Organization: | Office of the State Auditor |
---|---|
Date published: | June 9, 2023 |
Executive Summary
In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the Committee for Public Counsel Services (CPCS) for the period January 1, 2019 through December 31, 2021. The objectives of this audit were to determine the following:
- whether CPCS employees received cybersecurity awareness training and whether employees signed acknowledgment forms regarding computer usage in accordance with Sections 6.2.3, 6.2.4, and 6.2.8 of the Executive Office of Technology Services and Security’s (EOTSS’s) Information Security Risk Management Standard IS.010, effective October 15, 2018;
- whether CPCS updated its business continuity and disaster recovery plan in accordance with Section 6.1.1.4 of EOTSS’s Business Continuity and Disaster Recovery Standard IS.005, effective October 15, 2018; and
- whether CPCS updated its internal control plan (ICP), as required by the Office of the Comptroller of the Commonwealth’s “[2019 Coronavirus, or COVID-19] Pandemic Response Internal Controls Guidance.”
Below is a summary of our findings and recommendations, with links to each page listed.
Finding 1 | CPCS did not ensure that interns receive cybersecurity awareness training. |
---|---|
Recommendations | |
Finding 2 | CPCS did not have a business continuity and disaster recovery plan. |
Recommendation | CPCS should develop, document, and test a business continuity and disaster recovery plan to implement. |
Finding 3 | CPCS’s ICP was not updated with a COVID-19 component. |
Recommendation | CPCS should establish policies and procedures to ensure that its ICP is updated annually and when significant changes occur. |