Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of the Commonwealth Corporation (July 9, 2024)

July 9, 2024 · Commonwealth Corporation · Read the full official report on mass.gov ↗

Published July 9, 2024 Audit covers July 1, 2020 – June 30, 2022 Under Diana DiZoglio · 2023–present

In plain English
The audit found that Commonwealth Corporation did not do enough to track whether YouthWorks helped young people get regular jobs, verify participant eligibility records, train staff on cybersecurity, or control access to the YouthWorks database.
source
“Commonwealth Corporation did not consistently collect or analyze employment outcome data related to its YouthWorks program participants.”
Read the plain-English breakdown
What is this?

This is a Massachusetts State Auditor performance audit of Commonwealth Corporation, focused on some of its activities from July 1, 2020 through June 30, 2022.

“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of certain activities of Commonwealth Corporation (CommCorp) for the period July 1, 2020 through June 30, 2022.”
Why was it audited?

Auditors wanted to know whether CommCorp properly oversaw YouthWorks eligibility and reporting, tracked job outcomes after YouthWorks, and made sure employees completed cybersecurity training.

“The purpose of our audit was to determine the following:”
Why it matters

YouthWorks uses public money to help young people in low-income communities get work experience, so the public needs to know whether the program is reaching eligible participants and helping them move into regular employment.

“If CommCorp does not track its program participants’ employment outcome data, then it cannot evaluate and understand the impact of YouthWorks on the individuals who use the program.”
What's in it for me?

As a taxpayer or community member, this matters because weak tracking makes it harder to know whether public funds are producing results for young people and whether sensitive participant data is being protected.

“This prevents the public and policymakers from determining the effectiveness of this program and use of taxpayer dollars.”
The bottom line

The audit found multiple oversight problems: missing or inconsistent job outcome data, missing eligibility documentation, incomplete or inaccurate Social Security number records, missing cybersecurity training evidence, and weak database access controls.

“CommCorp did not ensure that YouthWorks grant recipients obtained eligibility documentation and accurately recorded program participant information.”
What happens next

The auditor recommended that CommCorp create stronger policies, monitoring controls, data checks, cybersecurity training records, and database access procedures; CommCorp said it was taking steps including a new secure database and revised program reviews.

“Based on its response, CommCorp is taking measures to address our concerns on this matter.”
Why it's significant

The report is significant because it says CommCorp could not fully show whether YouthWorks met a key goal: helping participants get regular jobs after the program.

“It also prevents YouthWorks from demonstrating its value to secure additional funding.”
Jargon, unpacked

“Unsubsidized employment” means a regular job that is not being paid for through the YouthWorks subsidy; the audit says CommCorp should track whether participants get those jobs after the program.

“The YouthWorks program aims to improve the employability of youth placed at risk by offering them structured work and learning opportunities through subsidized employment and supporting activities.”

What the Auditor checked

What the Auditor found

Commonwealth Corporation did not consistently collect or analyze YouthWorks employment outcome data.
recordkeeping/documentationreporting timelinessinternal controls

Why it matters: Without tracking employment outcomes, CommCorp cannot evaluate YouthWorks’ impact, demonstrate value, or support public and policymaker assessment of taxpayer-funded program effectiveness.

Standard: Section 116(b)(2)(A) of the Workforce Innovation and Opportunity Act of 2014; CommCorp’s YouthWorks “Program Administration and Management Guide”; and CommCorp’s memorandum of understanding with the Department of Unemployment Assistance. ( Section 116(b)(2)(A) of the Workforce Innovation and Opportunity Act of 2014; Section VIII (for fiscal year 2021) and Section VII (for fiscal year 2022) of CommCorp’s YouthWorks “Program Administration and Management Guide” )

3 recommendations
  • CommCorp should develop policies and procedures to effectively monitor the extent to which its YouthWorks program achieves its intended purpose of helping program participants secure unsubsidized employment. These policies and procedures should include information on how to routinely collect and analyze employment outcome data related to its YouthWorks program participants.
  • CommCorp should revise its YouthWorks post-program survey to capture information regarding whether a program participant gained unsubsidized employment as a result of its YouthWorks program.agency: already implemented
  • CommCorp should require all YouthWorks grant recipients to report employment outcome data in the YouthWorks database.
Agency response & Auditor reply
Agency: "YouthWorks is in the process of re-tooling its review strategy to analyze participant post-program outcomes."
Auditor: "Based on its response, CommCorp is taking measures to address our concerns on this matter."
Commonwealth Corporation did not ensure YouthWorks grant recipients documented eligibility and accurately recorded participant information.
eligibility determinationrecordkeeping/documentationinternal controls

Why it matters: YouthWorks funds may have supported ineligible individuals, intended participants may not have received funds, and CommCorp may not be able to accurately evaluate or report program outcomes.

