Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of Quinsigamond Community College (April 4, 2025)

April 4, 2025 · Quinsigamond Community College · Read the full official report on mass.gov ↗ · official site ↗

Published April 4, 2025 Audit covers March 1, 2020 – June 30, 2023 Under Diana DiZoglio · 2023–present

In plain English
Auditors found that Quinsigamond Community College handled most COVID-related education funds appropriately, but had problems with cybersecurity training, information system controls, employee settlement processes, and grant oversight.
source
“Below is a summary of our findings, the effects of those findings, and our recommendations, with links to each page listed.”
Read the plain-English breakdown
What is this?

This is a Massachusetts State Auditor performance audit of Quinsigamond Community College covering mostly March 1, 2020 through June 30, 2023, with a longer review period for employee settlements.

“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of Quinsigamond Community College (QCC) for the period March 1, 2020, through June 30, 2023.”
Why was it audited?

The audit checked whether QCC properly handled federal COVID relief money, updated its internal controls for the pandemic, trained employees on cybersecurity, and followed rules for employee settlements.

“The purpose of our audit was to determine the following:”
Why it matters

The findings matter because weak cybersecurity training, weak system controls, and unclear settlement practices can expose the college to security, financial, legal, ethical, and reputational risks.

“Deficiencies in information system general controls can lead to potential operational issues, which could negatively impact QCC’s reputation, information system security, and/or financial stability.”
What's in it for me?

If you are a student, employee, taxpayer, or community member, this report shows whether public money and college systems were being managed carefully and whether QCC has steps to improve accountability.

“As of the fall 2023 semester, 13,000 students were enrolled at QCC, and it offered 115 programs.”
The bottom line

The main conclusion is that QCC had several management and control weaknesses, even though auditors did not find major exceptions in the tested COVID funding samples.

“We noted no significant exceptions in testing.”
What happens next

The auditor says the office will check back in about six months to see whether QCC has addressed the findings.

“As part of our post-audit review process, we will follow up on this matter in approximately six months.”
Why it's significant

The most significant concerns were that many employees did not complete cybersecurity training on time, system controls had gaps, and employee settlement agreements lacked a clear documented process.

“QCC did not have a documented, transparent, or accountable process related to employee settlement agreements, including those containing non-disclosure, non-disparagement, or similarly restrictive clauses.”
Jargon, unpacked

A performance audit is a review of whether an organization followed rules and managed programs properly; here, it looked at objectives, scope, methods, findings, and recommendations.

“As is typically the case, this report details the audit objectives, scope, methodology, findings, and recommendations for the audit period, March 1, 2020 through June 30, 2023.”

1 figure(s) pending source verification - not shown

What the Auditor checked

What the Auditor found

Quinsigamond Community College did not ensure that all employees completed required cybersecurity awareness training on time.
cybersecurityinternal controls

Why it matters: QCC may face higher risk of cybersecurity attacks and financial or reputational losses.

Standard: Sections 6.2.3 and 6.2.4 of the Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010, effective October 15, 2018. ( Section 6.2 of EOTSS’s Information Security Risk Management Standard IS.010, effective October 15, 2018 )

2 recommendations
  • QCC should ensure that all employees complete annual cybersecurity awareness training and that all newly hired employees complete the initial training within the first 30 days of orientation.agency: agreed
  • QCC should design and implement a monitoring control to track the completion of cybersecurity awareness training.agency: agreed
Agency response & Auditor reply
Agency: "QCC is dedicated to educating its users about the cybersecurity risks that affect us all."
Auditor: "Based on its response, QCC is taking measures to address our concerns regarding this matter."
Quinsigamond Community College lacked key information system controls over administrative, financial, and human resources records.
cybersecurityrecordkeeping/documentationinternal controlsdata privacy

Why it matters: Weak information system controls could harm QCC’s operations, reputation, system security, or financial stability.

Standard: US Government Accountability Office data reliability guidance and EOTSS access management and logging standards cited as best practices. ( EOTSS’s Access Management Policy IS.003, effective October 15, 2018; EOTSS’s Logging and Event Monitoring Standard IS.011, effective October 15, 2018 )

2 recommendations
  • QCC should revisit and enhance its information systems general controls surrounding the campus-wide administrative database and financial system, as well as human resources records.agency: agreed
  • QCC should establish a policy to monitor the accuracy of data, the removal of terminated employees from the data systems, and record retention.agency: agreed
Agency response & Auditor reply
Agency: "The College seeks to utilize sound and reasonable practices to ensure information systems general controls, database integrity, and accuracy of data contained within databases."
Auditor: "Overall, based on its response, QCC appears to be taking measures to address our concerns regarding this matter."
Quinsigamond Community College did not have a documented and accountable process for employee settlement agreements.
internal controlsrecordkeeping/documentation

Why it matters: QCC cannot ensure settlement agreements are handled ethically, legally, or appropriately, and may rehire former employees whose settlements said they should not be rehired.

Standard: Section 5.09 of Title 815 of the Code of Massachusetts Regulations and CTR settlement reporting practices. ( Section 5.09 of Title 815 of the Code of Massachusetts Regulations )

2 recommendations
  • QCC should develop, document, and implement a policy related to employee settlement agreements, including those with no reemployment clauses.agency: agreed
  • QCC should track and document all complaints that include non-disclosure, non-disparagement, or similarly restrictive clauses in employee settlement agreements.agency: agreed
Agency response & Auditor reply
Agency: "Going forward and in consultation with the College’s Office of General Counsel, the College will establish written parameters to reference regarding the potential for entering settlement agreements with employees and whether such agreements should include language pertaining to non-disclosure, nondisparaging, non-publication, or ”similarly restrictive” clauses should such language be sought by any party to such an agreement."
Auditor: "Based on its response, QCC is taking measures to address our concerns regarding this matter."

More audits of this entity

Other Office of the State Auditor reports on Quinsigamond Community College .

See this entity's page with all 4 audits →