Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of the Cape and Islands District Attorney’s Office (November 25, 2025)

November 25, 2025 · Cape and Islands District Attorney's Office · Read the full official report on mass.gov ↗

Published November 25, 2025 Audit covers July 1, 2022; extended – July 1, 2019 for employee settlement agreements to June 30, 2024 Under Diana DiZoglio · 2023–present

In plain English
The auditor found that the Cape and Islands District Attorney’s Office had weak follow-through in three areas: tracking sexual assault evidence kits, documenting employee settlement processes, and making sure staff completed cybersecurity training.
source
“Below is a summary of our findings, the effects of those findings, and recommendations, with hyperlinks to each page listed.”
Read the plain-English breakdown
What is this?

This is a Massachusetts State Auditor performance audit of the Cape and Islands District Attorney’s Office, covering mostly July 2022 through June 2024, with a longer lookback for employee settlement agreements.

“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of certain activities of the Cape and Islands District Attorney’s Office (CIDAO) for the period July 1, 2022 through June 30, 2024.”
Why was it audited?

Auditors checked whether the office followed rules and best practices for sexual assault evidence kit tracking, cybersecurity training, employee settlement policies, and reporting monetary settlements to the state comptroller.

“The purpose of this audit was to determine the following:”
Why it matters

The issues matter because they involve sensitive survivor information, public accountability around employee payments, and the office’s exposure to cybersecurity risks.

“If CIDAO does not promptly revoke former employees’ access rights to the Track-Kit system, then there is a risk of unauthorized access to sensitive case and survivor information.”
What's in it for me?

For residents, the practical concern is whether a public prosecutor’s office is protecting sensitive information, handling taxpayer-funded settlements properly, and training employees to reduce cyber risks.

“Without educating its employees on their responsibility to protect the security of information assets, CIDAO exposes itself to a higher risk of cybersecurity attacks and financial and/or reputational losses.”
The bottom line

The auditor concluded that the office did not participate enough in the sexual assault kit tracking system, did not meet cybersecurity training expectations, and lacked documented settlement policies.

“No; see Finding 2”
What happens next

The auditor recommended written policies, better access controls, staff training, settlement recordkeeping, and coordination with state agencies; the auditor also said the office’s progress will be checked later.

“We will follow up on this matter in approximately six months, as part of our post-audit review process.”
Why it's significant

The report points to gaps in basic government controls at an office that handles criminal cases, sensitive victim-related information, public funds, and employee records.

“The Track-Kit system was designed to increase transparency, accountability, and survivor-centered care in the handling of SAECKs.”
Jargon, unpacked

CIDAO means the Cape and Islands District Attorney’s Office. SAECK means a sexual assault evidence collection kit. Track-Kit is the state web system used to track those kits from collection through later steps.

“EOPSS implemented the web-based Track-Kit system to allow all users to trace a SAECK’s location from distribution to collection to processing to storage.”

4 figure(s) pending source verification - not shown

What the Auditor checked

What the Auditor found

CIDAO did not promptly remove former employees’ Track-Kit access or complete required contact information fields.
data privacyinternal controlsrecordkeeping/documentation

Why it matters: There is a risk of unauthorized access to sensitive case and survivor information, and survivors may not have an informed single point of contact.

Standard: Section 18X(g) of Chapter 6A of the General Laws; Track-Kit User Manual; EOPSS Policies and Procedures for Sexual Assault Evidence Collection Kit Tracking; EOTSS Access Management Standard IS.003 ( Section 18X(g) of Chapter 6A of the General Laws; Section 6.1.6 of the Executive Office of Technology Services and Security’s Access Management Standard IS.003 )

2 recommendations
  • CIDAO should assign its contact information to each SAECK within its jurisdiction in the Track-Kit system and should train its employees on how to use the system.
  • CIDAO should develop, document, and implement policies and procedures for Track-Kit system access authorization for new users and the revocation of access upon termination of users.
Agency response & Auditor reply
Agency: "After the audit period, the Cape and Islands District Attorney’s Office has reached out to the Executive Office of Public Safety regarding the tracking program and has engaged in meetings to schedule appropriate training for our staff."
Auditor: "Regarding the training of employees in the use of the Track-Kit system, CIDAO appears to be taking steps to address some of the issues raised in this finding."
CIDAO did not ensure employees completed required cybersecurity awareness training.
cybersecurityinternal controls

Why it matters: CIDAO faces higher risk of cybersecurity attacks and financial and reputational losses.

Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 ( Section 6.2 of EOTSS’s Information Security Risk Management Standard IS.010 )

2 recommendations
  • CIDAO should ensure that all employees complete annual cybersecurity awareness training and that all newly hired employees complete initial training within the first 30 days of their new hire orientation.agency: already implemented
  • CIDAO should design and implement policies and procedures to ensure that its employees complete cybersecurity awareness training.
Agency response & Auditor reply
Agency: "Aware of our obligation and the importance of cybersecurity, the Cape and Islands District Attorney’s Office first worked to staff the [information technology] department, as identified above, and then began the process of identifying the requirements and implementation of Cybersecurity training for our staff, which have since been completed."
Auditor: "CIDAO appears to be taking steps to address the issues raised in this finding."

More audits of this entity

Other Office of the State Auditor reports on Cape and Islands District Attorney's Office .

See this entity's page with all 4 audits →