Audit of the Massachusetts Board of Library Commissioners Objectives, Scope, and Methodology

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of certain activities (specifically, those detailed in the table below) of the Massachusetts Board of Library Commissioners (MBLC) for the period July 1, 2020 through March 31, 2022.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Below is a list of our audit objectives, indicating each question we intended our audit to answer and the conclusion we reached regarding each objective.

To achieve our audit objectives, we gained an understanding of the internal control environment in the areas related to the objectives by reviewing applicable policies and procedures, grant agreements, vendor contracts, and MBLC’s ICP; interviewing MBLC management; and reviewing the processes related to our objectives. We evaluated the design of controls over the review of grant applications and the administration of these grants, the implementation of the post-construction review process, the update of the ICP, and the administration of employee cybersecurity awareness training. We also tested the operating effectiveness of controls over grant disbursements.

To obtain sufficient, appropriate evidence to address our audit objectives, we conducted the procedures detailed below.

To determine whether MBLC administered funding for its Summer Software Grant Program in accordance with the guidelines outlined in Remarks 2 and 3(c) of the IMLS CARES Act Grant and ensured that funds were disbursed within the grant award period of April 21, 2020 through September 30, 2021, we performed the following procedures.

• We obtained the Summer Software Grant Program recipient list from MBLC that listed the 75 recipients of the Beanstack licenses provided by the grant from MBLC during our audit period. MBLC maintains this list in a Microsoft Excel spreadsheet. Based on a low risk level, we selected a random, nonstatistical sample³ of 10 recipients of the Beanstack licenses and performed the following testing.
  • For our sample of 10 Summer Software Grant Program recipients, we reviewed MBLC’s description of the Summer Software Grant Program, as documented on its website, and the Massachusetts Higher Education Consortium’s⁴ description of Beanstack and compared these to Remark 2 of the IMLS CARES Act Grant to determine whether the funding was used for the purposes specified in the grant guidelines.
  • We reviewed MBLC’s directory of public libraries to confirm that the 10 Summer Software Grant Program recipients in our sample were listed in the directory. We reviewed Beanstack welcome letters and the separate websites that were provided to libraries to determine whether eligible libraries received Beanstack licenses.
  • We reviewed payments from the IMLS CARES Act Grant funds to the program vendor (Zoobean, Inc.) in the Massachusetts Management Accounting and Reporting System (MMARS) and confirmed that contracted amounts for our test sample of 10 Summer Software Grant Program recipients were made within the grant award period of April 21, 2020 through September 30, 2021, in accordance with Remark 4 of the IMLS CARES Act Grant.

To determine whether MBLC administered funding for its VPDL Grant Program in accordance with the guidelines outlined in Remarks 2 and 3(c) of the IMLS CARES Act Grant and ensured that funds were disbursed within the grant award period of April 21, 2020 through September 30, 2021, we performed the following procedures.

• We obtained Microsoft Excel spreadsheets containing two VPDL Grant Program recipient lists from MBLC, totaling 47 recipients. We selected a random, nonstatistical sample of 5 library grant recipients based on a low risk level. We performed the following testing with this sample.
  • We reviewed applications, final financial and written reports produced by the VPDL Grant Program recipients, and recipient grant agreements with MBLC specifying the use of these funds for the five library grant recipients in our sample and compared these to the requirements specified in the IMLS CARES Act Grant award language to determine whether these grants were provided for the purposes specified in this award language.
  • We reviewed MBLC’s directory of state libraries to confirm that each of the five library grant recipients in our sample was listed in the directory. We also reviewed payment documentation to determine whether these funds were disbursed to eligible libraries.
  • We reviewed payments from the IMLS CARES Act Grant funds to the five library grant recipients in our sample in MMARS and confirmed that they were made within the grant award period of April 21, 2020 through September 30, 2021, in accordance with Remark 4 of the IMLS CARES Act Grant.

To determine whether MBLC implemented a post-construction review process to ensure that the projects met their goals as recommended in our prior audit (No. 2018-0165-3S), issued July 10, 2018, we performed the following procedures.

• MBLC officials told us that they instituted a new post-construction review policy for projects approved in the 2016–2017 grant award period and that MBLC conducted post-construction reviews for projects that were completed for at least one year. We obtained a list of all five Massachusetts Public Library Construction Program projects from MBLC that were completed during our audit period. We then identified those projects that had been complete for at least one year. MBLC maintains this list in a Microsoft Excel spreadsheet.
• We requested documentation, such as project evaluations and survey reports, to determine whether MBLC conducted post-construction formal reviews for the two projects that we determined had been completed for at least one year during our audit period.
• We obtained and reviewed Construction Project Final Reports for both projects and determined whether these documents (1) described the types of projects; (2) documented proposed versus actual costs; (3) addressed the success, or other results, of the completed projects; and (4) described the completed projects’ impact on stakeholders, such as the community and employees.

