Audit of the Cape and Islands District Attorney’s Office (November 25, 2025)
November 25, 2025 · Cape and Islands District Attorney's Office · Read the full official report on mass.gov ↗
source
“Below is a summary of our findings, the effects of those findings, and recommendations, with hyperlinks to each page listed.”
Read the plain-English breakdown
This is a Massachusetts State Auditor performance audit of the Cape and Islands District Attorney’s Office, covering mostly July 2022 through June 2024, with a longer lookback for employee settlement agreements.
“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of certain activities of the Cape and Islands District Attorney’s Office (CIDAO) for the period July 1, 2022 through June 30, 2024.”
Auditors checked whether the office followed rules and best practices for sexual assault evidence kit tracking, cybersecurity training, employee settlement policies, and reporting monetary settlements to the state comptroller.
“The purpose of this audit was to determine the following:”
The issues matter because they involve sensitive survivor information, public accountability around employee payments, and the office’s exposure to cybersecurity risks.
“If CIDAO does not promptly revoke former employees’ access rights to the Track-Kit system, then there is a risk of unauthorized access to sensitive case and survivor information.”
For residents, the practical concern is whether a public prosecutor’s office is protecting sensitive information, handling taxpayer-funded settlements properly, and training employees to reduce cyber risks.
“Without educating its employees on their responsibility to protect the security of information assets, CIDAO exposes itself to a higher risk of cybersecurity attacks and financial and/or reputational losses.”
The auditor concluded that the office did not participate enough in the sexual assault kit tracking system, did not meet cybersecurity training expectations, and lacked documented settlement policies.
“No; see Finding 2”
The auditor recommended written policies, better access controls, staff training, settlement recordkeeping, and coordination with state agencies; the auditor also said the office’s progress will be checked later.
“We will follow up on this matter in approximately six months, as part of our post-audit review process.”
The report points to gaps in basic government controls at an office that handles criminal cases, sensitive victim-related information, public funds, and employee records.
“The Track-Kit system was designed to increase transparency, accountability, and survivor-centered care in the handling of SAECKs.”
CIDAO means the Cape and Islands District Attorney’s Office. SAECK means a sexual assault evidence collection kit. Track-Kit is the state web system used to track those kits from collection through later steps.
“EOPSS implemented the web-based Track-Kit system to allow all users to trace a SAECK’s location from distribution to collection to processing to storage.”
4 figure(s) pending source verification - not shown
What the Auditor checked
- Partially To what extent did the CIDAO participate in the statewide sexual assault evidence collection kit (SAECK) tracking system as required by Section 18X(g) of Chapter 6A of the General Laws?
- Did not comply Did CIDAO adhere to Sections 6.2.3 and 6.2.4 of the Executive Office of Technology Services and Security’s (EOTSS’s) Information Security Risk Management Standard IS.010 with regard to cybersecurity awareness training?
- Did not comply Did CIDAO have internal policies and procedures in place for (a) the review and approval of employee settlement agreements, including the use of non-disclosure, non-disparagement, or similarly restrictive clauses, and (b) the reporting of monetary employee settlements to CTR in accordance with Sections 5.06 and 5.09 of Title 815 of the Code of Massachusetts Regulations (CMR)?
What the Auditor found
Why it matters: There is a risk of unauthorized access to sensitive case and survivor information, and survivors may not have an informed single point of contact.
Standard: Section 18X(g) of Chapter 6A of the General Laws; Track-Kit User Manual; EOPSS Policies and Procedures for Sexual Assault Evidence Collection Kit Tracking; EOTSS Access Management Standard IS.003 ( Section 18X(g) of Chapter 6A of the General Laws; Section 6.1.6 of the Executive Office of Technology Services and Security’s Access Management Standard IS.003 )
2 recommendations
- CIDAO should assign its contact information to each SAECK within its jurisdiction in the Track-Kit system and should train its employees on how to use the system.
- CIDAO should develop, document, and implement policies and procedures for Track-Kit system access authorization for new users and the revocation of access upon termination of users.
Agency response & Auditor reply
Agency: "After the audit period, the Cape and Islands District Attorney’s Office has reached out to the Executive Office of Public Safety regarding the tracking program and has engaged in meetings to schedule appropriate training for our staff."
Auditor: "Regarding the training of employees in the use of the Track-Kit system, CIDAO appears to be taking steps to address some of the issues raised in this finding."
Why it matters: CIDAO faces higher risk of cybersecurity attacks and financial and reputational losses.
Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 ( Section 6.2 of EOTSS’s Information Security Risk Management Standard IS.010 )
2 recommendations
- CIDAO should ensure that all employees complete annual cybersecurity awareness training and that all newly hired employees complete initial training within the first 30 days of their new hire orientation.agency: already implemented
- CIDAO should design and implement policies and procedures to ensure that its employees complete cybersecurity awareness training.
Agency response & Auditor reply
Agency: "Aware of our obligation and the importance of cybersecurity, the Cape and Islands District Attorney’s Office first worked to staff the [information technology] department, as identified above, and then began the process of identifying the requirements and implementation of Cybersecurity training for our staff, which have since been completed."
Auditor: "CIDAO appears to be taking steps to address the issues raised in this finding."
More audits of this entity
Other Office of the State Auditor reports on Cape and Islands District Attorney's Office .
- Cape and Islands District Attorney's OfficeDistrict Attorney · September 10, 2015
- Audit of the Cape and Islands District Attorney’s Office (CIDA)District Attorney · March 3, 2021
- Cape and Islands District Attorney's OfficeDistrict Attorney · February 8, 2012