Audit of the Merit Rating Board

This audit of the Merit Rating Board examines the activities of the board and its control over selected information technology operations. The audit examines the period of July 1, 2014 through June 30, 2016.

Organization: Office of the State Auditor
Date published: February 1, 2018

Executive Summary

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor (OSA) has conducted an audit to review and evaluate controls over selected information technology (IT) operations and activities of the Merit Rating Board (MRB) for the period July 1, 2014 through June 30, 2016.

In this performance audit, we reviewed certain IT controls over MRB mission-critical applications related to logical access security; change management (monitoring, documenting, and approving modifications to an agency’s IT system); personally identifiable information (PII); and business continuity planning and disaster recovery (DR).

Our audit of MRB identified an issue that has been omitted from this report in accordance with Exemption (n) of the Commonwealth’s public-records law (Section 7[26] of Chapter 4 of the General Laws), which allows for the withholding of certain records, including security measures or any other records related to cybersecurity or other infrastructure, if their disclosure is likely to jeopardize public safety or cybersecurity.

In accordance with Sections 7.39–7.43 of the Government Accountability Office’s Government Auditing Standards, as well as OSA policies, for reporting confidential and sensitive information, we have given a separate, full report to MRB, which will be responsible for acting on our recommendations.

Below is a summary of our findings and recommendations.

Finding 1a

MRB did not have policies and procedures in place to remove access rights to its Automated License and Registration System (ALARS) when employees were terminated.

Finding 1b

MRB did not review employee access rights to ALARS quarterly.

Recommendations

  1. MRB should define a specific timeframe to revoke terminated employees’ access to ALARS. It should also develop its own logical access security policies and procedures to supplement the Massachusetts Department of Transportation’s (MassDOT’s) information security program.
  2. MRB should develop and implement a process to review the access rights for all ALARS user accounts and work with the Information Technology Division of MassDOT (MassDOT IT) to obtain the information necessary to perform this activity. MRB should include access rights in its monthly ALARS reports to managers, or MRB could establish a process of review at least quarterly to ensure that users’ access rights are limited to their individual job requirements.
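The two controls behind Findings 1a and 1b (revoking access within a defined timeframe after termination, and periodically comparing each user's access rights with their job requirements) can be checked mechanically once the HR roster and an ALARS account export are available. The following is an added illustration of such a check; it is not code from the audit report, MRB or MassDOT. The HR roster, the account export, their column names, the role-to-entitlement matrix and the one-day revocation timeframe are all constructed assumptions for the example.

```python
"""Deprovisioning and access-review checks (added illustration; not from the report).

Assumptions: an HR roster and an ALARS account export as CSV with the column
names used below, a role-to-entitlement matrix that expresses "least privilege"
for each job, and a revocation timeframe of one day. Sample data is constructed.
"""
import csv
import io
from datetime import date, timedelta

# Constructed HR roster: who is active, who was terminated and when.
HR_ROSTER = """\
emp_id,name,status,term_date,role
1001,A. Alvarez,active,,clerk
1002,B. Brown,terminated,2016-03-01,supervisor
1003,C. Chen,terminated,2016-06-20,clerk
1004,D. Diaz,active,,analyst
"""

# Constructed ALARS account export: account owner, enabled flag, entitlements held.
ALARS_ACCOUNTS = """\
account,emp_id,enabled,entitlements,last_login
aalvarez,1001,Y,view;update,2016-06-28
bbrown,1002,Y,view;update;admin,2016-02-29
cchen,1003,Y,view,2016-06-19
ddiaz,1004,Y,view;update;admin,2016-06-30
svc_batch,,Y,view;update,2016-06-30
"""

# Assumed least-privilege matrix: the entitlements each role is allowed to hold.
ROLE_ENTITLEMENTS = {
    "clerk": {"view"},
    "supervisor": {"view", "update"},
    "analyst": {"view", "update"},
}

REVOCATION_SLA = timedelta(days=1)  # assumed timeframe for Recommendation 1


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def terminated_with_active_access(hr_rows, acct_rows, as_of):
    """Finding 1a: terminated employees whose account is still enabled as of
    `as_of`, and how many days past the revocation timeframe each one is."""
    terms = {r["emp_id"]: date.fromisoformat(r["term_date"])
             for r in hr_rows if r["status"] == "terminated"}
    findings = []
    for a in acct_rows:
        term_date = terms.get(a["emp_id"])
        if a["enabled"] != "Y" or term_date is None or term_date > as_of:
            continue
        overdue = as_of - (term_date + REVOCATION_SLA)
        findings.append({"account": a["account"], "emp_id": a["emp_id"],
                         "days_overdue": max(overdue.days, 0)})
    return findings


def excess_entitlements(hr_rows, acct_rows):
    """Finding 1b: enabled accounts holding entitlements beyond the owner's
    role, plus enabled accounts with no HR owner at all (orphans)."""
    known = {r["emp_id"] for r in hr_rows}
    roles = {r["emp_id"]: r["role"] for r in hr_rows if r["status"] == "active"}
    findings = []
    for a in acct_rows:
        if a["enabled"] != "Y":
            continue
        held = set(filter(None, a["entitlements"].split(";")))
        role = roles.get(a["emp_id"])
        if role is None:
            if a["emp_id"] not in known:  # terminated owners are reported above
                findings.append({"account": a["account"], "issue": "no HR owner",
                                 "excess": sorted(held)})
            continue
        excess = held - ROLE_ENTITLEMENTS[role]
        if excess:
            findings.append({"account": a["account"], "issue": f"exceeds role {role}",
                             "excess": sorted(excess)})
    return findings


def run_review(as_of="2016-06-30"):
    """Run both checks on the constructed data; the default date is the end of
    the audit period (an assumption made for the example)."""
    hr, accts = parse_csv(HR_ROSTER), parse_csv(ALARS_ACCOUNTS)
    return {
        "terminated_still_enabled": terminated_with_active_access(
            hr, accts, date.fromisoformat(as_of)),
        "entitlement_exceptions": excess_entitlements(hr, accts),
    }


if __name__ == "__main__":
    for section, rows in run_review().items():
        print(section)
        for row in rows:
            print("  ", row)
```

Run quarterly against the real exports, the first list is the deprovisioning backlog (Finding 1a) and the second is the access-review worksheet that managers would certify (Finding 1b). The orphan check matters in practice because service and shared accounts are exactly the ones that never appear on an HR termination list.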

Finding 2a

MRB did not have policies and procedures to classify data and maintain a data inventory.

Finding 2b

Employees did not receive IT security training before they received access to ALARS.

Recommendations

  1. MRB should consult with MassDOT to develop policies and procedures to classify its data and maintain a data inventory, so that the data can be identified and recovered in case of loss or corruption. In addition, a periodic review should be put in place to ensure that this procedure is carried out regularly.
  2. MRB should ensure that all new employees receive security awareness training during the onboarding process, before they receive access to MRB systems.

Finding 3a

MRB did not have a business continuity plan (BCP).

Finding 3b

MRB did not test a DR plan for fiscal years 2015 and 2016.

Finding 3c

MRB did not have backup policies and procedures for its internal FTP server.

Recommendations

  1. MRB should work with MassDOT IT to develop, document, and implement a BCP that includes MRB operations.
  2. MRB should consult with MassDOT to perform a DR test for all critical IT assets (such as data, equipment, IT services, and IT personnel) to ensure that suitable alternative procedures exist in case disruptions occur. The DR test should be performed annually to minimize the duration of any disruption to MRB operations.
  3. MRB should consult with MassDOT to document, develop, and implement backup procedures for its servers. These procedures should ensure that full offsite backups are performed and maintained regularly.


A PDF copy of the audit of the Merit Rating Board is available here.

List of Abbreviations

ALARS    Automated License and Registration System
BCP      business continuity plan
COBIT    Control Objectives for Information and Related Technologies
DR       disaster recovery
FTP      File Transfer Protocol
HR       human resources
ISP      information security program
IT       information technology
ITGC     information technology general control
MassDOT  Massachusetts Department of Transportation
MassIT   Massachusetts Office of Information Technology
MRB      Merit Rating Board
NIST     National Institute of Standards and Technology
PII      personally identifiable information
RMV      Registry of Motor Vehicles
OSA      Office of the State Auditor
