Northern Essex Community College
January 26, 2012 · Read the full official report (PDF) ↗ · official site ↗
source
“Based on our audit, we have concluded that, except as reported in the Audit Results section of this report, for the period July 1, 2009 through May 31, 2011, adequate internal controls were in place and in effect to provide reasonable assurance that IT-related control objectives would be met regarding IT organization and management, physical security and environmental protection for areas housing computer equipment, system access security, on-site and off-site storage of backup copies of magnetic media, third-party provider IT service contracts, and compliance with security requirements related to PCI and PII standards.”
Read the plain-English breakdown
This is a Massachusetts State Auditor review of Northern Essex Community College’s information technology controls during the period from July 1, 2009 through May 31, 2011.
“In accordance with Chapter 11, Section 12, of the General Laws, we performed an IT general controls examination at NECC for the period July 1, 2009 through May 31, 2011.”
The Auditor examined whether the college’s IT policies, procedures, staff roles, security, equipment tracking, contracts, and recovery planning were strong enough to support the college’s work and protect its systems and data.
“The primary audit objective was to determine whether NECC’s IT-related internal control environment—including policies, procedures, practices, and organizational structure—provided reasonable assurance that control objectives would be achieved to support NECC’s business functions.”
The issues matter because weak IT controls can make it harder to prevent, detect, or fix problems that affect college systems, records, equipment, and operations.
“As a result, the current ICP does not provide adequate guidance to ensure that appropriate information technology (IT) controls are implemented and exercised so that operational objectives are met; risks are prevented or detected and corrected in a timely manner; and the integrity, security, and availability of its systems and records and effectively protected.”
For students, staff, taxpayers, and the public, the practical concern is whether college technology, records, and equipment are protected and whether the school can keep functioning after a major disruption.
“Business continuity planning helps ensure the timely recovery and continuation of mission-critical functions should a disaster cause significant disruption to computer operations.”
The Auditor found three areas needing improvement: the internal control plan, inventory controls over computer equipment, and disaster recovery and business continuity planning.
“Our audit determined that NECC did not have a comprehensive disaster recovery plan (DRP) and business continuity plan (BCP) to provide for the timely restoration of mission-critical and essential business functions should IT systems be rendered inoperable or inaccessible.”
The college said it would update its internal control plan, improve equipment inventory procedures, and create disaster recovery and business continuity plans, with target dates in 2011 and 2012.
“These plans will be properly vetted and receive Cabinet approval by June 2012.”
The report is significant because the college served thousands of students and relied on major computer systems for financial, administrative, student, human resources, and financial aid work.
“SunGard’s Banner application is used to process NECC’s financial management, administrative, and student information.”
An Internal Control Plan is the college’s written roadmap for managing risks and making sure policies, procedures, and safeguards are actually in place and followed.
“NECC’s Internal Control Officer should work with NECC’s various departments to identify and document operational and control objectives and risks and identify existing control policies, procedures, and management control practices.”
3 figure(s) pending source verification - not shown
What the Auditor checked
- Partially Determine whether NECC's IT-related internal control environment provided reasonable assurance that control objectives would be achieved to support NECC's business functions.
- Partially Determine whether roles and responsibilities for IT staff were clearly defined, points of accountability were established, appropriate organizational controls were in place and in effect, and whether policies and procedures were appropriate.
- Unable to determine Determine whether NECC had an IT strategic planning process in place from which IT strategic and tactical plans would be developed to help direct the use of technology to fulfill NECC's mission and goals.
What the Auditor found
Why it matters: The plan did not provide adequate guidance to ensure IT controls were implemented, monitored, and evaluated to meet objectives and address risks in a timely manner.
Standard: Office of the State Comptroller’s Internal Control Guide and Chapter 647 of the Acts of 1989 ( Chapter 647 of the Acts of 1989; Chapter 647 of the Acts of 1989, An Act Relative to Improving Internal Controls within State Agencies )
1 recommendation
- NECC's Internal Control Officer should work with departments to document objectives, risks, controls, gaps, and a framework for additional controls, and ensure the plan addresses COSO and OSC internal control guidelines.agency: agreed
Agency response & Auditor reply
Agency: "The contents of the report are accurate, and we offer the following in response to the audit results."
Why it matters: NECC could not rely on its inventory system to support IT configuration management, safeguard equipment, account for IT resources, identify missing equipment, or maintain a reliable equipment record.
Standard: Office of the State Comptroller fixed asset guidelines and Chapter 647 of the Acts of 1989 ( Chapter 647 of the Acts of 1989; OSC fixed asset guidelines )
3 recommendations
- Record all received computer equipment within seven days and perform a complete annual physical inventory and reconciliation.agency: agreed
- Develop formal policies and procedures requiring users assigned notebook computers to sign a responsibility and acceptable usage form.agency: agreed
- Develop formal policies and procedures and train staff responsible for monitoring and safeguarding computer equipment to comply with Chapter 647 reporting requirements.agency: agreed
Agency response & Auditor reply
Agency: "The CFO and Director of facilities have begun to analyze the inventory process for IT equipment at the College and will develop a procedure to ensure equipment received over a certain dollar amount is entered into the accounting fixed asset management system of record (Banner) within fourteen days of receipt."
Why it matters: NECC lacked documented and tested strategies to restore mission-critical and essential business functions if IT systems became inoperable or inaccessible.
Standard: Generally accepted practices and industry standards for computer operations ( Generally accepted practices and industry standards for computer operations )
1 recommendation
- Complete, document, test, maintain, train on, and communicate disaster recovery and business continuity plans that include criticality and impact assessments, risk management, recovery strategies, assigned responsibilities, recovery steps, telecommunications and security issues, vendor protocol, and off-site storage of plan copies.agency: agreed
Agency response & Auditor reply
Agency: "The Policy Committee will also develop new Disaster Recovery (DR) and Business Continuity (BC) plans that encompass all divisions across the College."
More audits of this entity
Other Office of the State Auditor reports on Northern Essex Community College .
-
Audit of Cybersecurity Awareness Training Compliance Across Multiple State Agencies - Northern Essex Community CollegeCollege / University · November 8, 2024 -
Northern Essex Community CollegeCollege / University · November 30, 2016 -
Audit of Northern Essex Community College (NECC)College / University · June 30, 2021