Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of the Division of Professional Licensure

September 15, 2021 · Division of Professional Licensure · Read the full official report on mass.gov ↗

Published September 15, 2021 Audit covers July 1, 2017 – March 31, 2020 Under Suzanne M. Bump · 2011–2023

In plain English
Auditors tried to check whether the Division of Professional Licensure properly ran criminal record and sex offender checks for people applying for licenses, but the agency's records were too incomplete and unreliable to prove whether it did.
source
“We were not able to determine whether DPL conducted CORI or SORI checks for all license applicants because the data in Accela and MLO were incomplete and inaccurate.”
Read the plain-English breakdown
What is this?

This is a Massachusetts State Auditor performance audit of the Division of Professional Licensure covering July 1, 2017 through March 31, 2020.

“This report details our audit objectives, scope, methodology, and conclusions for the audit period, July 1, 2017 through March 31, 2020.”
Why was it audited?

The audit was meant to determine whether DPL followed its own process for checking license applicants' criminal record and sex offender record information.

“The purpose of this audit was to determine whether DPL performed Criminal Offender Record Information (CORI) and Sex Offender Record Information (SORI) checks for license applicants in accordance with the requirements of its license application process.”
Why it matters

DPL oversees licensing for many jobs and businesses, so weak background-check controls could affect public safety and consumer protection.

“DPL’s mission is to protect the public health, safety and welfare by licensing qualified individuals and businesses to provide services to consumers, while ensuring the fair and consistent enforcement of licensing laws and regulations.”
What's in it for me?

If you live in Massachusetts, this matters because DPL licenses and regulates hundreds of thousands of workers, businesses, and schools that may provide services to the public.

“Collectively, DPL boards and offices license and regulate more than 580,000 individuals, businesses, and schools to engage in over 150 trades and professions in Massachusetts.”
The bottom line

The auditor could not reach a clear yes-or-no answer because DPL's systems lacked reliable background-check data, but the report still identified several process problems DPL should fix.

“We could not determine whether DPL conducted CORI or SORI checks for all license applicants because the data in DPL’s Accela2 and MyLicense3 Office software had significant limitations and did not provide an adequate basis for addressing our audit objectives.”
What happens next

The auditor recommended stronger policies, better documentation, more consistent background-check procedures, and a compliant internal control plan; DPL said it had begun creating procedures and a centralized background check unit.

“DPL should establish policies and procedures that standardize the background check process for all of its boards and agencies that use vendors to perform their licensing-related activities so that no vendor can issue a license to an applicant before the applicant has passed a CORI check.”
Why it's significant

The report points to a serious oversight issue: DPL did not have enough controls or reliable records to show that background checks were consistently done before licenses were issued.

“This control deficiency increases the risk of a vendor issuing a license to someone who may have a criminal record that should preclude him/her from obtaining the license.”
Jargon, unpacked

CORI means criminal record information, SORI means sex offender record information, and an internal control plan is the agency's system for managing risks and making sure required procedures are followed.

“To comply with CTR internal control guidelines, an ICP must contain information on the eight components of ERM: internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring.”

What the Auditor checked

What the Auditor found

DPL did not adequately administer CORI and SORI background check processes for licensees and license applicants.
public safetyinternal controlslicensing/inspectionsrecordkeeping/documentationvendor oversight

Why it matters: Weak background check controls could allow inconsistent checks, incomplete documentation, licenses issued before satisfactory CORI results, and increased public safety risk.

Standard: The CORI law is intended to protect vulnerable populations, and DPL should have internal controls, policies, and procedures over background check processes. ( CORI law )

4 recommendations
  • DPL should develop and implement policies and procedures for background check processes.agency: already implemented
  • DPL should create guidance for OPSI boards and commissions to assess risk to vulnerable populations and create standards for CORI checks.agency: agreed
  • DPL should consider performing periodic background checks when licensees renew their licenses.agency: partially agreed
  • DPL should establish policies and procedures so vendors cannot issue licenses before applicants pass CORI checks.agency: already implemented
Agency response & Auditor reply
Agency: "DPL appreciates the recommendations contained in the draft audit report regarding internal controls over background checks, which are in line with the changes the agency was working on before the audit began."
DPL did not have a compliant internal control plan.
internal controlsrecordkeeping/documentation

Why it matters: The lack of a compliant ICP impeded DPL from identifying vulnerabilities that could prevent it from achieving objectives and exposed it to heightened operational risks.

Standard: An internal control plan must address the eight components of enterprise risk management and be updated at least annually. ( Office of the Comptroller of the Commonwealth internal control guidelines; CTR Internal Control Guide; Committee of Sponsoring Organizations of the Treadway Commission Enterprise Risk Management—Integrated Framework )

1 recommendation
  • DPL should ensure that it has a compliant ICP and update it whenever significant changes occur in objectives, risks, management structure, or program scope.agency: agreed
Agency response & Auditor reply
Agency: "The DPL ICB plans to issue an updated ICP for FY2022 that addresses all eight components of the Enterprise Risk Management approach, including risk assessment and risk response."

More audits of this entity

Other Office of the State Auditor reports on Division of Professional Licensure .

See this entity's page with all 2 audits →