Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Salem State University

September 30, 2011 · Read the full official report (PDF) ↗ · official site ↗

Published September 30, 2011 Audit covers July 1, 2009 – October 31, 2011 Under Suzanne M. Bump · 2011–2023

In plain English
Salem State fixed earlier weaknesses around handling tuition cash and mailed checks, but the auditor found it still had serious problems tracking computer equipment and planning how to keep key systems running after a disaster.
source
“Based on our audit, we have concluded that SSU had implemented appropriate controls to reduce the risk of loss or theft of cash and checks received at the University.”
Read the plain-English breakdown
What is this?

This is a Massachusetts State Auditor follow-up audit of Salem State University covering July 1, 2009 through October 31, 2011.

“In accordance with Chapter 11, Section 12, of the Massachusetts General Laws, the Office of the State Auditor (OSA) performed an audit of SSU for the period July 1, 2009 through October 31, 2011.”
Why was it audited?

The auditor checked whether Salem State had corrected problems found in earlier audits, including past thefts of funds and weaknesses in IT controls.

“Our audit included follow-up testing on issues identified in two previous audits conducted by the OSA.”
Why it matters

Public universities use taxpayer-supported resources and student payments, so weak controls over money, computers, and emergency recovery can lead to lost property, missing records, or interrupted services.

“Furthermore, SSU was unaware that the 17 computers had been missing because it had not conducted physical inventories of these items.”
What's in it for me?

If you are a student, parent, employee, or taxpayer, this audit says Salem State improved safeguards over cash and checks, but still needed better protection for computers and systems people rely on.

“Our current audit determined that SSU had implemented appropriate controls to significantly reduce the risk of theft of cash and checks.”
The bottom line

The money-handling issues were largely fixed, but computer inventory controls and disaster recovery planning were still not good enough.

“However, it still needs to improve its controls over its inventory of computer equipment and enhance its disaster recovery and business continuity plans.”
What happens next

The auditor recommended Salem State record all computer equipment, do annual inventories, improve oversight, follow disposal rules, train staff, and complete and test disaster recovery and business continuity plans.

“SSU should complete a DRP and a BCP that incorporate criticality and impact assessments; business continuity planning development; risk management; and recovery plan testing, maintenance, training, and communication.”
Jargon, unpacked

A disaster recovery plan and business continuity plan are the university's playbooks for restoring important computer systems and keeping essential work going after a major outage or emergency.

“Disaster recovery planning is a coordinated strategy involving plans, procedures, and technical measures that enable the recovery of IT systems, operations, and data.”

5 figure(s) pending source verification - not shown

What the Auditor checked

What the Auditor found

Salem State University did not maintain accurate and complete controls over computer equipment inventory.
asset/inventory controlinternal controlsrecordkeeping/documentation

Why it matters: SSU could not rely on its inventory system to account for computer equipment, support IT configuration management, or safeguard assets.

Standard: Chapter 647 of the Acts of 1989, Office of the State Comptroller fixed-asset guidelines, and Operational Services Division surplus property requirements. ( Chapter 647 of the Acts of 1989; 802 Code of Massachusetts Regulations (CMR) 3.00: Disposition of Surplus State Property )

9 recommendations
  • Ensure that all purchased computer equipment is properly recorded in the ITRM.
  • Complete an annual inventory and reconciliation of the inventory system of record for computer equipment.agency: already implemented
  • Develop formal policies and procedures to ensure adequate segregation of duties for inventory control of computer equipment.
  • Provide Finance and Facilities Department oversight and review SSU’s ITS inventory system and related internal control practices.
  • Develop written detailed procedures and assurance mechanisms for a complete annual physical inventory and reconciliation of computer equipment.agency: already implemented
  • Develop written policies and procedures requiring that all users assigned notebook computers sign a control sheet for their equipment.agency: already implemented
  • Comply with OSD fixed-asset regulations requiring prior written approval before disposing Commonwealth assets and maintain adequate disposal records.agency: already implemented
  • Strengthen internal controls to provide prompt notification and update the inventory record when equipment is purchased, relocated, or disposed of.
  • Develop written policies and procedures and train all staff responsible for monitoring and safeguarding computer equipment to ensure Chapter 647 reporting compliance.agency: already implemented
Agency response & Auditor reply
Agency: "A 100% physical inventory of SSU computers was initiated in November 2011 and is still continuing."
Salem State University did not have sufficiently comprehensive disaster recovery and business continuity plans.
cybersecurityinternal controls

Why it matters: SSU risked being unable to restore mission-critical business functions and IT systems within an acceptable time after a data center or IT outage.

Standard: Generally accepted practices and industry standards for computer operations requiring ongoing business continuity planning. ( Generally accepted practices and industry standards for computer operations )

4 recommendations
  • Complete a DRP and a BCP that incorporate criticality and impact assessments, planning development, risk management, testing, maintenance, training, and communication.
  • Document recovery strategies for disaster scenarios and periodically test the DRP and BCP.
  • Identify an alternate site for recovery if SSU’s data center becomes inaccessible for an extended period.
  • Reassess on-site and off-site backup media storage and increase the frequency of off-site storage.
Agency response & Auditor reply
Agency: "In 2012 Salem State will turn its attention to strengthening disaster recovery and business continuity planning in regard to the potential loss of the data center."

Prior findings revisited

Fixed
"Our current audit determined that SSU had implemented appropriate controls to significantly reduce the risk of theft of cash and checks."
Still a problem
"Our follow-up audit disclosed that SSU has not taken sufficient corrective measures to address the issues raised in a prior OSA report (No. 2004-0184-4T) regarding (a) inventory controls over computer equipment and (b) enhancements to the disaster recovery and business continuity plans, as discussed below."

More audits of this entity

Other Office of the State Auditor reports on Salem State University , including the prior audits referenced above.

See this entity's page with all 3 audits →