Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of Westfield State University (WSU)

April 15, 2021 · Westfield State University · Read the full official report on mass.gov ↗ · official site ↗

Published April 15, 2021 Audit covers October 1, 2018 – March 31, 2020 Under Suzanne M. Bump · 2011–2023

In plain English
The audit found two problems at Westfield State University: it did not always prove that vendor payment information was checked before changes were made, and it did not make sure employees completed required cybersecurity training.
source
“Below is a summary of our findings and recommendations, with links to each page listed.”
Read the plain-English breakdown
What is this?

This is a state performance audit of Westfield State University covering October 1, 2018 through March 31, 2020.

“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of Westfield State University (WSU) for the period October 1, 2018 through March 31, 2020.”
Why was it audited?

Auditors looked at whether the university handled vendor payment-information changes properly and whether system users completed required security-awareness training.

“In this performance audit, we reviewed WSU’s information system security awareness training practices to determine whether its system users had completed required information system security awareness training.”
Why it matters

If payment changes are not verified and documented, public money can be sent to the wrong place, even though WSU recovered the money in the incident described.

“A lack of documented verification causes a higher-than-acceptable risk of improper payments such as the one discussed above.”
What's in it for me?

For ordinary citizens, this matters because WSU receives state funding, and weak controls can put public funds and public systems at risk.

“In 2019, WSU received appropriations of $39 million from the Commonwealth.”
The bottom line

The auditor concluded that WSU did not fully follow required procedures for vendor file changes and did not meet required cybersecurity training standards.

“WSU did not ensure that information system security awareness training was completed as required by the Executive Office of Technology Services and Security.”
What happens next

The report recommends that WSU strengthen its procedures, add supervisory checks, require security training, and monitor compliance.

“WSU should establish monitoring controls to ensure that all of its employees with access to its systems comply with these requirements.”
Why it's significant

The report is significant because one unverified banking change led to a $1.75 million transfer to an unauthorized account, although the university recovered the full amount.

“Additionally, in February 2020, a WSU employee made a change to the banking information in a vendor/customer file without verifying the information in the change request, resulting in WSU transferring $1.75M to an unauthorized account.”
Jargon, unpacked

MMARS is the state’s official accounting system, and EFT means electronic fund transfer, which is direct payment into a bank account.

“Once the agency obtains this information, it is stored in a vendor/customer file in the Massachusetts Management Accounting and Reporting System (MMARS), the official accounting record of the Commonwealth.”

1 figure(s) pending source verification - not shown

What the Auditor checked

What the Auditor found

Westfield State University did not always verify or document vendor/customer information before creating or changing records.
procurement/contractsrecordkeeping/documentationinternal controlsvendor oversight

Why it matters: This increased the risk of improper payments, including unauthorized transfers.

Standard: Office of the Comptroller of the Commonwealth’s “Vendor/Customer File and W-9s” policy and WSU’s “Bank Wire Procedures.” ( Section 4c of the Office of the Comptroller of the Commonwealth’s “Vendor/Customer File and W-9s” policy; WSU’s “Bank Wire Procedures” )

2 recommendations
  • WSU should amend its procedures to ensure that verification is properly performed before creations or changes are processed and require all personnel to document the measures they take to verify the information vendors provide in requests to create or change information in their files.agency: already implemented
  • WSU should implement effective monitoring controls (e.g., a supervisory review process) to ensure that its staff complies with this requirement.agency: already implemented
Agency response & Auditor reply
Agency: "The Vendor Review Procedure in Banner [WSU’s accounting system] and MMARS has been updated and implemented."
Auditor: "Based on the reply above, WSU is responding to our concerns."
Westfield State University did not ensure required information system security awareness training was completed.
cybersecurityinternal controls

Why it matters: This exposed WSU to a higher risk of cybersecurity attacks and financial or reputational losses.

Standard: Executive Office of Technology Services and Security’s “Information Security Risk Management Standard,” Sections 6.2.3 and 6.2.4. ( EOTSS’s “Information Security Risk Management Standard”; Sections 6.2.3 and 6.2.4 of EOTSS’s “Information Security Risk Management Standard” )

2 recommendations
  • WSU should implement a formal information system security awareness training program requiring new users to receive training and existing users to be retrained annually.
  • WSU should establish monitoring controls to ensure that all of its employees with access to its systems comply with these requirements.
Agency response & Auditor reply
Agency: "Knowing more is needed in this area, at onboarding and for periodic review, WSU has purchased and begun the implementation process of a security awareness education program software that will allow for ad-hoc, scheduled, refresher training and compliance monitoring to meet the needs for good security practice, compliance, and the ever-changing security landscape."
Auditor: "Based on the response above, WSU is responding to our concerns."

More audits of this entity

Other Office of the State Auditor reports on Westfield State University .

See this entity's page with all 2 audits →