To determine whether MBLC updated its ICP to address the COVID-19 pandemic in accordance with CTR’s “COVID-19 Pandemic Response Internal Controls Guidance,” we performed the following procedures.

• We reviewed MBLC’s most recent ICP to determine whether it had been updated with COVID-19 guidance, as required by CTR’s “COVID-19 Pandemic Internal Controls Guidance,” because COVID‑19 had caused a significant change to the work environment.
• We also examined the most recent ICP to determine whether it contained the components required by CTR’s “COVID-19 Pandemic Response Internal Controls Guidance.”

To determine whether MBLC employees who were responsible for managing COVID-19 grant funds completed required cybersecurity awareness training, we performed the following procedures.

• We obtained a list of employees who had worked at MBLC during the audit period from MBLC. MBLC maintains this list in a Microsoft Excel spreadsheet.
• We identified the four employees who worked at MBLC during our audit period who were responsible for managing COVID-19 grant funds.
• We requested from MBLC management all certificates of completion of cybersecurity awareness training for MBLC employees responsible for managing COVID-19 grant funds during the audit period. We determined whether they completed the training in accordance with Section 6.2.3 (if they were newly hired employees) and Section 6.2.4 (if they were existing employees) of EOTSS’s Information Security Risk Standard IS.010, as well as CTR’s “COVID-19 Pandemic Response Internal Controls Guidance.”
• Our review found that MBLC employees were not able to take fiscal year 2020 cybersecurity awareness training, as this training was not initially offered to them by EOTSS. This error was not resolved until the fiscal year 2021 training was offered.
• We reviewed cybersecurity awareness training certificates of completion to confirm that those employees completed training during our audit period.

When nonstatistical sampling methods were used, we did not project the results of our testing to the population.

Summer Software Grant Program

We assessed the reliability of the Summer Software Grant Program recipient list that we obtained from MBLC by interviewing knowledgeable personnel at MLBC about this list and testing for hidden records and duplicate values. MBLC maintains this list in a Microsoft Excel spreadsheet. In addition, we reviewed supporting documentation for a total of 10 Summer Software Grant Program recipients out of a total of 75 from the list to ensure that the list was accurate. We confirmed that these grant recipients were awarded Beanstack licenses by obtaining an extract of participant records from the Beanstack directory and obtained and verified the unique Beanstack website for each selected grant recipient.

VPDL Grant Program

We assessed the reliability of the VPDL Grant Program recipient list from MBLC by interviewing knowledgeable personnel at MBLC about these lists and testing for hidden records and duplicate values. MBLC maintains these lists in Microsoft Excel spreadsheets. Further, to verify that the list was complete and accurate, we traced a total of 10 VPDL Grant Program records out of a total of 47 from the list to and from source documents, such as grant agreements.

Post-Construction Review Process

We assessed the reliability of the list of construction projects from MBLC by interviewing knowledgeable personnel at MBLC about this list and testing for hidden records and duplicate values. MBLC maintains this list in a Microsoft Excel spreadsheet. We verified the total number of 2016–2017 construction grant awards by comparing the total number of records on MBLC’s list of construction projects to the records published on MBLC’s website.

To verify that the list was complete and accurate, we traced a total of 10 libraries from this list to and from source documents, such as contract agreements. Finally, for the construction projects identified as completed, we reviewed letters from municipalities to MBLC confirming that the projects were closed. We also reviewed MMARS payment confirmations and MBLC 2016–2017 Construction Grant Round Disbursement Forms to confirm that MBLC had made its final payments to the municipalities.

MBLC Employee List

We assessed the reliability of the list of employees who worked at MBLC during the audit period from MBLC by interviewing knowledgeable personnel at MBLC about this list. We verified that the list that we received from MBLC was complete and accurate by executing a query in the Human Resources Compensation Management System, the Commonwealth’s human resources and payroll system, and comparing our list to the records provided by MBLC. Further, we identified the employees who were responsible for managing COVID-19 grant funds by inquiring with MBLC and reviewing COVID-19 grant funds approvals and MMARS transactions. Finally, we determined whether a hardcopy human resources file existed for each of the four employees identified as responsible for managing COVID‑19 grant funds.

MMARS

In 2018 and 2022, the Office of the State Auditor performed a data reliability assessment of MMARS that focused on testing selected system controls (access, security awareness, audit and accountability, configuration management, identification and authentication, and personnel security). As part of our current audit, we reviewed MBLC’s cybersecurity awareness policies and procedures and personnel security policies and procedures. Further, we verified that all nine MBLC employees who had access to MMARS during the audit period had MMARS authorizations.

Based on the results of our data reliability assessments, we determined that the information obtained for our audit period was sufficiently reliable for the purposes of our audit objectives.

Our audit revealed no significant instances of noncompliance by MBLC that must be reported under generally accepted government auditing standards.