVID-19 aid was generally handled correctly, but it also calls for stronger safeguards around public accountability, employee settlements, and cybersecurity.
“Based on the results of our testing, we determined that, during the audit period, MWCC administered the student portion of funding under Section 2003(a)(1) of the ARPA in accordance with Section B of US DOE’s HEERF III FAQ.”
The college passed the audit’s tests on COVID-19 relief spending, but failed in three areas: pandemic-related internal controls, employee settlement agreement oversight, and evidence of cybersecurity training completion.
“MWCC did not update its internal control plan with a COVID-19 pandemic response plan.”
The auditor says MWCC is taking steps to fix the problems, and the auditor’s office plans to follow up in about six months.
“As part of our post-audit review process, we will follow up on this matter in approximately six months.”
The most serious concern is not misuse of COVID-19 aid; it is that weak documentation and oversight could make it harder to prevent or detect problems in settlements, cybersecurity, and agency controls.
“If MWCC does not have a transparent and accountable process to handle employee settlement agreements, especially those containing non-disclosure, non-disparagement, or similarly restrictive clauses, it cannot ensure that employee settlement agreements are handled in an ethical, legal, or appropriate manner.”
An internal control plan is basically a written plan for spotting risks and setting up checks to reduce them so an agency can do its job.
“An internal control plan identifies objectives and risks and identifies control activities to mitigate risks that may prevent an agency from accomplishing its public mission.”
8 figure(s) pending source verification - not shown
What the Auditor checked
- Complied Did MWCC administer the student portion of funding under Section 18004(a)(1) of the Coronavirus Aid, Relief, and Economic Security (CARES) Act in accordance with Sections C, D, and E of the United States Department of Education’s (US DOE’s) Higher Education Emergency Relief Fund (HEERF) Frequently Asked Questions (FAQ) Rollup Document?
- Complied Did MWCC administer the institutional portion of funding under Section 18004(a)(1) of the CARES Act in accordance with Section F of US DOE’s HEERF FAQ Rollup Document?
- Complied Did MWCC administer the student portion of funding under Section 314(a)(1) of the Coronavirus Response and Relief Supplemental Appropriations Act (CRRSAA) in accordance with US DOE’s HEERF ll Public and Private Nonprofit Institution (a)(1) Programs ([Catalog of Federal Domestic Assistance, or CFDA] 84.425E and 84.425F) FAQ?
- Complied Did MWCC administer the institutional portion of funding under Section 314(a)(1) of the CRRSAA in accordance with US DOE’s HEERF II Public and Private Nonprofit Institution (a)(1) Programs (CFDA 84.425E and 84.425F) FAQ?
- Complied Did MWCC administer the student portion of funding under Section 2003(a)(1) of the American Rescue Plan Act (ARPA) in accordance with Section B of US DOE’s HEERF lll FAQ?
- Complied Did MWCC administer the institutional portion of funding under Section 2003(a)(1) of the ARPA in accordance with Section C of US DOE’s HEERF lll FAQ?
- Did not comply Did all MWCC employees receive cybersecurity awareness training in accordance with Sections 6.2.3 and 6.2.4 of the Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010?
- Did not comply Did MWCC have internal policies and procedures in place for (a) the review and approval of employee settlement agreements, including the language used, and (b) the reporting of employee settlement agreements to CTR? For employee settlement agreements entered into from January 1, 2019 through December 31, 2023, did MWCC follow these policies and did it use non-disclosure, non-disparagement, or similarly restrictive clauses as part of employee settlement agreement language?
What the Auditor found
Why it matters: Settlement agreements may not be handled in an ethical, legal, or appropriate manner, and confidentiality language could be used to obscure harassment, discrimination, poor management, or unlawful behavior.
Standard: Section 5.09 of Title 815 of the Code of Massachusetts Regulations ( Section 5.09 of Title 815 of the Code of Massachusetts Regulations )
3 recommendations
- MWCC should develop, document, and implement a policy related to employee settlement agreements.agency: agreed
- To help increase transparency and accountability, MWCC should track and document all employee settlements entered into by MWCC.agency: partially agreed
- To help increase transparency and accountability, MWCC should track and document all complaints that include non-disclosure, non-disparagement, or similarly restrictive clauses in employee settlement agreements.
Agency response & Auditor reply
Agency: "Going forward and in consultation with the College’s Office of General Counsel, the College will establish written parameters to reference regarding the potential for entering settlement agreements with employees and whether such agreements should include language pertaining to non-disclosure or non-disparagement should such language be sought by any party to such an agreement."
Auditor: "We reiterate our concerns that without a fully documented process that increases oversight, there is a potential for settlements that include confidentiality language that could be misused, or possibly abused, to protect perpetrators and cover up unlawful or unethical behavior."
Why it matters: MWCC may be exposed to a higher risk of cybersecurity attacks and financial or reputational losses.
Standard: Sections 6.2.3 and 6.2.4 of the Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010 ( Section 6.2 of the Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010 )
3 recommendations
- MWCC should take steps to establish a connection between MWCC’s internal system and the systems used by the third-party training providers to ensure that all employees are assigned to take initial cybersecurity awareness training upon being hired and refresher training on an annual basis.agency: already implemented
- MWCC should ensure that all employees complete initial and refresher cybersecurity awareness training.agency: agreed
- MWCC should ensure that it retains certificates on file for its employees to document their completion of cybersecurity awareness training.agency: agreed
Agency response & Auditor reply
Agency: "In addition, MWCC has connected the Active Directory, location of employee accounts, with [the cybersecurity awareness training system]."
Auditor: "Based on its response, MWCC is taking measures to address our concerns regarding this matter."
More audits of this entity
Other Office of the State Auditor reports on Mount Wachusett Community College .
-
Audit of Mount Wachusett Community CollegeCollege / University · March 31, 2020 - Audit of the Mount Wachusett Community College Foundation, Inc. (MWCCF)College / University · April 13, 2020
-
Mount Wachusett Community CollegeCollege / University