Audit of the Massachusetts Clean Energy Center

This audit examines the Massachusetts Clean Energy Center's revenues, track record of investing in Massachusetts companies, administration of programs, and the strength of its internal controls over wire and internal fund transfers. It examined the period of July 1, 2015 through June 30, 2017.

Organization: Office of the State Auditor
Date published: June 11, 2018

Executive Summary

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the Massachusetts Clean Energy Center (MassCEC) for the period July 1, 2015 through June 30, 2017.

In this performance audit, we examined whether (1) MassCEC’s Wind Technology Testing Center generated sufficient revenue to cover its expenses; (2) MassCEC had a positive track record of investing in Massachusetts companies (i.e., had invested in companies that were financially viable); (3) MassCEC properly administered the Equity Investment and Venture Debt Investments Programs; (4) MassCEC had adequate internal controls (i.e., policies and procedures) over the processing of wire transfers and internal fund transfers; and (5) MassCEC developed a disaster-recovery plan (DRP)[1] and business-continuity plan (BCP)[2] for its computer operations. Below is a summary of our findings and recommendations, with links to each page listed.

Finding 1

MassCEC did not prevent or properly report the theft of $93,679 in public funds.

Recommendations

  1. MassCEC should conduct risk assessments and develop written policies and procedures to manage all risks to its operations, including its exposure to cybercrime, and immediately inform its board of directors of any incidents, including security breaches perpetrated against the organization.
  2. MassCEC should consider adopting elements of the Committee of Sponsoring Organizations of the Treadway Commission’s model in developing control activities to prevent, detect, and mitigate cyber-risks.

Finding 2

MassCEC did not develop DRPs and BCPs for its computer systems.

Recommendation

MassCEC should assess its computer systems from a risk-management and business-continuity perspective and develop and test an appropriate DRP and BCP. It should reassess such plans at least annually or upon major changes to its operations or overall information-technology environment.

A PDF copy of the audit of the Massachusetts Clean Energy Center is available here.

Abbreviations

BCP: business-continuity plan
COSO: Committee of Sponsoring Organizations of the Treadway Commission
DRP: disaster-recovery plan
DHS: Department of Homeland Security
EOTSS: Executive Office of Technology Services and Security
FBI: Federal Bureau of Investigation
IT: information technology
MassCEC: Massachusetts Clean Energy Center
RETF: Renewable Energy Trust Fund
WTTC: Wind Technology Testing Center

1. A DRP is an information-system-based plan designed to allow for quick recovery of critical systems, applications, and information-technology infrastructure in the event of a large-scale disaster.

2. A BCP is a plan that develops risk-based strategies to mitigate identified potential threats to business operations. At a minimum, it should include a DRP and continuity-of-operations plan.
