Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of the Massachusetts College of Art and Design

April 19, 2022 · Massachusetts College of Art and Design · Read the full official report on mass.gov ↗ · official site ↗

Published April 19, 2022 Audit covers March 1, 2020 – June 30, 2021 Under Suzanne M. Bump · 2011–2023

In plain English
MassArt handled its COVID-related federal education funds properly, but auditors found it did not require all relevant finance staff to complete cybersecurity training.
source
“MassArt does not require that all employees in its Administration and Finance Department complete cybersecurity awareness training.”
Read the plain-English breakdown
What is this?

This is a Massachusetts State Auditor performance audit of Massachusetts College of Art and Design covering March 1, 2020 through June 30, 2021.

“This report details the audit objectives, scope, methodology, findings, and recommendations for the audit period, March 1, 2020 through June 30, 2021.”
Why was it audited?

Auditors checked whether MassArt followed the rules for federal COVID relief money and whether it updated internal controls and cybersecurity training practices.

“The purpose of our audit was to determine whether MassArt administered CARES Act and CRRSAA funding it received in accordance with the criteria established by US DOE and MDHE.”
Why it matters

The audit matters because COVID relief funds were meant to support students and college operations during the pandemic, and weak cybersecurity training can put public systems and money at risk.

“Without educating all system users on their responsibility of protecting the security of information assets, MassArt is exposed to a higher risk of cybersecurity attacks and financial and/or reputation losses.”
What's in it for me?

For an ordinary citizen, the report says public COVID relief funds reviewed by auditors were administered properly, while also pointing to a cybersecurity weakness the college needed to fix.

“Below is a list of our audit objectives, indicating each question we intended our audit to answer; the conclusion we reached regarding each objective; and, if applicable, where each objective is discussed in the audit findings.”
The bottom line

The main problem found was not misuse of COVID relief funding; it was that MassArt lacked a requirement and records for cybersecurity awareness training for all relevant staff.

“Although MassArt does provide voluntary cybersecurity awareness training, the college does not maintain employee training attendance records.”
What happens next

The auditor recommended that MassArt require cybersecurity training for new and current employees and keep proof that each employee completed it.

“MassArt should maintain a record of completion of cybersecurity awareness training for each employee.”
Why it's significant

The report is significant because MassArt had millions in federal COVID-related awards, and the audit identified one governance weakness while finding the tested funding areas compliant.

“Below is a summary of MassArt’s financial activity related to federal COVID-19 funding during the audit period.”
Jargon, unpacked

HEERF was federal COVID emergency funding for higher education, including student aid and institutional costs related to the pandemic.

“The HEERF consists of three separate grants related to the 2019 coronavirus pandemic emergency that were directly funded from US DOE under the CARES Act (HEERF I), CRRSAA (HEERF II), and American Rescue Plan (HEERF III).”

What the Auditor checked

What the Auditor found

MassArt did not require Administration and Finance Department employees to complete cybersecurity awareness training.
cybersecurityinternal controls

Why it matters: MassArt faces a higher risk of cybersecurity attacks and financial or reputational losses.

Standard: Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010, Sections 6.2.3 and 6.2.4 ( Section 12 of Chapter 11 of the Massachusetts General Laws; Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010 )

2 recommendations
  • MassArt should implement a policy requiring personnel to complete new-hire and annual cybersecurity awareness training.agency: already implemented
  • MassArt should maintain a record of completion of cybersecurity awareness training for each employee.agency: already implemented
Agency response & Auditor reply
Agency: "MassArt has implemented a mandatory annual cybersecurity awareness training program for all current and new employees using the KnowBE4 platform, and now records and tracks completion rates."
Auditor: "Based on its response, MassArt has taken measures to address our concerns on this matter."

More audits of this entity

Other Office of the State Auditor reports on Massachusetts College of Art and Design .

See this entity's page with all 4 audits →