Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of Springfield Technical Community College (STCC)

August 18, 2021 · Springfield Technical Community College · Read the full official report on mass.gov ↗ · official site ↗

Published August 18, 2021 Audit covers March 1, 2020 – September 30, 2020 Under Suzanne M. Bump · 2011–2023

In plain English
The audit found STCC generally followed the rules for the COVID relief money it reviewed, but the auditor recommended stronger cybersecurity training.
source
“Our audit revealed no significant instances of noncompliance by STCC that must be reported under generally accepted government auditing standards.”
Read the plain-English breakdown
What is this?

This is a Massachusetts State Auditor performance audit of Springfield Technical Community College covering March 1, 2020 through September 30, 2020.

“This report details the audit objectives, scope, methodology, findings, and recommendations for the audit period, March 1, 2020 through September 30, 2020.”
Why was it audited?

The auditor checked whether STCC handled federal and state COVID education relief money according to the rules.

“The purpose of our audit was to determine whether STCC administered the CARES Act funds it received according to the criteria established by US DOE and MDHE.”
Why it matters

This money was meant to help schools and students respond to COVID-19, so the public has an interest in whether it was used properly.

“The Coronavirus Aid, Relief, and Economic Security (CARES) Act, enacted by Congress on March 27, 2020, provided $30.75 billion for an Education Stabilization Fund (ESF) to prevent, prepare for, and respond to the impact of the 2019 coronavirus (COVID-19) pandemic.”
What's in it for me?

For students, some of the money could help with real-life costs such as tuition, food, housing, healthcare, childcare, course materials, and technology.

“The student portion was to provide funding for items related to students’ cost of attendance, such as tuition, course materials, technology, food, housing, healthcare, and childcare.”
The bottom line

The auditor answered yes to each main question about whether STCC received and used the reviewed CARES and GEER funds according to the applicable guidance.

“Below is a list of our audit objectives, indicating each question we intended our audit to answer and the conclusion we reached regarding each objective.”
What happens next

STCC said it is moving toward mandatory information security training for employees.

“STCC is currently working towards providing mandatory information security training for all employees as recommended.”
Why it's significant

Even though the spending review did not find major compliance problems, weak cybersecurity training could expose the college to cyberattacks and losses.

“Without educating all system users on their responsibility of helping protect the security of information assets by requiring training, STCC is exposed to a higher risk of cybersecurity attacks and financial and/or reputation losses.”
Jargon, unpacked

CARES, HEERF, and GEER are names for COVID-era education relief funding streams; in this audit, STCC received money directly from the federal education department and through the state higher education department.

“STCC received grant funds under two components of the CARES Act’s Education Stabilization Fund: direct funding from the United States Department of Education (US DOE), provided through the Higher Education Emergency Relief Fund and funding from the Massachusetts Department of Higher Education (MDHE), allocated through the Governor’s Emergency Education Relief Fund.”

What the Auditor checked

What the Auditor found

Springfield Technical Community College did not require information security training for all system users.
cybersecurityinternal controls

Why it matters: The college faces increased risk of cybersecurity attacks and financial or reputational losses.

Standard: Information Security Risk Management Standard IS.010, issued by the Enterprise Security Office within the Executive Office of Technology Services and Security ( Information Security Risk Management Standard IS.010 )

1 recommendation
  • Require information security training for all new employees and annual refresher training for all personnel.agency: agreed
Agency response & Auditor reply
Agency: "STCC is currently working towards providing mandatory information security training for all employees as recommended."

More audits of this entity

Other Office of the State Auditor reports on Springfield Technical Community College .

See this entity's page with all 2 audits →