Audit of the University of Massachusetts Dartmouth (May 2, 2024)
May 2, 2024 · University of Massachusetts - Dartmouth · Read the full official report on mass.gov ↗
source
“UMass Dartmouth’s bank card transactions did not always comply with UMass system policies and standards.”
Read the plain-English breakdown
This is a state performance audit of UMass Dartmouth covering July 1, 2020 through December 31, 2021.
“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the University of Massachusetts (UMass) Dartmouth for the period July 1, 2020 through December 31, 2021.”
Auditors checked whether the university followed rules for bank-card purchases and whether employees completed cybersecurity awareness training.
“We also determined whether UMass Dartmouth ensured that its employees completed cybersecurity awareness training in accordance with Section 1 of Control 14 (Security Awareness and Skills Training) of the Center for Internet Security’s1 Critical Security Controls.2”
Missing receipts, late reconciliations, and incomplete records can make it harder to catch mistakes or improper spending.
“If UMass Dartmouth does not reconcile and upload bank statements and supporting documents to the UMass system’s online bank card transaction repository in a timely manner or at all, then UMass Dartmouth assumes a higher-than-acceptable risk of erroneous and potentially fraudulent bank card activity.”
As a Massachusetts resident, this matters because UMass Dartmouth receives state support, and weak controls can put public resources and university data at risk.
“During fiscal year 2021, UMass Dartmouth had $241,240,000 in revenue, which included $95,942,000 in state appropriations, and $240,186,000 in expenses.”
The university needs tighter follow-through on card spending records and must make cybersecurity training routine for all employees.
“UMass Dartmouth should provide cybersecurity awareness training to all employees when they are hired and annually thereafter.”
UMass said it is moving to a new expense system, updating bank-card procedures, and creating a campus cybersecurity awareness policy.
“Based on its response, the UMass system is taking measures to address our concerns by implementing new systems and policies, but we urge UMass Dartmouth to fully implement our recommendations, as they relate to issues found at the level of the university, not the entire UMass system.”
A “bank card” is basically a university-paid credit card used by approved employees for certain work purchases. “Reconciliation” means checking the monthly statement against receipts and support. “Cybersecurity awareness training” means teaching employees how to handle systems and data safely.
“The UMass Bank Card is a commercial credit card.”
2 figure(s) pending source verification - not shown
What the Auditor checked
- Did not comply Did UMass Dartmouth execute all bank card purchases in accordance with Sections II(A), II(D), III(A), and III(B) of the “Administrative Standards for the Business Expense Policy” within Appendix C of the “University of Massachusetts Business and Travel Expense Policy” (document T92-031) and Sections 2, 4–8, 11, 12, 15, and 21 of the UMass Bank Card Use Standard?
- Did not comply Did UMass Dartmouth ensure that its employees completed cybersecurity awareness training in accordance with Section 1 of Control 14 (Security Awareness and Skills Training) of the Center for Internet Security’s Critical Security Controls?
What the Auditor found
Why it matters: The weaknesses increased the risk of erroneous or fraudulent card activity, unnecessary tax costs, and lack of transparency over bank card transactions.
Standard: UMass Bank Card Use Standard, Sections 2, 4, 11, 12, 15, and 21. ( Sections 2, 4, 11, 12, 15, and 21 of the UMass Bank Card Use Standard )
4 recommendations
- UMass Dartmouth should ensure that cardholders reconcile and upload all bank statements and supporting documents into the UMass system’s online bank card transaction repository within 30 days of the bank statement date.
- UMass Dartmouth should ensure that each bank card transaction receipt captures the full business purpose and that all required information is on the receipt.
- UMass Dartmouth should ensure that state sales tax is not charged when bank card purchases are made by cardholders.
- UMass Dartmouth should ensure that travel authorization numbers are referenced on the bank statement and receipt(s).
Agency response & Auditor reply
Agency: "As part of its ongoing efforts to innovate and constantly improve efficiency and effectiveness of its operations, UMass is implementing a new University-wide expense system, which will improve the bank card reconciliation process."
Auditor: "We commend the UMass system for implementing a new expense system for all UMass campuses and for ensuring that it will include a mandatory field for documenting the business purpose for each bank card transaction."
Why it matters: The lack of cybersecurity awareness training exposed UMass Dartmouth to higher risk of cyberattacks and related financial or reputational losses.
Standard: Section 1 of Control 14, Security Awareness and Skills Training, of the Center for Internet Security’s Critical Security Controls. ( Section 1 of Control 14 (Security Awareness and Skills Training) of the Center for Internet Security’s Critical Security Controls )
2 recommendations
- UMass Dartmouth should provide cybersecurity awareness training to all employees when they are hired and annually thereafter.agency: already implemented
- UMass Dartmouth should establish and implement a cybersecurity awareness training component to its information security policy.
Agency response & Auditor reply
Agency: "All employees took the mandatory cybersecurity awareness video training in April 2023 via our learning management system."
Auditor: "Based on its response, UMass Dartmouth is taking measures to address our concerns on this matter."
Verified dollar findings
Money paid out that the audit found should not have been - overpayments, unallowable and nonreimbursable charges, improper claims.
More audits of this entity
Other Office of the State Auditor reports on University of Massachusetts - Dartmouth .
-
University of Massachusetts - DartmouthCollege / University · February 22, 2012 -
Audit of the University of Massachusetts DartmouthCollege / University · April 9, 2018