Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of the Department of Conservation and Recreation

November 3, 2022 · Department of Conservation and Recreation · Read the full official report on mass.gov ↗

Published November 3, 2022 Audit covers July 1, 2019 – June 30, 2021 Under Suzanne M. Bump · 2011–2023

In plain English
The auditor found that DCR did not do enough during the audit period to track whether contractors met diversity-related hiring and business goals, and also did not make sure all employees completed required cybersecurity training.
source
“DCR did not have adequate processes or procedures to ensure that its contractors met its workforce participation goal for women and minorities.”
Read the plain-English breakdown
What is this?

This is a Massachusetts State Auditor performance audit of the Department of Conservation and Recreation covering July 1, 2019 through June 30, 2021.

“This report details the audit objectives, scope, methodology, findings, and recommendations for the audit period, July 1, 2019 through June 30, 2021.”
Why was it audited?

The audit checked whether DCR had systems to make sure construction contractors followed workforce participation goals and business ownership goals for women and minorities.

“In this performance audit, we determined whether DCR had internal tracking, oversight, and enforcement procedures to ensure that contractors complied with its workforce participation goal1 in accordance with Section 44A(1)(G) of the General Laws and the Executive Office of Administration and Finance administrative bulletin “Equal Opportunity and Non-discrimination on State and State-Assisted Construction Contracts.””
Why it matters

If DCR does not collect and review the right information, it cannot tell whether contractors are actually meeting required goals for women and minority participation.

“Without adequate processes or procedures, DCR could not collect the data to calculate the workforce participation goal achieved for the 99 construction contracts that were active during our audit period.”
What's in it for me?

DCR manages public parks, forests, reservations, campgrounds, swimming pools, and bike trails, so its contracting practices affect public projects connected to places ordinary residents use.

“It operates under the direction of the Executive Office of Energy and Environmental Affairs and is responsible for the administration and oversight of state parks, forests, reservations, and recreational facilities (e.g., campgrounds, swimming pools, and bike trails).”
The bottom line

The audit found three main problems: weak monitoring of workforce participation goals, missing payment certificates needed to track business ownership goals, and incomplete cybersecurity training.

“DCR did not ensure that all employees completed required annual cybersecurity awareness training during the audit period.”
What happens next

The auditor recommended that DCR create and use clearer policies, procedures, monitoring, and enforcement steps; DCR said it has taken measures to address some concerns.

“DCR should develop policies and procedures to effectively monitor the extent to which each construction contractor achieves the business ownership goal for women and minorities.”
Why it's significant

The report matters because weak oversight can make diversity goals unenforceable in practice, and weak cybersecurity training can expose the agency to avoidable risks.

“If employees do not receive cybersecurity awareness training, DCR could face a higher risk of cybersecurity attacks and financial and/or reputation losses.”
Jargon, unpacked

A workforce participation goal means a required share of construction work hours that should be performed by women and minority workers.

“Workforce participation goals are the percentages of work hours for each construction contract that must be worked by minorities and women.”

What the Auditor checked

What the Auditor found

DCR did not adequately monitor whether contractors met workforce participation goals for women and minorities.
procurement/contractsrecordkeeping/documentationinternal controlsvendor oversight

Why it matters: DCR could not collect the data needed to calculate workforce participation goal achievement for 99 active construction contracts.

Standard: Section 44A(1)(G) of Chapter 149 of the Massachusetts General Laws and the Executive Office of Administration and Finance administrative bulletin “Equal Opportunity and Non-discrimination on State and State-Assisted Construction Contracts.” ( Section 44A(1)(G) of Chapter 149 of the Massachusetts General Laws; Executive Office of Administration and Finance’s “Equal Opportunity and Non-discrimination on State and State-Assisted Construction Contracts” administrative bulletin )

1 recommendation
  • DCR should develop policies and procedures to effectively monitor and collect the data necessary to ensure that the contractors achieve the workforce participation goal.
Agency response & Auditor reply
Agency: "DCR has established a process and procedures to ensure that contractors meet workforce participation goals for women and minorities."
Auditor: "Therefore, we reiterate our recommendation that DCR should develop policies and procedures to effectively monitor and collect the data necessary to ensure that the contractors achieve the workforce participation goal."
DCR did not ensure contractors submitted Certificates of Payment needed to monitor business ownership goal compliance.
procurement/contractsrecordkeeping/documentationinternal controlsvendor oversight

Why it matters: DCR could not monitor contractors’ compliance with the 10.4% combined women and minority business ownership goal.

Standard: Part III of DCR’s standard construction contract and Section 8 of Part 1 of DCR’s “Instructions to Bidders.” ( Part III of DCR’s standard construction contract; Section 8 of Part 1 of DCR’s “Instructions to Bidders” )

1 recommendation
  • DCR should develop policies and procedures to effectively monitor the extent to which each construction contractor achieves the business ownership goal for women and minorities. These policies and procedures should include the enforcement provisions, stated in the contract, that DCR will use against contractors that do not meet the goal.agency: agreed
Agency response & Auditor reply
Agency: "DCR agrees that it is desirable to improve rates of submission of certificates of payment and has taken a number of steps to improve compliance."
Auditor: "Based on its response, DCR has taken measures to address our concerns on this matter."
DCR did not ensure all employees completed required annual cybersecurity awareness training.
cybersecurityinternal controls

Why it matters: DCR faced a higher risk of cybersecurity attacks and financial or reputational losses.

Standard: Executive Office of Technology Services and Security Information Security Risk Management Standard IS.010. ( Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010 )

2 recommendations
  • DCR should stay informed about all requirements of EOTSS’s Information Security Risk Management Standard IS.010.agency: already implemented
  • DCR should document and implement policies and procedures that require all employees to complete initial and annual cybersecurity awareness training. The policies and procedures should include internal controls to monitor and document completion of the training.agency: already implemented
Agency response & Auditor reply
Agency: "DCR now has new tools and controls to ensure that all employees complete required training, including cybersecurity training."
Auditor: "Based on its response, DCR has taken measures to address our concerns on this matter."

More audits of this entity

Other Office of the State Auditor reports on Department of Conservation and Recreation .

See this entity's page with all 4 audits →