Audit of the Commonwealth Corporation

This page, Audit of the Commonwealth Corporation , is offered by
Office of the State Auditor

Organization:	Office of the State Auditor
Date published:	July 9, 2024

Executive Summary

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of certain activities of Commonwealth Corporation (CommCorp) for the period July 1, 2020 through June 30, 2022.

The purpose of our audit was to determine the following:

whether CommCorp ensured that YouthWorks grant recipients met the program participant eligibility and reporting requirements in Sections V and IX (for fiscal year 2021) and Sections III and VII (for fiscal year 2022) of CommCorp’s YouthWorks “Program Administration and Management Guide”;
whether CommCorp tracked each YouthWorks program participant’s employment status after the completion of each program cycle to assess whether the program achieved its goal of helping program participants secure unsubsidized employment, in accordance with Section VIII (for fiscal year 2021) and Section VII (for fiscal year 2022) of CommCorp’s YouthWorks “Program Administration and Management Guide” and Section 116(b)(2)(A) of the Workforce Innovation and Opportunity Act of 2014; and
whether CommCorp ensured that its employees completed cybersecurity awareness training, in accordance with Sections 6.2.3 and 6.2.4 of the Executive Office of Technology Services and Security’s (EOTSS’s) Information Security Risk Management Standard IS.010.

Below is a summary of our findings and recommendations, with links to each page listed.

Finding 1	CommCorp did not consistently collect or analyze employment outcome data related to its YouthWorks program participants.
Recommendations	CommCorp should develop policies and procedures to effectively monitor the extent to which its YouthWorks program achieves its intended purpose of helping program participants secure unsubsidized employment. These policies and procedures should include information on how to routinely collect and analyze employment outcome data related to its YouthWorks program participants. CommCorp should revise its YouthWorks post-program survey to capture information regarding whether a program participant gained unsubsidized employment as a result of its YouthWorks program. CommCorp should require all YouthWorks grant recipients to report employment outcome data in the YouthWorks database.
Finding 2	CommCorp did not ensure that YouthWorks grant recipients obtained eligibility documentation and accurately recorded program participant information.
Recommendations	CommCorp should develop and implement monitoring controls to ensure that YouthWorks grant recipients obtain documentation to support program participant eligibility and accurately record program participant information in the YouthWorks database. CommCorp should review program participant Social Security numbers that are recorded in the YouthWorks database and correct any incomplete or inaccurate numbers.
Finding 3	CommCorp did not ensure that its employees completed cybersecurity awareness training.
Recommendations	CommCorp should develop, document, and implement monitoring controls to ensure that its employees complete cybersecurity awareness training within 30 days of their orientation and annually thereafter. The cybersecurity awareness training should include a test of each individual’s understanding of all policies and their role in maintaining the security of CommCorp’s information technology systems. CommCorp should maintain a record of completion of cybersecurity awareness training for each employee.
Finding 4a	CommCorp did not have documented management approval for employees’ access rights to its YouthWorks database.
Finding 4b	CommCorp could not provide evidence that it promptly revoked former employees’ access rights to its YouthWorks database.
Recommendations	CommCorp should develop, document, and implement policies and procedures for YouthWorks database user access requests that include documented management approval. CommCorp should develop, document, and implement policies and procedures for the revocation of user access to the YouthWorks database upon termination of a user’s employment. CommCorp should incorporate periodic access reviews (at least semiannually) to ensure that users’ access rights are limited to their individual job requirements.

Downloads

Open PDF file, 870.8 KB, Audit Report - Commonwealth Corporation (English, PDF 870.8 KB)

Contact

Phone

Main (617) 727-2075

Online

Auditor@MassAuditor.gov

Fax

(617) 727-3014

Address

Massachusetts State House
Room 230
Boston, MA 02133

Directions

Contact

Office of State Auditor Diana DiZoglio

Phone

Main (617) 727-2075

Online

Auditor@MassAuditor.gov

Fax

(617) 727-3014

Address

Massachusetts State House
Room 230
Boston, MA 02133

Directions

Commonwealth Corporation Audit Identifies Need for Improvements to YouthWorks Program

Help Us Improve Mass.gov with your feedback

Did you find what you were looking for on this webpage?

Yes

If you have any suggestions for the website, please let us know. How can we improve the page?

Please do not include personal or contact information.

The feedback will only be used for improving the website. If you need assistance, please contact the State Auditor. Please limit your input to 500 characters.

Please remove any contact information or personal data from your feedback. You will NOT get a response.

If you need assistance, please contact the State Auditor.

Please let us know how we can improve this page.

Please remove any contact information or personal data from your feedback. You will NOT get a response.

If you need assistance, please contact the State Auditor.

Audit Audit of the Commonwealth Corporation

Executive Summary

Table of Contents

Downloads

Contact

Office of State Auditor Diana DiZoglio

Phone

Online

Fax

Address

Help Us Improve Mass.gov with your feedback