Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of the University of Massachusetts Dartmouth (May 2, 2024)

May 2, 2024 · University of Massachusetts - Dartmouth · Read the full official report on mass.gov ↗

Published May 2, 2024 Audit covers July 1, 2020 – December 31, 2021 Under Diana DiZoglio · 2023–present

In plain English
The audit found two main problems: UMass Dartmouth did not always follow rules for university credit-card spending, and it did not give employees required cybersecurity awareness training during the audit period.
source
“UMass Dartmouth’s bank card transactions did not always comply with UMass system policies and standards.”
Read the plain-English breakdown
What is this?

This is a state performance audit of UMass Dartmouth covering July 1, 2020 through December 31, 2021.

“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the University of Massachusetts (UMass) Dartmouth for the period July 1, 2020 through December 31, 2021.”
Why was it audited?

Auditors checked whether the university followed rules for bank-card purchases and whether employees completed cybersecurity awareness training.

“We also determined whether UMass Dartmouth ensured that its employees completed cybersecurity awareness training in accordance with Section 1 of Control 14 (Security Awareness and Skills Training) of the Center for Internet Security’s1 Critical Security Controls.2”
Why it matters

Missing receipts, late reconciliations, and incomplete records can make it harder to catch mistakes or improper spending.

“If UMass Dartmouth does not reconcile and upload bank statements and supporting documents to the UMass system’s online bank card transaction repository in a timely manner or at all, then UMass Dartmouth assumes a higher-than-acceptable risk of erroneous and potentially fraudulent bank card activity.”
What's in it for me?

As a Massachusetts resident, this matters because UMass Dartmouth receives state support, and weak controls can put public resources and university data at risk.

“During fiscal year 2021, UMass Dartmouth had $241,240,000 in revenue, which included $95,942,000 in state appropriations, and $240,186,000 in expenses.”
The bottom line

The university needs tighter follow-through on card spending records and must make cybersecurity training routine for all employees.

“UMass Dartmouth should provide cybersecurity awareness training to all employees when they are hired and annually thereafter.”
What happens next

UMass said it is moving to a new expense system, updating bank-card procedures, and creating a campus cybersecurity awareness policy.

“Based on its response, the UMass system is taking measures to address our concerns by implementing new systems and policies, but we urge UMass Dartmouth to fully implement our recommendations, as they relate to issues found at the level of the university, not the entire UMass system.”
Jargon, unpacked

A “bank card” is basically a university-paid credit card used by approved employees for certain work purchases. “Reconciliation” means checking the monthly statement against receipts and support. “Cybersecurity awareness training” means teaching employees how to handle systems and data safely.

“The UMass Bank Card is a commercial credit card.”
Identified in this audit - source-verified
$2

2 figure(s) pending source verification - not shown

What the Auditor checked

What the Auditor found

UMass Dartmouth’s bank card transactions lacked required documentation, timely reconciliations, tax handling, and travel authorization references.
procurement/contractsrecordkeeping/documentationinternal controls

Why it matters: The weaknesses increased the risk of erroneous or fraudulent card activity, unnecessary tax costs, and lack of transparency over bank card transactions.

Standard: UMass Bank Card Use Standard, Sections 2, 4, 11, 12, 15, and 21. ( Sections 2, 4, 11, 12, 15, and 21 of the UMass Bank Card Use Standard )

4 recommendations
  • UMass Dartmouth should ensure that cardholders reconcile and upload all bank statements and supporting documents into the UMass system’s online bank card transaction repository within 30 days of the bank statement date.
  • UMass Dartmouth should ensure that each bank card transaction receipt captures the full business purpose and that all required information is on the receipt.
  • UMass Dartmouth should ensure that state sales tax is not charged when bank card purchases are made by cardholders.
  • UMass Dartmouth should ensure that travel authorization numbers are referenced on the bank statement and receipt(s).
Agency response & Auditor reply
Agency: "As part of its ongoing efforts to innovate and constantly improve efficiency and effectiveness of its operations, UMass is implementing a new University-wide expense system, which will improve the bank card reconciliation process."
Auditor: "We commend the UMass system for implementing a new expense system for all UMass campuses and for ensuring that it will include a mandatory field for documenting the business purpose for each bank card transaction."
UMass Dartmouth did not provide required cybersecurity awareness training to employees.
cybersecurityinternal controls

Why it matters: The lack of cybersecurity awareness training exposed UMass Dartmouth to higher risk of cyberattacks and related financial or reputational losses.

Standard: Section 1 of Control 14, Security Awareness and Skills Training, of the Center for Internet Security’s Critical Security Controls. ( Section 1 of Control 14 (Security Awareness and Skills Training) of the Center for Internet Security’s Critical Security Controls )

2 recommendations
  • UMass Dartmouth should provide cybersecurity awareness training to all employees when they are hired and annually thereafter.agency: already implemented
  • UMass Dartmouth should establish and implement a cybersecurity awareness training component to its information security policy.
Agency response & Auditor reply
Agency: "All employees took the mandatory cybersecurity awareness video training in April 2023 via our learning management system."
Auditor: "Based on its response, UMass Dartmouth is taking measures to address our concerns on this matter."

Verified dollar findings

Improper payments identified $2

Money paid out that the audit found should not have been - overpayments, unallowable and nonreimbursable charges, improper claims.

$2 - unrecovered sales tax

More audits of this entity

Other Office of the State Auditor reports on University of Massachusetts - Dartmouth .

See this entity's page with all 3 audits →