Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of Mount Wachusett Community College (December 27, 2024)

December 27, 2024 · Mount Wachusett Community College · Read the full official report on mass.gov ↗ · official site ↗

Published December 27, 2024 Audit covers March 1, 2020 – June 30, 2023 Under Diana DiZoglio · 2023–present

In plain English
The audit found that Mount Wachusett Community College handled its federal COVID-19 student and institutional aid properly, but it had problems with internal planning, settlement agreement oversight, and proof that employees completed cybersecurity training.
source
“Below is a summary of our findings, the effects of those findings, and our recommendations, with links to each page listed.”
Read the plain-English breakdown
What is this?

This is a Massachusetts State Auditor performance audit of Mount Wachusett Community College covering mostly March 1, 2020 through June 30, 2023, with a longer review period for employee settlement agreements.

“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of Mount Wachusett Community College (MWCC) for the period March 1, 2020 through June 30, 2023.”
Why was it audited?

Auditors checked whether the college followed rules for COVID-19 relief funding, updated its internal controls for the pandemic, trained employees on cybersecurity, and properly handled employee settlement agreements.

“The purpose of our audit was to determine the following:”
Why it matters

The issues matter because weak controls, unclear settlement practices, and incomplete cybersecurity training can expose a public college to risks, including poor oversight, security attacks, and reputational harm.

“Without educating all employees on their responsibility of protecting the security of information assets, MWCC may be exposed to a higher risk of cybersecurity attacks and financial and/or reputational losses.”
What's in it for me?

If you are a student, employee, taxpayer, or local resident, the audit shows that COVID-19 aid was generally handled correctly, but it also calls for stronger safeguards around public accountability, employee settlements, and cybersecurity.

“Based on the results of our testing, we determined that, during the audit period, MWCC administered the student portion of funding under Section 2003(a)(1) of the ARPA in accordance with Section B of US DOE’s HEERF III FAQ.”
The bottom line

The college passed the audit’s tests on COVID-19 relief spending, but failed in three areas: pandemic-related internal controls, employee settlement agreement oversight, and evidence of cybersecurity training completion.

“MWCC did not update its internal control plan with a COVID-19 pandemic response plan.”
What happens next

The auditor says MWCC is taking steps to fix the problems, and the auditor’s office plans to follow up in about six months.

“As part of our post-audit review process, we will follow up on this matter in approximately six months.”
Why it's significant

The most serious concern is not misuse of COVID-19 aid; it is that weak documentation and oversight could make it harder to prevent or detect problems in settlements, cybersecurity, and agency controls.

“If MWCC does not have a transparent and accountable process to handle employee settlement agreements, especially those containing non-disclosure, non-disparagement, or similarly restrictive clauses, it cannot ensure that employee settlement agreements are handled in an ethical, legal, or appropriate manner.”
Jargon, unpacked

An internal control plan is basically a written plan for spotting risks and setting up checks to reduce them so an agency can do its job.

“An internal control plan identifies objectives and risks and identifies control activities to mitigate risks that may prevent an agency from accomplishing its public mission.”

8 figure(s) pending source verification - not shown

What the Auditor checked

What the Auditor found

Mount Wachusett Community College lacked a transparent and accountable process for employee settlement agreements.
internal controlsrecordkeeping/documentation

Why it matters: Settlement agreements may not be handled in an ethical, legal, or appropriate manner, and confidentiality language could be used to obscure harassment, discrimination, poor management, or unlawful behavior.

Standard: Section 5.09 of Title 815 of the Code of Massachusetts Regulations ( Section 5.09 of Title 815 of the Code of Massachusetts Regulations )

3 recommendations
  • MWCC should develop, document, and implement a policy related to employee settlement agreements.agency: agreed
  • To help increase transparency and accountability, MWCC should track and document all employee settlements entered into by MWCC.agency: partially agreed
  • To help increase transparency and accountability, MWCC should track and document all complaints that include non-disclosure, non-disparagement, or similarly restrictive clauses in employee settlement agreements.
Agency response & Auditor reply
Agency: "Going forward and in consultation with the College’s Office of General Counsel, the College will establish written parameters to reference regarding the potential for entering settlement agreements with employees and whether such agreements should include language pertaining to non-disclosure or non-disparagement should such language be sought by any party to such an agreement."
Auditor: "We reiterate our concerns that without a fully documented process that increases oversight, there is a potential for settlements that include confidentiality language that could be misused, or possibly abused, to protect perpetrators and cover up unlawful or unethical behavior."
Mount Wachusett Community College could not prove that all users were assigned or completed cybersecurity awareness training.
cybersecurityinternal controlsrecordkeeping/documentation

Why it matters: MWCC may be exposed to a higher risk of cybersecurity attacks and financial or reputational losses.

Standard: Sections 6.2.3 and 6.2.4 of the Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010 ( Section 6.2 of the Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010 )

3 recommendations
  • MWCC should take steps to establish a connection between MWCC’s internal system and the systems used by the third-party training providers to ensure that all employees are assigned to take initial cybersecurity awareness training upon being hired and refresher training on an annual basis.agency: already implemented
  • MWCC should ensure that all employees complete initial and refresher cybersecurity awareness training.agency: agreed
  • MWCC should ensure that it retains certificates on file for its employees to document their completion of cybersecurity awareness training.agency: agreed
Agency response & Auditor reply
Agency: "In addition, MWCC has connected the Active Directory, location of employee accounts, with [the cybersecurity awareness training system]."
Auditor: "Based on its response, MWCC is taking measures to address our concerns regarding this matter."

More audits of this entity

Other Office of the State Auditor reports on Mount Wachusett Community College .

See this entity's page with all 4 audits →