Audit of the Massachusetts Rehabilitation Commission Objectives, Scope, and Methodology

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor (OSA) has conducted a performance audit of the Massachusetts Rehabilitation Commission (MRC) for the period July 1, 2015 through June 30, 2017.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Below is our audit objective, indicating the question we intended our audit to answer and the conclusion we reached regarding the objective.

While performing our review of MRC’s contractor billing process, we identified issues with its administration of its contract management database (CMDB), which are presented as Finding 1 in this report.

We gained an understanding of the internal controls we deemed significant to our audit objectives through interviews and observations. We evaluated the design and effectiveness of those controls and assessed whether they operated as intended during the audit period. In addition, we performed the following procedures to obtain sufficient, appropriate audit evidence to address our audit objectives.

• We performed data analytics to determine whether any of MRC’s consumers received services from vendors while hospitalized during the period March 5, 2016 through October 2, 2016. We further analyzed all instances in which vendors provided services during this period when the consumers appeared to have been hospitalized. We then verified that the 10 vendors’ contracts were active and determined whether services were allowable while the consumers were hospitalized.
• We performed a statistical test of 24 vendor billings to MRC out of 18,927 billings during the audit period, using a 90% confidence level, a tolerable error rate of 10%, and an expected error rate of 0%. We verified that billings were allowable according to the contracts and compared invoice amounts to Massachusetts Management Accounting and Reporting System (MMARS) payment data.

To perform our audit procedures, we obtained data for all MRC payments made to vendors from MMARS. We relied on the work performed by OSA in a separate data reliability assessment project that tested certain information system controls in MMARS. As part of the work performed, OSA reviewed existing information, tested selected system general controls, and performed inquiries with knowledgeable agency officials regarding MRC billing data. We performed other validity and integrity tests on all claim data from MMARS by tracing a sample of claims queried to source documents. Based on these procedures, we determined that the vendor payment records obtained from MMARS for our audit period were sufficiently reliable for the purposes of this report.

Additionally, we performed other validity and integrity tests on selected information system general controls over the MRC server, Enterprise Invoice Management / Enterprise Service Management,² and the CMDB, including tracing a sample of claims queried to source documents. The selected information system general controls were over access and security management. We tested to determine whether all employees on the active users list were actually active users; all terminated users had their access to MRC’s systems revoked; employees who had transferred or been promoted had proper access; employees had proper background checks when hired; and new hires had received security awareness training.

Based on these procedures, we determined that the information system general controls over MRC’s contract billings and information systems need improvement.