Skip to main content
Audit

Audit  Audit of the Cape and Islands District Attorney’s Office

Our office conducted a performance audit of certain activities of the Cape and Islands District Attorney’s Office (CIDAO) for the period July 1, 2022 through June 30, 2024.

Organization: Office of the State Auditor
Date published: November 25, 2025

Executive Summary

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of certain activities of the Cape and Islands District Attorney’s Office (CIDAO) for the period July 1, 2022 through June 30, 2024. When examining employee settlement agreements executed by CIDAO, we extended the audit period to July 1, 2019 through June 30, 2024.

The purpose of this audit was to determine the following:

  • whether CIDAO had policies and procedures in place to participate in the statewide sexual assault evidence collection kit (SAECK) tracking system in accordance with Section 18X(g) of Chapter 6A of the General Laws;
  • whether CIDAO ensured that its employees received cybersecurity awareness training in accordance with the requirements in Sections 6.2.3 and 6.2.4 of the Executive Office of Technology Services and Security’s1 Information Security Risk Management Standard IS.010;
  • whether CIDAO had internal policies and procedures in place for (a) the review and approval of employee settlement agreements, including the use of non-disclosure, non-disparagement, or similarly restrictive clauses, and (b) the reporting of employee settlement agreements to the Office of the Comptroller of the Commonwealth (CTR); and
  • whether CIDAO reported all monetary employee settlement agreements entered into from July 1, 2019 through June 30, 2024 to CTR in accordance with CTR’s Settlements and Judgments Policy and Sections 5.06 and 5.09 of Title 815 of the Code of Massachusetts Regulations.

Below is a summary of our findings, the effects of those findings, and recommendations, with hyperlinks to each page listed.

  
Finding 1
 		CIDAO  did not promptly revoke former employees’ access rights within the statewide SAECK tracking system and did not complete certain data fields in the system.
EffectIf CIDAO does not promptly revoke former employees’ access rights to the Track-Kit system, then there is a risk of unauthorized access to sensitive case and survivor information. Additionally, if CIDAO does not assign its contact information to SAECKs, then the Track-Kit System is not being used as intended under statute. Having CIDAO contact information assigned to SAECKs allows survivors to have an informed single point of contact and can streamline outreach and reduce confusion.
Recommendations
 
  1. CIDAO should assign its contact information to each SAECK within its jurisdiction in the Track-Kit system and should train its employees on how to use the system.
  2. CIDAO should develop, document, and implement policies and procedures for Track-Kit system access authorization for new users and the revocation of access upon termination of users. These policies and procedures should include periodic access reviews at least semiannually to ensure that users’ access rights are limited to their job requirements.
Finding 2
 		CIDAO should have documented internal policies or procedures regarding state employee settlement agreements and supporting records, as would be best practice.
EffectA documented, written process to handle employee settlement agreements, especially for those containing non-disclosure, non-disparagement, or similarly restrictive clauses, can help ensure that employee settlements are handled in an ethical, legal, and appropriate manner. Additionally, if CIDAO does not maintain documentation regarding severance agreements, then it cannot determine whether the severance agreements included a release of future claims clause that would then require CIDAO to report the agreements to CTR.
Recommendations
 
  1. CIDAO should develop, document, and implement a written policy related to employee settlement agreements, including prohibiting the use of non-disclosure, non-disparagement, or similarly restrictive clauses in its agreements, as recommended in the Governor’s “Executive Department Settlement Policy,” issued January 27, 2025.
  2. CIDAO should maintain all records related to all types of employee settlement and severance agreements, particularly those that include a written release of future claims against CIDAO, in accordance with Massachusetts public records laws and the Massachusetts Records Retention Schedule.
  3. CIDAO should work with CTR to ensure that CIDAO understands the reporting requirements for all types of monetary employee settlement and severance agreements and ensure that CIDAO reports those agreements to CTR.
Finding 3
 		CIDAO should ensure that all employees complete cybersecurity awareness training when hired and annually thereafter.
EffectWithout educating its employees on their responsibility to protect the security of information assets, CIDAO exposes itself to a higher risk of cybersecurity attacks and financial and/or reputational losses.
Recommendations
 
  1. CIDAO should ensure that all employees complete annual cybersecurity awareness training and that all newly hired employees complete initial training within the first 30 days of their new hire orientation.
  2. CIDAO should design and implement policies and procedures to ensure that its employees complete cybersecurity awareness training. Additionally, CIDAO should retain copies of cybersecurity awareness training certificates as evidence that its employees completed the training.


 

1.    The Executive Office of Technology Services and Security has since changed the titles and numbers of at least some of its policies and standards between the end of the audit period and the publication of this report. In this report, we reference the titles and numbers of EOTSS’s policies and/or standards as they were during the audit period (unless stated otherwise).

Table of Contents

Downloads

Help Us Improve Mass.gov  with your feedback

Please do not include personal or contact information.
Feedback