Audit of the Operational Services Division

Our office has conducted a performance audit of the Operational Services Division (OSD) for the period July 1, 2021 through December 31, 2022.

Organization: Office of the State Auditor
Date published: April 25, 2024

Executive Summary

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the Operational Services Division (OSD) for the period July 1, 2021 through December 31, 2022. In this performance audit, we determined the following:

  • whether OSD’s Mass.gov website met the accessibility standards established by the Executive Office of Technology Services and Security (EOTSS) and the Web Content Accessibility Guidelines (WCAG) 2.1 for user accessibility, keyboard accessibility, navigation accessibility, language, error identification, and color accessibility;
  • whether OSD ensured that all contracts posted to its COMMBUYS website complied with EOTSS’s Enterprise Information Technology Accessibility Policy and WCAG 2.1 for user accessibility, keyboard accessibility, navigation accessibility, language, error identification, and color accessibility; and
  • whether OSD established information technology governance policies and procedures that met the requirements of EOTSS’s Enterprise Information Security Policies and Standards for business continuity plans, disaster recovery plans, information security incident response plans and procedures, and cybersecurity awareness training.

Below is a summary of our findings and recommendations, with links to each page listed.

  
Finding 1
 
OSD’s Mass.gov website is not fully accessible for all Massachusetts residents.
Recommendations
 
  1. OSD should review its Mass.gov webpages to ensure that all hyperlinks lead to related information to provide equitable access to critical information and services offered online by OSD for all Massachusetts residents and state agencies.
  2. OSD should ensure that content on its Mass.gov webpages displays clearly, even when zoomed up to 400%, resulting in a user experience that is inclusive of all Massachusetts residents and state agencies.
Finding 2
 
OSD did not ensure that all of its hyperlinks within contract user guides (CUGs) led to related information.
Recommendation
 
OSD should regularly review its posted CUGs and ensure that hyperlinks within them are up-to-date and functional.
Finding 3
 
OSD did not ensure that all contracts posted to COMMBUYS had a language tag.
Recommendations
 
  1. OSD should ensure that all attached contract forms have a language tag.
  2. OSD should establish criteria and user guides that include accessibility requirements for attached contract forms.
Finding 4
 
OSD did not ensure that its COMMBUYS website provided correction suggestions.
Recommendations
 
  1. OSD should ensure that all fields on its webpages properly identify errors when a user inputs an incorrect data type into an entry field.
  2. OSD should ensure that it provides correction suggestions when a user inputs an incorrect data type into an entry field.
Finding 5
 
OSD relies on an information security incident response plan and procedures that do not include all required elements.
Recommendation
 
OSD should establish information security incident response procedures for implementing corrective action or post-incident analysis, criteria for business recovery, data backup processes, and an analysis of legal requirements for reporting information technology system compromises.
Finding 6
OSD does not have a business continuity plan or a disaster recovery plan.
Recommendations
  1. OSD should develop, document, and test a business continuity plan.
  2. OSD should develop, document, and test a disaster recovery plan for both onsite and offsite recovery locations.
