Overview
In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of certain activities of the Cape and Islands District Attorney’s Office (CIDAO) for the period July 1, 2022 through June 30, 2024. When examining employee settlement agreements entered into by CIDAO, we extended the audit period to July 1, 2019 through June 30, 2024.
We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.
Below is a list of our audit objectives, indicating each question we intended our audit to answer; the conclusion we reached regarding each objective; and, if applicable, where each objective is discussed in the audit findings.
| Objectives | Conclusion |
|---|---|
| To an insufficient extent; see Finding 1 and Other Matters |
| No; see Finding 3 |
| No; see Finding 2 |
To accomplish our audit objectives, we gained an understanding of the CIDAO internal control environment relevant to our objectives by reviewing applicable policies, procedures, and its internal control plan, as well as by interviewing CIDAO officials. We also reviewed Track-Kit system user manuals, which included user roles for prosecuting attorneys. We evaluated the design and implementation, and tested the operating effectiveness, of internal controls related to the monitoring of employee training, as well as the approval of executed employee settlement agreements. See Findings 1, 2, and 3 for more information.
Statewide SAECK Tracking System
To determine whether CIDAO participated in the statewide SAECK tracking system as required by Section 18X(g) of Chapter 6A of the General Laws, we performed the following procedures:
- We requested policies and procedures regarding the use of the Track-Kit system. CIDAO informed us that it did not have any documented internal policies and procedures for how it should use the Track-Kit system.
- We interviewed the first assistant district attorney and the information technology director about CIDAO’s use of the Track-Kit system. We were informed that CIDAO does not and has not used it.
- While CIDAO did have access to the Track-Kit system dashboard, we determined that CIDAO did not have access to data in the Track-Kit system for SAECKs within its jurisdiction. It appears that CIDAO did not have access to the data for SAECKs because CIDAO never requested this data from the Executive Office of Public Safety and Security (EOPSS). Once CIDAO gained access to the data for SAECKs within the Track-Kit system during the course of our audit, we observed in the Track-Kit system that 129 SAECKs were collected within CIDAO’s jurisdiction during the audit period.
- We observed a sandbox version of the prosecuting attorney and survivor portals within the Track-Kit system from EOPSS.
- We reviewed Track-Kit system access logs from CIDAO and determined that there were 14 active user accounts. We determined that 10 of the 14 user accounts were for former employees. Further, no active users accessed the Track-Kit system during the audit period.
For this objective, we found certain issues during our testing regarding the extent to which CIDAO participated in the statewide SAECK tracking system. See Finding 1 and Other Matters for more information.
Cybersecurity Awareness Training
To determine whether CIDAO adhered to Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 with regard to cybersecurity awareness training, we reviewed the KnowBe4 training result data to determine whether employees completed the required annual cybersecurity awareness training. To do this, we obtained the following from CIDAO:
- a list of the 89 unique CIDAO employees who were employed during the audit period, including the 22 CIDAO employees who were hired during the audit period; and
- cybersecurity awareness training records covering the audit period.
We then compared our lists of employees’ names to our lists of training records to determine whether there was an annual cybersecurity awareness training completion date recorded for each employee on our lists. Because there was no specific training program for newly hired employees during the audit period, we checked the names of all newly hired employees in the KnowBe4 training records to determine whether they completed a training within 30 days of their new hire orientation as required by the EOTSS Standard.
We determined the following through our review:
- In fiscal year 2023, 61 out of 75 employees did not complete annual cybersecurity awareness training.
- In fiscal year 2024, 65 out of 80 employees did not complete annual cybersecurity awareness training.
- During the audit period, 21 out of 22 newly hired employees did not complete cybersecurity awareness training within 30 days of their new hire orientation.
For this objective, we found certain issues during our testing. See Finding 3 for more information.
Employee Settlement Agreements
To determine whether CIDAO had internal policies and procedures in place for (a) the review and approval of employee settlement agreements, including the language used, and (b) the reporting of employee settlement agreements to CTR, we performed the following procedures:
- We interviewed CIDAO’s first assistant district attorney and its director of Human Resources. They stated that CIDAO follows CTR’s Settlements and Judgments Policy for any employee settlement agreements involving monetary payments.
- We inquired about internal policies and procedures regarding entering into, approving, and processing employee settlements. We were informed that CIDAO did not have any documented policies.
- We inquired about internal policies and procedures regarding the use of non-disclosure, non-disparagement, non-publication, and similarly restrictive language in employee settlement agreements. We were informed that CIDAO did not have any documented policies.
For the one separation agreement we discovered during our data reliability analysis, we determined whether the settlement was processed in accordance with CTR’s Settlements and Judgments Policy by requesting, and reviewing where applicable, the following supporting documentation:
- the executed settlement agreement, signed by the appropriate parties;
- the SJ Authorization Form, complete with approval signatures and accurate payment amounts; and
- email correspondence from CTR approving CIDAO’s claim payment.
For this objective, we found certain issues; namely, during our testing, CIDAO did not provide the SJ Authorization Form or the email correspondence from CTR containing the approval. We noted that CIDAO did not have a documented, transparent, or accountable process related to employee settlement agreements. This is evidenced by the settlement agreement that CIDAO failed to report to us when we requested a list. See Finding 2 for more information.
We did not identify any restrictive language in our review of the employee settlement agreement.
Data Reliability Assessment
Cybersecurity Awareness Training
We obtained cybersecurity awareness training completion data from the KnowBe4 system covering the audit period, consisting of 133 training records. To determine the reliability of the training data, we ensured that training dates were within the audit period, checked for blank fields, and checked for duplicate records within the data. We reviewed System and Organization Control 2 reports covering the entire audit period. We ensured that certain information system control tests (access controls, security management, configuration management, contingency planning, and segregation of duties) had been performed without exception.
Employee Lists
We obtained from CIDAO management a list of all 89 CIDAO employees who were employed during the audit period. To ensure the accuracy of the list, we verified employee names, identification numbers, and employment date information for a sample of 10 employees against CIDAO personnel files. To ensure the completeness of the list, we traced employee names, identification numbers, and employment date information from a sample of 10 personnel files to the employee list. As part of our review, we also checked the list for employment start and end dates outside the audit period, blank fields, and duplicate records within the list.
Employee Settlement Agreements
We requested a list of employee settlement agreements from a five-year period (July 1, 2019 through June 30, 2024). CIDAO told us that it had not entered into any employee settlement agreements since the new administration took office in January 2023 and was not aware of whether the office had entered into any employee settlement agreements under the prior administration.
To corroborate CIDAO’s statements, we contacted CTR to determine whether any employee settlement agreements were reported for CIDAO in the CTR Settlement and Judgment Access Database during the extended audit period of July 1, 2019 through June 30, 2024. CTR confirmed that there were no records of employee settlements executed by CIDAO in the database. We examined the personnel folders for all CIDAO employees who separated from CIDAO in the five-year period for evidence of complaints, grievances, or settlement agreements and found none. We then ran a query from the Commonwealth Information Warehouse of all legal expenses paid by CIDAO for the extended audit period. Using this data, we requested supporting invoices for all legal expenses that were over $3,000. We examined the invoices and identified time charges for work on an employee separation agreement. We requested a copy of the separation agreement from CIDAO. We contacted CTR and requested a determination of whether the language of the agreement constituted a settlement agreement that should have been reported to CTR prior to payment, as required by 815 CMR 5.09. CTR determined that the separation agreement should have been reported to CTR prior to payment.
Based on the results of the data reliability assessment procedures described above, we determined that the information we obtained during the course of our audit was sufficiently reliable for the purposes of our audit.
Date published: November 25, 2025