Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of the University of Massachusetts Amherst (December 30, 2024)

December 30, 2024 · University of Massachusetts Amherst · Read the full official report on mass.gov ↗

Published December 30, 2024 Audit covers July 1, 2022 – June 30, 2023 Under Diana DiZoglio · 2023–present

In plain English
The State Auditor found that UMass Amherst had three main problems during the audit period: parts of its public website were not fully accessible, many Blackboard student features were not fully accessible, and the university did not require cybersecurity awareness training for all workers.
source
“Below is a summary of our findings, the effects of those findings, and our recommendations, with links to each page listed.”
Read the plain-English breakdown
What is this?

This is a state performance audit of UMass Amherst covering July 1, 2022 through June 30, 2023.

“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the University of Massachusetts (UMass) Amherst for the period July 1, 2022 through June 30, 2023.”
Why was it audited?

Auditors checked whether UMass Amherst’s website and Blackboard met accessibility standards, and whether employees completed cybersecurity awareness training.

“The purpose of this performance audit was to determine whether UMass Amherst’s website and its learning management system (LMS), Blackboard, adhered to the accessibility standards established by the Web Content Accessibility Guidelines (WCAG) 2.1 for user accessibility, keyboard accessibility, navigation accessibility, language, error identification, and color accessibility.”
Why it matters

Accessibility problems can stop students, residents, and other users from getting information, using online services, watching videos with captions, or navigating systems effectively.

“Broken or faulty hyperlinks limit users from having equitable access to critical information and key online services offered by UMass Amherst and increase the likelihood that Massachusetts residents and students will either access outdated or incorrect information or be directed to webpages that no longer exist.”
What's in it for me?

If you are a student, employee, applicant, parent, or resident using UMass Amherst online services, these fixes could make pages easier to find, read, navigate, and use, especially for people with disabilities.

“WCAG ensures that all users, regardless of ability, can access the content and functions of UMass Amherst’s website and LMS.”
The bottom line

The audit says UMass Amherst needs stronger follow-through on accessibility and cybersecurity training, even though the university said it has fixed some issues and is moving from Blackboard to Canvas.

“UMass Amherst has not implemented cybersecurity awareness training in accordance with Center for Internet Security (CIS) Control 14.”
What happens next

UMass Amherst said it will require cybersecurity training for new employees and annual refresher training, and the Auditor said the office will follow up in about six months.

“We note that the requirement to provide this training is not new and will follow up on this in approximately six months as part of our post audit review process.”
Why it's significant

This matters because public universities have legal accessibility duties, and weak cybersecurity training can raise the risk of cyberattacks, financial loss, and reputational damage.

“Title II of the Americans with Disabilities Act requires that state universities’ and colleges’ websites be accessible.”
Jargon, unpacked

WCAG means web accessibility rules; LMS means a learning management system like Blackboard; WISP means the university’s written information security policy; bypass blocks are links that let keyboard users skip repeated page content and get to the main content.

“A learning management system, or LMS, is a web-based application that functions like a website.”

What the Auditor checked

What the Auditor found

UMass Amherst’s website was not fully accessible for all Massachusetts residents and users.
data privacyinternal controlsrecordkeeping/documentation

Why it matters: Users may be unable to access critical information, may be directed to outdated or nonexistent webpages, may be unable to engage meaningfully with videos, and may have difficulty locating relevant information.

Standard: Web Content Accessibility Guidelines 2.1 Success Criteria 2.4.5, 1.2.2, and 1.4.1. ( Web Accessibility Initiative’s WCAG 2.1 Success Criteria 2.4.5; Web Accessibility Initiative’s WCAG 2.1 Success Criteria 1.2.2; Web Accessibility Initiative’s WCAG 2.1 Success Criteria 1.4.1 )

1 recommendation
  • The university should continually review its webpages to ensure that all hyperlinks lead to related information and have sufficient contrast with surrounding text, and should adopt procedures to ensure videos have captioning features enabled when posted to the umass.edu website.agency: already implemented
Agency response & Auditor reply
Agency: "Also, the campus has fixed all accessibility issues identified in the audit."
Auditor: "Based on its response, UMass Amherst has taken, and continues to take, measures to address our concerns regarding this matter."
UMass Amherst’s learning management system, Blackboard, was not fully accessible for all students.
vendor oversightinternal controlsrecordkeeping/documentation

Why it matters: Students may be unable to access critical LMS information, navigate Blackboard, read content, use mobile course content effectively, use keyboard navigation, understand screen reader output, or identify input errors.

Standard: Web Content Accessibility Guidelines 2.1 Success Criteria 1.3.4, 1.4.10, 1.4.4, 2.1.1, 2.1.2, 2.4.1, 2.4.5, 3.3.1, and 1.4.1. ( Web Accessibility Initiative’s WCAG 2.1 Success Criterion 1.3.4 Orientation (Level AA); Web Accessibility Initiative’s WCAG 2.1 Success Criterion 2.1.1 Keyboard (Level A); Web Accessibility Initiative’s WCAG 2.1 Success Criterion 3.3.1 Error Identification (Level A) )

1 recommendation
  • UMass Amherst should review the accessibility statements and reports of its LMS vendor to determine instances of WCAG noncompliance and work with the LMS vendor to resolve potential noncompliance.
Agency response & Auditor reply
Agency: "It will continue to review Canvas’ accessibility statements and reports to determine if it meets accessibility requirements since the vendor is responsible for maintaining their LMS’ accessibility."
Auditor: "Based on our audit results, and even with a new vendor for this service (Canvas), we recommend that UMass Amherst implement our recommendation in order to be in compliance with WCAG."
UMass Amherst had not implemented workforce cybersecurity awareness training.
cybersecurityinternal controls

Why it matters: UMass Amherst is exposed to an elevated risk of cybersecurity attacks that may cause financial and reputational losses.

Standard: Center for Internet Security Critical Security Controls, Control 14, Section 1. ( Center for Internet Security Critical Security Controls, Control 14, Section 1 )

1 recommendation
  • UMass Amherst should update its WISP to require cybersecurity training at hire and annually, monitor compliance, and enroll all employees, contractors, and interns in cybersecurity awareness training.agency: agreed
Agency response & Auditor reply
Agency: "UMass Amherst will update its WISP to reflect the new cybersecurity awareness training requirements."
Auditor: "Based on its response, UMass Amherst will take measures to address our concerns regarding this matter."

More audits of this entity

Other Office of the State Auditor reports on University of Massachusetts Amherst .

See this entity's page with all 3 audits →