Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

IT-Related Controls at the University of Massachusetts Amherst

April 30, 2012 · University of Massachusetts Amherst · Read the full official report (PDF) ↗

Published April 30, 2012 Audit covers July 1, 2009 – May 31, 2011 Under Suzanne M. Bump · 2011–2023

In plain English
UMass Amherst had solid controls around its key SPIRE student system, but the auditor found weaknesses in campus-wide IT oversight, long-term IT planning, and disaster recovery planning.
source
“Based on our examination, we have concluded that adequate controls were in place over UMA’s mission-critical SPIRE application to provide reasonable assurance that business objectives would be met.”
Read the plain-English breakdown
What is this?

This is a 2012 Massachusetts State Auditor report on information technology controls at UMass Amherst for July 1, 2009 through May 31, 2011.

“In accordance with Chapter 11, Section 12, of the Massachusetts General Laws, the Office of the State Auditor performed an information technology (IT) audit at UMA that covered the period July 1, 2009 through May 31, 2011.”
Why was it audited?

The auditor reviewed how UMass Amherst governed its IT, protected its critical SPIRE system, and handled related physical, environmental, security, and continuity controls.

“The audit scope included an examination of the IT governance at UMA and an evaluation of internal and general controls over the mission-critical SPIRE application system, including physical and environmental controls that directly affect UMA’s computing operations (excluding human resources and financial applications, which are hosted and operated by the UMass President’s Office in Shrewsbury).”
Why it matters

Weak IT oversight can lead to bad decisions, wasted money, failed systems, poor performance tracking, and legal or regulatory problems.

“Weak IT governance can result in IT strategic and tactical plans not aligning with UMA’s business requirements and business plans and can also lead to poor management decisions; inadequate cost determinations; uncontrolled expenditures; failed or subpar systems; lack of performance measurement; and noncompliance with laws, regulations, or contractual obligations.”
What's in it for me?

If you are a student, employee, applicant, or otherwise connected to the campus, SPIRE holds and supports important personal, academic, billing, registration, and campus-service information.

“SPIRE supports numerous administrative functions, including student course registration, academic records, advising, admissions, financial aid, student billing, admissions prospect communications, and federal reporting on foreign students and scholars.”
The bottom line

The main problem was not that everything was broken; it was that campus-wide IT management, planning, and recovery processes needed to be more formal, coordinated, and documented.

“However, as reported in the Audit Results section of this report, as of May 31, 2011, UMA needed to make improvements in the areas of IT governance, IT strategic planning, and business continuity and disaster recovery planning.”
What happens next

The report recommended stronger IT governance, a formal IT strategic planning process, and detailed disaster recovery and business continuity plans, with testing and clear responsibilities.

“UMA should strengthen its disaster recovery and business continuity planning process by:”
Jargon, unpacked

“IT governance” means the way leaders make, monitor, and enforce decisions about technology so it supports the university’s goals and manages risk.

“IT governance is how management formally decides to employ IT in supervising, monitoring, and directing an organization and is vital to overall enterprise governance.”

What the Auditor checked

What the Auditor found

UMA’s campus-wide IT governance was informal and decentralized.
cybersecurityinternal controlsdata privacy

Why it matters: Weak IT governance increases the risk of data breaches, poor IT decisions, uncontrolled expenditures, failed systems, and noncompliance.

Standard: IT governance should include executive leadership, organizational structures, processes, and control frameworks to ensure IT sustains organizational strategies and objectives. ( Chapter 11, Section 12, of the Massachusetts General Laws )

2 recommendations
  • Implement sound IT governance practices and structures to inform, direct, manage, and monitor activities toward the achievement of UMA’s business objectives.
  • Establish a general monitoring framework and approach for all data centers and application owners.
UMA’s IT strategic planning and project management procedures were not detailed enough to align IT initiatives with business objectives.
internal controlsrecordkeeping/documentation

Why it matters: The absence of a comprehensive IT strategic plan increases the risk that major systems and IT initiatives will not meet management or user expectations and may exceed time or budget estimates.

Standard: IT strategic planning should align IT activities with the organization’s business strategy and operational requirements. ( Control Objectives for Information and Related Technology (CobiT 4.1) )

2 recommendations
  • Adopt a generally accepted IT strategic planning process in which IT plans are developed in alignment with organizational business strategy.
  • Develop an IT strategic plan that defines how IT goals will contribute to UMA’s strategic objectives, costs, and risks.
Agency response & Auditor reply
Agency: "The campus has been developing a strategic plan over the past few years."
UMA lacked formal comprehensive business continuity, disaster recovery, and continuity of operations plans for mission-critical systems.
cybersecurityinternal controlsrecordkeeping/documentation

Why it matters: UMA may be unable to recover mission-critical and essential business activities in an acceptable and timely manner after a disaster or major system outage.

Standard: Business continuity planning should include coordinated plans, procedures, and technical measures to recover mission-critical and essential IT systems and operations. ( International Standards Organization’s ISO/IEC 27002 on IT Security Management )

3 recommendations
  • Develop and maintain recovery strategies to regain mission-critical and essential processing within acceptable time periods.
  • Document a comprehensive disaster recovery plan with recovery strategies for various disaster scenarios.
  • Annually test the alternate processing site and document and evaluate disaster recovery test results.
Agency response & Auditor reply
Agency: "The campus is currently in the process of hiring additional staff within our Emergency Management department to support the ongoing development and refinement of campus Disaster Recovery (DR) and Business Continuity (BC) programs."

More audits of this entity

Other Office of the State Auditor reports on University of Massachusetts Amherst .

See this entity's page with all 3 audits →