Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of the Commonwealth Corporation

March 19, 2019 · Commonwealth Corporation · Read the full official report on mass.gov ↗

Published March 19, 2019 Audit covers July 1, 2015 – June 30, 2018 Under Suzanne M. Bump · 2011–2023

In plain English
The audit found that Commonwealth Corporation generally handled its workforce training grant program, but failed in two areas: protecting employee personal information and reporting required payroll and spending data for public transparency.
source
“CommCorp did not adequately protect confidential employee information.”
Read the plain-English breakdown
What is this?

This is a Massachusetts State Auditor performance audit of Commonwealth Corporation covering July 1, 2015 through June 30, 2018.

“This report details the audit objectives, scope, methodology, findings, and recommendations for the audit period, July 1, 2015 through June 30, 2018.”
Why was it audited?

Auditors reviewed how CommCorp managed a workforce training grant program, protected personal information, and followed public financial reporting rules.

“In this performance audit, we examined certain activities of CommCorp’s administration of the General Program within its Workforce Training Fund Program, its protection of personally identifiable information in its records, and its compliance with the General Laws regarding providing its financial records to the Secretary of Administration and Finance for public disclosure.”
Why it matters

The audit matters because a hacker accessed payroll information from W-2 forms for 164 current and former employees, putting them at possible risk of fraud.

“Current and former employees affected by this breach may be at risk of fraud.”
What's in it for me?

For an ordinary citizen, the key issue is whether a publicly connected agency is protecting sensitive worker data and making its spending visible to the public.

“As a result, CommCorp did not allow the Commonwealth to give the public a sufficient level of transparency regarding CommCorp’s operations, including its overall financial health and the nature and extent of its expenses.”
The bottom line

The auditor found two problems: CommCorp did not adequately safeguard confidential employee information, and it did not submit all required payroll and spending information for public posting.

“CommCorp did not submit required payroll and expenditure information to the Commonwealth to be made available to the public on a searchable website.”
What happens next

The auditor recommended stronger security training and controls, plus policies to make sure payroll and spending information is submitted for public posting.

“CommCorp should develop policies and procedures that require periodic security awareness training for all employees.”
Why it's significant

The report is significant because it found weaknesses in both cybersecurity and public accountability at a quasi-public agency that administers workforce training grants funded through state unemployment tax payments.

“The program’s purpose is to enhance business productivity and competitiveness by providing resources to medium-sized and small businesses to upgrade their workforces’ skills.”
Jargon, unpacked

Personally identifiable information means data that can identify a person; in this report, the concern was payroll data from employees’ W-2 tax forms.

“The hacker accessed payroll data from 164 current and former employees’ federal W-2 forms for the period 2008 through 2017.”

1 figure(s) pending source verification - not shown

What the Auditor checked

What the Auditor found

Commonwealth Corporation did not adequately protect confidential employee information.
cybersecuritydata privacyinternal controls

Why it matters: Current and former employees affected by the breach may be at risk of fraud.

Standard: Commonwealth Corporation’s password policy and COSO cyber-risk control guidance. ( CommCorp’s “Internal Policies and Procedures Password Policy,” dated October 11, 2016 )

2 recommendations
  • CommCorp should develop policies and procedures that require periodic security awareness training for all employees.agency: already implemented
  • CommCorp should consider adopting security practices outlined in the COSO model to enhance its control activities to prevent, detect, and mitigate cyber-risks.
Agency response & Auditor reply
Agency: "We have updated our Information Technology policies and procedures to strengthen policy and practice regarding the use and protection of personally identifiable information."
Commonwealth Corporation did not submit required payroll and expenditure information for public posting.
reporting timelinessrecordkeeping/documentationinternal controls

Why it matters: The public lacked a sufficient level of transparency regarding Commonwealth Corporation’s operations, financial health, and expenses.

Standard: Section 14C of Chapter 7 of the Massachusetts General Laws. ( Section 14C of Chapter 7 of the Massachusetts General Laws )

1 recommendation
  • CommCorp should contact CTR to obtain an understanding of how to submit information to EOAF for posting to CTR’s searchable website and submit all the required information for fiscal and calendar years 2016 and 2017 as well as any deficient fiscal and calendar years before our audit period.
Agency response & Auditor reply
Agency: "Commonwealth Corporation has developed policies and procedures to ensure payroll and expense data are uploaded to the Commonwealth’s CTHRU searchable website every year."

More audits of this entity

Other Office of the State Auditor reports on Commonwealth Corporation .

See this entity's page with all 2 audits →