Skip to main content
Audit

Audit  Audit of the Department of Transitional Assistance

Our office has conducted a performance audit of the Department of Transitional Assistance (DTA) for the period July 1, 2021 through June 30, 2023.

Organization: Office of the State Auditor
Date published: January 30, 2026

Executive Summary

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the Department of Transitional Assistance (DTA) for the period July 1, 2021 through June 30, 2023. When examining inventory and physical security controls over blank Electronic Benefits Transfer (EBT) cards for all Transitional Assistance Offices (TAOs) and the EBT central processing center for regular EBT cards, we used the period August 12, 2022 through June 30, 2023 and, for emergency EBT cards, we used the period October 29, 2021 through June 30, 2023. See the “Physical and Security over Blank EBT Cards” section for details about how these dates were determined.

The purpose of our audit was to determine whether DTA did the following:

  • administered its Transitional Aid to Families with Dependent Children (TAFDC) Pathways to Work (PTW) program in accordance with Section 707.000 of Title 106 of the Code of Massachusetts Regulations (CMR);
  • developed Employment Development Plans (EDPs) for participants in the PTW program in accordance with 106 CMR 707.110;
  • designed and implemented a comprehensive security program1 to protect the personally identifiable information (PII) of program participants in accordance with 201 CMR 17.03 and 17.04; and
  • implemented inventory and physical security controls over blank EBT cards in accordance with Step 4 of Section IV of its “TAO Card Issuance System (CIS) Security & Handling Procedures.”

Below is a summary of our findings, the effects of our findings, and our recommendations, with hyperlinks to each page listed.

  
Finding 1
 		DTA did not always provide EDPs for its PTW program participants as required by 106 CMR 707.110.
EffectIf DTA does not provide participants with EDPs, then there is a risk that some individuals may be placed in programs that do not meet their needs. This can result in an ineffective use of resources and funding, ultimately undermining the program’s objectives and wasting valuable financial support that could have been directed toward more suitable programs for participants. It is essential for DTA to ensure that participants receive comprehensive and tailored EDPs to optimize their outcomes and effectively use available funding.
Recommendations
 
  1. DTA should consistently provide EDPs for all TAFDC PTW program participants.
  2. DTA should ensure that its FEWs follow DTA policies and procedures when developing and maintaining EDPs for participants.
  3. DTA should implement monitoring controls to ensure that each participant’s file includes all required documents that should be stored within the Benefit Eligibility and Control Online Network (BEACON) system.
Finding 2
 		Without consistently retaining Criminal Offender Record Information (CORI) background checks and cybersecurity training records, the DTA could jeopardize the security of its participants’ PII.
EffectIf DTA does not ensure that it conducts CORI background checks, and that its employees complete cybersecurity awareness training before they are granted access to DTA systems, then there is a higher-than-acceptable risk of unauthorized access to program participants’ PII, and DTA cannot ensure the security of all participants’ information. Recipients entrust DTA with their personal information in order to access their benefits, and a breach would be a violation of that trust. Misuse of PII can not only have severe long-term consequences for program participants but also for DTA and the Commonwealth of Massachusetts. A breach of PII could expose the government to regulatory fines and costly litigation.
Recommendations
 
  1. DTA should coordinate with EOHHS and the Human Resources Division to maintain copies of each employee’s CORI background check documentation in DTA employee files for seven years from the last date of employment or the date of the final decision regarding employment.
  2. DTA should regularly review and maintain employee files to ensure that required documents, such as CORI background checks, are retained.
  3. DTA should implement monitoring controls to ensure that its employees complete cybersecurity awareness training at least annually.
  4. DTA should suspend user access if an employee does not complete their cybersecurity awareness training by a required deadline.
Finding 3
 		DTA could not ensure that issued EBT cards were reconciled to the benefit eligibility data.
EffectDTA’s failure to reconcile the BEACON and Electronic Payment Process Internal Control (EPPIC) systems prevents DTA from ensuring that families with low incomes are receiving the Supplemental Nutrition Assistance Program (SNAP) and cash benefits that they are entitled to and increases the risk of unauthorized changes in one system going undetected, which may lead to DTA’s funding being distributed in incorrect amounts.
Recommendations
 
  1. To ensure program and data integrity, DTA should establish and implement policies, procedures, and monitoring controls for reconciling the EBT cards issued by the EPPIC system to the BEACON system.
  2. DTA should reconcile the BEACON and EPPIC systems regularly to ensure that families with low incomes are receiving the SNAP and cash benefits to which they are entitled.
Finding 4
 		DTA did not always retain the daily reconciliation log information, increasing the risk that benefit misuse goes undetected.
EffectIt is important for DTA to maintain effective monitoring controls over all aspects of EBT card distribution, including the retention of daily reconciliation logs at all TAOs. If DTA does not properly retain these daily reconciliation logs, then it may increase the risk that blank EBT cards go missing or are unaccounted for, potentially leading to the misuse of DTA benefits.
Recommendations
 
  1. DTA should further enhance its monitoring controls over EBT card distribution.
  2. DTA should retain daily reconciliation logs at all TAOs for at least three years.
  3. DTA should maintain all daily reconciliation logs in an orderly manner for easy, retrievable access.
Finding 5
 		EBT cards were issued from inactive locations, which impacts the validity and accuracy of DTA’s EBT card issuance data.
EffectIf DTA does not ensure that all EBT cards are recorded as being issued from the correct TAOs and does not ensure that inactive TAOs are deactivated in the EPPIC system, then staff members could choose the wrong locations when processing EBT cards. This could result in an erosion of public trust and undermine the validity and accuracy of DTA’s EBT card data.
Recommendations 
 
  1. DTA should contact its third-party vendor to deactivate all inactive and non-TAO locations from the EPPIC system.
  2. DTA should develop and implement policies and procedures to conduct regular EBT card issuance data reconciliations to ensure that all issued EBT cards are assigned to an accurate TAO.
  3. DTA should separately create policies and procedures for periodic review of TAOs in the EPPIC system to ensure that the system is consistently updated.

In addition to the conclusions we reached regarding our audit objectives, we also addressed stakeholder concerns about how EBT cards are issued, how eligibility for benefits is determined, and how EBT cards are impacted by emergencies such as the COVID-19 pandemic. See Other Matters for more information.


 


 

1.    A comprehensive security program includes information technology security management, access control, audit and accountability, configuration management policies, and contingency plans.

Table of Contents

Appendix

Downloads

Help Us Improve Mass.gov  with your feedback

Please do not include personal or contact information.
Feedback