Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of the Department of Transitional Assistance (January 30, 2026)

January 30, 2026 · Department of Transitional Assistance · Read the full official report on mass.gov ↗ · official site ↗

Published January 30, 2026 Audit covers July 1, 2021 – June 30, 2023 Under Diana DiZoglio · 2023–present

In plain English
The audit found that DTA generally ran its benefits programs, but had problems with some work plans, staff recordkeeping, cybersecurity training records, and tracking of EBT cards.
source
“Below is a summary of our findings, the effects of our findings, and our recommendations, with hyperlinks to each page listed.”
Read the plain-English breakdown
What is this?

This is a Massachusetts State Auditor performance audit of the Department of Transitional Assistance, the agency that manages SNAP, cash assistance, and related support programs.

“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the Department of Transitional Assistance (DTA) for the period July 1, 2021 through June 30, 2023.”
Why was it audited?

Auditors checked whether DTA followed rules for its Pathways to Work program, protected personal information, and controlled blank EBT cards.

“The purpose of our audit was to determine whether DTA did the following:”
Why it matters

The problems matter because weak records and weak controls can put people’s personal information and public benefits at risk.

“Misuse of PII can not only have severe long-term consequences for program participants but also for DTA and the Commonwealth of Massachusetts.”
What's in it for me?

If you receive benefits, this audit is about whether your benefits, EBT card, and personal information are being handled carefully.

“Recipients entrust DTA with their personal information in order to access their benefits, and a breach would be a violation of that trust.”
The bottom line

The auditor found five main problems: missing or unproven work plans, missing CORI and training records, EBT reconciliation issues, missing daily logs, and cards assigned to inactive locations.

“DTA did not always provide EDPs for its PTW program participants as required by 106 CMR 707.110.”
What happens next

DTA said it agreed with several recommendations and is making changes; the auditor said the office will check progress later.

“We will review progress on this matter as part of our post-audit review process in approximately six months.”
Jargon, unpacked

An EBT card is the card people use to receive SNAP or cash benefits, similar to a debit card, but benefits are loaded only after eligibility is approved.

“EBT cards function similarly to traditional debit cards provided by banks, which are designed to allow individuals to receive benefits conveniently and securely.”

What the Auditor checked

What the Auditor found

DTA did not always provide required Employment Development Plans for Pathways to Work participants.
recordkeeping/documentationinternal controls

Why it matters: Participants may be placed in programs that do not meet their needs, wasting resources and undermining program goals.

Standard: Section 707.110(A)(1) of Title 106 of the Code of Massachusetts Regulations requires an EDP to be completed every year for specified grantees and participants. ( Section 707.110(A)(1) of Title 106 of the Code of Massachusetts Regulations )

3 recommendations
  • DTA should consistently provide EDPs for all TAFDC PTW program participants.agency: agreed
  • DTA should ensure that its FEWs follow DTA policies and procedures when developing and maintaining EDPs for participants.agency: agreed
  • DTA should implement monitoring controls to ensure that each participant’s file includes all required documents that should be stored within the Benefit Eligibility and Control Online Network (BEACON) system.agency: agreed
Agency response & Auditor reply
Agency: "DTA agrees with [the Office of the State Auditor’s (OSA’s)] first recommendation that it should consistently provide [Employment Development Plans (EDPs)] for TAFDC PTW participants, because it believes these are a critical component of transitioning clients to self-sufficiency."
Auditor: "We acknowledge DTA’s response and its stated commitment to providing complete and individualized EDPs for all TAFDC PTW participants."
DTA did not consistently retain CORI background checks and cybersecurity training records for employees with system access.
cybersecuritydata privacyrecordkeeping/documentationinternal controls

Why it matters: There is a higher-than-acceptable risk of unauthorized access to participants’ personally identifiable information and potential regulatory fines or litigation from a breach.

Standard: DTA’s Information System Security Plan, 101 CMR 15.00, EOTSS Information Security Risk Management Standard IS.010, and 803 CMR 2.14(4). ( 101 CMR 15.00; Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010; 803 CMR 2.14(4) )

