Audit of the Massachusetts Convention Center Authority Objectives, Scope, and Methodology

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of certain activities of the Massachusetts Convention Center Authority (MCCA) for the period January 1, 2021 through December 31, 2022. When examining MCCA’s procurement and employee complaint practices, we extended the audit period back through January 1, 2018.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Below is a list of our audit objectives, indicating each question we intended our audit to answer; the conclusion we reached regarding each objective; and, if applicable, where each objective is discussed in the audit findings.

To accomplish our audit objectives, we gained an understanding of MCCA’s internal control environment relevant to our objectives by reviewing applicable agency policies and procedures, as well as by interviewing MCCA’s staff members and management. We evaluated the design and implementation of internal controls and tested the operating effectiveness of controls related to the approval of procurement purchases. We identified an issue regarding MCCA’s internal controls for its employee complaint process. See Finding 6 for more information.

In addition, during the course of our audit, we identified issues regarding certain information system general controls over MCCA’s procurement system. See Finding 9 for more information.

To obtain sufficient, appropriate evidence to address our audit objectives, we performed the procedures described below.

To determine whether MCCA had a process in place to ensure that it met the fiscal years 2021 and 2022 benchmarks set by SDO for contracting with minority-owned, women-owned, and veteran-owned businesses, we took the following actions:

• During the course of our audit, we held multiple interviews with MCCA officials to gain an understanding of how MCCA develops its discretionary spending budget and how MCCA reports its spending to SDO.
• We reviewed the Supplier Diversity Comprehensive Annual Report for both fiscal years 2021 and 2022 to identify the amounts of MCCA’s discretionary budget¹⁰ spent that would qualify toward meeting SDO’s benchmarks for contracting with minority-owned, women-owned, and veteran-owned businesses. These reports indicated that MCCA did not meet SDO’s benchmarks for fiscal years 2021 or 2022. We then inquired with MCCA officials to determine why MCCA did not meet these benchmarks.

See Finding 1 for more information regarding the results of our testing of MCCA’s supplier diversity spending.

To determine whether MCCA adhered to its procurement and purchasing policies for purchases made during our extended audit period of January 1, 2018 through December 31, 2022, we took the following actions. We obtained all purchases made from MCCA’s procurement systems and grouped them based on contract numbers to determine the entire amount per contract. This allowed us to ensure that MCCA was not splitting purchases into lesser amounts to circumvent spending threshold guidelines. We then divided our population into two categories based on the spending thresholds for purchases over $10,000 outlined in MCCA’s “Procurement, Purchasing and Payment Policy and Guidelines.”

For purchases that MCCA made between $10,000 and $50,000, we selected a random, nonstatistical sample of 35 purchases from the population of 214 purchases for goods or services that were not procured through Operational Services Division–approved contractors. We reviewed each purchase in our sample to determine whether MCCA obtained three quotes before the purchase, selected the lowest quote, and retained records that included who provided the quote, the date the quote was provided, and the amount quoted for all quotes, in accordance with MCCA’s policies for purchases of these amounts.

For purchases that MCCA made that were $50,000 and over, we selected a judgmental,¹¹ nonstatistical sample of 35 purchases from the population of 144 purchases for goods and services that were not procured through Operational Services Division–approved contractors. We reviewed each order to determine whether MCCA published a bid invitation or request for proposals, obtained bids before the purchase, selected the lowest bid amount, and retained all supporting documentation (i.e., proof of bid invitation or request for proposals, dollar amounts of bids submitted, and contract awarded). We also determined whether MCCA received board approval for purchases over $250,000. Additionally, we reviewed the term length of the contracts in our sample to determine whether MCCA received board approval before entering into contracts that extended beyond three years, as required by Section 12 of Chapter 30B of the General Laws as follows:

Unless authorized by majority vote, a procurement officer shall not award a contract for a term exceeding three years, including any renewal, extension, or option. Such authorization may apply to a single contract or to any number or types of contracts, and may specify a uniform limit or different limits on the duration of any such contracts.

See Findings 2, 3, and 4 for more information regarding the results of our testing of MCCA’s procurement.

To determine whether MCCA developed ballroom event safety plans in accordance with MCCA policies and Section 20.1.5.6.1 of the Massachusetts Comprehensive Fire Safety Code, we took the following actions:

• We selected a random, nonstatistical sample of 20 ballroom events from the list of all 90 ballroom events from the audit period, which came from MCCA’s event management system.

