Overview
In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of certain activities of the Secretary of the Commonwealth of Massachusetts (SOC) for the period January 1, 2020 through December 31, 2021.
We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.
Below is a list of our audit objectives, indicating each question we intended our audit to answer; the conclusion we reached regarding each objective; and, if applicable, where each objective is discussed in the audit findings.
| Objective | Conclusion |
|---|---|
| | No; see Finding 1 |
| | Yes |
| | Yes |
| | No; see Finding 2 |
| | No; see Finding 3 |
To accomplish our objectives, we gained an understanding of SOC’s internal control environment related to the objectives by reviewing applicable agency policies and procedures, as well as conducting interviews with SOC management. We evaluated the design and implementation of the internal controls related to our audit objectives. We evaluated the operating effectiveness of internal controls related to the approval process of Articles of Organization and annual report filings.
To obtain sufficient, appropriate audit evidence to address our audit objectives, we conducted further audit testing as follows.
To determine whether SOC processed Articles of Organization for domestic profit and foreign corporations as required by 950 CMR 113.06(4) and 950 CMR 113.16(3), we performed the following procedures:
- Based on a high risk level, we selected a random, statistical sample with a 95% confidence level, 5% tolerable error rate, and 0% expected error rate. Our sample consisted of 60 out of 28,293 Articles of Organization that were filed during our audit period. We examined each Articles of Organization to ensure that it included the following: name of the corporation; purpose; authorized shares; any limitation or class listing; restrictions on transfer; effective date; the registered agent’s name and address; and the names and addresses of the individuals who will serve as the initial president, treasurer, secretary, and directors of the corporation. In addition, we examined each Articles of Organization filing to determine whether the authorized person signed it, stated their role in the corporation, and included the date they signed.
To determine whether SOC approved the Articles of Organization for domestic profit and foreign corporations that were filed during the audit period in a timely manner, we performed the following procedures:
- Based on a high risk level, we selected a random, statistical sample with a 95% confidence level, 5% tolerable error rate, and 0% expected error rate. Our sample consisted of 60 out of 28,293 Articles of Organization that were filed during our audit period. We examined the submission date (when the filing was approved) and insert date (when the filing was uploaded to the public website) and compared them to ensure that Articles of Organization submitted before 4:00 p.m. were approved that day or the next business day.
To determine whether SOC verified that annual reports for domestic profit and foreign corporations filed during the audit period were filed within two and a half months after a corporation’s fiscal year ended, we performed the following procedures:
- Based on a high risk level, we selected a random, statistical sample with a 95% confidence level, 5% tolerable error rate, and 0% expected error rate. Our sample consisted of 60 out of 308,311 annual reports that were filed during the audit period. We inspected the annual reports to determine the date of each corporation’s fiscal year end. We used Microsoft Excel to calculate each corporation’s last date to file. The calculation included the fiscal year end date and the addition of two and a half months. Finally, we used Microsoft Excel again for our comparison of the submission date and the last date to file. For any annual reports submitted after the last date to file, we examined the annual report in addition to the annual report’s detail record to ensure that the appropriate fee was assessed.
- We examined the sample of 60 annual reports to determine whether they included all the required information listed in 950 CMR 113.57.
To determine whether SOC updated its ICP in accordance with CTR’s “COVID-19 Pandemic Response Internal Controls Guidance,” we performed the following procedure:
- We asked SOC officials whether they updated the ICP during the audit period with the COVID-19 guidance established by CTR’s “COVID-19 Pandemic Response Internal Controls Guidance” because COVID-19 caused a significant change to the work environment. We examined copies of the ICP that was updated in 2019 and SOC’s COVID-19 response plan to determine whether they contained the components required by CTR’s “COVID-19 Pandemic Response Internal Controls Guidance.”
To determine whether SOC ensured that each employee who was responsible for managing CARES Act funds completed cybersecurity awareness training, we performed the following procedure:
- We obtained from SOC a list of the 14 employees, which included 10 Elections Division employees and 4 administrative employees, who were responsible for managing CARES Act funds during the audit period. We examined copies of each employee’s certificate of completion for cybersecurity awareness training during our audit period to determine whether each employee responsible for managing CARES Act funds received cybersecurity awareness training.
Data Reliability Assessment
Corporations Division Database
SOC uses the business and Uniform Commercial Code electronic filing and imaging system to house all Articles of Organization, annual reports, and other types of filings made with SOC. We assessed the reliability of the data obtained from the system by conducting interviews with SOC employees who were knowledgeable about the data, examining system documentation, testing for duplicate records, and examining the data for any dates outside the audit period. We also tested certain general information system controls (access controls, security management, configuration management, contingency planning, and segregation of duties).
To confirm the completeness and accuracy of the list of Articles of Organization and annual report filings made during the audit period from SOC’s filing and imaging system that we used for our testing, we selected a judgmental sample of 20 annual report filings from the list provided. We determined whether the information in SOC’s filing and imaging system matched information from the filings on the public search database. We selected a judgmental sample of 20 hardcopy Articles of Organization filings made during the audit period and traced them to SOC’s filing and imaging system for completeness.
List of Employees
To confirm the completeness and accuracy of the SOC-provided list of employees responsible for the management of CARES Act funds, we extracted employee lists from the CTHRU database for calendar years 2020 and 2021 and combined the two lists to test for duplicate records. We then compared the list of employees extracted from CTHRU to the list provided by SOC to determine whether employee names and titles, as well as the number of employees, matched.
Based on the results of our data reliability assessments, we determined that the information obtained for our audit period was sufficiently reliable for the purpose of our audit objectives.
Date published: January 13, 2023