This page, Audit of the Committee for Public Counsel Services Objectives, Scope, and Methodology, is offered by the Office of the State Auditor.

Audit of the Committee for Public Counsel Services Objectives, Scope, and Methodology

An overview of the purpose and process of auditing the Committee for Public Counsel Services


Overview

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of certain activities of the Committee for Public Counsel Services (CPCS) for the period January 1, 2019 through December 31, 2021.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Below is a list of our audit objectives, indicating each question we intended our audit to answer, the conclusion we reached regarding each objective, and where each objective is discussed in the audit findings.

Objective 1. Did CPCS employees receive cybersecurity awareness training and sign acknowledgment forms in accordance with Sections 6.2.3, 6.2.4, and 6.2.8 of the Executive Office of Technology Services and Security’s (EOTSS’s) Information Security Risk Management Standard IS.010, effective October 15, 2018?

Conclusion: No; see Finding 1

Objective 2. Did CPCS update its business continuity and disaster recovery plan in accordance with Section 6.1.1.4 of EOTSS’s Business Continuity and Disaster Recovery Standard IS.005, effective October 15, 2018?

Conclusion: No; see Finding 2

Objective 3. Did CPCS update its internal control plan (ICP) as required by the Office of the Comptroller of the Commonwealth’s (CTR’s) “[2019 Coronavirus, or COVID-19] Pandemic Response Internal Controls Guidance”?

Conclusion: No; see Finding 3


To achieve our audit objectives, we gained an understanding of CPCS’s internal control environment related to the objectives by reviewing applicable agency policies and procedures, as well as conducting inquiries with CPCS’s staff and management. We evaluated the design of controls over cybersecurity awareness training, computer use acknowledgment forms, the business continuity and disaster recovery plan, and the ICP.

Acceptable Use Policy

We obtained a list of all employees during the audit period from CPCS. From this list, we selected a random, nonstatistical sample of 60 CPCS employees from a population of 884. We requested copies of the 60 employees’ signed Certification of Receipt Personnel Policies forms (including computer usage) from CPCS’s Human Resource Department and verified that there was a signature on each user’s form to ensure that all users had signed forms and acknowledged the policies.

Cybersecurity Awareness Training

During our data reliability assessment, we tested all 23 CPCS employees, including 5 hired during the audit period, who had access to the Massachusetts Management Accounting and Reporting System (MMARS) during our audit period to ensure that they had received cybersecurity awareness training.

In addition, to determine whether CPCS newly hired employees without access to MMARS received cybersecurity awareness training within 30 days of new-hire orientation, we selected a nonstatistical, random sample of 35 CPCS newly hired employees from the list of employees without MMARS access from a population of 145. For each newly hired employee in our sample, we requested the orientation date from CPCS’s Human Resource Department, and we requested the cybersecurity awareness training materials presented to the newly hired employees from CPCS’s Information Technology (IT) Department. Also, we requested the cybersecurity awareness training certificates from CPCS’s IT Department to determine whether these newly hired employees received annual cybersecurity awareness training, if applicable.

To determine whether CPCS’s existing employees (who were hired before the audit period began) with no MMARS access completed their cybersecurity awareness training, we selected a nonstatistical sample of 50 existing CPCS employees from a population of 716 (which excludes the 18 existing employees with MMARS access). For each existing employee in our sample, we examined their cybersecurity awareness training certificate to determine whether they completed the annual training and the certificate was documented in KnowBe4.

Phishing

We obtained KnowBe4 test results for all employees who received phishing emails as part of the test during the audit period. We examined the test results and determined that 218 CPCS employees failed the phishing testing during our audit period. In addition, for employees with MMARS access who failed the phishing tests, we determined how many times they each failed. We divided the 218 employees who failed the phishing tests into two strata.

For stratum one, 172 employees failed once, and we targeted the 6 employees with MMARS access and 29 without MMARS access to determine whether these employees took additional cybersecurity awareness training. We reviewed email notifications for additional training dates, interactive PowerPoint presentations used for additional training, and cybersecurity awareness training certificates from KnowBe4. No exceptions were noted with this testing.

For stratum two, there were 46 employees who failed more than once. For this stratum, we selected a random, nonstatistical sample of 10 employees to determine whether they received additional cybersecurity awareness training. We reviewed email notifications for additional training dates, interactive PowerPoint presentations used for additional training, and cybersecurity awareness training certificates from KnowBe4. No exceptions were noted with this testing.
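As an added illustration (not part of the audit report or of CPCS’s own tooling), the script below applies the stratification and follow-up-training check described above to a constructed set of KnowBe4-style phishing results: it counts distinct in-period failures per employee, splits employees into the two strata, and flags anyone with no training certificate dated after their latest failure, listing MMARS users first. The employee names, dates, and record layout are assumptions.

```python
from collections import Counter
from datetime import date

# Audit period stated in the report: January 1, 2019 through December 31, 2021.
AUDIT_START, AUDIT_END = date(2019, 1, 1), date(2021, 12, 31)

# Constructed sample records (employee, date the phishing email was failed); not CPCS data.
PHISH_FAILURES = [
    ("alice", date(2019, 3, 4)),
    ("bob", date(2020, 5, 6)), ("bob", date(2021, 2, 1)),
    ("carol", date(2022, 1, 15)),   # outside the audit period; excluded by in_period()
    ("dave", date(2020, 8, 9)),
    ("dave", date(2020, 8, 9)),     # exact duplicate record; counted once
]
# Constructed training certificate dates per employee (empty list = no certificate on file).
TRAINING_CERTS = {"alice": [date(2019, 3, 20)], "bob": [date(2020, 6, 1)], "dave": []}
MMARS_USERS = {"bob"}  # assumed set of employees with MMARS access

def in_period(d):
    return AUDIT_START <= d <= AUDIT_END

def failure_counts(records):
    """Distinct in-period failures per employee (duplicate rows are de-duplicated first)."""
    unique = {(emp, d) for emp, d in records if in_period(d)}
    return Counter(emp for emp, _ in unique)

def stratify(counts):
    """Stratum one: failed exactly once. Stratum two: failed more than once."""
    one = sorted(e for e, n in counts.items() if n == 1)
    two = sorted(e for e, n in counts.items() if n > 1)
    return one, two

def retrained_after_last_failure(records, certs):
    """True when a training certificate is dated after the employee's latest in-period failure."""
    last = {}
    for emp, d in records:
        if in_period(d):
            last[emp] = max(d, last.get(emp, d))
    return {emp: any(c > fail for c in certs.get(emp, [])) for emp, fail in last.items()}

def exceptions(records, certs, mmars):
    """Failing employees with no follow-up training; MMARS users sort first for priority review."""
    status = retrained_after_last_failure(records, certs)
    return sorted((e for e, ok in status.items() if not ok), key=lambda e: (e not in mmars, e))
```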

ICP

We requested CPCS’s ICPs for fiscal years 2020, 2021, and 2022 to determine whether they were updated with COVID-19 pandemic guidance as required by CTR’s “Internal Control Guide,” because COVID-19 had caused a significant change to the work environment. We examined a copy of the ICP for fiscal year 2021 to determine whether it contained the components required by CTR’s “COVID-19 Pandemic Response Internal Controls Guidance.”

Business Continuity and Disaster Recovery Plan

To determine whether CPCS had established a business continuity and disaster recovery plan, we requested the business continuity and disaster recovery plan from CPCS management. CPCS management provided an outline of the business continuity and disaster recovery plan that had not been approved by CPCS management (see Finding 2).

When we used nonstatistical sampling methods for our audit objectives, we did not project the results from the samples to the populations.

Data Reliability Assessment

CPCS Employee List

To determine the completeness and accuracy of the list of all CPCS employees during the audit period generated from MMARS, we compared this list to an employee list provided by CPCS’s Human Resource Department and an employee list provided by CPCS’s IT Department. In addition, for each of these lists, we tested for duplicate data, missing data, and dates outside the audit period. No exceptions were noted with this testing.

KnowBe4

To assess the reliability of CPCS’s phishing test records from KnowBe4, we tested for missing data, duplicate data, and dates outside the audit period. For completeness and accuracy, we compared the names of employees from KnowBe4 to our reconciled employee list.

We assessed the reliability of the cybersecurity awareness training and phishing test records obtained from KnowBe4 using Service Organization Control reports[4] to determine whether there were exceptions in the testing performed for certain general IT controls (security management, access control, configuration management, segregation of duties, and contingency planning). In addition, we reviewed the peer review report of the agency that prepared the Service Organization Control reports.

MMARS

In 2018, the Office of the State Auditor performed a data reliability assessment of MMARS for the period April 1, 2017 through March 31, 2018. The assessment focused on reviewing selected system controls, including access controls, cybersecurity awareness, audit and accountability, configuration management, identification and authentication, and personnel security.

During this audit, we asked CPCS management about the agency’s cybersecurity awareness policy and personnel security policy and procedures. We requested cybersecurity awareness training certificates for all 23 employees who had access to MMARS during the audit period.

Based on the results of our data reliability assessments, we determined that the information obtained for our audit period was sufficiently reliable for the purpose of our audit objectives.

[4] These reports review the effectiveness of internal controls over an organization’s information systems and are conducted by independent certified public accountants or accounting firms.

Date published: June 9, 2023
