Audit of the Executive Office of Elder Affairs Objectives, Scope, and Methodology

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor (OSA) has conducted a performance audit of certain activities of the Executive Office of Elder Affairs (EOEA) for the period July 1, 2019 through June 30, 2021.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Below is a list of our audit objectives, indicating each question we intended our audit to answer; the conclusion we reached regarding each objective; and, if applicable, where each objective is discussed in the audit findings.

To achieve our audit objectives, we gained an understanding of EOEA’s internal control environment related to the objectives by reviewing applicable policies and procedures, as well as conducting inquiries with EOEA employees and management.

We performed the following procedures to obtain sufficient, appropriate audit evidence to address the audit objectives.

We determined whether EOEA developed a guidance manual addressing case record documentation practices for referring abuse reports to DAs’ offices. To do this, we interviewed EOEA officials and reviewed training materials, manuals, and guidelines that supported that EOEA and its protective services employees received training on the Protective Services Program, as well as abuse case investigation, record documentation, and reporting, during the audit period.

To determine whether EOEA established monitoring controls to ensure that each person involved in the DA referral process complies with 651 CMR 5.19, we interviewed EOEA officials who were responsible for establishing and implementing these controls. Specifically, we inquired about EOEA’s response to OSA’s 2018 post-audit review questionnaire where EOEA responded that it was running monthly queries to monitor the DA referral process to fix the issue OSA found that not all reports of abuse were referred to DAs’ offices. We requested the monthly queries that were completed during the audit period and any results that came from the queries. EOEA stated during an interview with us that it was unable to run the queries because of the volume of data and was in the process of trying to determine another way to monitor the process. (See Finding 1.)

To determine whether EOEA monitored the effectiveness of the Interview for Decisional Abilities (IDA) tool, we interviewed EOEA officials who were responsible for monitoring it and requested any reports and documentation regarding reviewing the form. We also requested training materials and any policies and procedures related to the IDA tool. EOEA officials stated in an email to us that its Adult Protective Services system was unable to run reports on the IDA tool because the forms were uploaded as Portable Document Format files, and therefore, EOEA was not monitoring the use of the IDA tool. (See Finding 2.)

To determine whether EOEA updated its ICP to address the effects of COVID-19, as required by CTR’s “COVID-19 Pandemic Response Internal Controls Guidance,” we received EOEA’s current fiscal year 2022 ICP from EOEA and reviewed it.

To determine whether all seven EOEA employees who had access to COVID-19 funds during our audit period completed annual refresher or new hire cybersecurity awareness training in accordance with the Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010, we obtained and inspected certificates of completion of cybersecurity awareness training for all these employees.

We received a list of its employees who had access to COVID-19 funds from EOEA. We performed validity and integrity tests on this list, including testing for duplicates and blank fields, as well as tracing the list to the Massachusetts Management Accounting and Reporting System.

In 2018 and 2022, OSA performed a data reliability assessment of the Massachusetts Management Accounting and Reporting System that focused on testing certain information system general controls, including access controls, application controls, configuration management, contingency planning, and segregation of duties.

Based on the results of our data reliability procedures described above, we determined the data to be sufficiently reliable for the purpose of this audit.