Audit of the Department of Conservation and Recreation
November 3, 2022 · Department of Conservation and Recreation · Read the full official report on mass.gov ↗
source
“DCR did not have adequate processes or procedures to ensure that its contractors met its workforce participation goal for women and minorities.”
Read the plain-English breakdown
This is a Massachusetts State Auditor performance audit of the Department of Conservation and Recreation covering July 1, 2019 through June 30, 2021.
“This report details the audit objectives, scope, methodology, findings, and recommendations for the audit period, July 1, 2019 through June 30, 2021.”
The audit checked whether DCR had systems to make sure construction contractors followed workforce participation goals and business ownership goals for women and minorities.
“In this performance audit, we determined whether DCR had internal tracking, oversight, and enforcement procedures to ensure that contractors complied with its workforce participation goal1 in accordance with Section 44A(1)(G) of the General Laws and the Executive Office of Administration and Finance administrative bulletin “Equal Opportunity and Non-discrimination on State and State-Assisted Construction Contracts.””
If DCR does not collect and review the right information, it cannot tell whether contractors are actually meeting required goals for women and minority participation.
“Without adequate processes or procedures, DCR could not collect the data to calculate the workforce participation goal achieved for the 99 construction contracts that were active during our audit period.”
DCR manages public parks, forests, reservations, campgrounds, swimming pools, and bike trails, so its contracting practices affect public projects connected to places ordinary residents use.
“It operates under the direction of the Executive Office of Energy and Environmental Affairs and is responsible for the administration and oversight of state parks, forests, reservations, and recreational facilities (e.g., campgrounds, swimming pools, and bike trails).”
The audit found three main problems: weak monitoring of workforce participation goals, missing payment certificates needed to track business ownership goals, and incomplete cybersecurity training.
“DCR did not ensure that all employees completed required annual cybersecurity awareness training during the audit period.”
The auditor recommended that DCR create and use clearer policies, procedures, monitoring, and enforcement steps; DCR said it has taken measures to address some concerns.
“DCR should develop policies and procedures to effectively monitor the extent to which each construction contractor achieves the business ownership goal for women and minorities.”
The report matters because weak oversight can make diversity goals unenforceable in practice, and weak cybersecurity training can expose the agency to avoidable risks.
“If employees do not receive cybersecurity awareness training, DCR could face a higher risk of cybersecurity attacks and financial and/or reputation losses.”
A workforce participation goal means a required share of construction work hours that should be performed by women and minority workers.
“Workforce participation goals are the percentages of work hours for each construction contract that must be worked by minorities and women.”
What the Auditor checked
- Did not comply Does DCR have internal tracking, oversight, and enforcement procedures to ensure compliance with its workforce participation goal under Section 44A(1)(G) of Chapter 149 of the General Laws?
- Did not comply Does DCR ensure that construction contracts under Chapters 30 and 149 of the General Laws meet its business ownership goal for women and minorities in accordance with Section 8 of Part 1 of its “Instructions to Bidders”?
What the Auditor found
Why it matters: DCR could not collect the data needed to calculate workforce participation goal achievement for 99 active construction contracts.
Standard: Section 44A(1)(G) of Chapter 149 of the Massachusetts General Laws and the Executive Office of Administration and Finance administrative bulletin “Equal Opportunity and Non-discrimination on State and State-Assisted Construction Contracts.” ( Section 44A(1)(G) of Chapter 149 of the Massachusetts General Laws; Executive Office of Administration and Finance’s “Equal Opportunity and Non-discrimination on State and State-Assisted Construction Contracts” administrative bulletin )
1 recommendation
- DCR should develop policies and procedures to effectively monitor and collect the data necessary to ensure that the contractors achieve the workforce participation goal.
Agency response & Auditor reply
Agency: "DCR has established a process and procedures to ensure that contractors meet workforce participation goals for women and minorities."
Auditor: "Therefore, we reiterate our recommendation that DCR should develop policies and procedures to effectively monitor and collect the data necessary to ensure that the contractors achieve the workforce participation goal."
Why it matters: DCR could not monitor contractors’ compliance with the 10.4% combined women and minority business ownership goal.
Standard: Part III of DCR’s standard construction contract and Section 8 of Part 1 of DCR’s “Instructions to Bidders.” ( Part III of DCR’s standard construction contract; Section 8 of Part 1 of DCR’s “Instructions to Bidders” )
1 recommendation
- DCR should develop policies and procedures to effectively monitor the extent to which each construction contractor achieves the business ownership goal for women and minorities. These policies and procedures should include the enforcement provisions, stated in the contract, that DCR will use against contractors that do not meet the goal.agency: agreed
Agency response & Auditor reply
Agency: "DCR agrees that it is desirable to improve rates of submission of certificates of payment and has taken a number of steps to improve compliance."
Auditor: "Based on its response, DCR has taken measures to address our concerns on this matter."
Why it matters: DCR faced a higher risk of cybersecurity attacks and financial or reputational losses.
Standard: Executive Office of Technology Services and Security Information Security Risk Management Standard IS.010. ( Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010 )
2 recommendations
- DCR should stay informed about all requirements of EOTSS’s Information Security Risk Management Standard IS.010.agency: already implemented
- DCR should document and implement policies and procedures that require all employees to complete initial and annual cybersecurity awareness training. The policies and procedures should include internal controls to monitor and document completion of the training.agency: already implemented
Agency response & Auditor reply
Agency: "DCR now has new tools and controls to ensure that all employees complete required training, including cybersecurity training."
Auditor: "Based on its response, DCR has taken measures to address our concerns on this matter."
More audits of this entity
Other Office of the State Auditor reports on Department of Conservation and Recreation .
- The Department Of Conservation And Recreation's Use Of American Recovery And Reinvestment Act FundsState Agency / Office · MARCH 1, 2011
-
Audit of the Department of Conservation and RecreationState Agency / Office · June 14, 2018 -
Audit of Settlement Agreements and Confidentiality Clauses Across Multiple State Agencies - Department of Conservation and Recreation (January 28, 2025)State Agency / Office · January 28, 2025