This page, Audit of the Norfolk District Attorney’s Office Objectives, Scope, and Methodology, is offered by the Office of the State Auditor.

Audit of the Norfolk District Attorney’s Office Objectives, Scope, and Methodology

An overview of the purpose and process of auditing the Norfolk District Attorney’s Office.

Overview

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of certain activities of the Norfolk District Attorney’s Office (NDAO) for the period July 1, 2019 through June 30, 2021.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Below is a list of our audit objectives, indicating each question we intended our audit to answer; the conclusion we reached regarding each objective; and, if applicable, where each objective is discussed in the audit findings.

Objectives and Conclusions

  1. Objective: Did NDAO make forfeiture trust fund expenditures in accordance with Section 47(d) of Chapter 94C of the General Laws?
     Conclusion: Yes

  2. Objective: Did NDAO ensure that forfeited assets from closed cases were collected, deposited, and distributed in accordance with Section 47(d) of Chapter 94C of the General Laws?
     Conclusion: No; see Finding 1

  3. Objective: Did NDAO ensure that its employees completed cybersecurity awareness training in accordance with Sections 6.2.1, 6.2.3, and 6.2.4 of the Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010?
     Conclusion: No; see Finding 2

To achieve our audit objectives, we gained an understanding of NDAO’s internal control environment related to the objectives by reviewing NDAO’s internal control plan and applicable policies and procedures, as well as by interviewing NDAO officials. We evaluated the design and tested the operating effectiveness of internal controls related to the verification of amounts of forfeited assets received from law enforcement agencies, the monthly reconciliation of forfeiture trust fund deposits, and the approval of forfeiture trust fund expenditures.

To obtain sufficient, appropriate audit evidence to address our audit objectives, we performed the following procedures.

Forfeiture Trust Fund Expenditures

To determine whether NDAO made forfeiture trust fund expenditures in compliance with Section 47(d) of Chapter 94C of the General Laws, we performed the following procedures.

NDAO provided us with a list—maintained by NDAO’s Financial Department using Microsoft Excel spreadsheets—of 211 forfeiture trust fund expenditures that were made during the audit period. We selected a random, nonstatistical sample of 35 (totaling $186,312) out of the 211 forfeiture trust fund expenditures (totaling $528,695). We reviewed supporting documentation (e.g., invoices, receipts, grant applications, email correspondence between NDAO staff members, written explanations of charges and travel, and training request memos) to determine whether each expenditure was allowable under Section 47(d) of Chapter 94C of the General Laws.

We used nonstatistical sampling methods for testing and therefore did not project the results of our testing to any population.

We noted no exceptions in our testing; therefore, we conclude that NDAO made forfeiture trust fund expenditures in compliance with Section 47(d) of Chapter 94C of the General Laws.

Forfeited Assets from Closed Cases

To determine whether NDAO ensured that forfeited assets from closed cases were collected, deposited, and distributed in compliance with Section 47(d) of Chapter 94C of the General Laws, we performed the following procedures.

NDAO provided us with a list—maintained by NDAO’s asset forfeiture unit using Microsoft Excel spreadsheets—of all closed and open forfeiture cases. From that list, we identified 121 forfeiture cases that were closed during the audit period, totaling $502,794 [2] in seized assets.

We selected a random, nonstatistical sample of 35 closed forfeiture cases for testing, totaling $354,670.65 in seized assets. We reviewed relevant case documentation (e.g., forfeiture split letters, forfeiture orders from courts, police reports, checks, and deposit slips) to calculate the forfeited asset split for each case, with NDAO’s portion being half of the forfeiture amount ordered by the court plus half of the forfeited asset revenue of any property sold at auction. We compared our calculation to the amounts listed in the forfeiture split letters (which NDAO prepares and disseminates) to determine whether NDAO distributed the correct amount of forfeited assets to the police department(s) involved in each case. We reviewed copies of checks and deposit slips to determine whether NDAO collected and deposited the correct amount of forfeited assets.

We used nonstatistical sampling methods for testing and therefore did not project the results of our testing to any population.

See Finding 1 for an issue we identified with NDAO’s distribution of forfeited assets.

