Audit of the Essex County District Attorney’s Office

Our office conducted a performance audit of certain activities of the Essex County District Attorney’s Office (EDAO) for the period July 1, 2022 through June 30, 2024.

Organization: Office of the State Auditor
Date published: November 25, 2025

Executive Summary

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of certain activities of the Essex County District Attorney’s Office (EDAO) for the period July 1, 2022 through June 30, 2024. When examining employee settlement agreements, we extended the audit period to July 1, 2019 through June 30, 2024.

The purpose of our audit was to determine the following:

  • the extent to which EDAO participated in the statewide sexual assault evidence kit (SAECK) tracking system in accordance with Section 18X(g) of Chapter 6A of the General Laws;
  • whether EDAO ensured that its employees completed cybersecurity awareness training, in accordance with its “Security Training and Awareness” policy and Section 6.2.3 of the Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010; and
  • whether EDAO had internal policies and procedures in place for (a) the review and approval of employee settlement agreements, including the use of non-disclosure, non-disparagement, or similarly restrictive clauses, and (b) the reporting of monetary employee settlements to the Office of the Comptroller of the Commonwealth (CTR) in accordance with Sections 5.06 and 5.09 of Title 815 of the Code of Massachusetts Regulations.

Below is a summary of our findings, the effect of those findings, and our recommendations, with hyperlinks to each page listed.

  
Finding 1

EDAO did not promptly revoke former employees’ access rights within the statewide SAECK tracking system and did not complete certain data fields in the system.

Effect: If EDAO does not promptly revoke former employees’ access rights to the Track-Kit system, then there is a higher-than-acceptable risk of unauthorized access to sensitive case and survivor information. Additionally, if EDAO does not assign its contact information to SAECKs, then the Track-Kit system is not being fully used as intended. Having EDAO contact information assigned to SAECKs allows survivors to have an informed single point of contact and can streamline outreach and reduce confusion.

Recommendations

  1. EDAO should develop, document, and implement policies and procedures for adding access authorization for new users and revoking user access to the Track-Kit system upon termination of a user’s employment. These policies and procedures should incorporate periodic access reviews (at least semiannually) to ensure that users’ access rights are limited to their individual job requirements.
  2. EDAO should assign its contact information to each SAECK within its jurisdiction in the Track-Kit system and should train its employees on how to use this system.

Finding 2

EDAO should ensure that all of its employees complete cybersecurity awareness training.

Effect: If EDAO does not ensure that all of its employees complete cybersecurity awareness training, then EDAO exposes itself to an increased risk of cybersecurity attacks and financial and/or reputational losses.

Recommendation

EDAO should implement effective monitoring controls to ensure that all employees complete agency-required bimonthly cybersecurity awareness training and that newly hired employees complete initial training within the first 30 days of their new hire orientation.

Finding 3

EDAO should have documented internal policies and procedures regarding state employee settlement agreements, as would be best practice.

Effect: If EDAO does not have a documented process by which it handles employee settlement agreements, especially those containing non-disclosure, non-disparagement, or similarly restrictive clauses, then it cannot ensure that employee settlements are handled in an equitable, ethical, legal, and consistent manner.

Recommendations

  1. EDAO should update its “Policies, Procedures, and Guidelines—Settlements and Judgments,” effective July 2024, to include review and approval of agreement terms by the District Attorney and chief legal counsel.
  2. EDAO should ensure that its “Policies, Procedures, and Guidelines—Settlements and Judgments,” effective July 2024, is formally communicated to all relevant employees and fully integrated into its operations.
