Audit of the Executive Office for Administration and Finance
October 10, 2018 · Executive Office for Administration and Finance · Read the full official report on mass.gov ↗
source
“Based on our audit, we have concluded that EOAF has established adequate controls and practices in the areas we reviewed that were related to our audit objectives.”
Read the plain-English breakdown
This is a Massachusetts State Auditor performance audit of the Executive Office for Administration and Finance, focused on certain information technology activities during a six-month period.
“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of certain information technology (IT) activities of the Executive Office for Administration and Finance (EOAF) for the period October 1, 2017 through March 31, 2018.”
The audit was done to see whether EOAF had controls over selected IT operations, especially hardware inventory and vulnerability patching.
“The purpose of this audit was to review and evaluate controls over selected information technology (IT) operations and activities for the period October 1, 2017 through March 31, 2018.”
EOAF matters because it helps run major state financial, budgeting, administrative, tax, human resources, and asset-related functions.
“Through its various entities, EOAF is responsible for maintaining Commonwealth assets, collecting taxes, performing human-resource functions, and supervising other state fiscal and/or administrative matters.”
For an ordinary resident, this audit is about whether a major state office is keeping track of its computers and protecting systems from known software weaknesses.
“In this performance audit, we examined EOAF’s processes for managing the IT hardware connected to its network and determined whether EOAF had a program in place to detect, manage, and patch potential system and software vulnerabilities.”
The auditor answered yes to both audit questions: EOAF actively managed hardware on its network and had a vulnerability detection, management, and patching program.
“Does EOAF have a program in place to detect, manage, and patch1 potential system and software vulnerabilities?”
The report does not describe required corrective action, because the auditor did not find significant deficiencies in the reviewed areas.
“We did not identify any significant deficiencies in those areas.”
The audit is significant because it checked EOAF against government audit standards, state technology policies, and recognized cybersecurity best practices.
“We conducted this performance audit using criteria from policies issued by the Executive Office of Technology Services and Security (EOTSS) as well as industry standards established in the Center for Internet Security Critical Security Controls (CIS Controls) 1 and 3, which are based on the National Institute of Standards and Technology’s (NIST’s) Special Publication 800-53r4.”
A patch is a software update from a manufacturer that fixes security or functionality problems.
“According to the National Institute of Standards and Technology’s Special Publication 800-40r3, patches are software packages deployed by a manufacturer to “correct security and functionality problems in software and firmware.””
What the Auditor checked
- Complied Does EOAF actively manage the inventory of hardware devices connected to its network?
- Complied Does EOAF have a program in place to detect, manage, and patch potential system and software vulnerabilities?
More audits of this entity
Other Office of the State Auditor reports on Executive Office for Administration and Finance .
- Audit of the Executive Office for Administration and Finance (May 29, 2024)State Agency / Office · May 29, 2024
-
Audit of Settlement Agreements and Confidentiality Clauses Across Multiple State Agencies - Executive Office for Administration and Finance (January 28, 2025)State Agency / Office · January 28, 2025