Cybersecurity Awareness Training

To determine whether NDAO employees completed cybersecurity awareness training in accordance with standards issued by the Executive Office of Technology Services and Security, we performed the following procedures.

To ensure that NDAO’s employees received cybersecurity awareness training, we interviewed NDAO’s information technology director and first assistant district attorney to discuss whether NDAO had established a cybersecurity awareness training program (using a training system called KnowBe4). Beginning in calendar year 2020, NDAO implemented an annual cybersecurity awareness training program for its employees. In October 2020, NDAO used KnowBe4 to assign all its current employees cybersecurity awareness training, which they were to complete also using KnowBe4. The NDAO-established deadline for completion of this training was November 1, 2020.

NDAO’s Human Resources Department provided us with a list of all 149 NDAO employees as of June 30, 2021. We filtered out employees on this list with (1) termination dates before October 1, 2020 or (2) start dates in 2021. The filtered list included a total of 114 employees who would have been required to take NDAO’s annual cybersecurity awareness training during calendar year 2020. We obtained electronic cybersecurity awareness training records from KnowBe4 to determine whether these employees completed cybersecurity awareness training within the timeframe established by NDAO.

See Finding 2 for an issue we identified with NDAO’s cybersecurity awareness training program.

Data Reliability Assessment

Massachusetts Management Accounting and Reporting System

In 2018 and 2022, the Office of the State Auditor performed a data reliability assessment of the Massachusetts Management Accounting and Reporting System (MMARS), the state’s accounting system. The assessment focused on reviewing selected system controls, including access controls, security awareness, audit and accountability, configuration management, identification and authentication, and personnel security.

Forfeiture Trust Fund Expenditures

To determine the reliability of the list of forfeiture trust fund expenditures, we (1) checked the list for duplicate records, (2) inquired about any missing values in key fields, (3) ensured that payment records were only for services provided during the audit period, and (4) compared the total amount of the expenditures on the list to data recorded in MMARS. We also randomly selected a sample of 10 expenditures from this list and compared the expenditure information to source documentation (e.g., receipts, invoices, purchase orders, and bank statements) that NDAO’s Financial Department maintained.

Forfeited Assets from Closed Cases

To determine the reliability of the lists of forfeited assets from closed cases, we (1) checked for duplicate records, (2) inquired about any missing values in key fields, (3) ensured that the dates cases were closed were within the audit period, (4) compared the total number of cases that were closed during the audit period against NDAO’s deposit workbook, and (5) compared the total amount of forfeiture trust fund deposits made during the audit period to data recorded in MMARS. We selected a random sample of 20 closed cases from the list and compared them to source documents maintained within NDAO’s hardcopy case files.

Cybersecurity Awareness Training

To determine the reliability of the cybersecurity awareness training records we obtained from KnowBe4, we reviewed System and Organization Control reports [3] for KnowBe4 that covered the audit period and ensured that an independent certified public accountant performed certain information system control tests on KnowBe4. We also interviewed NDAO’s information technology director, who monitors training completion.

To determine the reliability of the list of all 149 NDAO employees that NDAO’s Human Resources Department provided to us, we selected a random sample of 20 employees from the list and traced them to employee data reported in CTHRU. [4] We also selected a random sample of 20 employees from CTHRU and traced them back to NDAO’s employee list. In addition, we checked the list for duplicate and blank fields, verified that employment dates were valid (i.e., no start dates after the end of the audit period or end dates before the start of the audit period), and compared the total number of unique employee records on the employee list to the total number of unique employee records reported in CTHRU.

Based on the data reliability procedures described above, we determined that the data obtained for our audit period were sufficiently reliable for the purposes of our audit.

2. This amount includes forfeited assets ultimately distributed to police departments.

3. A System and Organization Control report is a report on controls about a service organization’s systems relevant to security, availability, processing integrity, confidentiality, or privacy issued by an independent contractor.

4. According to the Office of the Comptroller of the Commonwealth’s website, “CTHRU is an innovative open records platform that offers transparency into the finances of the Commonwealth of Massachusetts. CTHRU provides users with an intuitive experience for exploring how and where our tax dollars are utilized.”

Date published: October 24, 2023
