This page, Audit of the Office of Medicaid (MassHealth)—Review of Continuity of Operations Plan Objectives, Scope, and Methodology, is offered by the Office of the State Auditor.

Audit of the Office of Medicaid (MassHealth)—Review of Continuity of Operations Plan Objectives, Scope, and Methodology

An overview of the purpose and process of auditing the Office of Medicaid (MassHealth)—Review of Continuity of Operations Plan


Overview

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of MassHealth’s continuity of operations plan (COOP) for its Medicaid Management Information System (MMIS) for the period January 1, 2020 through June 30, 2021.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Below is a list of our audit objectives, indicating each question we intended our audit to answer, the conclusion we reached regarding each objective, and where each objective is discussed in the audit findings.

Objectives and Conclusions

  1. Objective: Does MassHealth have a COOP that has been updated and exercised, and on which employees have been trained, in accordance with Executive Order 490?
     Conclusion: No; see Finding 1

  2. Objective: Does MassHealth adhere to disaster recovery standards in accordance with Sections 6.1 and 6.2 of the Executive Office of Technology Services and Security’s Business Continuity and Disaster Recovery Standard IS.005?
     Conclusion: No; see Finding 2

To achieve our audit objectives, we gained an understanding of the internal control environment related to the objectives by conducting inquiries with MassHealth.

In addition, we performed the following procedures to obtain sufficient, appropriate audit evidence to address the objectives.

To determine whether the MassHealth COOP met the requirements of Executive Order 490, we reviewed the COOP, dated July 2016, to determine whether it was updated annually. We interviewed MassHealth officials who were responsible for oversight of the COOP, asking whether the plan had been run through for practice and whether employees had been trained in relation to the plan. Additionally, we reviewed the list of employees in the COOP and confirmed whether those employees were still active in the Commonwealth’s “Global Email List” to determine whether the COOP was up to date with current key decision-makers.

To determine whether a formal disaster recovery plan (DRP) was in place to restore essential operations and enable MassHealth to continue its daily operations in a timely manner if automated systems were unavailable for an extended period, we interviewed knowledgeable MassHealth management personnel about their “New MMIS Disaster Recovery / Business Continuity Plan.” We reviewed this plan, which was dated September 2008. We also reviewed the names of the key decision-making employees listed in the plan to determine whether they were still active EOHHS employees, in order to ensure that the plan was up to date with current key decision-makers.

We reviewed the results of the MA-21 software system [1] disaster recovery exercise conducted in March 2021 to determine what the impact of a disruption of services would be if an emergency arose.

[1] This system determines whether a MassHealth applicant meets all MassHealth’s eligibility requirements, and if so, it determines the most comprehensive healthcare coverage type for which the applicant is eligible. MA-21 is separate and distinct from MMIS.

Date published: July 15, 2022
