Audit of the University of Massachusetts Lowell ( April 19, 2024)
April 19, 2024 · University of Massachusetts Lowell ( April 19, 2024) · Read the full official report on mass.gov ↗
source
“UMass Lowell’s bank card transactions did not always comply with UMass system policies and standards.”
Read the plain-English breakdown
This is a State Auditor performance audit of UMass Lowell covering July 1, 2020 through December 31, 2021.
“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the University of Massachusetts (UMass) Lowell for the period July 1, 2020 through December 31, 2021.”
Auditors checked whether UMass Lowell followed rules for bank card purchases and cybersecurity awareness training for nonfaculty employees.
“We also determined whether UMass Lowell adhered to its “Security Awareness Policy IT-5-112” regarding cybersecurity awareness training for nonfaculty employees.”
Weak purchase controls can make mistakes or fraud harder to catch, and weak cybersecurity training can increase the risk of cyberattacks.
“If UMass Lowell does not educate all employees on their responsibility to protect its information assets by requiring cybersecurity awareness training, then UMass Lowell is exposed to a higher-than-acceptable risk of cybersecurity attacks, which could cause financial and/or reputational losses.”
For ordinary Massachusetts residents, this matters because UMass Lowell receives public money, and poor controls can waste resources or expose public institutions to avoidable risks.
“During fiscal year 2021, UMass Lowell had $474,927,000 in revenue, which included $133,768,000 in state appropriations, and $463,883,000 in expenses.”
The auditor found compliance problems, but UMass Lowell and the UMass system said they are updating systems and procedures to address them.
“Based on its response, the UMass system is taking measures to address our concerns by implementing new systems and policies, but we urge UMass Lowell to fully implement our recommendations, as they relate to issues found at the level of the university, not the entire UMass system.”
UMass Lowell is expected to improve how it tracks bank card purchases, sales tax, travel documentation, and cybersecurity training completion records.
“UMass Lowell Information Technology will collect and retain all cybersecurity awareness training records.”
A bank card is a university credit card used for certain purchases; cardholders must keep receipts, reconcile statements, and document why purchases were made.
“The UMass Bank Card is a commercial credit card.”
1 figure(s) pending source verification - not shown
What the Auditor checked
- Did not comply Did UMass Lowell execute all bank card purchases in accordance with Sections II(A), II(D), III(A), and III(B) of the “Administrative Standards for the Business Expense Policy” within Appendix C of the “University of Massachusetts Business and Travel Expense Policy” (document T92-031) and Sections 2, 4–8, 11, 12, 15, and 21 of the UMass Bank Card Use Standard?
- Did not comply Did UMass Lowell adhere to its “Security Awareness Policy IT-5-112” regarding cybersecurity awareness training for nonfaculty employees?
What the Auditor found
Why it matters: The weaknesses increased the risk of erroneous or fraudulent bank card activity, unnecessary tax costs, and lack of transparency.
Standard: UMass Bank Card Use Standard Sections 2, 4, 11, 12, 15, and 21. ( Section 12 of Chapter 11 of the Massachusetts General Laws; Sections 2, 4, 11, 12, 15, and 21 of the UMass Bank Card Use Standard )
4 recommendations
- UMass Lowell should ensure that cardholders reconcile and upload all bank statements and supporting documents into the UMass system’s online bank card transaction repository within 30 days of the bank statement date.
- UMass Lowell should ensure that each bank card transaction receipt captures the full business purpose and that all required information is on the receipt.
- UMass Lowell should ensure that state sales tax is not charged when bank card purchases are made by cardholders.
- UMass Lowell should ensure that travel authorization numbers are referenced on the bank statement and receipt(s).
Agency response & Auditor reply
Agency: "As part of its ongoing efforts to innovate and constantly improve efficiency and effectiveness of its operations, UMass is implementing a new University-wide expense system, which will improve the bank card reconciliation process."
Auditor: "We commend the UMass system for implementing a new expense system for all UMass campuses and for ensuring that it will include a mandatory field for documenting the business purpose for each bank card transaction."
Why it matters: The weakness exposed UMass Lowell to a higher-than-acceptable risk of cybersecurity attacks and possible financial or reputational losses.
Standard: UMass Lowell Security Awareness Policy IT-5-112 and the Massachusetts Statewide Records Retention Schedule. ( UMass Lowell’s “Security Awareness Policy IT-5-112”; Massachusetts Statewide Records Retention Schedule, E04-08 )
3 recommendations
- UMass Lowell should configure its cybersecurity awareness training platform so that it has the ability to monitor the assignment and completion of the trainings.
- UMass Lowell should ensure that its nonfaculty employees complete cybersecurity awareness training when they are hired and annually thereafter.
- UMass Lowell should retain sufficient cybersecurity awareness training documentation.
Agency response & Auditor reply
Agency: "UMass Lowell Information Technology is working with Human Resources to implement a new employee learning management platform that will track the completion of cybersecurity awareness training."
Auditor: "Based on its response, UMass Lowell is taking measures to address our concerns on this matter."
Verified dollar findings
Money paid out that the audit found should not have been - overpayments, unallowable and nonreimbursable charges, improper claims.