This page, Audit of the Executive Office of Education—Information Technology Contracts Objectives, Scope, and Methodology, is offered by the Office of the State Auditor.

Audit of the Executive Office of Education—Information Technology Contracts Objectives, Scope, and Methodology

An overview of the purpose and process of auditing the Executive Office of Education—Information Technology Contracts.

Overview

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of certain activities of the Executive Office of Education (EOE) for the period July 1, 2016 through June 30, 2018.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Below are the question we intended our audit to answer, the conclusion we reached regarding our objective, and where the objective is discussed in the audit findings.

Objective: 1. Does EOE effectively monitor its information technology (IT) contracts?

Conclusion: No; see Findings 1 and 2

We conducted this performance audit by using criteria from policies issued by EOE; the “Enterprise Information Security Policies and Standards” issued by the Executive Office of Technology Services and Security (EOTSS); the National Institute of Standards and Technology’s (NIST’s) Special Publication 800-53, Revision 4, titled Security and Privacy Controls for Federal Information Systems and Organizations; and the Information Systems Audit and Control Association’s (ISACA’s) document Control Objectives for Information and Related Technology [COBIT] 4.1. The EOTSS policies we used as criteria are also derived from NIST’s Special Publication 800-53, Revision 4.

According to ISACA’s website,

COBIT helps bridge the gaps amongst business requirements, control needs and technical issues. It is a control model to meet the needs of IT governance and ensure the integrity of information and information systems.

We gained an understanding of the internal controls over the monitoring process through interviews and observations.

To achieve our objective, we obtained a list of all 22 EOE IT contracts that were ongoing during our audit period and performed the following audit procedures:

  • We selected a judgmental nonstatistical sample of 6 of the 22 contracts and reviewed them to ensure that their terms and conditions complied with EOTSS’s “Third-Party Information Security Standard.”
  • We reviewed the same judgmental nonstatistical sample and asked EOE for evidence of monitoring activities related to these contracts to assess its monitoring of IT vendors.
  • We further reviewed the same sample and held discussions with EOE officials to determine whether EOE had established performance measures to be used to assess vendor performance.

We used nonstatistical sampling and therefore did not project the results of our testing to the population.

To assess the completeness and accuracy of the contract list, we interviewed knowledgeable employees at EOE and searched COMMBUYS [2] for EOE IT contracts in effect during the audit period. We obtained the list of contracts from COMMBUYS and then compared that to the list we received from EOE’s budget director, whom we also observed obtaining a list of contracts from the Commonwealth Information Warehouse. We determined that the list of IT contracts was complete and sufficiently reliable for the purposes of this audit.

2. According to the Operational Services Division’s website, COMMBUYS, which is managed by that division, “is the only official procurement record system for the Commonwealth of Massachusetts’ Executive Departments [and] offers free internet-based access to all public procurement information.”

Date published: October 11, 2019
