Audit Audit of the Cannabis Control Commission

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of certain activities of the Cannabis Control Commission (CCC) for the period January 1, 2019 through December 31, 2020.

Organization:	Office of the State Auditor
Date published:	September 26, 2023

Executive Summary

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the Cannabis Control Commission (CCC) for the period January 1, 2019 through December 31, 2020. The purpose of our audit was to determine whether CCC ensured that recreational marijuana products sold met the safety standards required by the following:

Sections 15(a)(1) through (3) of Chapter 94G of the General Laws;
Section 500.160(1) through (4) and (10) of Title 935 of the Code of Massachusetts Regulations, which was in effect during the audit period; and
CCC’s “Protocol for Sampling and Analysis of Finished Medical Marijuana Products and Marijuana‑Infused Products for Massachusetts Registered Medical Marijuana Dispensaries.”

Below is a summary of our findings and recommendations, with links to each page listed.

Finding 1	CCC did not identify all products considered expired and prevent their sale to consumers before they were retested.
Recommendation	CCC should develop and implement monitoring controls to identify all products with materials that were last tested more than one year ago and prevent the sale of those products to consumers.
Finding 2	CCC did not ensure that marijuana establishments (MEs) and independent testing laboratories (ITLs) properly reported marijuana products that tested positive for pesticides.
Recommendations	CCC should use existing Metrc capabilities to create a report that identifies all positive pesticide tests for CCC’s Investigations and Enforcement Unit to monitor MEs’ and ITLs’ compliance with reporting requirements. CCC should develop adequate policies and procedures to ensure that ITLs’ standard operating procedures include instructions for responding to laboratory results that indicate that contaminant levels are above acceptable limits.
Finding 3	CCC did not provide cybersecurity awareness training to its employees.
Recommendation	CCC should ensure that all new employees receive initial cybersecurity awareness training and that all employees complete annual cybersecurity awareness training thereafter.

Downloads

Open PDF file, 891.8 KB, Audit of the Cannabis Control Commission (English, PDF 891.8 KB)

Help Us Improve Mass.gov with your feedback

Did you find what you were looking for on this webpage?

Yes

If you have any suggestions for the website, please let us know. How can we improve the page?

Please do not include personal or contact information.

The feedback will only be used for improving the website. If you need assistance, please contact the State Auditor. Please limit your input to 500 characters.

Please remove any contact information or personal data from your feedback.

If you need assistance, please contact the State Auditor.

Please let us know how we can improve this page.