Overview
In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of certain activities of the Middlesex County District Attorney’s Office (MDAO) for the period July 1, 2022 through June 30, 2024. When examining employee settlement agreements entered into by MDAO, we extended the audit period to July 1, 2019 through June 30, 2024.
We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.
Below is a list of our audit objectives, indicating each question we intended our audit to answer; the conclusion we reached regarding each objective; and, if applicable, where each objective is discussed in the audit findings.
| Objectives | Conclusion |
|---|---|
| 1. To what extent did MDAO participate in the statewide SAECK tracking system as required by Section 18X(g) of Chapter 6A of the General Laws? | To an insufficient extent; see Finding 1 and Other Matters |
| 2. Did MDAO adhere to Sections 6.2.3 and 6.2.4 of EOTSS's Information Security Risk Standard IS0.010 regarding cybersecurity awareness training? | No; see Finding 3 |
| 3. Did MDAO have internal policies and procedures in place for (a) the review and approval of employee settlement agreements, including the use of non-disclosure, non-disparagement, or similarly restrictive clauses, and (b) the reporting of monetary employee settlements to CTR in accordance with 815 CMR 5.06 and 5.09? | No; see Finding 2 |
To accomplish our audit objectives, we gained an understanding of the MDAO internal control environment relevant to our objectives by reviewing applicable policies and procedures and MDAO’s internal control plan, as well as by interviewing MDAO officials. We also reviewed Track-Kit system user manuals, which included user roles for prosecuting attorneys. In addition, to obtain sufficient, appropriate evidence to address our audit objectives, we performed the procedures described below.
Statewide SAECK Tracking System
To determine to what extent MDAO participated in the statewide SAECK tracking system as required by Section 18X(g) of Chapter 6A of the General Laws, we took the following actions:
- We requested policies and procedures regarding the use of the Track-Kit system. MDAO informed us that it did not have any documented internal policies or procedures for how it should use the Track-Kit system during the audit period.
- We interviewed the chief of the Child Protection Unit about MDAO’s use of the Track-Kit system. We were informed that MDAO rarely uses the Track-Kit system.
- We conducted a system walkthrough of MDAO’s access to the data and observed that there were 583 SAECKs collected within MDAO’s jurisdiction during the audit period in the Track-Kit system.
- We observed a virtual walkthrough of a sandbox version of the prosecuting attorney and survivor portals within the Track-Kit system.
- We reviewed Track-Kit system access logs and determined that there were 21 active user accounts, 7 of which belonged to former employees. Of the remaining 14 accounts held by current employees, only 1 was used to access the Track-Kit system during the audit period.
For this objective, we found certain issues during our testing regarding the extent to which MDAO participated in the statewide SAECK tracking system. See Finding 1 and Other Matters for more information.
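The access-log review described above (active accounts, accounts belonging to former employees, and accounts never used during the audit period) is a reconciliation that can be scripted so it is repeatable. The following is an added example and is not code from the audit report or from the Track-Kit system; the column names, account names, dates and both CSV extracts are constructed for illustration. It also goes slightly beyond the report's procedure by flagging enabled accounts with no matching HR record and former-employee accounts that were used after the separation date, two conditions a reviewer would want to escalate.

```python
"""Orphaned and dormant account review (added example, constructed data).

Reconciles a system's user-account export against an HR roster to find
enabled accounts of former employees, accounts of current employees that
were not used during the audit period, and accounts nobody owns.
"""
import csv
import io
from datetime import date, datetime

# Audit period from the report: July 1, 2022 through June 30, 2024.
PERIOD_START = date(2022, 7, 1)
PERIOD_END = date(2024, 6, 30)

# Constructed account export (hypothetical column names). A blank last_login
# means the account has never been used.
ACCOUNT_EXPORT = """\
username,status,last_login
ada.prosecutor,active,2023-11-02T14:21:00
bob.former,active,2021-03-15T09:00:00
carol.unit,active,
dave.gone,active,2022-05-30T16:45:00
erin.counsel,active,2019-08-08T08:00:00
frank.disabled,disabled,2023-01-04T10:10:00
gina.unknown,active,2024-02-01T11:00:00
hank.left,active,2023-12-20T13:00:00
"""

# Constructed HR roster (hypothetical column names). A blank end_date means
# the person is still employed.
HR_ROSTER = """\
username,employee_id,start_date,end_date
ada.prosecutor,1001,2015-01-12,
bob.former,1002,2016-06-01,2022-01-31
carol.unit,1003,2020-09-14,
dave.gone,1004,2018-02-05,2023-10-13
erin.counsel,1005,2012-04-02,
frank.disabled,1006,2017-07-07,
hank.left,1007,2019-10-21,2023-11-30
"""


def _opt_date(text):
    """ISO date or datetime string -> date; blank string -> None."""
    return datetime.fromisoformat(text).date() if text else None


def load_accounts(csv_text):
    return [
        {"username": r["username"], "status": r["status"],
         "last_login": _opt_date(r["last_login"])}
        for r in csv.DictReader(io.StringIO(csv_text))
    ]


def load_roster(csv_text):
    return {
        r["username"]: {"employee_id": r["employee_id"],
                        "start": _opt_date(r["start_date"]),
                        "end": _opt_date(r["end_date"])}
        for r in csv.DictReader(io.StringIO(csv_text))
    }


def review_accounts(accounts, roster, period_start=PERIOD_START,
                    period_end=PERIOD_END, as_of=None):
    """Classify every enabled account; as_of is the review date (defaults
    to the end of the audit period, i.e. the export is assumed to be taken then)."""
    as_of = as_of or period_end
    out = {"enabled": [], "former_employee": [], "used_after_separation": [],
           "no_hr_record": [], "dormant": [], "used_in_period": []}
    for acct in accounts:
        if acct["status"] != "active":
            continue  # disabled accounts are out of scope for this review
        name, last = acct["username"], acct["last_login"]
        out["enabled"].append(name)
        person = roster.get(name)
        if person is None:
            out["no_hr_record"].append(name)  # nobody in HR owns this account
            continue
        if person["end"] is not None and person["end"] <= as_of:
            out["former_employee"].append(name)  # should have been disabled
            if last is not None and last > person["end"]:
                out["used_after_separation"].append(name)  # escalate
            continue
        if last is not None and period_start <= last <= period_end:
            out["used_in_period"].append(name)
        else:
            out["dormant"].append(name)  # current employee, no use in period
    return out


def run_review():
    """Run the review over the constructed extracts above."""
    return review_accounts(load_accounts(ACCOUNT_EXPORT), load_roster(HR_ROSTER))


if __name__ == "__main__":
    for category, names in run_review().items():
        print(f"{category:>22}: {len(names):2d}  {', '.join(names)}")
```

The join key is the username; in practice the two extracts rarely share one, and matching on employee ID or e-mail is more reliable. The "dormant" test relies on a last-login field, which only records the most recent use, so an export taken well after the audit period can hide in-period activity; where full login history is available, test for any login inside the period instead.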
Cybersecurity Awareness Training
To determine whether MDAO adhered to Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Standard IS0.010 regarding cybersecurity awareness training, we took the following actions. First, we selected a random, nonstatistical sample of 40 employees from the population of 327 employees who were active during the audit period. We reviewed the MDAO cybersecurity awareness training platform’s training certificates of completion to determine whether the sampled employees completed the required annual refresher cybersecurity awareness training. For sampled employees hired during the audit period, we determined whether the date on their certificate of completion was within 30 days of their hire date, as required by the EOTSS standard.
We also determined the following:
- For calendar year 2022, 25 out of 40 sampled employees should have received annual refresher cybersecurity awareness training and 4 should have received initial cybersecurity training within 30 days of their hire date. None (0%) of the 25 employees received annual refresher training and none (0%) of the 4 new employees received the initial training.
- For calendar year 2023, 28 out of 40 sampled employees should have received annual refresher cybersecurity awareness training, and 8 should have received initial cybersecurity training within 30 days of their hire date. Of the 28 who should have received annual refresher training, 27 (96%) received training. MDAO could not provide evidence that 1 employee completed that training. Of the 8 new employees, 7 (88%) received initial cybersecurity training within 30 days, and 1 did not.
- For calendar year 2024, 32 employees out of 40 sampled employees should have received annual refresher cybersecurity awareness training, and 1 should have received initial cybersecurity training within 30 days of their hire date. Of the 32 employees who should have received annual training, all 32 (100%) received training. The 1 (100%) new employee received the initial cybersecurity training. Therefore, we noted no findings for 2024.
For this objective, we found certain issues during our testing regarding whether MDAO adhered to Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Standard IS0.010 regarding cybersecurity awareness training. See Finding 3 for more information.
We used nonstatistical sampling methods for testing and therefore did not project the results of our testing to the corresponding population.
Employee Settlement Agreements
To determine whether MDAO had internal policies and procedures in place for (a) the review and approval of employee settlement agreements, including the use of non-disclosure, non-disparagement, or similarly restrictive clauses, and (b) the reporting of monetary employee settlements to CTR in accordance with 815 CMR 5.06 and 5.09, we took the following actions:
- We interviewed the District Attorney and the director of human resources. They stated that MDAO did not have any employee settlement agreements during the extended audit period.
- We inquired about internal policies and procedures regarding employee settlement agreements. We were informed that MDAO did not have any such documented policies.
- We inquired about internal policies and procedures regarding the use of non-disclosure, non-disparagement, and similarly restrictive language in employee settlement agreements. We were informed that MDAO did not have any such documented policies.
For this objective, we found certain issues during our testing: although MDAO did not enter into any employee settlement agreements during the extended audit period, it did not have a documented, transparent, or accountable process for employee settlement agreements. See Finding 2 for more information.
Data Reliability Assessment
Cybersecurity Awareness Training
To determine the reliability of MDAO’s cybersecurity awareness training platform data, we interviewed MDAO management who were knowledgeable about the data. We reviewed System and Organization Control 2 reports covering the audit period. We ensured that certain information system control tests (i.e., access controls, security management, configuration management, contingency planning, and segregation of duties) had been performed without exception.
Employee Lists
We obtained from MDAO management a list of 327 employees who were active during the audit period. To ensure the reliability of the employee data, we tested the list to ensure that it did not contain certain dataset issues (i.e., duplicate records and employment start dates and end dates outside the audit period). To ensure the accuracy of the list, we compared the list of MDAO employees to a list of MDAO employee records obtained from the CTHRU statewide payroll website for calendar years 2022 through 2024. To ensure completeness of the active employee list, we traced the employee names listed from the CTHRU data back to the active employee list.
Employee Settlement Agreements
We requested a list of settlements executed during the extended audit period, July 1, 2019 through June 30, 2024. We were informed that MDAO did not enter into any settlement agreements with employees during the extended audit period.
To corroborate MDAO’s statements, we contacted CTR to determine whether any employee settlement agreements were reported for MDAO in the CTR settlements and judgments Microsoft Access database during the extended audit period. CTR confirmed that there were no records of employee settlement agreements executed by MDAO in the database. We examined MDAO’s personnel folders for a random, nonstatistical sample of 35 employees out of the population of 229 employees who separated from MDAO during the extended audit period for evidence of complaints, grievances, or settlement agreements and found none. We then ran a query from the Commonwealth Information Warehouse of all legal expenses paid by MDAO for the extended audit period. Using this data, we selected vendors that MDAO paid $3,000 or more during the extended audit period and requested supporting invoices for all their legal expenses. We examined the invoices and confirmed that they did not contain settlement language in their descriptions.
Based on the results of the data reliability assessment procedures described above, we determined that the information we obtained during the course of our audit was sufficiently reliable for the purposes of our audit.
Date published: December 19, 2025