Audit of the Bunker Hill Community College
June 13, 2022 · Bunker Hill Community College · Read the full official report on mass.gov ↗ · official site ↗
source
“Below is a summary of our findings and recommendations, with links to each page listed.”
Read the plain-English breakdown
This is a Massachusetts State Auditor performance audit of Bunker Hill Community College covering March 1, 2020 through June 30, 2021.
“This report details the audit objectives, scope, methodology, findings, and recommendations for the audit period, March 1, 2020 through June 30, 2021.”
Auditors reviewed how BHCC handled federal COVID-19 education relief money, whether it updated its internal control plan for pandemic operations, and whether it provided cybersecurity awareness training.
“In this performance audit, we reviewed financial activity from federal funding provided by the Coronavirus Aid, Relief, and Economic Security Act, the Coronavirus Response and Relief Supplemental Appropriations Act, and the Governor’s Emergency Education Relief (GEER) Fund.”
If federal funds are mixed together instead of tracked separately, it becomes harder to prove the money was used correctly and could put future funding at risk.
“By commingling federal funds, BHCC creates a risk that they may not be used for their intended purpose, restricts its ability to report accurately, and may jeopardize future federal funding eligibility.”
For students, staff, and taxpayers, the audit is about whether emergency education money and college operations were managed responsibly during COVID-19.
“Bunker Hill Community College serves as an educational and economic asset for the Commonwealth of Massachusetts by offering associate degrees and certificate programs that prepare students for further education and fulfilling careers.”
The main problems were inaccurate recording and reporting of some pandemic funds, failure to update pandemic-related internal controls, and no college-wide cybersecurity awareness training program during the audit period.
“BHCC did not accurately record and report the institutional portion of Higher Education Emergency Relief Funds and the GEER Fund.”
BHCC agreed with the recommendations and said it was making changes, including better grant setup, training, an updated COVID-19 appendix to its internal control plan, and cybersecurity training.
“Based on the response above, BHCC is taking measures to address our concerns.”
An internal control plan is the college’s written system for spotting risks and setting up checks to reduce them.
“An ICP identifies objectives and risks and identifies control activities to mitigate risks that will prevent an agency from accomplishing its objectives.”
1 figure(s) pending source verification - not shown
What the Auditor checked
- Complied Did BHCC administer the student portion of funding under the Coronavirus Aid, Relief, and Economic Security (CARES) Act and the Coronavirus Response and Relief Supplemental Appropriations Act (CRRSAA) in accordance with Sections C(13), (14), and (15); D(18); and E(19), (20), and (21) of the United States Department of Education’s (US DOE’s) Higher Education Emergency Relief Fund (HEERF) Frequently Asked Questions (FAQ) Rollup Document and Question 6 of US DOE’s Higher Education Emergency Relief Fund (HEERF II) Public and Private Nonprofit Institution (a)(1) Programs ([Catalog of Federal Domestic Assistance, or CFDA] 84.425E and 84.425F) Frequently Asked Questions?
- Did not comply Did BHCC record and report the institutional portions of CARES Act, CRRSAA, and Governor’s Emergency Education Relief (GEER) funding in accordance with Sections 200.302(b)(1) and (b)(2) of Title 2 of the Code of Federal Regulations (CFR), which the federal Office of Management and Budget (OMB) uses in its Uniform Guidance (2014)?
- Complied Did BHCC calculate lost revenue that it recovered in accordance with Questions 9 and 10 of US DOE’s Higher Education Emergency Relief Fund (HEERF I, II, and III) Lost Revenue Frequently Asked Questions?
- Complied Did BHCC provide the student portion of GEER funding to eligible students in accordance with Attachment A of the interdepartmental service agreement (ISA) between the Massachusetts Executive Office of Education (EOE) and the Massachusetts Department of Higher Education?
- Did not comply Did BHCC update its internal control plan (ICP) to address the impact of the 2019 coronavirus (COVID-19) pandemic as required by the Office of the Comptroller of the Commonwealth’s (CTR’s) “COVID-19 Pandemic Response Internal Controls Guidance,” dated September 30, 2020?
- Did not comply Did BHCC implement an enterprise-wide cybersecurity awareness training program as required by Sections 6.2.1.1 and 6.2.1.2 of the Executive Office of Technology Services and Security’s (EOTSS’s) Information Security Risk Management Standard IS.010?
What the Auditor found
Why it matters: Without updating its internal control plan, BHCC may not identify or mitigate risks caused by the pandemic.
Standard: Office of the Comptroller of the Commonwealth’s COVID-19 Pandemic Response Internal Controls Guidance. ( Office of the Comptroller of the Commonwealth’s “COVID-19 Pandemic Response Internal Controls Guidance” )
2 recommendations
- BHCC should update its internal control plan whenever significant changes occur.
- BHCC should determine whether its designated internal control officer is the correct staff member to receive and respond to internal control communication from the Office of the Comptroller of the Commonwealth.
Agency response & Auditor reply
Agency: "Although the above-mentioned request and the attached guidance were not received in May 2020, the College leadership took and continues to take steps to identify risks, to put adequate controls in place to assess the impact of the pandemic, to reduce disruptions, to mitigate risks, and to develop safety protocols."
Auditor: "Based on the response above, BHCC is taking measures to address our concerns."
Why it matters: Without cybersecurity awareness training, BHCC has a higher risk of cybersecurity attacks that may cause financial or reputational losses.
Standard: Sections 6.2.1.1 and 6.2.1.2 of the Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010. ( Section 6.2.1 of the Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010 )
2 recommendations
- BHCC officials should implement an enterprise-wide cybersecurity awareness training program.agency: already implemented
- BHCC officials should negotiate with union officials to establish cybersecurity awareness training requirements for personnel and, where relevant, contractors and temporary staff members.
Agency response & Auditor reply
Agency: "Cybersecurity training was rolled out to all staff, [full-time] and adjunct faculty in November 2021."
Auditor: "Based on the response above, BHCC is taking measures to address our concerns."
More audits of this entity
Other Office of the State Auditor reports on Bunker Hill Community College .
- Bunker Hill Community CollegeCollege / University · August 15, 2017