Audit of the Division Of Professional Licensure Objectives, Scope, and Methodology

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor (OSA) has conducted a performance audit of the Division of Professional Licensure (DPL) for the period July 1, 2017 through March 31, 2020.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Below is our audit objective, indicating the question we intended our audit to answer, the conclusion we reached, and where the objective is discussed in this report.

We gained an understanding of the internal control environment in the areas we deemed significant to our audit objective by conducting interviews with DPL management and other staff members, performing a walkthrough of DPL’s CORI and SORI check process for its Board of Registration of Cosmetology and Barbering, and reviewing DPL’s internal control plan.

Section 9.12 of the United States Government Accountability Office’s Government Auditing Standards states, “Auditors should . . . report any significant constraints imposed on the audit approach by information limitations or scope impairments.”

We initiated this audit to determine whether DPL conducted CORI and SORI checks for license applicants in accordance with the requirements of its license application process. However, DPL could not provide us with the information we needed to meet this audit objective.

DPL primarily uses two software programs to track license applications and renewals and maintain CORI and SORI check information: DPL’s 29 boards use the Accela software suite, and its Office of Public Safety and Inspections (OPSI) primarily uses a software application called MyLicense Office (MLO).

We were not able to determine whether DPL conducted CORI or SORI checks for all license applicants because the data in Accela and MLO were incomplete and inaccurate.

According to data in Accela, 61,720 unique individuals were granted licenses during the audit period; however, for 41,131 (67%) of these individuals, there was no CORI information in Accela. We also analyzed SORI information in Accela and determined that 25,918 (42%) of the 61,720 licensees did not have any such information. Further, the data in Accela were not defined correctly (e.g., date fields contained characters instead of numbers), which also compromised the integrity of the data.

According to data in MLO, OPSI issued 31,740 unique licenses during the audit period. Only 408 (1%) of the licensees had any CORI check information; 31,332 (99%) had none. As previously noted, OPSI only requires a CORI check for 9 of its 85 licenses. There is no field in MLO that indicates whether a CORI check is required. Because of this limitation, we could not determine how many of these 31,332 licensees should have had CORI checks.

We could not verify the total population of licenses issued by DPL’s 29 boards and OPSI during our audit period. DPL officials told us they could not provide hardcopy records we needed to reconcile to the data in Accela and MLO to determine the accuracy and completeness of the information in these databases.

We attempted to reconcile the CORI data in Accela to data from the Department of Criminal Justice Information Services (DCJIS), which administers the Commonwealth’s law enforcement information and criminal record systems and processes all requested CORI checks. DPL gave us a dataset that included all CORI checks conducted by DCJIS for DPL’s 29 boards during the audit period. The dataset showed 71,147 individuals with unique names and birthdates (aliases were included, so there may be multiple records for any one person) for whom DCJIS had conducted a CORI check. However, we could not compare the information in the DCJIS dataset to the CORI information in Accela because the data did not contain a unique identifier for each entry, such as a Social Security number, that was common to both data sources and would allow us to perform this analysis.

DPL also gave us a dataset that included all CORI checks conducted by DCJIS for OPSI during the audit period. The dataset indicated that DCJIS conducted CORI checks on 1,784 unique OPSI license applicants during the audit period. The difference between CORI checks conducted by DCJIS (1,784 records) and CORI checks in MLO (408 records) was significant, but we could not reconcile the DCJIS dataset to the information in MLO because DPL officials told us that the results of some OPSI CORI checks were not stored in MLO but rather in other databases.

During our audit, we shared our concerns about the CORI and SORI data with DPL management, and management acknowledged the deficiencies we identified and agreed that the databases were unreliable for both DPL and OSA.