Overview
In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of certain activities of the Massachusetts Office of Business Development (MOBD) for the period November 1, 2020 through June 30, 2022.
We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.
Below is a list of our audit objectives, indicating each question we intended our audit to answer; the conclusion we reached regarding each objective; and, if applicable, where each objective is discussed in the audit findings.
| Objective | Conclusion |
|---|---|
| 1. Did MOBD encourage businesses owned by people within minority groups, women, veterans, and people with disabilities to apply for tax credits through the Economic Development Incentive Program (EDIP) and/or the Massachusetts Vacant Storefront Program (MVSP), as stated in the “Goals & Initiatives” section of MOBD’s EDIP Fiscal Year 2020 and 2021 Annual Reports? | No; see Finding 1 |
| 2. Did MOBD track diversity-related metrics that helped it measure its success in meeting its goal to encourage businesses owned by people within minority groups, women, veterans, and people with disabilities to apply for tax credits in the EDIP and/or the MVSP, as stated in the “Goals & Initiatives” section of MOBD’s EDIP Fiscal Year 2020 and 2021 Annual Reports? | No; see Finding 1 |
| 3. Did MOBD ensure that EDIP awardees submitted an equal opportunity employment / affirmative action statement or plan, as required by Section 1(d) of Part V of the EDIP Supplemental Application? | Yes |
| 4. Did MOBD provide annual cybersecurity awareness training to its employees, as required by Sections 6.2.3 and 6.2.4 of the Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010? | No; see Finding 2 |
To accomplish our audit objectives, we gained an understanding of the aspects of MOBD’s internal control environment relevant to our objectives by reviewing MOBD’s internal control plan and by interviewing MOBD officials.
To obtain sufficient, appropriate evidence to address our audit objectives, we performed the following procedures.
EDIP and MVSP Outreach
To determine whether MOBD encouraged businesses owned by people within minority groups, women, veterans, and people with disabilities to apply for tax credits through the EDIP and/or the MVSP, as stated in the “Goals & Initiatives” section of MOBD’s EDIP Fiscal Year 2020 and 2021 Annual Reports, we took the following actions. We conducted interviews with management and employees, specifically inquiring about policies and procedures regarding outreach targeted toward the types of businesses relevant to our audit objectives. We inquired whether MOBD had procedures to identify these types of businesses, had directly reached out to these businesses, and had either collected diversity-related metrics or sought approval to collect diversity-related metrics from applicants.
MOBD provided us with PDF copies of the two types of Microsoft PowerPoint files it uses in the presentations that it conducts for its employees and for helping municipalities inform businesses about the EDIP and/or the MVSP. We reviewed both types of PDF copies to determine whether they included language specifically targeting businesses owned by people within minority groups, women, veterans, and people with disabilities. We noted that neither of the two types of PDF copies did. We also reviewed the emails that MOBD sent to municipal employees to promote its general information session presentation. We reviewed these emails for evidence of information that would indicate that MOBD either specifically invited or would be discussing topics relevant to businesses owned by people within minority groups, women, veterans, and people with disabilities. We determined that these emails did not include language specifically targeting businesses owned by people within minority groups, women, veterans, and people with disabilities.
MOBD provided us with a list of the population of all 40 applications (of which, the Economic Assistance Coordinating Council (EACC) certified 26 and did not certify 14) that various businesses submitted during the audit period. The list included 39 unique businesses (one business applied twice). As we learned that MOBD did not collect any diversity-related metrics from applicants, we reached out to the Supplier Diversity Office5 to confirm the certification status of all EDIP and MVSP applicants during the audit period.
See Finding 1 for more information regarding the results of our testing of whether MOBD encouraged businesses owned by people within minority groups, women, veterans, and people with disabilities to apply for tax credits through the EDIP and/or the MVSP.
EDIP and MVSP Diversity-Related Metrics Tracking
To determine whether MOBD tracked diversity-related metrics that helped it measure its success in meeting its goal to encourage businesses owned by people within minority groups, women, veterans, and people with disabilities to apply for tax credits in the EDIP and/or the MVSP, as stated in the “Goals & Initiatives” section of MOBD’s EDIP Fiscal Year 2020 and 2021 Annual Reports, we took the following actions. We interviewed MOBD employees to discuss whether MOBD collected diversity-related metrics from applicants through self-identification.
MOBD provided us with Microsoft Excel spreadsheets that it uses to track various metrics that cover the seven quarters of the audit period. These spreadsheets are organized by the following functions:
- One spreadsheet (used by the EDIP project manager) internally tracks applications and related materials for EACC quarterly meetings.
