This page, Audit of the Massachusetts District Attorneys Association Objectives, Scope, and Methodology, is offered by the Office of the State Auditor.

Audit of the Massachusetts District Attorneys Association Objectives, Scope, and Methodology

An overview of the purpose and process of auditing the Massachusetts District Attorneys Association.

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of certain activities of the Massachusetts District Attorneys Association (MDAA) for the period July 1, 2022 through June 30, 2024.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Below is a list of our audit objectives, indicating each question we intended our audit to answer; the conclusion we reached regarding each objective; and, if applicable, where each objective is discussed in the audit findings.

Objective 1: Did MDAA provide Commonwealth district attorneys (DA) offices with sufficient technical assistance that coordinated and standardized DA office organization, operations, and procedures in accordance with Section 20D of Chapter 12 of the General Laws?
Conclusion: Partially; see Finding 1

Objective 2: Did MDAA comply with its annual reporting requirements regarding child abuse and neglect cases in accordance with Section 20D of Chapter 12 of the General Laws?
Conclusion: Partially; see Finding 2 and Other Matters

To accomplish our objectives, we gained an understanding of the MDAA internal control environment relevant to our objectives by reviewing applicable policies and procedures and by interviewing MDAA management. In addition, to obtain sufficient, appropriate evidence to address our audit objectives, we performed the procedures described below.

DA Office Coordination and Standardization

To determine whether MDAA provided Commonwealth DA offices with sufficient technical assistance that coordinated and standardized DA office organization, operations, and procedures in accordance with Section 20D of Chapter 12 of the General Laws, we took the following actions related to information technology (IT) expenses, security reports, and the case management system (CMS).

IT Expenses

We selected a random, nonstatistical[4] sample of 25 IT expenses out of a population of 341 IT expenses that MDAA incurred during the audit period. We obtained an invoice for each corresponding IT expense and reviewed the information on each invoice (i.e., vendor name, the item or service purchased, the purchase description, and which DA office benefited from the expense) to determine whether the expense directly supported any of 11 DAs and was related to IT (e.g., technical assistance, hardware, software, or internet service fees).

Security Reports

We obtained all 28 (100%) of the security reports[5] that were generated during the audit period. We reviewed each security report to identify the number of active devices on the wide area network (WAN) within each report, as well as the total number of devices that were unpatched, vulnerable, or lacked antivirus protection. We calculated the number of unpatched devices and the percentage change in the patch levels from month to month. We then calculated the average number of unpatched and vulnerable devices and determined whether there was a trend showing an increase or decrease in the vulnerability of the devices on the WAN during the audit period.

CMS

We conducted multiple interviews with MDAA officials regarding the adequacy of the CMS that was in place during the audit period and obtained screenshots of it. We conducted internet research regarding the CMS and reviewed relevant audit findings from prior Office of the State Auditor reports (i.e., our audit of the Cape and Islands District Attorney’s Office, issued in March 2021, and our audit of the Middlesex County District Attorney’s Office, issued in June 2021). Additionally, we obtained two reports from the Massachusetts Juvenile Justice Policy and Data (JJPAD) Board, dated June 2019 and March 2022. We reviewed these reports for any findings or insights related to the CMS and, using this information, we determined whether the current CMS was adequate for the needs of all 11 DA offices.

For this objective, we found certain issues during our testing. See Finding 1 for more information.

Annual Child Abuse and Neglect Reporting Requirements

To determine whether MDAA complied with its annual reporting requirements regarding child abuse and neglect cases in accordance with Section 20D of Chapter 12 of the General Laws, we took the following actions. First, we obtained all two (100%) of the Reports on the Status of Child Abuse and Neglect Cases that were generated during the audit period. We reviewed each report to determine whether it was filed with the clerks of the Senate and the House; the Senate and the House Committees on Ways and Means; the Joint Committee on Children, Families and Persons with Disabilities; the Joint Committee on the Judiciary; the Office of the Child Advocate; and the Governor. We determined whether each report contained the required information listed in Section 20D of Chapter 12 of the General Laws, specifically, the status of child abuse and neglect cases that were referred for criminal prosecution (including the number of cases that resulted in prosecution, the results of those prosecutions, the principal reason for decisions not to prosecute, and what resources would have assisted in corresponding investigations and prosecutions). We then determined whether each report contained accurate information by comparing the information in the report to the source information provided by each DA office. We also contacted the recipients of the reports to determine how the information in the reports was used and whether the information was beneficial to each recipient.

