Audit of Quinsigamond Community College (April 4, 2025)
April 4, 2025 · Quinsigamond Community College · Read the full official report on mass.gov ↗ · official site ↗
source
“Below is a summary of our findings, the effects of those findings, and our recommendations, with links to each page listed.”
Read the plain-English breakdown
This is a Massachusetts State Auditor performance audit of Quinsigamond Community College covering mostly March 1, 2020 through June 30, 2023, with a longer review period for employee settlements.
“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of Quinsigamond Community College (QCC) for the period March 1, 2020, through June 30, 2023.”
The audit checked whether QCC properly handled federal COVID relief money, updated its internal controls for the pandemic, trained employees on cybersecurity, and followed rules for employee settlements.
“The purpose of our audit was to determine the following:”
The findings matter because weak cybersecurity training, weak system controls, and unclear settlement practices can expose the college to security, financial, legal, ethical, and reputational risks.
“Deficiencies in information system general controls can lead to potential operational issues, which could negatively impact QCC’s reputation, information system security, and/or financial stability.”
If you are a student, employee, taxpayer, or community member, this report shows whether public money and college systems were being managed carefully and whether QCC has steps to improve accountability.
“As of the fall 2023 semester, 13,000 students were enrolled at QCC, and it offered 115 programs.”
The main conclusion is that QCC had several management and control weaknesses, even though auditors did not find major exceptions in the tested COVID funding samples.
“We noted no significant exceptions in testing.”
The auditor says the office will check back in about six months to see whether QCC has addressed the findings.
“As part of our post-audit review process, we will follow up on this matter in approximately six months.”
The most significant concerns were that many employees did not complete cybersecurity training on time, system controls had gaps, and employee settlement agreements lacked a clear documented process.
“QCC did not have a documented, transparent, or accountable process related to employee settlement agreements, including those containing non-disclosure, non-disparagement, or similarly restrictive clauses.”
A performance audit is a review of whether an organization followed rules and managed programs properly; here, it looked at objectives, scope, methods, findings, and recommendations.
“As is typically the case, this report details the audit objectives, scope, methodology, findings, and recommendations for the audit period, March 1, 2020 through June 30, 2023.”
1 figure(s) pending source verification - not shown
What the Auditor checked
- Partially Did QCC administer Education Stabilization Funds authorized through the Coronavirus Aid, Relief, and Economic Security (CARES) Act, the Coronavirus Response and Relief Supplemental Appropriations Act (CRRSAA), and the American Rescue Plan Act (ARPA), in accordance with the guidance that was provided by the respective funding entities?
- Complied Did QCC update its internal control plan (ICP) as required by the Office of the Comptroller of the Commonwealth’s (CTR’s) “COVID-19 Pandemic Response Internal Controls Guidance”?
- Did not comply Did QCC provide its employees cybersecurity awareness training in accordance with Section 6.2.3 and 6.2.4 of the Executive Office of Technology Services and Security’s (EOTSS’s) Information Security Risk Management Standard IS.010, effective October 15, 2018?
- Did not comply Does QCC record and process settlement agreements in accordance with the Office of the State Comptroller’s policy, updated February 10, 2020, for the period of January 1, 2019 through December 30, 2023?
What the Auditor found
Why it matters: QCC may face higher risk of cybersecurity attacks and financial or reputational losses.
Standard: Sections 6.2.3 and 6.2.4 of the Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010, effective October 15, 2018. ( Section 6.2 of EOTSS’s Information Security Risk Management Standard IS.010, effective October 15, 2018 )
2 recommendations
- QCC should ensure that all employees complete annual cybersecurity awareness training and that all newly hired employees complete the initial training within the first 30 days of orientation.agency: agreed
- QCC should design and implement a monitoring control to track the completion of cybersecurity awareness training.agency: agreed
Agency response & Auditor reply
Agency: "QCC is dedicated to educating its users about the cybersecurity risks that affect us all."
Auditor: "Based on its response, QCC is taking measures to address our concerns regarding this matter."
Why it matters: Weak information system controls could harm QCC’s operations, reputation, system security, or financial stability.
Standard: US Government Accountability Office data reliability guidance and EOTSS access management and logging standards cited as best practices. ( EOTSS’s Access Management Policy IS.003, effective October 15, 2018; EOTSS’s Logging and Event Monitoring Standard IS.011, effective October 15, 2018 )
2 recommendations
- QCC should revisit and enhance its information systems general controls surrounding the campus-wide administrative database and financial system, as well as human resources records.agency: agreed
- QCC should establish a policy to monitor the accuracy of data, the removal of terminated employees from the data systems, and record retention.agency: agreed
Agency response & Auditor reply
Agency: "The College seeks to utilize sound and reasonable practices to ensure information systems general controls, database integrity, and accuracy of data contained within databases."
Auditor: "Overall, based on its response, QCC appears to be taking measures to address our concerns regarding this matter."
Why it matters: QCC cannot ensure settlement agreements are handled ethically, legally, or appropriately, and may rehire former employees whose settlements said they should not be rehired.
Standard: Section 5.09 of Title 815 of the Code of Massachusetts Regulations and CTR settlement reporting practices. ( Section 5.09 of Title 815 of the Code of Massachusetts Regulations )
2 recommendations
- QCC should develop, document, and implement a policy related to employee settlement agreements, including those with no reemployment clauses.agency: agreed
- QCC should track and document all complaints that include non-disclosure, non-disparagement, or similarly restrictive clauses in employee settlement agreements.agency: agreed
Agency response & Auditor reply
Agency: "Going forward and in consultation with the College’s Office of General Counsel, the College will establish written parameters to reference regarding the potential for entering settlement agreements with employees and whether such agreements should include language pertaining to non-disclosure, nondisparaging, non-publication, or ”similarly restrictive” clauses should such language be sought by any party to such an agreement."
Auditor: "Based on its response, QCC is taking measures to address our concerns regarding this matter."
More audits of this entity
Other Office of the State Auditor reports on Quinsigamond Community College .
-
Quinsigamond Community CollegeCollege / University · October 22, 2015 -
Audit of Quinsigamond Community College (QCC)College / University · March 26, 2020 - Quinsigamond Community College's use of American Recovery and Reinvestment FundsCollege / University · April 30, 2012