- One spreadsheet documents each EDIP Preliminary Application that MOBD receives by quarter. This spreadsheet includes MOBD’s recommendation to EACC, including any recommendations and reasons not to certify certain projects.
- One spreadsheet documents each business’s tax liability projected over multiple years.
- One spreadsheet shows the EDIP tax credit amount that each business should receive based on the tax liability that the business projected in its application.
We reviewed each spreadsheet for evidence that MOBD collected diversity-related metrics from applicants.
See Finding 1 for more information regarding the results of our testing of whether MOBD tracked diversity-related metrics that helped it measure its success in meeting its goal to encourage businesses owned by people within minority groups, women, veterans, and people with disabilities to apply for tax credits in the EDIP and/or the MVSP.
Equal Opportunity Employment / Affirmative Action Statement or Plan Submission
To determine whether MOBD ensured that EDIP awardees submitted an equal opportunity employment / affirmative action statement or plan, as required by Section 1(d) of Part V of the EDIP Supplemental Application, we took the following actions. We obtained copies of each EDIP Supplemental Application submitted by all 20 businesses that EACC awarded during the audit period. We reviewed the documentation (i.e., the EDIP Supplemental Application and the equal opportunity employment / affirmative action statement or plan) to confirm that each business described its hiring policies and practices.
We noted no exceptions in our testing; therefore, we determined that, during the audit period, MOBD ensured that all EDIP awardees submitted an equal opportunity employment / affirmative action statement or plan.
Cybersecurity Awareness Training
To determine whether MOBD provided annual cybersecurity awareness training to its employees, as required by Sections 6.2.3 and 6.2.4 of the Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010, we took the following actions. We obtained a list of MOBD employees who were active during the audit period from the Executive Office of Economic Development.6 This list included 11 MOBD employees who were active as of June 30, 2021 and 10 MOBD employees who were active as of June 30, 2022. Also, the Executive Office of Economic Development’s compliance and internal control officer extracted cybersecurity awareness training data from the two training systems that MOBD used during the audit period. For each existing employee in the employee lists, we reviewed the training data for evidence that each existing employee completed the training on an annual basis. For each employee who was newly hired during the audit period, we reviewed the training data for evidence that they completed the training within 30 days of hire.
See Finding 2 for more information regarding the results of our testing of whether MOBD provided annual cybersecurity awareness training to its employees.
Data Reliability Assessment
Data Regarding EDIP and MVSP
To determine the reliability of the list of the 40 applications that various businesses submitted during the audit period, we took the following actions. We checked the list for missing values and duplicate records. We also confirmed that the date for the corresponding EACC quarterly meeting was within the audit period.
We traced the entire population of 40 applications that various businesses submitted during the audit period, matching the information on these applications (i.e., the business name, the project type, and the tax credit amount) to source documents (e.g., EACC quarterly meeting minutes and copies of signed grant agreements between the businesses awarded tax credits and MOBD) to ensure that the information was accurate and complete.
Data Regarding Cybersecurity Awareness Training
To determine the reliability of the list of MOBD employees who were active during the audit period, which MOBD provided to us, we took the following actions. We checked the spreadsheet for missing values and duplicate records, identified any employees MOBD hired during the audit period, and confirmed whether employment start dates and/or termination dates were within the audit period. We also traced the entire population of active MOBD employee records in the list to payroll summary data that we extracted from the Office of the Comptroller of the Commonwealth’s CTHRU7 database, as well as to the two cybersecurity awareness training systems that MOBD used during the audit period. Because MOBD used two training systems during the audit period, MOBD provided us with training records from both systems.
To determine the reliability of the cybersecurity awareness training data, we took the following actions. We interviewed officials from the Executive Office for Administration and Finance, the Human Resources Division, and the Executive Office of Technology Services and Security, each of which was responsible for managing oversight of the two training systems.
We also reviewed System and Organization Control 2 reports8 for the two cybersecurity awareness training systems that MOBD used during the audit period (one of which MOBD used during the period March 16, 2021 through March 15, 2022 and the other of which MOBD used during the period January 1, 2022 through December 31, 2022). We verified that independent certified public accountants tested and produced no exceptions regarding certain information system general controls.
Based on the results of the data reliability assessment procedures described above, we determined that the information obtained for the audit period was sufficiently reliable for the purposes of our audit.
| Date published: | July 2, 2024 |
|---|