Offered by the Office of the State Auditor

Audit of the Essex County District Attorney’s Office Objectives, Scope, and Methodology

An overview of the purpose and process of auditing the Essex County District Attorney’s Office.

Overview

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of certain activities of the Essex County District Attorney’s Office (EDAO) for the period July 1, 2022 through June 30, 2024. When examining employee settlement agreements, we extended the audit period to July 1, 2019 through June 30, 2024.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Below is a list of our audit objectives, indicating each question we intended our audit to answer; the conclusion we reached regarding each objective; and, if applicable, where each objective is discussed in the audit findings.

Objective | Conclusion

  1. To what extent did EDAO participate in the statewide sexual assault evidence collection kit (SAECK) tracking system as required by Section 18X(g) of Chapter 6A of the General Laws?
     Conclusion: To an insufficient extent; see Finding 1 and Other Matters
  2. Did EDAO ensure that all of its employees completed cybersecurity awareness training in accordance with its “Security Training and Awareness” policy and Section 6.2.3 of the Executive Office of Technology Services and Security’s (EOTSS’s) Information Security Risk Management Standard IS.010?
     Conclusion: No; see Finding 2
  3. Did EDAO have internal policies and procedures in place for (a) the review and approval of employee settlement agreements, including the use of non-disclosure, non-disparagement, or similarly restrictive clauses, and (b) the reporting of monetary employee settlements to the Office of the Comptroller of the Commonwealth (CTR) in accordance with Sections 5.06 and 5.09 of Title 815 of the Code of Massachusetts Regulations (CMR)?
     Conclusion: No; see Finding 3

To accomplish our audit objectives, we gained an understanding of the EDAO internal control environment relevant to our objectives by reviewing applicable policies, procedures, and its internal control plan, as well as by interviewing EDAO management and employees. We also reviewed Track-Kit system user manuals, which included user roles for prosecuting attorneys. We evaluated the design and implementation of the internal controls related to our audit objectives. We tested the operating effectiveness of internal controls related to the monitoring of employee cybersecurity awareness training.

In addition, to obtain sufficient, appropriate evidence to address our audit objectives, we performed the procedures described below.

Statewide SAECK Tracking System

To determine to what extent EDAO participated in the statewide SAECK tracking system as required by Section 18X(g) of Chapter 6A of the General Laws, we performed the following procedures:

  • We requested policies and procedures regarding the use of the Track-Kit system. EDAO informed us that it did not have any documented internal policies or procedures for how it should use the Track-Kit system.
  • We interviewed EDAO officials about EDAO’s use of the Track-Kit system. We were informed that EDAO does not and has not used it.
  • We conducted a walkthrough of the Track-Kit system with EDAO, observing the current status and test results of kits, as well as system reports for the 272 SAECKs collected within EDAO’s jurisdiction during the audit period. We also observed a sandbox [3] version of the prosecuting attorney and survivor portals within the Track-Kit system with the Executive Office of Public Safety and Security (EOPSS).
  • We reviewed Track-Kit system access logs for EDAO and compared the listed user accounts to EDAO’s current employee list.

For this objective, we found certain issues during our testing regarding the extent to which EDAO participated in the statewide SAECK tracking system. See Finding 1 and Other Matters for more information.

Cybersecurity Awareness Training

To determine whether EDAO ensured that all of its employees completed cybersecurity awareness training, in accordance with its “Security Training and Awareness” policy and Section 6.2.3 of EOTSS’s Information Security Risk Management Standard IS.010, we took the actions described below.

We obtained a list of 197 employees who were employed by EDAO during the audit period. We grouped these 197 EDAO employees into the following two categories: 63 EDAO employees with hire dates during the audit period (i.e., newly hired employees)—who were required to complete initial cybersecurity awareness training—and 134 EDAO employees with hire dates before the audit period (i.e., existing employees)—who were required to complete bimonthly cybersecurity awareness training.

We selected a random, nonstatistical sample [4] of 35 existing employees from the population of 134 and another random, nonstatistical sample of 20 newly hired employees from the population of 63.

To determine whether EDAO ensured that its employees within our two samples completed cybersecurity awareness training—the bimonthly training for our sample of 35 existing employees and the initial training for our sample of 20 newly hired employees—we took the actions described below for each sample.

We obtained a report of all the 1,599 cybersecurity awareness trainings completed during the audit period from EDAO’s training system. We inspected this report to determine whether there were cybersecurity awareness training completion dates recorded for each of the 35 existing employees.

To assess the timeliness of cybersecurity awareness trainings, we compared the training completion date to the training due date for all 1,599 training records to determine whether trainings were completed within five weeks of enrollment in accordance with EDAO’s internal training policy.

Additionally, for the newly hired employees in our sample, we compared their hire dates from the EDAO employee list to the dates on which they completed their initial cybersecurity awareness training, based on the training activity report for the audit period. We calculated the number of days between each newly hired employee’s hire date and their completion date to determine whether each of them completed the initial training within 30 days of being hired.
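The two completion tests described above (an existing employee must have a recorded completion, and each training must be completed within five weeks of enrollment; a newly hired employee must complete initial training within 30 days of hire), as an added Python example that is not part of the audit report or of EDAO’s training system. The employee list and training records below are constructed sample data; the audit period, the 30-day limit and the five-week window are taken from the text, and the record field names are assumptions.

```python
"""Cybersecurity awareness training completion and timeliness tests.

Added example; the EMPLOYEES and TRAININGS records are constructed, not audit data.
"""
from collections import defaultdict
from datetime import date, timedelta

AUDIT_START = date(2022, 7, 1)
AUDIT_END = date(2024, 6, 30)
NEW_HIRE_DAYS = 30                      # initial training due within 30 days of hire
RECURRING_WINDOW = timedelta(weeks=5)   # recurring training due within five weeks of enrollment

# Constructed employee list (field names are assumptions).
EMPLOYEES = [
    {"id": "E001", "name": "A. Alvarez", "hire_date": date(2018, 3, 12)},   # existing employee
    {"id": "E002", "name": "B. Burke",   "hire_date": date(2023, 2, 6)},    # newly hired
    {"id": "E003", "name": "C. Chen",    "hire_date": date(2021, 9, 1)},    # existing, never completes
    {"id": "E004", "name": "D. Dias",    "hire_date": date(2023, 11, 20)},  # newly hired, late
]

# Constructed training-system export; "completed" is None when only enrolled.
TRAININGS = [
    {"id": "E001", "enrolled": date(2022, 9, 1),   "completed": date(2022, 9, 15)},   # 14 days, on time
    {"id": "E001", "enrolled": date(2022, 11, 1),  "completed": date(2023, 1, 10)},   # 70 days, late
    {"id": "E002", "enrolled": date(2023, 2, 6),   "completed": date(2023, 2, 20)},   # initial, 14 days after hire
    {"id": "E003", "enrolled": date(2024, 3, 1),   "completed": None},                # enrolled, not completed
    {"id": "E004", "enrolled": date(2023, 11, 20), "completed": date(2024, 1, 15)},   # initial, 56 days after hire
]


def classify_employees(employees, start=AUDIT_START, end=AUDIT_END):
    """Split employees into newly hired (hire date inside the period) and existing (hired before it)."""
    new_hires = [e for e in employees if start <= e["hire_date"] <= end]
    existing = [e for e in employees if e["hire_date"] < start]
    return new_hires, existing


def completions_by_employee(trainings, start=AUDIT_START, end=AUDIT_END):
    """Map employee id -> sorted completion dates that fall inside the audit period."""
    done = defaultdict(list)
    for t in trainings:
        c = t["completed"]
        if c is not None and start <= c <= end:
            done[t["id"]].append(c)
    for dates in done.values():
        dates.sort()
    return done


def existing_without_completion(existing, trainings):
    """Existing employees with no completion recorded in the period (enrollment alone does not count)."""
    done = completions_by_employee(trainings)
    return sorted(e["id"] for e in existing if not done.get(e["id"]))


def late_recurring(trainings, window=RECURRING_WINDOW):
    """Records completed more than `window` after enrollment; records never completed are returned separately."""
    late, incomplete = [], []
    for t in trainings:
        if t["completed"] is None:
            incomplete.append(t)
        elif t["completed"] - t["enrolled"] > window:
            late.append(t)
    return late, incomplete


def initial_training_days(new_hires, trainings):
    """Days from hire date to first recorded completion for each new hire; None when nothing was completed."""
    done = completions_by_employee(trainings)
    return {
        e["id"]: (done[e["id"]][0] - e["hire_date"]).days if done.get(e["id"]) else None
        for e in new_hires
    }


def late_new_hires(new_hires, trainings, limit=NEW_HIRE_DAYS):
    """New hires whose initial training took longer than `limit` days or was never completed."""
    days = initial_training_days(new_hires, trainings)
    return sorted(i for i, d in days.items() if d is None or d > limit)


if __name__ == "__main__":
    new, old = classify_employees(EMPLOYEES)
    late, incomplete = late_recurring(TRAININGS)
    print("existing employees without a completion:", existing_without_completion(old, TRAININGS))
    print("late recurring trainings:", [(t["id"], str(t["enrolled"])) for t in late])
    print("enrolled but never completed:", [(t["id"], str(t["enrolled"])) for t in incomplete])
    print("days from hire to initial training:", initial_training_days(new, TRAININGS))
    print("new hires over 30 days:", late_new_hires(new, TRAININGS))
```

An employee who was only enrolled (E003) is reported both as an existing employee without a completion and as an incomplete record, which is the case a completion-date-only check would miss; a new hire with no completion at all is returned as None rather than dropped, so a missing record is flagged rather than silently counted as on time.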

For this objective, we found certain issues during our testing; namely, that EDAO did not ensure that all of its employees completed cybersecurity awareness training. See Finding 2 for more information.

State Employee Settlement Agreements

We requested a list of all employee settlements and complaints from a five-year period (July 1, 2019 through June 30, 2024). We were advised that EDAO had not entered into any settlement agreements with employees since the current administration began in January 2023, and EDAO management was not aware of any such settlements under the prior administration.

To corroborate EDAO’s statements, we performed the following procedures:

  • We contacted CTR to determine whether any EDAO employee settlements were reported in the CTR Settlement and Judgment Access database during the audit period. CTR confirmed that there were no records of employee settlements in the database.
  • We examined all eight EDAO employee complaints for the five-year audit period. We reviewed the complaint dates, descriptions of the complaints, actions administered or recommended, and the results of the complaints and determined that none of these complaints resulted in an employee settlement.
  • We selected a random, nonstatistical sample of five terminated employees from a population of 44 during the period and inspected their personnel files to determine whether any of them had employee settlements related to their termination. We determined that none of these terminations resulted in an employee settlement.
  • We then ran a data extract from the Commonwealth Information Warehouse [5] of all external legal expenses paid by EDAO for the period July 1, 2019 through June 30, 2024. For a random, nonstatistical sample of 30 legal expense records from a population of 549 attorney and legal support service expense records during the period, we requested supporting invoices. We reviewed the vendor names, invoice dates, amounts, invoice numbers, and descriptions of work performed for any mention of employee settlement agreements. No employee settlements were identified as a result of this review.

To determine whether EDAO had internal policies and procedures in place for (a) the review and approval of employee settlement agreements, including the language used, and (b) the reporting of employee settlement agreements to CTR, we performed the following procedures:

  • We conducted interviews with EDAO’s chief financial officer, chief legal counsel, and director of human resources because they were knowledgeable about the employee settlement process. They told us that EDAO follows CTR’s “Settlements and Judgments Policy” for monetary employee settlement agreements.
  • We inquired about internal policies and procedures regarding entering into, approving, and processing employee settlement agreements. We obtained from EDAO its “Policies, Procedures, and Guidelines—Settlements and Judgments,” an internal policy that requires the chief legal counsel, chief fiscal officer, and director of human resources to ensure that claims against the agency are negotiated and processed in compliance with 815 CMR 5.00. However, we noted that this policy became effective in July 2024 and, therefore, was not applicable to the audit period.
  • We inquired about internal policies and procedures regarding the use of non-disclosure, non-disparagement, non-publication, and similarly restrictive language in settlement agreements. EDAO management explained that the District Attorney and chief legal counsel would review and approve the terms and language of any settlement agreement before execution. We also found that EDAO’s “Policies, Procedures, and Guidelines—Settlements and Judgments,” which went into effect in July 2024, did not describe this practice.

We did not perform testing on the reporting to CTR because we did not identify any employee settlement agreements executed during the extended audit period. See Finding 3 for more information.

We used a nonstatistical sampling method for testing and, therefore, did not project the results of our testing to the corresponding populations.

Data Reliability Assessment

Cybersecurity Awareness Training

We obtained from EDAO a list of the 197 employees who were employed during the audit period. To determine the reliability of the list, we checked it for duplicate records and checked that employment start dates and termination dates were within the audit period. We traced employee names, identification numbers, and job titles from the employee list provided by EDAO to payroll summary data that we extracted from CTHRU, the Commonwealth’s statewide payroll open records system.

Further, we verified employee names, employment statuses, employee titles, hire dates, and termination dates (if applicable) for a random sample of 10 employees from the list to physical personnel files maintained by EDAO. Additionally, we vouched employee names, employment statuses, employee titles, hire dates, and termination dates (if applicable) from a random sample of 10 personnel files to the employee list provided by EDAO.

To determine the reliability of the cybersecurity awareness training data obtained from EDAO’s cybersecurity awareness training system, we reviewed System and Organization Control 2 Reports [6] covering the entire audit period. We ensured that certain information system control tests (access controls, security management, configuration management, contingency planning, and segregation of duties) had been performed without exception. We reviewed enrollment dates to ensure that the bimonthly trainings offered fell within the audit period. Additionally, we inspected the data for any hidden rows and columns. According to EDAO management, this is the only record of enrollment and completion of cybersecurity awareness training for EDAO employees.

Based on the results of the data reliability assessment procedures described above, we determined that the information we obtained during the course of our audit was sufficiently reliable for the purposes of our audit.

3.    A sandbox is a staged, controlled environment that can be used for testing or demonstrating software without impacting live systems or sensitive data.

4.    Auditors use nonstatistical sampling to select items for audit testing when a population is very small, the population items are not similar enough, or there are specific items in the population that the auditors want to review.

5.    The Commonwealth Information Warehouse contains budget, human resource, and payroll information as well as financial transaction data from the Massachusetts Management Accounting and Reporting System.

6.    A System and Organization Control report is a report on controls about a service organization’s systems relevant to security, availability, processing integrity, confidentiality, or privacy issued by an independent contractor.

Date published: November 25, 2025
