Audit of the Division of Banks

The audit examined whether DOB ensured that its employees had the cybersecurity awareness training required by the Executive Office of Technology Services and Security (EOTSS), whether it maintained oversight over foreign transmittals, and whether it collected, acted on, and shared information about license holders appropriately. The audit examined the period of July 1, 2017 through June 30, 2019.

Organization: Office of the State Auditor
Date published: November 18, 2021

Executive Summary

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the Division of Banks (DOB) for the period July 1, 2017 through June 30, 2019.

In this performance audit, we determined whether DOB (1) ensured that foreign transmittal agencies maintained three years of records in accordance with Section 10 of Chapter 169 of the General Laws; (2) collected, and acted on, information on mortgage lenders or brokers that may have had their licenses suspended or revoked by the licensing authority of any other state, as required by Sections 42.04(2)(b)(4) and 42.06(2)(b)(4) of Title 209 of the Code of Massachusetts Regulations; and (3) shared its information regarding Massachusetts-licensed lenders and brokers that had been subjected to formal enforcement action from other states, as required by Section 5107 of Title 12 of the United States Code and Section 1508(d)(3) of Title V of Public Law 110-289 (the Secure and Fair Enforcement for Mortgage Licensing Act of 2008). In addition, as part of our data reliability assessment, we determined whether DOB ensured that its employees had the cybersecurity awareness training required by the Executive Office of Technology Services and Security (EOTSS).

Below is a summary of our findings and recommendations, with links to each page listed.

Finding 1

DOB did not ensure that all of its employees promptly completed cybersecurity awareness training.

Recommendations

  1. DOB should develop and implement policies and procedures, in accordance with EOTSS policies, that require all current employees to receive annual cybersecurity awareness training.
  2. DOB should develop and implement policies and procedures, in accordance with EOTSS policies, that require newly hired employees to receive cybersecurity awareness training during orientation or within a prescribed timeline before they have access to DOB’s systems.

A PDF copy of the Audit of the Division of Banks is available here.
