Overview
In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of certain activities of the Department of Transitional Assistance (DTA) for the period July 1, 2021 through June 30, 2023. When examining inventory and physical security controls over blank Electronic Benefits Transfer (EBT) cards for all Transitional Assistance Offices (TAOs) and the EBT central processing center for regular EBT cards, we used the audit period August 12, 2022 through June 30, 2023, and for emergency EBT cards, we used the audit period October 29, 2021 through June 30, 2023.
We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.
Below is a list of our audit objectives, indicating each question we intended our audit to answer; the conclusion we reached regarding each objective; and if applicable, where each objective is discussed in the audit findings.
| Objective | Conclusion |
|---|---|
| | Yes |
| | Partially; see Finding 1 |
| | Partially; see Finding 2 |
| | Partially; see Findings 3, 4, and 5 |
To accomplish our audit objectives, we gained an understanding of the aspects of the DTA internal control environment relevant to our objectives by reviewing its internal control plan and applicable policies and procedures and by conducting interviews with DTA management. We also conducted site visits to four TAOs and DTA’s central EBT processing center to observe the physical controls in place for blank EBT cards. In addition, we observed the inventory count of EBT cards and the daily reconciliation process at the TAOs we visited. Additionally, to obtain sufficient, appropriate evidence to address our audit objectives, we performed the procedures described below.
TAFDC PTW Program Participants
To determine whether DTA administered its TAFDC PTW programs in accordance with 106 CMR 707.000, we selected a statistical, random sample with a 95% confidence level, a 5% tolerable rate, and a 0% expected error rate. Our sample consisted of 60 participants out of a total population of 27,166 participants who applied for TAFDC PTW programs during the audit period. For our sample, we examined participants’ files within the Benefit Eligibility and Control Online Network (BEACON) system to determine the following:
- whether DTA verified that each participant had a qualified dependent child within the participant’s household whose information matched each dependent child’s hospital birth record, birth certificate, school record, or passport;
- whether DTA verified that each participant’s Massachusetts residency requirement matched each participant’s driver’s license, bank statements, signed lease agreements, rent receipts, verification confirmations from the Registry of Motor Vehicles, or another government document, including records from housing authorities and the Department of Homeland Security;
- whether DTA verified that each participant’s citizenship or immigration status matched the participant’s passport, the Systematic Alien Verification for Entitlements system, birth certificate, or permanent resident card; and
- whether DTA verified that each participant’s income was below the TAFDC limits and that the income reported by the participant matched with an external agency that confirmed employment information and wage verification.
Based on the test results, we determined that DTA administered its TAFDC PTW programs in accordance with 106 CMR 707.000.
EDPs
To determine whether DTA created EDPs for participants in TAFDC PTW programs as required by 106 CMR 707.110, we selected a statistical, random sample using a 95% confidence level, a 5% tolerable rate, and a 0% expected error rate. Our sample consisted of 60 participants from a total population of 27,166 participants who applied for TAFDC PTW programs during the audit period. For the sample selected, we examined each participant’s EDP to determine whether the EDP included employment goals and the necessary activities tailored to their individual needs.
Based on the results of our testing, we determined that DTA did not always generate EDPs for participants in the TAFDC PTW programs, as required by Section 707.110 of 106 CMR. We used statistical projection techniques to project the result to the population of the participants who applied for the TAFDC PTW programs during the audit period. See Finding 1 for more information.
Monitoring of PII
To determine whether DTA designed and implemented a comprehensive security program to protect program participants’ PII in accordance with 201 CMR 17.03 and 17.04, we took the actions described below.
- We inspected DTA’s policies and procedures related to information technology security management, including access control, audit and accountability, configuration management policies, and contingency plans.
- We obtained evidence to determine whether DTA did the following:
  - implemented automatic lockout and user session lockout features within the system by inspecting the account lockout setting within the BEACON system;
  - allocated sufficient audit record storage capacity within the system by inspecting the audit storage capacity within the BEACON system;
  - monitored changes to the BEACON system by examining the production changes log provided by DTA management and the auditable event logs generated from the BEACON system to ensure that there was no inappropriate or suspicious activity; and
  - complied with its information technology policies and procedures over password complexity requirements by examining password parameter settings in the BEACON system.
- We selected a statistical, random sample of 60 BEACON users out of 1,877 active BEACON users during the audit period, using a 95% confidence level, a 5% tolerable rate, and a 0% expected error rate. We took the following actions:
  - We examined the Criminal Offender Record Information (CORI) background checks for each BEACON user and determined whether DTA conducted background checks on employees before they were granted access to the BEACON system.
  - We inspected cybersecurity training records to determine whether BEACON users completed cybersecurity awareness training during the audit period.
  - We examined each user’s Security Request Form and the Certification Statement from DTA management to determine whether user access rights were approved and reviewed by users’ supervisors.
- In addition, we randomly selected 35 terminated employees out of 245 terminated employees from the audit period and inspected the Security Request Form for each terminated employee to determine whether DTA revoked terminated employees’ access from the BEACON system within three business days of a user’s last day of employment.
Based on the results of our audit testing, we determined that DTA could not provide documentation to prove that a CORI background check had been conducted for some of its employees who have access to the BEACON system. In addition, DTA did not ensure that all of its employees completed cybersecurity awareness training. We used statistical projection techniques to project the results of our testing to the population of active BEACON users during the audit period. See Finding 2 for more information.
