This page, Audit of the Massachusetts Rehabilitation Commission Objectives, Scope, and Methodology, is offered by the Office of the State Auditor.

Audit of the Massachusetts Rehabilitation Commission Objectives, Scope, and Methodology

An overview of the purpose and process of auditing the Massachusetts Rehabilitation Commission.


Overview

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor (OSA) has conducted a performance audit of certain activities of the Massachusetts Rehabilitation Commission (MRC) for the period July 1, 2018 through June 30, 2021.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Below is a list of our audit objectives, indicating each question we intended our audit to answer; the conclusion we reached regarding each objective; and, if applicable, where each objective is discussed in the audit findings.

| Objective | Conclusion |
|---|---|
| 1. Did MRC maintain written agreements for on-the-job training (OJT) in accordance with Section 6.07(12) of Title 107 of the Code of Massachusetts Regulations (CMR)? | No; see Finding 1 |
| 2. Did MRC check the debarred vendor lists before awarding or renewing a contract to ensure that it does not award a contract to a debarred vendor, as required by the “State Finance Law and General Contract Requirements” policy, which was jointly issued by the Office of the Comptroller of the Commonwealth (CTR) and the state Operational Services Division? | No; see Finding 2 |
| 3. Did MRC update its internal control plan (ICP) to address the 2019 coronavirus (COVID-19) pandemic in accordance with CTR’s “COVID-19 Pandemic Response Internal Controls Guidance,” dated September 30, 2020? | Yes |
| 4. Did MRC employees managing COVID-19 funds complete required cybersecurity awareness training in accordance with Sections 6.2.3 and 6.2.4 of the Executive Office of Technology Services and Security’s (EOTSS’s) Information Security Risk Management Standard IS.010? | Yes |

To achieve our objectives, we gained an understanding of the internal controls related to the objectives by reviewing applicable policies and procedures and interviewing MRC officials.

To obtain sufficient, appropriate evidence to address our audit objectives, we performed the following audit procedures.

To determine whether MRC maintains OJT written agreements as required by 107 CMR 6.07(12), we obtained and inspected OJT written agreements for all 75 individuals who received OJT services during the audit period. In addition, we verified that the written agreements were approved by an MRC area director.

To determine whether MRC checked the debarred vendor lists before awarding or renewing the contracts as required by the “State Finance Law and General Contract Requirements” policy, we obtained preliminary data analysis from OSA’s Data Analytics Unit, which identified 46 potentially debarred vendors. We selected a judgmental sample of 10 vendors from the population of 46 potentially debarred vendors that were paid by MRC during the audit period. We inspected the contracts MRC had with these vendors to determine whether the contracts were awarded or renewed while the vendors were potentially debarred. Further, we reviewed the Do Not Pay list and various debarment lists (such as the federal government’s Excluded Parties List System and MassHealth’s “Suspended/Excluded MassHealth Providers” list) to verify that all 46 potentially debarred vendors were actually debarred.

We used nonstatistical sampling methods and therefore did not project the results of our testing to the population.

To determine whether MRC updated its ICP to address the COVID-19 pandemic in accordance with CTR’s “COVID-19 Pandemic Response Internal Controls Guidance,” dated September 30, 2020, we inspected MRC’s ICP, fiscal year 2020 and fiscal year 2021 Internal Control Questionnaires, and return-to-work plan.

To determine whether MRC employees who managed COVID-19 funds during the audit period received cybersecurity awareness training in accordance with EOTSS’s Information Security Risk Management Standard IS.010, we inspected cybersecurity awareness training completion certificates for all 19 employees who managed COVID-19 funds.

Data Reliability Assessment

MRC officials provided a list of all individuals who received OJT services during the audit period. We determined the reliability of the list by performing validity and integrity tests, including testing for blank fields and scanning for duplicate records. We also selected a judgmental sample of 20 hardcopy consumer records and traced information (such as client identification number, first name, and last name) from them to the list for agreement. Additionally, we selected a judgmental sample of 20 client identification numbers, first names, and last names from the list and traced them to hardcopy consumer records for agreement.

MRC uses the Massachusetts Management Accounting and Reporting System (MMARS) to report its expenses to CTR. We determined the reliability of the data obtained from MMARS by relying on the work OSA performed in two separate projects completed in 2018 and 2022, which tested certain information system controls in MMARS. These selected system controls included access controls, application controls, configuration management, contingency planning, and segregation of duties. As part of our current audit, we tested personnel security controls. In addition, we performed validity and integrity tests, including testing for blank fields, scanning for duplicate records, and looking for dates outside the audit period.

Based on the results of the data reliability procedures described above, we determined that the data obtained were sufficiently reliable for the purposes of our audit.

Date published: January 6, 2023
