| Organization: | Office of the State Auditor |
|---|---|
| Date published: | December 19, 2025 |
Executive Summary
In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of certain activities of the Middlesex County District Attorney’s Office (MDAO) for the period July 1, 2022 through June 30, 2024. When examining employee settlement agreements entered into by MDAO, we extended the audit period to July 1, 2019 through June 30, 2024.
The purpose of our audit was to determine the following:
- To what extent did MDAO participate in the statewide sexual assault evidence collection kit (SAECK) tracking system as required by Section 18X(g) of Chapter 6A of the General Laws?
- Did MDAO adhere to Sections 6.2.3 and 6.2.4 of the Executive Office of Technology Services and Security’s Information Security Risk Standard IS0.010 regarding cybersecurity awareness training?
- Did MDAO have internal policies and procedures in place for (a) the review and approval of employee settlement agreements, including the use of non-disclosure, non-disparagement, or similarly restrictive clauses, and (b) the reporting of monetary employee settlements to the Office of the Comptroller of the Commonwealth in accordance with Sections 5.06 and 5.09 of Title 815 of the Code of Massachusetts Regulations?
Below is a summary of our findings, the effects of those findings, and our recommendations, with hyperlinks to each page listed.
| Finding 1 | MDAO did not promptly revoke former employees’ access rights within the statewide SAECK tracking system and did not complete certain data fields in the system. |
| Effect | If MDAO does not promptly revoke former employees’ access rights to the Track-Kit system, then there is a risk of unauthorized access to sensitive case and survivor information. Additionally, if MDAO does not assign its contact information to SAECKs, then the Track-Kit system is not being used as intended under statute. Having MDAO contact information assigned to SAECKs allows survivors to have an informed single point of contact and can streamline outreach and reduce confusion. |
| Recommendations |
|
| Finding 2 | MDAO should have documented internal policies or procedures regarding state employee settlement agreements and supporting records, as would be best practice. |
| Effect | A documented, written process to handle employee settlement agreements, especially for those containing non-disclosure, non-disparagement, or similarly restrictive clauses, can help ensure that employee settlements are handled in an ethical, legal, and appropriate manner. |
| Recommendation | MDAO should develop, document, and implement a written policy related to employee settlement agreements, including prohibiting the use of non-disclosure, non-disparagement, or similarly restrictive clauses in its agreements, as recommended in the Governor’s “Executive Department Settlement Policy,” issued January 27, 2025. |
| Finding 3 | MDAO should ensure that all employees complete cybersecurity awareness training upon hire and annually thereafter. |
| Effect | If MDAO does not educate its employees on their responsibility to protect the security of information assets, then MDAO may expose itself to a higher-than-acceptable risk of cybersecurity attacks and financial and/or reputational losses. |
| Recommendation | MDAO should ensure that all employees complete annual refresher cybersecurity awareness training and that all newly hired employees complete the initial training within the first 30 days of their new hire orientation. |
Post-Audit Action
During the course of our audit, we were informed that MDAO had revoked all former employees’ access rights to the Track-Kit system, and we were subsequently provided with evidence of how it did so. This corrective action addresses part of our audit finding related to the statewide SAECK tracking system.