Audit of the Massachusetts Commission against Discrimination Objectives, Scope, and Methodology

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of certain activities of the Massachusetts Commission against Discrimination (MCAD) for the period January 1, 2019 through December 31, 2020.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Below is a list of our audit objectives, indicating each question we intended our audit to answer, the conclusion we reached regarding each objective, and where each objective is discussed in the audit findings.  

To achieve our objectives, we gained an understanding of MCAD’s internal control environment related to the objectives by reviewing applicable agency policies and procedures, as well as conducting inquires with MCAD management and personnel.

To determine whether MCAD finished each of the 2,854 investigations completed during the audit period within the time required by 804 CMR 1.05, we computed the time it took to complete each investigation (the time between the date it was opened and the date it was completed) and computed the number and percentage of investigations that exceeded the CMR completion time.

Because our analytical procedures indicated that a significant number of investigations took longer than the allowable time to complete, we evaluated a nonstatistical, judgmental sample of 88 of the 1,308 investigations that exceeded the allowable time. We analyzed the time between events, such as the time to contact an attorney or assign a new investigator, in each of these investigations to assess whether there was a delay related to a specific event that significantly contributed to investigations taking more than two years to complete.

We also analyzed whether the mediation process resulted in a significant reduction of the backlog by comparing the completion time for investigations that were settled using mediation to the time for those that were completed without mediation.

We used nonstatistical sampling methods and therefore did not project the results of our testing to the population.

We assessed whether MCAD notified CTR of the $75,000 in 2019 CARES Act funds received from HUD. We interviewed key MCAD personnel to discuss the ICP and how MCAD had followed CTR’s “COVID-19 Pandemic Response Internal Controls Guidance.” We also inspected amendments to MCAD’s policies and procedures related to the processing of CARES Act funds and determined whether MCAD had updated its ICP to meet CTR’s requirements related to the COVID-19 pandemic.

There were two employees responsible for managing CARES Act funds. We requested and inspected screenshots of their most recent training certificates to determine whether the training was sufficient to comply with EOTSS Information Security Risk Management Standard IS.010.

To assess the reliability of the data from the case management system (CMS) MCAD uses to record events, and the commission’s actions during investigations of complaints, we gained an understanding of the CMS information system controls by interviewing employees with knowledge about the data and reviewed MCAD’s policies for the following: access controls, security management, configuration management, contingency planning, and segregation of duties.

In addition, we performed electronic testing to verify that there were no duplicates and no closed cases outside the audit period; that there were valid date entries for dates complaints were entered, filed, and closed; and that there were valid entries for case statuses within our audit period.

Further, we ensured the completeness and accuracy of the data from the CMS by selecting a sample of 20 investigations from the CMS and verifying that each investigation’s file date matched its hardcopy intake form. In addition, we selected a random sample of 5 investigations from the CMS and traced both the file date and the close date for each investigation back to the hardcopy case file. Further, we selected a random sample of 5 investigations from the hardcopy case files and traced each file date and close date to the CMS.

Based on the data reliability assessment, we determined that the data were sufficiently reliable for the purposes of this audit.