For this objective, we found certain issues during our testing. See Finding 2 and Other Matters for more information.

We used nonstatistical sampling methods for testing and therefore did not project the results of our testing to the corresponding populations.

Data Reliability Assessment

To determine the reliability of the data from MDAA’s local computer network system, we assessed certain areas within MDAA’s information system controls (e.g., configuration management, the monitoring of configuration changes, application controls, security management, controls over the segregation of duties, and IT general access controls). We tested data regarding all 10 MDAA employees who were active during the audit period to determine whether background checks were performed at their time of hire and whether their computer user access rights matched their titles and positions. We also determined whether employees who were terminated during the audit period had their computer network access removed. We tested 3 employees hired during the audit period to determine whether they had completed initial cybersecurity awareness training and tested the remaining 7 to determine whether they completed annual refresher cybersecurity awareness training.

We observed MDAA officials query the number of computer network users and extract 2,864 computer network users[6] from their computer network (of whom 10 were specifically MDAA employees who were active during the audit period and thus constituted our testing population for cybersecurity awareness training and personnel screening). The chief information officer then provided these records to us in Microsoft Excel workbooks. We determined whether the number of users we observed in the system matched the corresponding number of users in the Excel workbooks. We tested the data to ensure that it did not contain certain spreadsheet issues (e.g., embedded data; hidden objects such as names, rows, columns, or worksheets; duplicate records; or missing values in necessary data fields).

We also traced all 10 MDAA computer network users to the Human Resources Compensation Management System, which is the Commonwealth’s official payroll system, to ensure that each of the 10 MDAA computer network users was an active MDAA employee during the audit period.

To determine the reliability of IT transactions, we interviewed MDAA management who were knowledgeable about the data and observed the chief fiscal officer query MDAA’s finance system and extract 444 transactions incurred during the audit period. The chief fiscal officer then provided these 444 transactions to us in a Microsoft Excel workbook. We determined whether the total number of transactions we observed within the system matched the total number of transactions in the Excel workbook. We refined the data by removing transactions related to salaries, employee reimbursements, and payroll taxes, and then sorted the data specific to the audit period, resulting in a population of 341 IT transactions. We tested the data to ensure that it did not contain certain spreadsheet issues (e.g., embedded data; hidden objects such as names, rows, columns, or worksheets; duplicate records; or missing values in necessary data fields). We selected a random sample of 20 IT transactions and traced certain information on each transaction (i.e., fiscal year; period; department; cash expense amount; acceptance date; appropriation number; object code, which indicates the type of good or service in question; vendor customer code; and vendor’s legal name) to source documents (e.g., invoices, purchase orders, and email approvals). We then selected a judgmental sample[7] of 20 digital copy invoices and traced certain information in each invoice (i.e., fiscal year, period, department, cash expense amount, acceptance date, appropriation number, object code, vendor customer code, and vendor’s legal name) to the information listed in the IT transaction Excel workbook.

Based on the results of the data reliability assessment procedures described above, we determined that the information we obtained during the course of our audit was sufficiently reliable for the purposes of our audit.

4. Auditors use nonstatistical sampling to select items for audit testing when a population is small (usually less than 1,000). Auditors generally use a software program to choose a randomly generated sample.

5. Security reports are automatically generated each month. However, during the audit period, MDAA generated the reports twice per month in some months.

6. The 2,864 computer network users were composed of all WAN users across the 11 DA offices, which included test and guest accounts. We only included the 10 MDAA users who were active during the audit period in our population.

7. Auditors use judgmental sampling to select items for audit testing when a population is very small, the population items are not similar enough, or there are specific items in the population that the auditors determine are appropriate to review. Auditors use their knowledge and judgment to select the most appropriate sample. For example, an auditor might select items from areas of high risk. The results of testing using judgmental sampling cannot be used to make conclusions or projections about entire populations; however, they can be used to identify specific issues, risks, or weaknesses.

 

Date published: November 17, 2025
