Audit of the Division of Banks Objectives, Scope, and Methodology

An overview of the purpose and process of auditing the Division of Banks.

Overview

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of certain activities of the Division of Banks (DOB) for the period July 1, 2017 through June 30, 2019.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Below is a list of our audit objectives, indicating each question we intended our audit to answer and the conclusion we reached regarding each objective.

Objective and Conclusion

  1. Does DOB ensure that foreign transmittal agency (FTA) licensees maintain three years of records in accordance with Section 10 of Chapter 169 of the General Laws?
     Conclusion: Yes

  2. Does DOB collect, and act on, information from other states in compliance with Sections 42.04(2)(b)(4) and 42.06(2)(b)(4) of Title 209 of the Code of Massachusetts Regulations?
     Conclusion: Yes

  3. Does DOB share its information regarding Massachusetts enforcement actions for licensed mortgage lenders and brokers with other states, as required by Section 5107 of Title 12 of the United States Code and Section 1508(d)(3) of Title V of Public Law 110-289?
     Conclusion: Yes

In performing our audit work, we found that not all DOB employees promptly received cybersecurity awareness training, as discussed in Finding 1.

To achieve our audit objectives, we gained an understanding of DOB’s internal control environment related to the objectives by reviewing agency policies and procedures, as well as conducting inquiries with DOB’s staff and management. We evaluated the design, and tested the effectiveness, of controls DOB had established over monitoring FTA recordkeeping and notifying other states of public enforcement actions.

We performed the following procedures to obtain sufficient, appropriate audit evidence to address the audit objectives.

To determine whether DOB ensured that FTAs maintained three years of records in accordance with Section 10 of Chapter 169 of the General Laws, we selected a nonstatistical, random sample of 10 of the 44 FTA examinations DOB completed during our audit period. We inspected records of the detailed daily revenue and/or expense transactions, data reports, and money transfers DOB maintained for these examinations and confirmed that these 10 FTAs retained their records for at least three years.

To determine whether DOB collected, and acted on, information about mortgage lenders and brokers that may have had their licenses suspended or revoked by the licensing authority of any other state, we asked DOB for a report from the Nationwide Mortgage License System (NMLS) that showed the mortgage lenders and brokers that had had their licenses suspended or revoked by any state other than Massachusetts during the audit period. By reviewing examination schedules, completed examination folders, and file notations, we confirmed that DOB investigated and obtained actions due from other states regarding all 13 license suspensions or revocations in the report to ensure that it acted on notifications from NMLS.

We extracted all 213 examinations of licensed mortgage lenders and brokers that DOB completed during our audit period from the Non-Depository Regulatory System (NDRS) and separated them into two strata: examinations without formal enforcement action and examinations with formal enforcement action. For the first stratum, we inspected a nonstatistical, random sample of 20 of 207 examination folders to verify that there were no formal enforcement actions that resulted in reporting in NMLS. For the second stratum, we inspected all 6 examination folders to verify that DOB had reported the formal enforcement actions in NMLS so that notice of the action would be available to other states.

We used nonstatistical sampling methods and therefore could not project the results of our testing to the population.

Data Reliability

We determined the reliability of the data we received from NDRS by testing for accuracy and completeness. We randomly selected 10 of 257 examinations of FTAs and mortgage lenders and brokers from our audit period from NDRS and traced them to the source documentation (the final examination report, a sheet signed by different levels of reviewers, and the commissioner of banks’ letter to the licensee) to determine the accuracy of the data. We then compared DOB’s published annual report, which showed a total of 257 examination reports during our audit period, to reports generated from NDRS to determine the completeness of the population of examinations.

In addition, we determined the reliability of the data we received from NDRS by conducting interviews with DOB officials about access rights and privileges for the Regulatory Management System (RMS), NDRS, and the M drive. We also tested certain information system general controls regarding access and security management.

From the 196 employees who had access to NDRS and the M drive for the audit period, we randomly selected 10 of the 19 who were hired during the audit period, and 20 of the 177 who were hired before the audit period, and reviewed cybersecurity awareness training certificates to determine whether they received the required annual cybersecurity awareness training (see Finding 1). In addition, we randomly selected 20 of the 196 employees and reviewed the email requests from DOB’s Human Resources Department to verify that those employees’ system access rights and editing privileges were authorized.

For all 33 employees terminated during our audit period, we compared the termination dates from DOB’s Human Resources Department to the access termination dates in RMS, NDRS, and the M drive to determine whether employees were removed from all three systems within 24 hours after termination.

Based on the results of our data reliability assessments, we determined that the information obtained for our audit period was sufficiently reliable for the purposes of our audit work.

Date published: November 18, 2021
