Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of the University of Massachusetts Chan Medical School (September 6, 2024)

September 6, 2024 · University of Massachusetts Chan Medical School · Read the full official report on mass.gov ↗

Published September 6, 2024 Audit covers July 1, 2021 – December 31, 2022 Under Diana DiZoglio · 2023–present

In plain English
The audit found two main problems at UMass Chan Medical School: some bank card paperwork was late, incomplete, or missing, and some workers did not finish required cybersecurity training on time.
source
“UMass Chan’s bank card transactions did not always comply with UMass system policies and standards.”
Read the plain-English breakdown
What is this?

This is a state performance audit of UMass Chan Medical School covering July 1, 2021 through December 31, 2022.

“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the University of Massachusetts (UMass) Chan Medical School (Chan) for the period July 1, 2021 through December 31, 2022.”
Why was it audited?

Auditors checked whether UMass Chan followed rules for bank card purchases and cybersecurity awareness training.

“We also determined whether UMass Chan adhered to its “Privacy and Security Training Policy” regarding cybersecurity awareness.”
Why it matters

Weak controls over credit card records and cybersecurity training can increase the risk of fraud, mistakes, cyberattacks, and damage to the school’s finances or reputation.

“If UMass Chan does not educate all workforce members on their responsibility to protect information assets by requiring cybersecurity awareness training, then UMass Chan is exposed to a higher-than-acceptable risk of cybersecurity attacks, which could cause financial and/or reputational losses.”
What's in it for me?

For ordinary Massachusetts residents, this matters because UMass Chan is a public institution that receives state funding and handles public resources, so its spending controls and cybersecurity practices affect public accountability.

“Also during fiscal year 2022, UMass Chan had $1,017,143,000 in revenue, which included $60,392,000 in state appropriations,1 and $1,007,677,000 in expenses.”
The bottom line

The school generally had systems in place, but auditors found gaps: some bank card records were not handled as required, and some required cybersecurity trainings were late or not completed.

“UMass Chan did not ensure that workforce members completed cybersecurity awareness training in a timely manner.”
What happens next

The auditor recommended that UMass Chan tighten its bank card documentation process and make sure all workers with network access complete cybersecurity training when required.

“UMass Chan should ensure that all workforce members who have access to its computer network complete cybersecurity awareness training in a timely manner, upon hire and annually thereafter.”
Why it's significant

The findings are significant because auditors saw repeated documentation and training issues, not just one isolated mistake: 42 sampled bank card reconciliations were late, and multiple sampled workers completed training late or not at all.

“Of the 127 requisitions related to our sample of transactions, 2 requisitions were never created in the UMass system’s online bank card transaction repository, while 42 were submitted after the allowable 30 days.”
Jargon, unpacked

A “bank card” means a university-paid commercial credit card used for approved purchases, emergency purchases, or travel costs instead of reimbursing employees later.

“The UMass Bank Card is a commercial credit card.”

1 figure(s) pending source verification - not shown

What the Auditor checked

What the Auditor found

UMass Chan’s bank card transactions did not always comply with UMass system policies and standards.
cash handlingrecordkeeping/documentationinternal controls

Why it matters: UMass Chan had a higher risk of erroneous or potentially fraudulent bank card activity and reduced transparency because documentation and reconciliations were incomplete or late.

Standard: Sections 2, 4, 15, and 21 of the UMass Bank Card Use Standard. ( Sections 2, 4, 15, and 21 of the UMass Bank Card Use Standard )

2 recommendations
  • UMass Chan should ensure that travel authorization numbers are referenced on bank statements and receipts, or the UMass system should update the bank card standard to reflect feasible requirements.
  • UMass Chan should ensure that cardholders reconcile and upload all bank statements and supporting documents into the online bank card transaction repository within 30 days of bank statement dates.agency: already implemented
Agency response & Auditor reply
Agency: "As a result, the University no longer utilizes the online repository, and the Bank Card Standard is being updated to reflect new protocols."
Auditor: "We strongly encourage UMass Chan to fully implement our recommendations regarding these matters."
UMass Chan did not ensure that workforce members completed cybersecurity awareness training on time.
cybersecurityinternal controls

Why it matters: UMass Chan was exposed to a higher risk of cybersecurity attacks that could cause financial or reputational losses.

Standard: UMass Chan’s “Privacy and Security Training Policy.” ( UMass Chan’s “Privacy and Security Training Policy” )

1 recommendation
  • UMass Chan should ensure that all workforce members who have access to its computer network complete cybersecurity awareness training in a timely manner, upon hire and annually thereafter.
Agency response & Auditor reply
Agency: "Furthermore, the few individuals who did not complete cybersecurity awareness training have since either done so or left UMass Chan."
Auditor: "Therefore, we strongly encourage UMass Chan to implement our recommendation regarding this matter."