• For each event in our sample, we examined supporting documentation (including pre-event security surveys, security proposals, employee rosters, attendance records, and safety plans) to determine whether MCCA created an event safety plan, sent pre-event security surveys to each client, and scheduled the required number of crowd managers for each ballroom event.

• To identify any instances of unnecessary overstaffing of crowd managers, we compared the minimum number of crowd managers required for each event to the number of crowd managers scheduled. For events that we found to have more than the required number of crowd managers scheduled, we reviewed the safety plans to determine a reason for the extra crowd managers.

See Finding 5 for more information regarding the results of our testing related to the development of safety plans for ballroom events.

To determine whether MCCA developed event safety plans for non-ballroom events in accordance with its “[Public Safety Department] Standard Operating Procedures Event Security Assessment Program,” we took the following actions:

• We selected a judgmental, nonstatistical sample of 40 non-ballroom events from the list of all 362 non-ballroom events from the audit period, which came from MCCA’s event management system.
• For each event in our sample, we examined supporting documentation (including pre-event security surveys, security proposals, employee rosters, attendance records, and safety plans) to determine whether MCCA created an event safety plan, sent pre-event security surveys to each client, and scheduled the required amount of crowd managers for each non-ballroom event.
• To identify any instances of unnecessary overstaffing of crowd managers, we compared the minimum number of crowd managers required for each event to the number of crowd managers scheduled. For events that we found to have more than the required number of crowd managers scheduled, we reviewed the safety plans to determine a reason for the extra crowd managers.

See Finding 5 for more information regarding the results of our testing related to the development of safety plans for non-ballroom events.

To determine whether MCCA followed a process when determining whether to enter into, and when reviewing and finalizing, non-union employee settlement agreements, we took the following action:

• As part of our internal control review, we interviewed MCCA’s general counsel and now-former chief financial officer to determine the steps MCCA takes when entering into a settlement agreement. During this interview, these MCCA officials told us that MCCA did not have a documented process for reviewing and finalizing its non-union employee settlement agreements.

See Finding 7 for more information regarding the results of our testing of the process for non-union employee settlement agreements.

We used nonstatistical sampling methods for testing and, therefore, did not project the results of our testing to any corresponding population.

Procurement

To determine the reliability of the data received from MCCA’s procurement systems used during the audit period, we interviewed MCCA officials who were knowledgeable about the data. We also tested certain general information system controls (including security management, access controls, configuration management, segregation of duties, and contingency planning) over MCCA’s current procurement system. See Finding 9 for more information regarding the results of our testing of the procurement system controls.

From both of the procurement systems used during the audit period, we obtained both a list of purchases and a list of invoices for a total of four data sets.¹² For each of these four data sets, we tested to ensure that there were no blank fields or duplicates and that all the data was from within the audit period. Further we selected a random sample of 20 transactions from each of the four data sets for a total of 80 transactions and traced the data to the original purchase and/or invoice.

Ballroom and Non-Ballroom Events

To determine the reliability of the list of ballroom and non-ballroom events from MCCA’s event management system, we interviewed employees knowledgeable about the data. For the event data obtained for the audit period, we tested to ensure that there were no blank fields or duplicates and that all of the data was from within the audit period. Further, we performed a reconciliation to match the data from the event management system to a separate listing of MCCA events.

Non-Union Employee Complaints

We received a list of 72 lines of data for employee complaints from the now-former director of human resources. However, we did not rely on this list for testing, as it was missing dates and names, had incorrect complaint descriptions (for example, one complaint stated that an employee received “respectful treatment” instead of “disrespectful treatment”), and one line of data was missing all information except the type of complaint filed. The interim director of human resources at the time of our audit and the assistant general counsel provided us with 83 hardcopy employee complaint files dating back to November 2015, which we manually compiled into a list by doing the following:

• We reviewed all of the provided complaint files to determine whether the dates associated with the complaints fell within the extended audit period (January 1, 2018 through December 31, 2022).
• We verified that 71 of the complaint files that we received were on the original list of complaints provided, and the other 12 complaint files were not included on that list. Of the 83 hardcopy complaint files, the following were inapplicable to our testing: 29 that were from outside of the audit period, 2 that were for complaints brought to the Human Resources Department against clients or contractors, and 25 that were filed by union employees. The remaining 27 of these 83 complaint files were non-union employee complaints filed during the audit period. We used these 27 complaint files as the population of non-union employee complaints for our testing.

We used this data as it was the only source of data available for our audit objective see Finding 6.

Based on the results of the data reliability assessment procedures described above, we determined that the information obtained for the audit period was sufficiently reliable for the purposes of our audit.