• This page, Audit of the Division of Capital Asset Management and Maintenance Objectives, Scope, and Methodology, is   offered by
  • Office of the State Auditor

Audit of the Division of Capital Asset Management and Maintenance Objectives, Scope, and Methodology

An overview of the purpose and process of auditing the Division of Capital Asset Management and Maintenance.

Table of Contents

Overview

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of certain activities of the Division of Capital Asset Management and Maintenance (DCAMM) for the period January 1, 2019 through December 31, 2020.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Below is a list of our audit objectives, indicating each question we intended our audit to answer; the conclusion we reached regarding each objective; and, if applicable, where each objective is discussed in the audit findings.

Objective

Conclusion

  1.  

Does DCAMM have internal tracking, oversight, and enforcement procedures to ensure compliance with the provisions of workforce participation goals under Section 44A(1)(G) of Chapter 149 of the General Laws?

No; see Findings 1 and 3

  1.  

Does DCAMM monitor quarterly contractor notifications regarding minorities’ and women’s workforce participation goals as required by the general conditions of the Commonwealth’s standard construction contract?

No; see Finding 2

  1.  

Does DCAMM ensure that contractors are certified before awarding contracts, in accordance with Sections 4.03 and 4.04 of Title 810 of the Code of Massachusetts Regulations?

Yes

  1.  

Did DCAMM update its internal control plan (ICP) to address the 2019 coronavirus (COVID-19) pandemic, as required by the Office of the Comptroller of the Commonwealth’s (CTR’s) guidance?

No; see Finding 4

  1.  

Do DCAMM employees receive cybersecurity awareness training in accordance with the Executive Office of Technology Services and Security’s Information Security Risk Standard IS.010?

No; see Finding 5

 

To accomplish our objectives, we gained an understanding of DCAMM’s internal control environment related to the objectives by reviewing applicable agency policies and procedures, as well as conducting interviews with DCAMM management. We evaluated the operating effectiveness of internal controls related to the certification and certified payroll processes.

To obtain sufficient, appropriate audit evidence to address our audit objectives, we conducted further audit testing as follows.

We examined workforce data for the 127 construction contracts and 58 design contracts for which DCAMM accepted certified payroll data during the audit period to determine whether contracts met the workforce participation goals for women and minorities.

  • Using Microsoft Excel, we filtered the certified payroll data by work type (construction and design) and gender (women) to identify the total hours women worked on each contract during our audit period. We then compared the number of hours worked by women to the women’s workforce participation goal of 6.9%. We calculated the total number of contracts that met the women’s workforce participation goal and the number of contracts that did not. We analyzed the data by contract size, based on the number of employees and total hours worked on the contract, to determine the correlation between the number of employees and the number of contracts that met the goals for women’s workforce participation. We calculated the total number of female employees of each ethnicity on all contracts. Finally, we compared the sum of gross pay for all female employees to the total gross pay for all contracts during our audit period.
  • Using Microsoft Excel, we filtered the certified payroll data by work type and ethnicity (African American, Asian, Hispanic, or other) to identify the total hours worked by minorities. We then compared the total number of hours worked by minorities to the total number of hours worked on each contract during our audit period. We compared the percentage of hours worked by minorities to the minority workforce participation goal of 15.3%. We compared the sum of gross pay for all minority employees, grouped by ethnicity, to the total gross pay for all contracts during our audit period. We calculated the total number of contracts that met the minorities’ workforce participation goal and the number of contracts that did not. We analyzed the data by contract size, based on the number of employees and total hours worked on the contract, to determine the correlation between the number of employees and the number of contracts that met the goals for minority workforce participation. Finally, we calculated the total number of employees by each ethnicity on all contracts.

During our audit period, construction contracts per quarter ranged from 50 to 69, with an average of 60. Design contracts per quarter ranged from 23 to 43 contracts, with an average of 33. We identified the contracts that did not meet the workforce participation goals each quarter to identify the contracts for which DCAMM had not requested quarterly projected staffing tables as required by the general conditions of the Commonwealth’s standard construction contract.

  • Using Microsoft Excel, we filtered the certified payroll data by gender, work type, quarter, and year. We compared all the contracts’ work hours to the percentage of women’s work hours for each quarter of the audit period, showing a complete summary of the data. We determined the number of contracts and the percentage of contracts that met the women’s workforce participation goal in every quarter.
  • Using Microsoft Excel, we filtered the certified payroll data by ethnicity, work type, quarter, and year. We compared all the contracts’ work hours to the percentage of minority work hours for each quarter of the audit period, showing a complete summary of the data. We determined the number of contracts and the percentage of contracts that met the minority workforce participation goal in every quarter.

Based on a high level of risk, we selected a random, statistical sample with a 90% confidence level, 5% tolerable rate, and 0% expected error rate. Our sample consisted of 47 contractors out of a total population of 1,389 contractors that applied for certification from DCAMM during our audit period. To determine whether contractors met the certification requirements before they were awarded contracts, we performed the following tests.

