Audit of Westfield State University (WSU)
April 15, 2021 · Westfield State University · Read the full official report on mass.gov ↗ · official site ↗
source
“Below is a summary of our findings and recommendations, with links to each page listed.”
Read the plain-English breakdown
This is a state performance audit of Westfield State University covering October 1, 2018 through March 31, 2020.
“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of Westfield State University (WSU) for the period October 1, 2018 through March 31, 2020.”
Auditors looked at whether the university handled vendor payment-information changes properly and whether system users completed required security-awareness training.
“In this performance audit, we reviewed WSU’s information system security awareness training practices to determine whether its system users had completed required information system security awareness training.”
If payment changes are not verified and documented, public money can be sent to the wrong place, even though WSU recovered the money in the incident described.
“A lack of documented verification causes a higher-than-acceptable risk of improper payments such as the one discussed above.”
For ordinary citizens, this matters because WSU receives state funding, and weak controls can put public funds and public systems at risk.
“In 2019, WSU received appropriations of $39 million from the Commonwealth.”
The auditor concluded that WSU did not fully follow required procedures for vendor file changes and did not meet required cybersecurity training standards.
“WSU did not ensure that information system security awareness training was completed as required by the Executive Office of Technology Services and Security.”
The report recommends that WSU strengthen its procedures, add supervisory checks, require security training, and monitor compliance.
“WSU should establish monitoring controls to ensure that all of its employees with access to its systems comply with these requirements.”
The report is significant because one unverified banking change led to a $1.75 million transfer to an unauthorized account, although the university recovered the full amount.
“Additionally, in February 2020, a WSU employee made a change to the banking information in a vendor/customer file without verifying the information in the change request, resulting in WSU transferring $1.75M to an unauthorized account.”
MMARS is the state’s official accounting system, and EFT means electronic fund transfer, which is direct payment into a bank account.
“Once the agency obtains this information, it is stored in a vendor/customer file in the Massachusetts Management Accounting and Reporting System (MMARS), the official accounting record of the Commonwealth.”
1 figure(s) pending source verification - not shown
What the Auditor checked
- Did not comply Does WSU comply with its procedures and the “Vendor/Customer File and W-9s” policy issued by the Office of the Comptroller of the Commonwealth (CTR) for making changes to information in state vendor/customer files in the Massachusetts Management Accounting and Reporting System (MMARS)?
- Did not comply Does WSU adhere to Sections 6.2.3 and 6.2.4 of the Executive Office of Technology Services and Security’s “Information Security Risk Management Standard” for information system security awareness training?
What the Auditor found
Why it matters: This increased the risk of improper payments, including unauthorized transfers.
Standard: Office of the Comptroller of the Commonwealth’s “Vendor/Customer File and W-9s” policy and WSU’s “Bank Wire Procedures.” ( Section 4c of the Office of the Comptroller of the Commonwealth’s “Vendor/Customer File and W-9s” policy; WSU’s “Bank Wire Procedures” )
2 recommendations
- WSU should amend its procedures to ensure that verification is properly performed before creations or changes are processed and require all personnel to document the measures they take to verify the information vendors provide in requests to create or change information in their files.agency: already implemented
- WSU should implement effective monitoring controls (e.g., a supervisory review process) to ensure that its staff complies with this requirement.agency: already implemented
Agency response & Auditor reply
Agency: "The Vendor Review Procedure in Banner [WSU’s accounting system] and MMARS has been updated and implemented."
Auditor: "Based on the reply above, WSU is responding to our concerns."
Why it matters: This exposed WSU to a higher risk of cybersecurity attacks and financial or reputational losses.
Standard: Executive Office of Technology Services and Security’s “Information Security Risk Management Standard,” Sections 6.2.3 and 6.2.4. ( EOTSS’s “Information Security Risk Management Standard”; Sections 6.2.3 and 6.2.4 of EOTSS’s “Information Security Risk Management Standard” )
2 recommendations
- WSU should implement a formal information system security awareness training program requiring new users to receive training and existing users to be retrained annually.
- WSU should establish monitoring controls to ensure that all of its employees with access to its systems comply with these requirements.
Agency response & Auditor reply
Agency: "Knowing more is needed in this area, at onboarding and for periodic review, WSU has purchased and begun the implementation process of a security awareness education program software that will allow for ad-hoc, scheduled, refresher training and compliance monitoring to meet the needs for good security practice, compliance, and the ever-changing security landscape."
Auditor: "Based on the response above, WSU is responding to our concerns."
More audits of this entity
Other Office of the State Auditor reports on Westfield State University .
-
Westfield State UniversityCollege / University · November 23, 2016