Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of the University of Massachusetts Lowell ( April 19, 2024)

April 19, 2024 · University of Massachusetts Lowell ( April 19, 2024) · Read the full official report on mass.gov ↗

Published April 19, 2024 Audit covers July 1, 2020 – December 31, 2021 Under Diana DiZoglio · 2023–present

In plain English
The audit found two main problems at UMass Lowell: some bank card purchases did not follow required rules, and cybersecurity training records were incomplete or showed some employees did not finish required training.
source
“UMass Lowell’s bank card transactions did not always comply with UMass system policies and standards.”
Read the plain-English breakdown
What is this?

This is a State Auditor performance audit of UMass Lowell covering July 1, 2020 through December 31, 2021.

“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the University of Massachusetts (UMass) Lowell for the period July 1, 2020 through December 31, 2021.”
Why was it audited?

Auditors checked whether UMass Lowell followed rules for bank card purchases and cybersecurity awareness training for nonfaculty employees.

“We also determined whether UMass Lowell adhered to its “Security Awareness Policy IT-5-112” regarding cybersecurity awareness training for nonfaculty employees.”
Why it matters

Weak purchase controls can make mistakes or fraud harder to catch, and weak cybersecurity training can increase the risk of cyberattacks.

“If UMass Lowell does not educate all employees on their responsibility to protect its information assets by requiring cybersecurity awareness training, then UMass Lowell is exposed to a higher-than-acceptable risk of cybersecurity attacks, which could cause financial and/or reputational losses.”
What's in it for me?

For ordinary Massachusetts residents, this matters because UMass Lowell receives public money, and poor controls can waste resources or expose public institutions to avoidable risks.

“During fiscal year 2021, UMass Lowell had $474,927,000 in revenue, which included $133,768,000 in state appropriations, and $463,883,000 in expenses.”
The bottom line

The auditor found compliance problems, but UMass Lowell and the UMass system said they are updating systems and procedures to address them.

“Based on its response, the UMass system is taking measures to address our concerns by implementing new systems and policies, but we urge UMass Lowell to fully implement our recommendations, as they relate to issues found at the level of the university, not the entire UMass system.”
What happens next

UMass Lowell is expected to improve how it tracks bank card purchases, sales tax, travel documentation, and cybersecurity training completion records.

“UMass Lowell Information Technology will collect and retain all cybersecurity awareness training records.”
Jargon, unpacked

A bank card is a university credit card used for certain purchases; cardholders must keep receipts, reconcile statements, and document why purchases were made.

“The UMass Bank Card is a commercial credit card.”
Identified in this audit - source-verified
$1,400

1 figure(s) pending source verification - not shown

What the Auditor checked

What the Auditor found

UMass Lowell bank card transactions lacked required documentation, timely reconciliation, tax controls, and travel authorization references.
cash handlingprocurement/contractsrecordkeeping/documentationinternal controls

Why it matters: The weaknesses increased the risk of erroneous or fraudulent bank card activity, unnecessary tax costs, and lack of transparency.

Standard: UMass Bank Card Use Standard Sections 2, 4, 11, 12, 15, and 21. ( Section 12 of Chapter 11 of the Massachusetts General Laws; Sections 2, 4, 11, 12, 15, and 21 of the UMass Bank Card Use Standard )

4 recommendations
  • UMass Lowell should ensure that cardholders reconcile and upload all bank statements and supporting documents into the UMass system’s online bank card transaction repository within 30 days of the bank statement date.
  • UMass Lowell should ensure that each bank card transaction receipt captures the full business purpose and that all required information is on the receipt.
  • UMass Lowell should ensure that state sales tax is not charged when bank card purchases are made by cardholders.
  • UMass Lowell should ensure that travel authorization numbers are referenced on the bank statement and receipt(s).
Agency response & Auditor reply
Agency: "As part of its ongoing efforts to innovate and constantly improve efficiency and effectiveness of its operations, UMass is implementing a new University-wide expense system, which will improve the bank card reconciliation process."
Auditor: "We commend the UMass system for implementing a new expense system for all UMass campuses and for ensuring that it will include a mandatory field for documenting the business purpose for each bank card transaction."
UMass Lowell lacked complete cybersecurity awareness training records and did not ensure all nonfaculty employees completed required training.
cybersecurityrecordkeeping/documentationinternal controls

Why it matters: The weakness exposed UMass Lowell to a higher-than-acceptable risk of cybersecurity attacks and possible financial or reputational losses.

Standard: UMass Lowell Security Awareness Policy IT-5-112 and the Massachusetts Statewide Records Retention Schedule. ( UMass Lowell’s “Security Awareness Policy IT-5-112”; Massachusetts Statewide Records Retention Schedule, E04-08 )

3 recommendations
  • UMass Lowell should configure its cybersecurity awareness training platform so that it has the ability to monitor the assignment and completion of the trainings.
  • UMass Lowell should ensure that its nonfaculty employees complete cybersecurity awareness training when they are hired and annually thereafter.
  • UMass Lowell should retain sufficient cybersecurity awareness training documentation.
Agency response & Auditor reply
Agency: "UMass Lowell Information Technology is working with Human Resources to implement a new employee learning management platform that will track the completion of cybersecurity awareness training."
Auditor: "Based on its response, UMass Lowell is taking measures to address our concerns on this matter."

Verified dollar findings

Improper payments identified $1,400

Money paid out that the audit found should not have been - overpayments, unallowable and nonreimbursable charges, improper claims.

$1,400 - unrecovered sales tax