Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of the Department of Industrial Accidents

March 23, 2021 · Department of Industrial Accidents · Read the full official report on mass.gov ↗

Published March 23, 2021 Audit covers July 1, 2017 – June 30, 2019 Under Suzanne M. Bump · 2011–2023

In plain English
The audit found problems with reporting, case deadlines, and computer access controls at the Department of Industrial Accidents, while other areas reviewed met the audit standards.
source
“DIA did not have adequate logical access controls for its CMS.”
Read the plain-English breakdown
What is this?

This is a state performance audit of the Massachusetts Department of Industrial Accidents, the agency that handles workers' compensation disputes.

“DIA acts as the court system—the place where disputes regarding benefits are resolved—for workers’ compensation cases.”
Why was it audited?

Auditors checked whether the agency followed laws and policies for reporting, workers' compensation case handling, opioid-related treatment disputes, flextime, and parking benefits.

“In this performance audit, we determined whether DIA reported all fees, penalties, and continuances to the Workers’ Compensation Advisory Council1 (WCAC) within the timeframes established by Sections 7F and 11 of Chapter 152 of the General Laws and adjudicated workers’ compensation cases in accordance with Sections 10A and 11 of Chapter 152 of the General Laws.”
Why it matters

Delays and missing reports can make it harder to oversee the workers' compensation system and can hurt people waiting for decisions or benefits.

“As a result, cases could become backlogged and individuals could suffer economic losses because of delays in case processing.”
What's in it for me?

If you are an injured worker, employer, attorney, or taxpayer, this matters because the agency is supposed to move cases on time, track key information, and protect sensitive case data.

“It is also responsible for making sure employers in Massachusetts have workers’ compensation insurance.”
The bottom line

The agency did not report all required fees, penalties, and continuances, did not always meet required case timeframes, and had weaknesses in access controls for its case management system.

“DIA did not always meet its mandated timeframes for completing certain case claim events.”
What happens next

The auditor recommended that DIA report the missing information, create procedures for reporting and case timing, improve access controls, remove terminated employees' access right away, and formally develop a continuity plan.

“DIA should report attorney fees, insurer penalties, and case continuances to WCAC.”
Jargon, unpacked

DIA is the state workers' compensation agency; WCAC is the oversight council; CMS is DIA's case management system; BCP means business continuity plan, a plan for keeping critical work going during disruptions.

“WCAC oversees the workers’ compensation system in Massachusetts.”
Identified in this audit - source-verified
$60,430

What the Auditor checked

What the Auditor found

DIA did not report all required fees, penalties, and case continuances to WCAC.
reporting timelinessrecordkeeping/documentationinternal controls

Why it matters: WCAC could not accurately monitor penalties, fees assessed against insurers and paid to attorneys, or case continuances.

Standard: Sections 7F and 11 of Chapter 152 of the Massachusetts General Laws ( Section 7F of Chapter 152 of the Massachusetts General Laws; Section 11 of Chapter 152 of the Massachusetts General Laws )

2 recommendations
  • DIA should report attorney fees, insurer penalties, and case continuances to WCAC.agency: agreed
  • DIA should develop policies and procedures to establish a process for reporting attorney fees, insurer penalties, and case continuances to ensure that this information is reported to WCAC.agency: agreed
Agency response & Auditor reply
Agency: "The DIA will update its practices to ensure that all fees, penalties, and case continuances are included in the data presented to the Advisory Council during the regularly scheduled meetings."
DIA did not always complete case claim events within mandated timeframes.
reporting timelinessinternal controls

Why it matters: Cases could become backlogged and individuals could suffer economic losses because of delays in case processing.

Standard: Sections 10A and 11 of Chapter 152 of the Massachusetts General Laws ( Section 10A(1–3) of Chapter 152 of the General Laws; Section 11 of Chapter 152 of the General Laws )

1 recommendation
  • DIA should develop policies and procedures regarding the completion of single- and group-case claim events to ensure consistency in meeting its timeframes.agency: partially agreed
Agency response & Auditor reply
Agency: "The DIA will continue its efforts to meet the 28-day timeframe specified in the statute."
DIA did not retain employees’ security awareness training certificates.
cybersecurityrecordkeeping/documentationinternal controls

Why it matters: Insufficient security awareness training may lead to user error and compromise the integrity and security of protected information in DIA’s CMS.

Standard: EOTSS Information Security Risk Management Standard and Executive Order 504 ( Section 6.2.4 of the Executive Office of Technology Services and Security’s “Information Security Risk Management Standard”; Section 6 of Executive Order 504 )

2 recommendations
  • DIA should keep security awareness training certificates in employee personnel files.agency: agreed
  • DIA should develop a formal process to ensure that security awareness training certificates are collected and retained in each employee’s personnel file.agency: agreed
Agency response & Auditor reply
Agency: "The Department of Industrial Accidents (DIA) will work with EOLWD HR to ensure the security awareness training certificate is included in the personnel file and will retain a copy of the certificate in the DIA’s internal document management system."
DIA did not have documented management approval for some CMS access rights.
cybersecuritydata privacyrecordkeeping/documentationinternal controls

Why it matters: Employees could have access to and alter CMS personal information beyond what their job duties require.

Standard: EOTSS Enterprise Access Control Security Standards and Access Management Standard ( Section 2.1 of EOTSS’s “Enterprise Access Control Security Standards”; Section 6.1.4.3 of EOTSS’s “Access Management Standard” )

1 recommendation
  • DIA should develop a formal process for recording and maintaining approvals of CMS user access requests.agency: agreed
Agency response & Auditor reply
Agency: "The DIA will not change this practice, as it has been effective in ensuring that employees have only the necessary access required to perform their job functions."
DIA did not always immediately revoke terminated employees’ CMS access.
cybersecuritydata privacyinternal controls

Why it matters: Terminated employees could improperly access claimants’ personal health information and personally identifiable information.

Standard: EOTSS Enterprise Access Control Security Standards ( EOTSS’s “Enterprise Access Control Security Standards” )

1 recommendation
  • DIA should revoke employees’ access to its CMS immediately upon termination.agency: agreed
Agency response & Auditor reply
Agency: "During the audit period this practice was 92% effective and a change in process to revoke access is not warranted."
DIA did not have a business continuity plan.
cybersecurityinternal controls

Why it matters: DIA may not be able to ensure timely restoration of mission-critical and essential business functions or train staff sufficiently in recovery efforts for mission-critical applications such as CMS.

Standard: EOTSS Enterprise Information Security Policy and Business Continuity and Disaster Recovery Standard ( Section 14 of EOTSS’s “Enterprise Information Security Policy”; EOTSS’s “Business Continuity and Disaster Recovery Standard” )

1 recommendation
  • DIA should formally develop a BCP.agency: already implemented
Agency response & Auditor reply
Agency: "The Department of Industrial Accidents (DIA) has recently implemented a complete Business Continuity Plan (BCP)."

Verified dollar findings

Revenue not collected $60,430

Money the entity was owed but failed to assess or collect - unassessed penalties, underpaid incentives.

$60,430 - insurer penalties
Other identified $157,694,993 not in headline

Identified dollar findings that do not fall in a named band.

$157,694,993 - attorney fees

More audits of this entity

Other Office of the State Auditor reports on Department of Industrial Accidents .

See this entity's page with all 3 audits →