| Organization: | Office of the State Auditor |
|---|---|
| Date published: | November 5, 2021 |

Executive Summary
In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the Office of the Inspector General (OIG)[1] for the period January 1, 2019 through December 31, 2020. In this performance audit, we determined whether OIG administered a cybersecurity awareness training program that complied with the Executive Office of Technology Services and Security’s (EOTSS’s) requirements and industry best practices.
Our audit revealed no significant instances of noncompliance by OIG that must be reported under generally accepted government auditing standards. However, in performing our audit testing, we found an internal control issue: OIG had not established a written policy regarding its cybersecurity awareness training. Such a policy would establish a requirement for all employees to receive cybersecurity awareness training upon hire and annually thereafter, as required by EOTSS standards. We brought this matter to the attention of OIG officials, who established a formal, written cybersecurity awareness training policy after our audit.
A PDF copy of the audit of the Office of the Inspector General is available here.
1. Generally accepted government auditing standards require that organizations be free from organizational impairments to independence with respect to the entities they audit. In accordance with Section 2 of Chapter 12A of the General Laws, the Inspector General is appointed by a majority vote of the Attorney General, State Auditor, and Governor. Additionally, pursuant to Section 3 of Chapter 12A of the General Laws, State Auditor Suzanne M. Bump serves on the eight-member Inspector General Council along with the Attorney General; the Secretary of Public Safety; the State Comptroller; and four other members appointed separately by the Attorney General, State Auditor, and Governor. This disclosure is made for informational purposes only, and this circumstance did not interfere with our ability to perform our audit work and report its results impartially.