Physical and Security Controls Over Blank EBT Cards
Paragraph 9.12 of the US Government Accountability Office’s Government Auditing Standards states, “Auditors should . . . report any significant constraints imposed on the audit approach by information limitations or scope impairments.” During our audit of DTA, we experienced a scope limitation regarding our ability to obtain the information necessary to answer the blank EBT cards–related objective. Specifically, we requested shipping logs for both regular and emergency EBT cards that tracked the number of EBT cards shipped from DTA’s central office to its TAOs during the audit period. DTA management informed us that DTA started using an electronic inventory tracking log for emergency EBT cards on October 29, 2021 and for regular EBT cards on August 12, 2022. Because TAOs reopened following the end of the state of emergency declared for the COVID-19 pandemic, any information before those two dates was documented in physical shipping logs. Because all the physical logs were handwritten, and much of the information was unclear, we could not ensure the accuracy and completeness of the information. Therefore, the audit team was not able to calculate the total number of regular EBT cards shipped to TAOs before August 12, 2022 or the total number of emergency EBT cards shipped to TAOs before October 29, 2021. As a result, we had to limit the scope of our review when performing the ending balance reconciliation for blank EBT cards for all TAOs and the EBT central processing center for regular EBT cards to the period between August 12, 2022 and June 30, 2023 and for emergency EBT cards to the period between October 29, 2021 and June 30, 2023.
To determine whether DTA implemented inventory and physical security controls over blank EBT cards in accordance with Step 4 of Section IV of its “TAO Card Issuance System (CIS) Security & Handling Procedures,” we took the following actions:
- We judgmentally selected and visited five TAOs across the Commonwealth and DTA’s EBT central processing center to assess compliance with management control policies and procedures over physical security controls for the EBT card inventory.
- We reconciled the Electronic Payment Process Internal Control (EPPIC) system’s EBT card issuance data to the daily logs to ensure that each TAO’s ending balance of blank EBT cards was accurate at the end of the audit period.
- We judgmentally selected two dates across the 20 TAOs and requested Card Issuance System (CIS) Daily Reconciliation Logs, CIS Inventory Logs, and EBT Card Signature Cover Sheets for the sampled dates. In addition, we judgmentally selected seven dates for the central EBT processing center (because the central EBT processing center operates differently than the TAOs and has a higher card issuance volume than TAOs) and requested CIS Daily Reconciliation Logs and CIS Safe Inventory Logs from the central EBT processing center.
- We inspected CIS Daily Reconciliation Logs, CIS Inventory Logs, and EBT Card Signature Cover Sheets for the TAOs in our sample to ensure that all the logs were reviewed and signed by a TAO manager or an authorized employee.
- We inspected CIS Daily Reconciliation Logs, CIS Inventory Logs, and EBT Card Signature Cover Sheets for the 20 TAOs and DTA’s central EBT processing center that DTA provided to us and compared all logs to the EPPIC system EBT card issuance data.
Based on the results of our audit testing, we determined that DTA has implemented inventory and physical security controls over blank EBT cards in accordance with Step 4 of Section IV of its “TAO Card Issuance System (CIS) Security & Handling Procedures.” However, we were not able to reconcile the number of EBT cards issued from the daily and inventory logs to the EPPIC system. See Findings 3, 4, and 5 for more information.
Data Reliability Assessment
To assess the reliability of the TAFDC PTW program participant data and BEACON user list that we obtained from the BEACON system, we conducted interviews and system walkthroughs with DTA management responsible for oversight of the data. We tested general information technology controls (security management, access controls, configuration management, segregation of duties, and contingency planning).
We compared the TAFDC PTW program participant data record counts from the system to the records that we received from DTA. We tested the TAFDC PTW program participant data for any worksheet errors (hidden rows, headers, and missing data elements) and removed duplicates in the data to create a list of unique participants who enrolled in the TAFDC PTW programs for the audit period. In addition, we randomly selected a sample of 20 TAFDC PTW program participants from the TAFDC PTW program participant data to compare participants’ names to their identification documents.
We tested the BEACON user list for any worksheet errors (hidden rows, headers, and missing data elements) and for duplicates in the data. We obtained a list of DTA employees from the Commonwealth Information Warehouse and compared it to the BEACON user list to ensure the completeness and accuracy of the BEACON user list. We also compared the list of terminated employees to the Commonwealth Information Warehouse’s list of terminated employees from the audit period to ensure the completeness and accuracy of the terminated employee list provided by DTA.
To assess the reliability of the card issuance data, we interviewed DTA management and information technology employees who were knowledgeable about the EPPIC system. We reviewed the System and Organization Control reports for the audit period. Our review included, but was not limited to, testing all access and account management controls. We also tested the EBT card issuance data for any worksheet errors (hidden rows, headers, and other contents) and duplicates.
To assess the reliability of the blank EBT card data provided by DTA, we interviewed DTA officials who were knowledgeable about the data. We inspected the Weekly Safe Inspection Log and CIS Safe Inventory Log for each TAO at the end of the audit period and verified the date and number of blank EBT cards for each TAO as of June 30, 2023. In addition, we attempted to reconcile the blank EBT cards reported in the CIS Daily Reconciliation Log from the BEACON system with the EBT card issuance data from the EPPIC system. We encountered a discrepancy while reconciling DTA’s EPPIC system to the BEACON system. See Finding 3 for more information regarding the results of our reconciliation on blank EBT cards.
Based on the results of the data reliability assessment procedures described above, we determined that the information we obtained during the course of our audit was sufficiently reliable for the purposes of our audit.
Date published: January 30, 2026