Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of the University of Massachusetts Boston (December 26, 2024)

December 26, 2024 · University of Massachusetts Boston · Read the full official report on mass.gov ↗

Published December 26, 2024 Audit covers July 1, 2022 – August 31, 2023 Under Diana DiZoglio · 2023–present

In plain English
The State Auditor found that UMass Boston’s website and Blackboard system were not fully accessible, and that many employees had not completed required cybersecurity training.
source
“UMass Boston’s website is not fully accessible for all Massachusetts residents and users.”
Read the plain-English breakdown
What is this?

This is a state performance audit of UMass Boston covering July 1, 2022 through August 31, 2023.

“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the University of Massachusetts (UMass) Boston for the period July 1, 2022 through August 31, 2023.”
Why was it audited?

Auditors checked whether UMass Boston’s website and Blackboard met accessibility standards and whether employees completed required cybersecurity awareness training.

“The purpose of this performance audit was to determine whether UMass Boston’s website and its learning management system (LMS), Blackboard, adhered to the accessibility standards established by the Web Content Accessibility Guidelines (WCAG) 2.0 and 2.1, respectively, for user accessibility, keyboard accessibility, navigation accessibility, language, error identification, and color accessibility.”
Why it matters

Accessibility problems can block students and residents from getting important online information and services; weak training compliance can raise cybersecurity risk.

“Broken or faulty hyperlinks limit users from having equitable access to critical information and key online services offered by UMass Boston.”
What's in it for me?

If you are a student, employee, applicant, parent, or resident using UMass Boston online services, the audit is about whether you can access information reliably and whether the university is protecting its systems.

“WCAG ensures that all users, regardless of ability, can access the content and functions of UMass Boston’s website and LMS.”
The bottom line

The audit found three main problems: website accessibility issues, Blackboard accessibility issues, and incomplete cybersecurity training.

“UMass Boston did not always ensure that its employees completed cybersecurity awareness training.”
What happens next

The Auditor recommends that UMass Boston keep checking its webpages, work with its learning system vendor on accessibility, and enforce cybersecurity training requirements.

“UMass Boston should revise its policy to implement a mechanism that requires employees to complete cybersecurity awareness training at hire and at least annually thereafter; UMass Boston should consider cutting off user access if an employee does not complete their training by a stated deadline.”
Why it's significant

This matters because UMass Boston is a public university serving thousands of students and employees, and its online systems are central to learning, services, and security.

“As of fall 2023, UMass Boston had a total enrollment of 15,671 students (12,234 undergraduate and 3,437 graduate students), and approximately 2,579 employees (1,816 full-time and 763 part-time employees).”
Jargon, unpacked

WCAG means web accessibility rules meant to help people with disabilities use websites and online tools.

“In 1999, the World Wide Web Consortium (W3C), an international organization overseeing internet standards, released WCAG 1.0.”

What the Auditor checked

What the Auditor found

UMass Boston’s website had broken hyperlinks and was not fully accessible.
internal controlsrecordkeeping/documentation

Why it matters: Broken or faulty hyperlinks can prevent equitable access to critical information and services and may direct users to outdated, incorrect, or nonexistent pages.

Standard: Web Accessibility Initiative’s WCAG 2.0, Success Criteria 2.4.5 ( Web Accessibility Initiative’s WCAG 2.0, Success Criteria 2.4.5 )

1 recommendation
  • UMass Boston should continually review its webpages to ensure that all hyperlinks lead to related information and provide equitable access to critical information and services offered online by UMass Boston.agency: already implemented
Agency response & Auditor reply
Agency: "Also, the campus has fixed all hyperlink issues identified in the audit."
Auditor: "Based on its response, UMass Boston is taking measures to address our concerns regarding this matter."
UMass Boston’s Blackboard learning management system was not fully accessible for students.
vendor oversightinternal controls

Why it matters: Accessibility problems could limit equitable access, prevent navigation, reduce readability, impair use on mobile devices, block keyboard users, reduce screen reader comprehension, and prevent users from identifying errors.

Standard: Web Accessibility Initiative’s WCAG 2.1 ( Web Accessibility Initiative’s WCAG 2.1, Success Criterion 1.3.4 Orientation; Web Accessibility Initiative’s WCAG 2.1, Success Criterion 2.1.1 Keyboard; Web Accessibility Initiative’s WCAG 2.1, Success Criterion 3.3.1 Error Identification )

2 recommendations
  • UMass management should review the accessibility statements and reports of its LMS vendor to determine instances of WCAG noncompliance.agency: agreed
  • UMass management should work with its LMS vendor to ensure that any potential instances of WCAG noncompliance are resolved.agency: agreed
Agency response & Auditor reply
Agency: "It will continue to review Canvas’ accessibility statements and reports to determine if it meets accessibility requirements since the vendor is responsible for maintaining their LMS’ accessibility."
Auditor: "Based on our audit results, and even with a new vendor for this service (Canvas), we recommend that UMass Boston implement our recommendation in order to be in compliance with WCAG."
UMass Boston did not ensure that employees completed cybersecurity awareness training.
cybersecurityinternal controls

Why it matters: Without required cybersecurity awareness training, UMass Boston has a higher-than-acceptable risk of cybersecurity attacks that may cause financial or reputational losses.

Standard: UMass Boston’s “Information Security Training and Awareness Policy” ( UMass Boston’s “Information Security Training and Awareness Policy” )

1 recommendation
  • UMass Boston should revise its policy to implement a mechanism that requires employees to complete cybersecurity awareness training at hire and at least annually thereafter; UMass Boston should consider cutting off user access if an employee does not complete their training by a stated deadline.agency: already implemented
Agency response & Auditor reply
Agency: "UMass Boston has updated its Security Education Training and Awareness policy that reflects the new cybersecurity awareness training requirements."
Auditor: "Therefore, we reiterate our recommendation for UMass Boston to implement a mechanism that requires employees to complete cybersecurity awareness training at hire and at least annually thereafter."

More audits of this entity

Other Office of the State Auditor reports on University of Massachusetts Boston .

See this entity's page with all 2 audits →