Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Northern Essex Community College

January 26, 2012 · Read the full official report (PDF) ↗ · official site ↗

Published January 26, 2012 Audit covers July 1, 2009 – May 31, 2011 Under Suzanne M. Bump · 2011–2023

In plain English
The audit found that Northern Essex Community College generally had acceptable IT controls, but needed to fix three main problems: its internal control plan was outdated or incomplete, its computer equipment inventory was unreliable, and it lacked full disaster recovery and business continuity plans.
source
“Based on our audit, we have concluded that, except as reported in the Audit Results section of this report, for the period July 1, 2009 through May 31, 2011, adequate internal controls were in place and in effect to provide reasonable assurance that IT-related control objectives would be met regarding IT organization and management, physical security and environmental protection for areas housing computer equipment, system access security, on-site and off-site storage of backup copies of magnetic media, third-party provider IT service contracts, and compliance with security requirements related to PCI and PII standards.”
Read the plain-English breakdown
What is this?

This is a Massachusetts State Auditor review of Northern Essex Community College’s information technology controls during the period from July 1, 2009 through May 31, 2011.

“In accordance with Chapter 11, Section 12, of the General Laws, we performed an IT general controls examination at NECC for the period July 1, 2009 through May 31, 2011.”
Why was it audited?

The Auditor examined whether the college’s IT policies, procedures, staff roles, security, equipment tracking, contracts, and recovery planning were strong enough to support the college’s work and protect its systems and data.

“The primary audit objective was to determine whether NECC’s IT-related internal control environment—including policies, procedures, practices, and organizational structure—provided reasonable assurance that control objectives would be achieved to support NECC’s business functions.”
Why it matters

The issues matter because weak IT controls can make it harder to prevent, detect, or fix problems that affect college systems, records, equipment, and operations.

“As a result, the current ICP does not provide adequate guidance to ensure that appropriate information technology (IT) controls are implemented and exercised so that operational objectives are met; risks are prevented or detected and corrected in a timely manner; and the integrity, security, and availability of its systems and records and effectively protected.”
What's in it for me?

For students, staff, taxpayers, and the public, the practical concern is whether college technology, records, and equipment are protected and whether the school can keep functioning after a major disruption.

“Business continuity planning helps ensure the timely recovery and continuation of mission-critical functions should a disaster cause significant disruption to computer operations.”
The bottom line

The Auditor found three areas needing improvement: the internal control plan, inventory controls over computer equipment, and disaster recovery and business continuity planning.

“Our audit determined that NECC did not have a comprehensive disaster recovery plan (DRP) and business continuity plan (BCP) to provide for the timely restoration of mission-critical and essential business functions should IT systems be rendered inoperable or inaccessible.”
What happens next

The college said it would update its internal control plan, improve equipment inventory procedures, and create disaster recovery and business continuity plans, with target dates in 2011 and 2012.

“These plans will be properly vetted and receive Cabinet approval by June 2012.”
Why it's significant

The report is significant because the college served thousands of students and relied on major computer systems for financial, administrative, student, human resources, and financial aid work.

“SunGard’s Banner application is used to process NECC’s financial management, administrative, and student information.”
Jargon, unpacked

An Internal Control Plan is the college’s written roadmap for managing risks and making sure policies, procedures, and safeguards are actually in place and followed.

“NECC’s Internal Control Officer should work with NECC’s various departments to identify and document operational and control objectives and risks and identify existing control policies, procedures, and management control practices.”

3 figure(s) pending source verification - not shown

What the Auditor checked

What the Auditor found

NECC's internal control plan was not adequately updated and did not sufficiently cross-reference supporting procedures.
internal controlsrecordkeeping/documentation

Why it matters: The plan did not provide adequate guidance to ensure IT controls were implemented, monitored, and evaluated to meet objectives and address risks in a timely manner.

Standard: Office of the State Comptroller’s Internal Control Guide and Chapter 647 of the Acts of 1989 ( Chapter 647 of the Acts of 1989; Chapter 647 of the Acts of 1989, An Act Relative to Improving Internal Controls within State Agencies )

1 recommendation
  • NECC's Internal Control Officer should work with departments to document objectives, risks, controls, gaps, and a framework for additional controls, and ensure the plan addresses COSO and OSC internal control guidelines.agency: agreed
Agency response & Auditor reply
Agency: "The contents of the report are accurate, and we offer the following in response to the audit results."
NECC did not maintain complete, current, and reconciled inventory records for computer equipment.
asset/inventory controlrecordkeeping/documentationinternal controls

Why it matters: NECC could not rely on its inventory system to support IT configuration management, safeguard equipment, account for IT resources, identify missing equipment, or maintain a reliable equipment record.

Standard: Office of the State Comptroller fixed asset guidelines and Chapter 647 of the Acts of 1989 ( Chapter 647 of the Acts of 1989; OSC fixed asset guidelines )

3 recommendations
  • Record all received computer equipment within seven days and perform a complete annual physical inventory and reconciliation.agency: agreed
  • Develop formal policies and procedures requiring users assigned notebook computers to sign a responsibility and acceptable usage form.agency: agreed
  • Develop formal policies and procedures and train staff responsible for monitoring and safeguarding computer equipment to comply with Chapter 647 reporting requirements.agency: agreed
Agency response & Auditor reply
Agency: "The CFO and Director of facilities have begun to analyze the inventory process for IT equipment at the College and will develop a procedure to ensure equipment received over a certain dollar amount is entered into the accounting fixed asset management system of record (Banner) within fourteen days of receipt."
NECC lacked comprehensive disaster recovery and business continuity plans.
cybersecurityinternal controlsrecordkeeping/documentation

Why it matters: NECC lacked documented and tested strategies to restore mission-critical and essential business functions if IT systems became inoperable or inaccessible.

Standard: Generally accepted practices and industry standards for computer operations ( Generally accepted practices and industry standards for computer operations )

1 recommendation
  • Complete, document, test, maintain, train on, and communicate disaster recovery and business continuity plans that include criticality and impact assessments, risk management, recovery strategies, assigned responsibilities, recovery steps, telecommunications and security issues, vendor protocol, and off-site storage of plan copies.agency: agreed
Agency response & Auditor reply
Agency: "The Policy Committee will also develop new Disaster Recovery (DR) and Business Continuity (BC) plans that encompass all divisions across the College."

More audits of this entity

Other Office of the State Auditor reports on Northern Essex Community College .

See this entity's page with all 4 audits →