Audit of the Secretary of the Commonwealth of Massachusetts Objectives, Scope, and Methodology

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of certain activities of the Secretary of the Commonwealth of Massachusetts (SOC)for the period July 1, 2022 through June 30, 2024.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Below is a list of our audit objectives, indicating each question we intended our audit to answer; the conclusion we reached regarding each objective; and, if applicable, where each objective is discussed in the audit findings.

To accomplish our audit objectives, we gained an understanding of the SOC internal control environment relevant to our objectives by reviewing SOC’s internal control plan and its applicable policies and procedures, as well as by interviewing SOC management. We also conducted site visits to the ACP office to observe the physical controls in place to protect ACP participants’ information. Furthermore, we tested the operating effectiveness of internal controls related to the approval of ACP participants’ application forms. In addition, to obtain sufficient, appropriate evidence to address our audit objectives, we performed the procedures described below.

To determine whether SOC administered its ACP in accordance with 950 CMR 130.04, we took the following actions. We requested, and SOC provided us with, a list of ACP applications that were submitted during the audit period. To protect the confidentiality of ACP participants, this list only included unique identifying codes to represent individual participants. This approach was intentionally taken to safeguard ACP participants’ personally identifiable information (including their names and actual addresses) during the course of our audit work. Next, we selected a random, nonstatistical⁵ sample of 20 ACP applications from a total population of 206 ACP applications (which included both the Participant Applications for victims of domestic violence, sexual assault, rape, and/or stalking, and the Health Care Applications for healthcare providers who have a connection to a legally protected healthcare service) approved during the audit period. For each application in our sample, we reviewed documentation (i.e., drivers’ licenses, Massachusetts court documents, and healthcare records) to determine whether SOC confirmed the ACP participant’s identity and residency in the Commonwealth. For ACP participants who were specifically victims of domestic violence, sexual assault, rape, and/or stalking, we examined court documents (e.g., abuse prevention orders, harassment prevention orders, and police reports) stored in SOC ACP participant files to determine whether SOC verified the ACP participant’s status as a victim of domestic violence, sexual assault, rape, and/or stalking. Furthermore, in cases involving minor children, we reviewed birth certificates to confirm that the information provided in the application matched the corresponding documentation. Finally, we inspected each application to determine whether (1) the ACP participant signed and dated the form, acknowledging the ACP’s rules and regulations, and (2) the ACP manager recorded the application’s approval status, the ACP participant’s enrollment start date, and the ACP participant’s enrollment expiration date.

For this objective, we found no significant issues during our testing. Therefore, we concluded that, based on our testing, SOC administered its ACP in accordance with 950 CMR 130.04.

To determine whether SOC processed exemption requests received from state/local entities seeking access to ACP participants’ actual addresses in accordance with 950 CMR 130.08, we took the following actions. First, we requested, and SOC provided us with, a list of all the state/local entity exemption requests made during the audit period (of which there was a total population of three). Next, we inspected copies of all three requests to determine whether each request contained a bona fide need for the actual address of the ACP participant in question and identified the individuals who would have access to the information. Additionally, we inspected copies of the three written exemptions SOC issued to ensure that each documented the following elements: (1) the outcome of the state/local entity exemption request, (2) the obligations and limitations on the use and access of the ACP participant’s actual address, (3) the specific format in which the state/local entity could use the information, and (4) the date when the state/local entity is required to dispose of any record of the ACP participant’s actual address.

For this objective, we found no significant issues during our testing. Therefore, we concluded that, based on our testing, SOC processed exemption requests received from state/local entities seeking access to ACP participants’ actual addresses in accordance with 950 CMR 130.08.

We used nonstatistical sampling methods for testing and therefore did not project the results of our testing to any population.

ACP Applications

To assess the reliability of the ACP application list provided by SOC, we interviewed SOC officials who were knowledgeable about the data. We tested the list to ensure that it did not contain certain dataset issues (e.g., hidden objects, such as rows or headers, or duplicate records). We examined the unique identifier field of each data record for gaps to determine whether any ACP participant records had been deleted. We reconciled the ACP application list with the ACP annual reports submitted by SOC to the Legislature to ensure that all enrolled ACP participants were included on the list. Furthermore, we selected a random sample of 20 applications from the ACP application list and compared certain information in this list (i.e., the ACP participants’ genders, counties, corresponding ACP application assistants’ names, ACP application assistants’ employing entities, and the ACP participants’ enrollment start dates) with the corresponding information on the original application forms to ensure the accuracy of the ACP application list. We also selected a random sample of 20 original application forms from SOC’s filing cabinet and traced the ACP application assistants’ names on these forms back to the ACP application list to ensure the list’s completeness.

State/Local Entity Exemption Requests

To assess the reliability of the state/local entity exemption request list provided by SOC, we interviewed SOC officials who were knowledgeable about the exemption request process. To ensure the accuracy of the state/local entity exemption request list, we traced the unique identifier field of each data record in this list to the ACP participant list to confirm that the participants were enrolled in the ACP. We selected a random sample of 20 enrolled ACP participants from the ACP participant list and inspected redacted ACP call logs within each participant’s file to ensure the completeness of the state/local entity exemption request list.

Based on the results of the data reliability assessment procedures described above, we determined that the information we obtained during the course of our audit was sufficiently reliable for the purposes of our audit.

Our audit revealed no significant issues related to our objectives that must be reported under generally accepted government auditing standards. However, during the course of our audit, we identified an issue not specifically addressed by our objectives regarding SOC’s administration of its Domestic Violence Service Provider Grant Program. See Other Matters for more information.