Audit of the Massachusetts College of Art and Design
April 19, 2022 · Massachusetts College of Art and Design · Read the full official report on mass.gov ↗ · official site ↗
source
“MassArt does not require that all employees in its Administration and Finance Department complete cybersecurity awareness training.”
Read the plain-English breakdown
This is a Massachusetts State Auditor performance audit of Massachusetts College of Art and Design covering March 1, 2020 through June 30, 2021.
“This report details the audit objectives, scope, methodology, findings, and recommendations for the audit period, March 1, 2020 through June 30, 2021.”
Auditors checked whether MassArt followed the rules for federal COVID relief money and whether it updated internal controls and cybersecurity training practices.
“The purpose of our audit was to determine whether MassArt administered CARES Act and CRRSAA funding it received in accordance with the criteria established by US DOE and MDHE.”
The audit matters because COVID relief funds were meant to support students and college operations during the pandemic, and weak cybersecurity training can put public systems and money at risk.
“Without educating all system users on their responsibility of protecting the security of information assets, MassArt is exposed to a higher risk of cybersecurity attacks and financial and/or reputation losses.”
For an ordinary citizen, the report says public COVID relief funds reviewed by auditors were administered properly, while also pointing to a cybersecurity weakness the college needed to fix.
“Below is a list of our audit objectives, indicating each question we intended our audit to answer; the conclusion we reached regarding each objective; and, if applicable, where each objective is discussed in the audit findings.”
The main problem found was not misuse of COVID relief funding; it was that MassArt lacked a requirement and records for cybersecurity awareness training for all relevant staff.
“Although MassArt does provide voluntary cybersecurity awareness training, the college does not maintain employee training attendance records.”
The auditor recommended that MassArt require cybersecurity training for new and current employees and keep proof that each employee completed it.
“MassArt should maintain a record of completion of cybersecurity awareness training for each employee.”
The report is significant because MassArt had millions in federal COVID-related awards, and the audit identified one governance weakness while finding the tested funding areas compliant.
“Below is a summary of MassArt’s financial activity related to federal COVID-19 funding during the audit period.”
HEERF was federal COVID emergency funding for higher education, including student aid and institutional costs related to the pandemic.
“The HEERF consists of three separate grants related to the 2019 coronavirus pandemic emergency that were directly funded from US DOE under the CARES Act (HEERF I), CRRSAA (HEERF II), and American Rescue Plan (HEERF III).”
What the Auditor checked
- Complied Did MassArt administer the student portion of funding under Section 18004(a)(1) of the Coronavirus Aid, Relief, and Economic Security (CARES) Act in accordance with Sections C, D, and E of the United States Department of Education’s (US DOE’s) Higher Education Emergency Relief Fund (HEERF) Frequently Asked Questions (FAQ) Rollup Document?
- Complied Did MassArt administer the institutional portion of CARES 18004(a)(1) funding in accordance with Section F of US DOE’s Higher Education Emergency Relief Fund (HEERF) Frequently Asked Questions (FAQ) Rollup Document?
- Complied Did MassArt administer the student portion of funding under Section 314(a)(1) of the Coronavirus Response and Relief Supplemental Appropriations Act (CRRSAA) in accordance with US DOE’s Higher Education Emergency Relief Fund (HEERF) II Public and Private Nonprofit Institution (a)(1) Programs ([Catalog of Federal Domestic Assistance, or CFDA] 84.425E and 84.425F) Frequently Asked Questions?
- Complied Did MassArt administer the institutional portion of funding under Section 314(a)(1) of the CRRSAA in accordance with US DOE’s Higher Education Emergency Relief Fund (HEERF) II Public and Private Nonprofit Institution (a)(1) Programs (CFDA 84.425E and 84.425F) Frequently Asked Questions?
- Complied Did MassArt administer Governor’s Emergency Education Relief (GEER) funding in accordance with US DOE’s Frequently Asked Questions about the Governor’s Emergency Education Relief Fund (GEER Fund) and/or “Attachment A—Terms of Performance and Justifications” within the Massachusetts Department of Higher Education’s (MDHE’s) interdepartmental service agreement?
- Complied Did MassArt update its internal control plan (ICP) to address the 2019 coronavirus (COVID-19) pandemic in accordance with the Office of the Comptroller of the Commonwealth’s “COVID-19 Pandemic Response Internal Controls Guidance,” dated September 30, 2020?
- Did not comply Did MassArt employees handling COVID-19 funding in MassArt’s Administration and Finance Department complete required cybersecurity awareness training in accordance with Sections 6.2.3 and 6.2.4 of the Executive Office of Technology Services and Security’s (EOTSS’s) Information Security Risk Management Standard IS.010?
What the Auditor found
Why it matters: MassArt faces a higher risk of cybersecurity attacks and financial or reputational losses.
Standard: Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010, Sections 6.2.3 and 6.2.4 ( Section 12 of Chapter 11 of the Massachusetts General Laws; Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010 )
2 recommendations
- MassArt should implement a policy requiring personnel to complete new-hire and annual cybersecurity awareness training.agency: already implemented
- MassArt should maintain a record of completion of cybersecurity awareness training for each employee.agency: already implemented
Agency response & Auditor reply
Agency: "MassArt has implemented a mandatory annual cybersecurity awareness training program for all current and new employees using the KnowBE4 platform, and now records and tracks completion rates."
Auditor: "Based on its response, MassArt has taken measures to address our concerns on this matter."
More audits of this entity
Other Office of the State Auditor reports on Massachusetts College of Art and Design .
- Massachusetts College of Art and Design-Student Financial Assistance ProgramsCollege / University · May 24, 2012
-
Massachusetts College of Art and DesignCollege / University · March 18, 2011 -
Massachusetts College of Art and DesignCollege / University · December 15, 2016