Standard: CommCorp’s annual YouthWorks “Program Administration and Management Guide.” ( CommCorp’s YouthWorks “Program Administration and Management Guide” for fiscal years 2021 and 2022 )

2 recommendations
  • CommCorp should develop and implement monitoring controls to ensure that YouthWorks grant recipients obtain documentation to support program participant eligibility and accurately record program participant information in the YouthWorks database.
  • CommCorp should review program participant Social Security numbers that are recorded in the YouthWorks database and correct any incomplete or inaccurate numbers.
Agency response & Auditor reply
Auditor: "Based on its response, CommCorp is taking measures to address our concerns on this matter."
Commonwealth Corporation did not ensure employees completed cybersecurity awareness training.
cybersecurityinternal controls

Why it matters: CommCorp faced a higher-than-acceptable risk of cybersecurity attacks and financial or reputational losses.

Standard: Section 8 of the “Commonwealth Corporation Information Security Policy” and Section 6.2 of EOTSS’s Information Security Risk Management Standard IS.010. ( Section 8 of the “Commonwealth Corporation Information Security Policy”; Section 6.2 of the Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010 )

2 recommendations
  • CommCorp should develop, document, and implement monitoring controls to ensure that its employees complete cybersecurity awareness training within 30 days of their orientation and annually thereafter. The cybersecurity awareness training should include a test of each individual’s understanding of all policies and their role in maintaining the security of CommCorp’s information technology systems.agency: already implemented
  • CommCorp should maintain a record of completion of cybersecurity awareness training for each employee.agency: already implemented
Agency response & Auditor reply
Agency: "Commonwealth Corporation has implemented mandatory comprehensive cybersecurity training."
Auditor: "Based on its response, CommCorp has taken measures to address our concerns on this matter."
Commonwealth Corporation lacked documented management approval for YouthWorks database access rights.
cybersecurityinternal controlsdata privacy

Why it matters: Users may have had unapproved or excessive access to view or alter personal information in the YouthWorks database.

Standard: Section 6.1 of EOTSS’s Access Management Standard IS.003. ( Section 6.1 of EOTSS’s Access Management Standard IS.003 )

1 recommendation
  • CommCorp should develop, document, and implement policies and procedures for YouthWorks database user access requests that include documented management approval.
Agency response & Auditor reply
Agency: "YouthWorks is in the final stages of developing a new secure database, which will be implemented on June 10, 2024."
Auditor: "We reiterate our recommendation that CommCorp should develop, document, and implement policies and procedures for YouthWorks database user access requests that include documented management approval."
Commonwealth Corporation could not show that it promptly revoked former employees’ YouthWorks database access.
cybersecurityinternal controlsdata privacy

Why it matters: Former employees could improperly access or alter personal information in the YouthWorks database.

Standard: Section 8 of the “Commonwealth Corporation Information Security Policy” and Section 6.1 of EOTSS’s Access Management Standard IS.003. ( Section 8 of the “Commonwealth Corporation Information Security Policy”; Section 6.1 of EOTSS’s Access Management Standard IS.003 )

1 recommendation
  • CommCorp should develop, document, and implement policies and procedures for the revocation of user access to the YouthWorks database upon termination of a user’s employment. CommCorp should incorporate periodic access reviews (at least semiannually) to ensure that users’ access rights are limited to their individual job requirements.
Agency response & Auditor reply
Agency: "The new database has a comprehensive audit trail and additional security features to safeguard against any similar future oversights."
Auditor: "As previously stated, CommCorp should also develop, document, and implement policies and procedures for the revocation of user access to the YouthWorks database upon termination of a user’s employment."

More audits of this entity

Other Office of the State Auditor reports on Commonwealth Corporation .

See this entity's page with all 2 audits →