Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of the Middlesex Community College

May 31, 2022 · Middlesex Community College · Read the full official report on mass.gov ↗

Published May 31, 2022 Audit covers March 1, 2020 – June 30, 2021 Under Suzanne M. Bump · 2011–2023

In plain English
The auditor found that Middlesex Community College generally handled its pandemic relief money properly, but it failed to make sure some staff with access to finance or financial aid systems completed required cybersecurity training.
source
“MCC did not ensure that its users who had access to the finance and/or financial aid modules in Banner completed cybersecurity awareness training.”
Read the plain-English breakdown
What is this?

This is a state performance audit of Middlesex Community College covering March 1, 2020 through June 30, 2021.

“I am pleased to provide this performance audit of Middlesex Community College.”
Why was it audited?

The audit checked whether the college followed rules for federal COVID relief funding and whether it met certain internal control and cybersecurity requirements.

“The purpose of our audit was to determine whether MCC administered the CARES Act, CRRSAA, and ARP Act funding it received in accordance with the criteria established by US DOE and MDHE, as well as its own student award criteria.”
Why it matters

If people with access to sensitive finance and financial aid systems do not complete cybersecurity training, the college faces more risk of cyberattacks, financial harm, and damage to its reputation.

“Without educating all system users on their responsibility of protecting the security of information assets, MCC is exposed to a higher risk of cybersecurity attacks and financial and/or reputation losses.”
What's in it for me?

For students, families, taxpayers, and employees, the report gives some assurance that pandemic relief funds were reviewed, while also pointing out a security weakness that could affect sensitive information.

“In fiscal year 2021, 11,936 students were enrolled at MCC.”
The bottom line

The main problem found was not about misspent COVID relief money; it was that 15 of 35 sampled system users did not complete required cybersecurity training.

“Fifteen of the 35 sampled users did not complete cybersecurity awareness training as required: 13 were assigned the training but did not complete it, and 2 were not assigned the training.”
What happens next

The auditor recommended that the college set clearer cybersecurity training rules and monitor whether users actually finish the training.

“MCC should implement monitoring controls to ensure that users complete the cybersecurity awareness training modules assigned to them.”
Why it's significant

This matters because MCC received and spent millions in federal pandemic-related education funding, and the audit found the funding areas reviewed were compliant while cybersecurity training needed improvement.

“Below is a summary of MCC’s financial activity related to federal COVID-19 funding during the audit period.”
Jargon, unpacked

Banner is the college’s main administrative database system, including records tied to accounting, student files, registration, billing, and financial aid.

“Banner is the database system for MCC’s administrative activities, accounting, and student files.”

What the Auditor checked

What the Auditor found

Middlesex Community College did not ensure that Banner finance and financial aid users completed required cybersecurity awareness training.
cybersecurityinternal controls

Why it matters: Without cybersecurity awareness training for all system users, the college had a higher risk of cybersecurity attacks and financial or reputational losses.

Standard: Section 6.2.4 of the Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010 requires all personnel to complete annual security awareness training. ( Section 6.2.4 of the Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010 )

2 recommendations
  • MCC should implement policies and procedures that clearly define the contents and administration of its cybersecurity awareness training program.agency: agreed
  • MCC should implement monitoring controls to ensure that users complete the cybersecurity awareness training modules assigned to them.agency: agreed
Agency response & Auditor reply
Agency: "Middlesex Community College agrees with the Auditor’s Report Findings, and the implementation of policies, procedures, and monitoring controls to ensure users complete cybersecurity awareness training, that are outlined by MCC in the following response to the Draft Audit Report."
Auditor: "Based on its response, MCC is taking steps to address this issue."

More audits of this entity

Other Office of the State Auditor reports on Middlesex Community College .

See this entity's page with all 2 audits →