Offered by the Office of the State Auditor

Audit of the Division of Insurance Objectives, Scope, and Methodology

An overview of the purpose and process of auditing the Division of Insurance.

Overview

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of certain activities of the Division of Insurance (DOI) for the period July 1, 2021 through December 31, 2022.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Below is a list of our audit objectives, indicating each question we intended our audit to answer; the conclusion we reached regarding each objective; and, if applicable, where each objective is discussed in the audit findings.

Objective 1. Did DOI’s website meet the Executive Office of Technology Services and Security’s (EOTSS’s) Enterprise Information Technology Accessibility Policy and the Web Content Accessibility Guidelines (WCAG) 2.1 for user accessibility, keyboard accessibility, navigation accessibility, language, error identification, and color accessibility?

Conclusion: No; see Finding 1.

Objective 2. Did DOI establish information technology (IT) governance policies and procedures over the following areas:
  a. business continuity and disaster recovery plans that met the requirements of Sections 6.1.1.4 and 6.2.1 of EOTSS’s Business Continuity and Disaster Recovery Standard IS.005;
  b. information security incident response plan and procedures that met the requirements of Sections 6.5.1 and 6.5.2 of EOTSS’s Information Security Incident Management Standard IS.009; and
  c. cybersecurity awareness training that met the requirements of Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010?

Conclusion: No; see Findings 2 and 3.

To achieve our audit objectives, we gained an understanding of DOI’s internal control environment related to the objectives by reviewing applicable policies and procedures and by interviewing DOI staff members and management.

We performed the following procedures to obtain sufficient, appropriate audit evidence to address the audit objectives.

Web Accessibility

To determine whether DOI’s website meets WCAG 2.1 for user accessibility, keyboard accessibility, navigation accessibility, language, error identification, and color accessibility, we tested a random, nonstatistical sample of 60 out of a total of 930 DOI webpages in the audit population. We performed the following procedures.

User Accessibility

  • We determined whether the webpage could be viewed in both portrait and landscape modes.
  • We determined whether, when zoomed in to 200%, content on the webpage was undamaged and remained readable.
  • We determined whether, when zoomed in to 400%, content on the webpage was undamaged and in a single column.

Keyboard Accessibility

  • We determined whether all elements of the webpage could be navigated using only a keyboard.
  • We determined whether any elements on the webpage prevented a user from moving to a different element when using only a keyboard to navigate the webpage.

Navigation Accessibility

  • We determined whether there was a search function present to help users locate content.
  • We determined whether related hyperlinks allowed navigation to the intended webpage.

Language

  • We determined whether the words that appeared on the webpage matched the language declared in the webpage’s language attribute, which screen readers use to select pronunciation rules.
  • We determined whether proper names were identified in PDF files included on the webpage to avoid improper translation or pronunciation errors from screen readers.

Error Identification

  • We determined whether there was text explaining why an error occurred.
  • We determined whether there were examples given to assist the user in correcting mistakes (for example, a warning when entering a letter in a field meant for numbers).

Color Accessibility

  • We determined whether hyperlink text had at least a 3:1 contrast ratio against the surrounding text and an additional, non-color visual cue (for example, an underline) to distinguish it, which WCAG recommends for users with colorblindness or other visual impairments.

See Finding 1 for issues we identified with hyperlinks and language attributes on DOI’s website.
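The language and color-accessibility checks described above, as an added example that is not part of the audit report: a small Python checker that reads the declared language of a page and computes the WCAG 2.1 contrast ratio between each hyperlink and the surrounding body text, flagging links that rely on color alone and fall below 3:1. It assumes colors are given in inline style attributes (a simplification made so the example runs without a browser; real testing reads computed styles), and the two HTML pages it scans are constructed for this example.

```python
"""Offline checker for two WCAG 2.1 properties: declared page language and
hyperlink contrast. Added example; colours are read from a hypothetical
inline-style convention (style="color:#rrggbb; text-decoration:...")."""
from html.parser import HTMLParser

# Browser user-agent stylesheet defaults, used when the page sets no colour itself.
DEFAULT_TEXT_COLOUR = "#000000"
DEFAULT_LINK_COLOUR = "#0000ee"
MIN_LINK_CONTRAST = 3.0  # WCAG 2.1 technique G183 threshold for colour-only links


def _linear_channel(value_8bit: int) -> float:
    """Linearise one 8-bit sRGB channel per the WCAG 2.1 relative-luminance definition."""
    c = value_8bit / 255.0
    return c / 12.92 if c <= 0.03928 else ((c + 0.055) / 1.055) ** 2.4


def relative_luminance(hex_colour: str) -> float:
    """Relative luminance of a #rgb or #rrggbb colour, from 0.0 (black) to 1.0 (white)."""
    h = hex_colour.strip().lstrip("#")
    if len(h) == 3:
        h = "".join(ch * 2 for ch in h)
    r, g, b = (int(h[i:i + 2], 16) for i in (0, 2, 4))
    return 0.2126 * _linear_channel(r) + 0.7152 * _linear_channel(g) + 0.0722 * _linear_channel(b)


def contrast_ratio(colour_a: str, colour_b: str) -> float:
    """WCAG contrast ratio (L_lighter + 0.05) / (L_darker + 0.05); ranges from 1:1 to 21:1."""
    la, lb = relative_luminance(colour_a), relative_luminance(colour_b)
    return (max(la, lb) + 0.05) / (min(la, lb) + 0.05)


def _parse_style(style_attr):
    """Turn 'color:#333; text-decoration:none' into a dict of lower-cased declarations."""
    out = {}
    for declaration in (style_attr or "").split(";"):
        if ":" in declaration:
            name, value = declaration.split(":", 1)
            out[name.strip().lower()] = value.strip().lower()
    return out


class _PageScanner(HTMLParser):
    """Collects <html lang>, the body text colour, and every <a> with its inline style."""

    def __init__(self):
        super().__init__()
        self.lang = None
        self.body_colour = DEFAULT_TEXT_COLOUR
        self.links = []  # (href, style dict, link text)
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "html":
            self.lang = a.get("lang")
        elif tag == "body":
            self.body_colour = _parse_style(a.get("style")).get("color", self.body_colour)
        elif tag == "a":
            self._current = [a.get("href") or "", _parse_style(a.get("style")), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[2] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def scan_page(html: str) -> dict:
    """Return the declared language and a list of accessibility findings for one page."""
    scanner = _PageScanner()
    scanner.feed(html)
    findings = []
    if not scanner.lang:
        findings.append("no lang attribute on <html>; screen readers cannot pick a voice")
    for href, style, text in scanner.links:
        ratio = contrast_ratio(style.get("color", DEFAULT_LINK_COLOUR), scanner.body_colour)
        # Links are underlined by default; an explicit text-decoration:none removes that cue.
        has_non_colour_cue = "none" not in style.get("text-decoration", "underline")
        if not has_non_colour_cue and ratio < MIN_LINK_CONTRAST:
            findings.append(
                f"link '{text.strip()}' ({href}) relies on colour alone with "
                f"{ratio:.2f}:1 contrast against body text (needs {MIN_LINK_CONTRAST:.0f}:1)"
            )
    return {"lang": scanner.lang, "findings": findings}


# Constructed sample: English page, dark grey body text, one link with its underline removed.
SAMPLE_PAGE = """<!DOCTYPE html>
<html lang="en"><body style="color:#333333">
<p>Consumer guides: <a href="/guides" style="color:#0000ee; text-decoration:none">read more</a>
or <a href="/contact" style="color:#0000ee">contact us</a>.</p>
</body></html>"""

# Constructed sample: no language declared at all.
SAMPLE_PAGE_NO_LANG = "<html><body><a href='/forms'>Forms</a></body></html>"

if __name__ == "__main__":
    for name, page in (("SAMPLE_PAGE", SAMPLE_PAGE), ("SAMPLE_PAGE_NO_LANG", SAMPLE_PAGE_NO_LANG)):
        result = scan_page(page)
        print(name, "lang:", result["lang"])
        for finding in result["findings"] or ["no findings"]:
            print("  -", finding)
```

The first sample reproduces the common failure the 3:1 rule targets: default blue link text on dark grey body text measures only about 1.3:1, so once the underline is removed the link is indistinguishable to a user who cannot perceive the hue difference; the same colour with its underline kept passes because the cue no longer depends on colour.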

IT Governance

To determine whether DOI established effective IT governance policies and procedures, we performed the following procedures.

Business Continuity and Disaster Recovery

To determine whether DOI’s business continuity plan complied with Section 6.1.1.4 of EOTSS’s Business Continuity and Disaster Recovery Standard IS.005, we interviewed knowledgeable DOI employees and inspected DOI’s business continuity plan to ensure that it addressed the following: critical business processes, DOI’s manual and automated processes, minimum operating requirements to resume critical functions, the designation of a business continuity lead, clearly defined and communicated roles and responsibilities, assigned points of contact, and annual updates.

To determine whether DOI’s disaster recovery plan complied with Section 6.2.1 of EOTSS’s Business Continuity and Disaster Recovery Standard IS.005, we interviewed knowledgeable DOI employees and inspected DOI’s disaster recovery plan to ensure that it addressed the following:

  • developing and maintaining processes for disaster recovery,
  • identifying relevant stakeholders,
  • conducting damage assessments of impacted IT infrastructure and applications,
  • establishing procedures that allow facility access to support the restoration of data in an emergency,
  • recovering critical agency services,
  • implementing interim means for performing critical business processes at or above minimum service levels, and
  • restoring service at the original site of impact without interruption.

See Finding 2 for an issue we identified regarding DOI’s business continuity plan.

Information Security Incident Response Plan and Procedures

To determine whether DOI’s information security incident response plan and procedures complied with Sections 6.5.1 and 6.5.2 of EOTSS’s Information Security Incident Management Standard IS.009, we interviewed knowledgeable DOI employees and requested DOI’s information security incident response plans and procedures. We learned that DOI relies on the Executive Office of Economic Development (formerly the Executive Office of Housing and Economic Development) for an information security incident response plan and procedures, so we inspected the Executive Office of Economic Development’s information security incident response plan and procedures to determine whether they complied with the aforementioned EOTSS policy.

See Finding 3 for an issue we identified regarding DOI’s information security incident response plan and procedures.

Cybersecurity Awareness Training

To determine whether DOI’s cybersecurity awareness training met the requirements of Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010, we performed the following procedures:

  • We inspected the cybersecurity awareness training certificates of completion for all six newly hired employees to determine whether they completed the new hire cybersecurity awareness training within 30 days of orientation.
  • We inspected the cybersecurity awareness training certificates of completion for a random sample of 35 out of a total population of 116 employees to determine whether they completed the annual refresher cybersecurity awareness training.

We noted no exceptions in our testing; therefore, we conclude that DOI’s cybersecurity awareness training met the requirements of Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010.

We used nonstatistical sampling methods for testing and therefore did not project the results of our testing to any population.

Data Reliability Assessment

Web Accessibility Testing

To determine the reliability of the site map spreadsheet that we received from DOI management, we interviewed knowledgeable DOI employees and checked that variable formats (e.g., dates, unique identifiers, and abbreviations) were accurate. Additionally, we ensured that there was no abbreviation of data fields, no missing data (e.g., hidden rows or columns, blank cells, and incomplete records), and no duplicate records and that all values in the data set corresponded with expected values.

We selected a random sample of 20 uniform resource locators (URLs)[7] that could be accessed independently from the DOI site map and traced them to the corresponding webpage, checking that each URL and page title matched the information on the DOI website. We also selected a random sample of 20 URLs from DOI’s website and traced each URL and page title to the site map to ensure that there was a complete and accurate population of URLs on the site map.

IT Governance Testing

To determine the reliability of the employee list from DOI management, we checked that variable formats (e.g., dates, unique identifiers, and abbreviations) were accurate. Additionally, we ensured that there was no abbreviation of data fields, no missing data (e.g., hidden rows or columns, blank cells, and incomplete records), and no duplicate records and that all values in the data set corresponded with expected values.

We selected a random sample of 10 employees from the employee list and traced their names to CTHRU, the Commonwealth’s statewide payroll open records system, to verify the list’s accuracy. We also selected a random sample of 10 employees from CTHRU and traced their names back to the employee list provided by DOI to ensure that we received a complete and accurate employee list.

Based on the results of the data reliability assessment procedures described above, we determined that the site map and employee list were sufficiently reliable for the purposes of our audit.

[7] A URL uniquely identifies an internet resource, such as a website.

Date published: March 19, 2024