  • We inspected copies of the applications and certifications to ensure that contractors had certification in the requested categories of work.
  • We inspected copies of the contractors’ evaluations to ensure that no contractor had received three failing scores (under 80 points) during the previous five years.
  • We inspected copies of the contractors’ licenses for categories of work where licenses were required.
  • We examined the contractors’ financial records to ensure that they satisfied the requirement of financial responsibility.
  • We examined copies of the project bonding letters10 and verified that each surety was licensed by the state Division of Insurance and was on the current list of approved sureties from the United States Department of the Treasury.
  • We inspected contractors’ resumes to ensure that they had experience in performing construction projects.
  • We examined certificates of good standing issued by the Commonwealth and inspected applications to ensure that contractors had not broken the certification requirements (e.g., had no lawsuits, revoked licenses, or Occupational Safety and Health Administration sanctions) in the past five years.

We asked the DCAMM deputy commissioner of finance to evaluate the ICPs for 2019 and 2020 to determine whether they had been updated during the audit period with COVID-19 guidance as required by CTR’s Internal Control Guide because COVID-19 caused a significant change to the work environment. We examined a copy of the ICP that was updated in 2020 to determine whether it contained the components required by CTR’s “COVID-19 Pandemic Response Internal Controls Guidance.”

We asked management for certificates of completion of cybersecurity awareness training from our audit period. However, DCAMM management told us that the copies for 2019 were not maintained in the employees’ personnel files and DCAMM no longer had access to them because it had switched to another vendor.

For calendar year 2020, we selected a nonstatistical, judgmental sample of 40 employees out of the total population of 424 employees who had Commonwealth-provided email (85 of whom also had access to the Massachusetts Management Accounting and Reporting System, or MMARS). Of the 40 employees we selected, 9 also had accounts payable and procurement administrator11 roles in MMARS. We inspected cybersecurity awareness training certificates from 2020 to ensure that training had been completed.

When nonstatistical sampling methods were used, we could not project the results of our testing to the population.

Data Reliability Assessment

Labor Compliance Program Tracker

DCAMM uses the Labor Compliance Program Tracker (LCPTracker) for contractors to record certified payroll. We tested selected information system controls (access controls, security management, configuration management, contingency planning, and segregation of duties) to determine the reliability of the data in LCPTracker. In addition, for the list of weekly certified payroll data, we performed a data integrity test to verify that all data were within our audit period.

To assess the reliability of weekly LCPTracker certified payroll data, we checked for duplicates, electronically analyzed the data for errors and anomalies, and reconciled the data to DCAMM’s fiscal year 2020 annual report section on reported hours by gender and ethnicity. We discussed the results of our verification with DCAMM’s management team to gain an additional understanding of contractors’ eligibility for DCAMM certification.

We concluded that the data might be understated and some contractors’ certified payrolls might not have been submitted (see Finding 3). Despite these issues, we determined that the weekly certified payroll data were sufficiently reliable for our purposes.

Business to Government Now

DCAMM uses Business to Government Now (B2GNow) to manage certifications for the 18 categories of work. We inspected the System and Organization Control report performed by IS Partners LLC that covered the period February 1, 2020 through January 31, 2021. It described testing of the information system general controls and explained that they had been tested without exceptions. In addition, we tested certain general information technology controls (security management, access control, configuration management, segregation of duties, and contingency planning) for the period January 1, 2019 through December 31, 2020. We analyzed the spreadsheets by testing for hidden data, columns, worksheets, and duplicates. We ensured the completeness and accuracy of the data from B2GNow by judgmentally selecting 40 contractors from the contractor list and verifying that the certifications for which they had applied were the certifications granted.

List of Employees

We used a Microsoft Excel spreadsheet of employees, provided by DCAMM, to identify the number of contractor employees during our audit period. We compared the employee list to a list of Commonwealth Information Warehouse12 accounts payable data and inspected the two lists for discrepancies. We analyzed the spreadsheets by testing for hidden data, columns, worksheets, and duplicates. We judgmentally selected a sample of 20 employees from the Commonwealth Information Warehouse list and traced it to the list of employees provided by DCAMM to verify the employees’ existence.

Based on the results of our data reliability assessments, we determined that the information obtained for our audit period was sufficiently reliable for the purpose of our audit objectives.

10.    A bonding letter is an approval by a surety that the contractor can work on a project up to a specific amount of money. A surety is an insurance company that takes on a contractor’s financial responsibility up to a specific amount of money.

11.    An employee with an accounts payable role prepares payments for an agency. An employee with a procurement administrator role makes purchases for an agency.

12.    According to the website of the Executive Office for Administration and Finance, the Commonwealth's Information Warehouse is an "integrated repository" of "financial, budgetary, human resource, payroll, and time reporting information."

Date published: February 23, 2022

Help Us Improve Mass.gov  with your feedback

Please do not include personal or contact information.
Feedback