Audit of the Sex Offender Registry Board Objectives, Scope, and Methodology

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of certain activities of the Sex Offender Registry Board (SORB) for the period July 1, 2019 through June 30, 2021.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Below is a list of our audit objectives, indicating each question we intended our audit to answer; the conclusion we reached regarding each objective; and, if applicable, where each objective is discussed in the audit findings.

To achieve our audit objectives, we gained an understanding of the internal control environment by reviewing SORB’s internal control plans that were in effect during the audit period. To understand SORB’s classification and registration process, we reviewed SORB’s policies and procedures as well as related sections of the General Laws. We interviewed SORB employees and conducted walkthroughs to observe how SORB uses the Sex Offender Registry Information System (SORIS2) for the classification and registration processes. To gain a better understanding of how SORB works to find current addresses for sex offenders who may be in violation, we reviewed SORB’s interdepartmental service agreements, interviewed SORB employees, and interviewed Department of Transitional Assistance (DTA) employees. In addition, we performed the following procedures.

To determine whether SORB issued final classifications of sex offenders at least 10 days before their earliest possible release dates as required by Section 178E(a) of Chapter 6 of the General Laws, we obtained data from SORIS2 for all 319 sex offenders released during the audit period. We then compared each sex offender’s release date / initial registration date with SORB to their final classification date to determine whether SORB classified them at least 10 days before their release.

To determine whether SORB gave priority scheduling for classification hearings to sex offenders involved in crimes against children or persons with disabilities and youthful sex offenders as required by Section 178K(3) of Chapter 6 of the General Laws, we obtained data from SORIS2 for 979 sex offenders to whom SORB assigned classifications during the audit period. We identified sex offenders who had committed crimes against children or persons with disabilities by searching the sex offense data from SORIS2 for keywords such as child, minor, and disability. We identified youthful offenders by calculating sex offenders’ ages as of the dates of their convictions. There were 682 total sex offenders who committed crimes against children or persons with disabilities and youthful offenders. We then calculated the average number of days between the dates these sex offenders were assigned to a SORB employee to be classified and the dates SORB assigned its initial classifications for these offenders. We compared this calculated average number of days for the 682 sex offenders to the calculated average number of days for the remaining 297 sex offenders who did not commit crimes against children or persons with disabilities and were not youthful offenders.

To determine whether SORB used information from executive branch agencies to identify the current addresses of sex offenders considered in violation, we interviewed officials from DTA and reviewed the interdepartmental service agreement between SORB and DTA, which allowed SORB to receive addresses of sex offenders considered in violation from DTA. We also performed the following procedures:

• We obtained the list of sex offenders considered in violation that SORB provided to DTA. We selected a nonstatistical, random sample of 25 weeks of data from a population of 104 weeks of data that SORB sent to DTA for the audit period. We inspected SORIS2 to determine whether SORB had sent to DTA all sex offenders considered in violation within the 25 weeks of data in our sample, as required by Section 178F of Chapter 6 of the General Laws.
• We selected a nonstatistical, random sample of 24 weeks of data from the population of 104 weeks of data sent by DTA to SORB for the audit period. We inspected SORIS2 to determine whether SORB updated sex offenders’ addresses to reflect information from DTA, as required by Section 178F of Chapter 6 of the General Laws.
• We interviewed SORB’s employees to determine to what extent SORB sent information, such as the last known addresses of sex offenders considered in violation or whose addresses could not be verified, to other executive branch agencies, as required by Section 178F of Chapter 6 of the General Laws. These agencies include the Department of Children and Families, the Department of Revenue, the Division of Occupational Licensure, and the Department of Housing and Community Development. We verified that SORB received monthly data on sex offenders considered in violation or whose addresses could not be verified from the Department of Children and Families for the 24 months of the audit period. We interviewed SORB officials to determine whether SORB performed address verification data matching with the Department of Revenue, the Division of Occupational Licensure, and the Department of Housing and Community Development during the audit period.

To determine whether SORB established a business continuity plan and a disaster recovery plan, we interviewed SORB’s employees and reviewed EOTSS’s Business Continuity and Disaster Recovery Standard IS.005, dated October 15, 2018.

We used nonstatistical sampling methods for our testing and therefore did not project the results of our testing to any population.

To determine the reliability of the data within SORIS2, we interviewed SORB’s information technology personnel and reviewed information security policies and procedures from SORB and the Department of Criminal Justice Information Services. Specifically, we reviewed policies and procedures for security management, configuration management, contingency planning, and segregation of duties. We also tested whether (1) SORIS2 users completed cybersecurity awareness training, (2) SORB conducted background checks of users before they were given access, and (3) SORB removed users from the system when their access was no longer required. We assessed the reliability of data from SORIS2 related to classifications, registrations, and violations by performing electronic testing for duplicates, missing data, and data outside the audit period and by interviewing SORB officials who were knowledgeable about the data. We determined that the data were sufficiently reliable for the purposes of this audit.