Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of the Committee for Public Counsel Services (June 9, 2023)

June 9, 2023 · Committee for Public Counsel Services · Read the full official report on mass.gov ↗

Published June 9, 2023 Audit covers January 1, 2019 – December 31, 2021 Under Diana DiZoglio · 2023–present

In plain English
The audit found three main problems: interns were not consistently trained on cybersecurity, CPCS did not have a completed business continuity and disaster recovery plan, and its internal control plan was not updated for COVID-19.
source
“CPCS did not ensure that interns receive cybersecurity awareness training.”
Read the plain-English breakdown
What is this?

This is a Massachusetts State Auditor performance audit of the Committee for Public Counsel Services, the state agency that helps provide lawyers for people who cannot afford one.

“The committee is responsible for planning, overseeing, and coordinating criminal and non-criminal legal services to people who cannot afford an attorney in the Commonwealth.”
Why was it audited?

The Auditor reviewed whether CPCS followed certain rules for cybersecurity training, disaster recovery planning, and updating internal controls during the COVID-19 pandemic.

“The objectives of this audit were to determine the following:”
Why it matters

CPCS handles legal services for many people, so weak cybersecurity training and missing continuity planning could put operations, data, money, and public trust at risk.

“In addition, CPCS has not assessed its ability to continue operations in the event of a business interruption, which could lead to reputational loss, financial loss, or breach of data.”
What's in it for me?

If you or someone you know ever needs court-appointed legal help, CPCS needs reliable systems and trained staff so legal services can continue even during cyberattacks, disasters, or other disruptions.

“There were 664,761 new cases assigned to CPCS public defenders and private attorneys in calendar years 2019, 2020, and 2021, which encompass four fiscal years.”
The bottom line

The Auditor found CPCS fell short in three administrative safeguards, and recommended fixing training records, creating and testing a continuity plan, and keeping internal controls up to date.

“CPCS should develop, document, and test a business continuity and disaster recovery plan to implement.”
What happens next

CPCS said it has already made or started changes, including new intern training tracking, continuity planning work, and updates to its internal control plan.

“Based on its response, CPCS is taking measures to address our concerns in this area.”
Why it's significant

The report is significant because CPCS had already experienced a cyberattack in 2019, yet the audit still found gaps in training and recovery planning afterward.

“According to CPCS management, on February 27, 2019, CPCS suffered a cyberattack.”

What the Auditor checked

What the Auditor found

CPCS did not ensure that interns received cybersecurity awareness training.
cybersecurityrecordkeeping/documentationinternal controls

Why it matters: This increased the risk of cybersecurity attacks and financial or reputational losses.

Standard: Section 6.2.3 of EOTSS’s Information Security Risk Management Standard IS.010 requires all new personnel to complete initial security awareness training within 30 days of new-hire orientation. ( Section 6.2.3 of the Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010 )

2 recommendations
  • CPCS should require that interns receive cybersecurity awareness training.agency: already implemented
  • CPCS should have a system to document the receipt of emails from interns who watch the cybersecurity awareness training video.agency: already implemented
Agency response & Auditor reply
Agency: "CPCS completed both development and implementation of a new electronic platform to ensure all interns receive cybersecurity awareness training during onboarding or within 30 days of hire."
Auditor: "Based on its response, CPCS has taken measures to address our concerns in this area."
CPCS did not have a business continuity and disaster recovery plan.
cybersecurityinternal controlsdata privacy

Why it matters: Employees may not be sufficiently trained to perform recovery efforts, and CPCS had not assessed its ability to continue operations during a business interruption.

Standard: Section 6 of EOTSS’s Business Continuity and Disaster Recovery Standard IS.005 requires agencies to establish a business continuity program and develop business continuity plans for critical business processes. ( Section 6 of EOTSS’s Business Continuity and Disaster Recovery Standard IS.005; Section 6.1.1.4 of EOTSS’s Business Continuity and Disaster Recovery Standard IS.005 )

1 recommendation
  • CPCS should develop, document, and test a business continuity and disaster recovery plan to implement.
Agency response & Auditor reply
Agency: "CPCS has documented a Continuity of Operations Plan (“COOP”)."
Auditor: "Based on its response, CPCS is taking measures to address our concerns in this area."
CPCS did not update its internal control plan with a COVID-19 component.
internal controlsrecordkeeping/documentation

Why it matters: The absence of an up-to-date internal control plan may hinder CPCS from identifying vulnerabilities that could prevent it from achieving its mission.

Standard: CTR guidance requires department internal control plans to be based on risk assessments and updated annually or when significant changes occur. ( CTR’s “COVID-19 Pandemic Response Internal Controls Guidance,” dated September 30, 2020; CTR’s “Internal Control Guide,” revised June 25, 2015 )

1 recommendation
  • CPCS should establish policies and procedures to ensure that its ICP is updated annually and when significant changes occur.agency: already implemented
Agency response & Auditor reply
Agency: "CPCS has updated the agency’s Internal Control Plan."
Auditor: "Based on its response, CPCS has taken measures to address our concerns in this area."

More audits of this entity

Other Office of the State Auditor reports on Committee for Public Counsel Services .

See this entity's page with all 4 audits →