Audit  Audit of the Division of Capital Asset Management and Maintenance

The audit found that DCAMM did not have adequate process in place to help ensure that its contractors met its workforce participation goals for women and minorities and recommends DCAMM develop policies and procedures to effectively monitor the extent to which each contractor achieves workforce participation goals for women and minorities. The audit examined the period of January 1, 2019 through December 31, 2020.

Organization: Office of the State Auditor
Date published: February 23, 2022

Executive Summary

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the Division of Capital Asset Management and Maintenance (DCAMM) for the period January 1, 2019 through December 31, 2020. The purpose of our audit was to determine the following:

  • Did DCAMM have internal tracking, oversight, and enforcement procedures to ensure that contractors complied with the workforce participation goals1 established by Section 44A(1)(G) of Chapter 149 of the General Laws?
  • Did DCAMM monitor quarterly contractor notifications regarding minority and woman workforce participation goals as required by the general conditions of the Commonwealth’s standard construction contract, which DCAMM uses for most construction projects?
  • Did DCAMM ensure that contractors were certified before awarding contracts in accordance with Sections 4.03 and 4.04 of Title 810 of the Code of Massachusetts Regulations?
  • Did DCAMM update its internal control plan (ICP) to address the 2019 coronavirus (COVID-19) pandemic as required by the Office of the Comptroller of the Commonwealth’s (CTR’s) guide “COVID-19 Pandemic Response Internal Controls Guidance”?
  • Did DCAMM ensure that its employees received annual cybersecurity awareness training as required by the Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010?

Below is a summary of our findings and recommendations, with links to each page listed.

Finding 1
 

DCAMM did not have adequate processes in place to help ensure that its contractors met its workforce participation goals for women and minorities.

Recommendation
 

DCAMM should develop policies and procedures to effectively monitor the extent to which each contractor achieves workforce participation goals for women and minorities. These policies and procedures should establish the conditions under which DCAMM will use enforcement provisions against contractors that do not meet their workforce participation goals.

Finding 2
 

DCAMM did not ensure that contractors completed projected staffing tables each quarter that identified female and minority workers.

Recommendation
 

DCAMM should develop policies and procedures, including a monitoring component, to ensure that all contractors work toward meeting its workforce participation goals for female and minority workers every quarter.

Finding 3
 

DCAMM did not maintain adequate documentation to support all the information in its annual reports to the state Legislature.

Recommendation
 

DCAMM should develop policies and procedures that require its staff to perform and retain regular reconciliations of its certified payroll data to ensure completeness and accuracy.

Finding 4
 

DCAMM’s ICP was not updated with a COVID-19 component.

Recommendation
 

DCAMM should establish policies and procedures, including a monitoring component, for updating its ICP when significant changes occur.

Finding 5
 

DCAMM did not retain employees’ cybersecurity awareness training certificates.

Recommendations
 

  1. DCAMM should keep cybersecurity awareness training certificates in employee personnel files.
  2. DCAMM should develop a formal process to ensure that cybersecurity awareness training certificates are collected and retained in all personnel files.

 

Post-Audit Action

During our audit, DCAMM updated its ICP, an agency-wide document that summarizes risks and controls for all of its business operations, to include recommendations from CTR’s “COVID-19 Pandemic Response Internal Controls Guidance” (see Finding 4). This updated ICP included telework, return-to-office plans, and a risk assessment of the impact of COVID-19 on department operations.

DCAMM’s management indicated that, as a result of the problems identified in Finding 5, the agency implemented a process to ensure that cybersecurity awareness training certificates would be collected and retained in employees’ files.

 

A PDF copy of the audit of the Division of Capital Asset Management and Maintenance is available here.

 

1.    Workforce participation goals are the percentages of work hours for each construction contract that must be worked by minorities and women.

Appendix

Downloads

Contact

Feedback