4 recommendations
  • DTA should coordinate with EOHHS and the Human Resources Division to maintain copies of each employee’s CORI background check documentation in DTA employee files for seven years from the last date of employment or the date of the final decision regarding employment.agency: agreed
  • DTA should regularly review and maintain employee files to ensure that required documents, such as CORI background checks, are retained.agency: agreed
  • DTA should implement monitoring controls to ensure that its employees complete cybersecurity awareness training at least annually.agency: agreed
  • DTA should suspend user access if an employee does not complete their cybersecurity awareness training by a required deadline.agency: agreed
Agency response & Auditor reply
Agency: "DTA agrees with [the Office of the State Auditor’s (OSA’s)] first and second recommendations that it should collaborate with its Secretariat, the Executive Office of Health and Human Services (EOHHS) and the Commonwealth’s Human Resources Division (HRD) to ensure that completed CORI background checks for DTA employees are maintained in compliance with applicable regulations, DTA’s Information System Security Plan, and all relevant access agreements, as well as to ensure requisite documents are retained."
Auditor: "We acknowledge DTA’s response and its agreement with our recommendations to enhance controls over CORI background check documentation and to ensure compliance with cybersecurity training requirements."
DTA could not reconcile issued EBT cards between its eligibility and payment systems.
internal controlsrecordkeeping/documentationvendor oversight

Why it matters: DTA could not ensure eligible families received correct benefits, and unauthorized changes or incorrect distributions could go undetected.

Standard: Section IV of DTA’s “TAO Card Issuance System (CIS) Security & Handling Procedures” and reconciliation best practices cited from the Association of Government Accountants. ( Section IV of DTA’s “TAO Card Issuance System (CIS) Security & Handling Procedures”; Association of Government Accountants Tools and Resources )

2 recommendations
  • To ensure program and data integrity, DTA should establish and implement policies, procedures, and monitoring controls for reconciling the EBT cards issued by the EPPIC system to the BEACON system.agency: agreed
  • DTA should reconcile the BEACON and EPPIC systems regularly to ensure that families with low incomes are receiving the SNAP and cash benefits to which they are entitled.agency: partially agreed
Agency response & Auditor reply
Agency: "DTA agrees with [the Office of the State Auditor’s (OSA’s)] first recommendation that it should maintain policies, procedures, and monitoring controls for reconciling its EBT card inventory."
Auditor: "We acknowledge DTA’s response and its agreement with the recommendations to maintain policies, procedures, and monitoring controls for EBT card inventory."
DTA did not always retain daily EBT card reconciliation logs.
recordkeeping/documentationinternal controls

Why it matters: Missing logs increase the risk that blank EBT cards could be missing or unaccounted for, potentially leading to benefit misuse.

Standard: Section IX of DTA’s “TAO Card Issuance System (CIS) Security & Handling Procedures” requires EBT-related documents to be retained for three years in a secure area and organized for retrieval. ( Section IX of DTA’s “TAO Card Issuance System (CIS) Security & Handling Procedures” )

3 recommendations
  • DTA should further enhance its monitoring controls over EBT card distribution.agency: agreed
  • DTA should retain daily reconciliation logs at all TAOs for at least three years.agency: agreed
  • DTA should maintain all daily reconciliation logs in an orderly manner for easy, retrievable access.agency: agreed
Agency response & Auditor reply
Agency: "Regarding the first recommendation, DTA agrees that it is important to maintain effective monitoring controls over EBT card distribution, including but not limited to maintaining its CIS Daily Reconciliation Logs."
Auditor: "We acknowledge DTA’s response and its agreement with the recommendations regarding the maintenance and retention of CIS Daily Reconciliation Logs."
DTA issued EBT cards from inactive or non-TAO locations in its EPPIC data.
recordkeeping/documentationinternal controlsvendor oversight

Why it matters: Incorrect location data undermines the validity and accuracy of EBT card issuance data and could erode public trust.

Standard: DTA officials stated that each TAO has a unique prefix embedded in the EBT card to identify the associated TAO and support accurate records.

3 recommendations
  • DTA should contact its third-party vendor to deactivate all inactive and non-TAO locations from the EPPIC system.agency: agreed
  • DTA should develop and implement policies and procedures to conduct regular EBT card issuance data reconciliations to ensure that all issued EBT cards are assigned to an accurate TAO.agency: partially agreed
  • DTA should separately create policies and procedures for periodic review of TAOs in the EPPIC system to ensure that the system is consistently updated.agency: agreed
Agency response & Auditor reply
Agency: "Regarding the first recommendation, DTA agrees that TAO locations should be accurate and up to date in the EBT vendor’s electronic system."
Auditor: "We acknowledge DTA’s response and its agreement with the recommendations to ensure that TAO location data in the EPPIC system is accurate and regularly updated."

More audits of this entity

Other Office of the State Auditor reports on Department of Transitional Assistance .

See this entity's page with all 3 audits →