Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of the Executive Office for Administration and Finance

October 10, 2018 · Executive Office for Administration and Finance · Read the full official report on mass.gov ↗

Published October 10, 2018 Audit covers October 1, 2017 – March 31, 2018 Under Suzanne M. Bump · 2011–2023

In plain English
The auditor checked selected IT controls at the Executive Office for Administration and Finance and found them adequate, with no significant problems in the areas reviewed.
source
“Based on our audit, we have concluded that EOAF has established adequate controls and practices in the areas we reviewed that were related to our audit objectives.”
Read the plain-English breakdown
What is this?

This is a Massachusetts State Auditor performance audit of the Executive Office for Administration and Finance, focused on certain information technology activities during a six-month period.

“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of certain information technology (IT) activities of the Executive Office for Administration and Finance (EOAF) for the period October 1, 2017 through March 31, 2018.”
Why was it audited?

The audit was done to see whether EOAF had controls over selected IT operations, especially hardware inventory and vulnerability patching.

“The purpose of this audit was to review and evaluate controls over selected information technology (IT) operations and activities for the period October 1, 2017 through March 31, 2018.”
Why it matters

EOAF matters because it helps run major state financial, budgeting, administrative, tax, human resources, and asset-related functions.

“Through its various entities, EOAF is responsible for maintaining Commonwealth assets, collecting taxes, performing human-resource functions, and supervising other state fiscal and/or administrative matters.”
What's in it for me?

For an ordinary resident, this audit is about whether a major state office is keeping track of its computers and protecting systems from known software weaknesses.

“In this performance audit, we examined EOAF’s processes for managing the IT hardware connected to its network and determined whether EOAF had a program in place to detect, manage, and patch potential system and software vulnerabilities.”
The bottom line

The auditor answered yes to both audit questions: EOAF actively managed hardware on its network and had a vulnerability detection, management, and patching program.

“Does EOAF have a program in place to detect, manage, and patch1 potential system and software vulnerabilities?”
What happens next

The report does not describe required corrective action, because the auditor did not find significant deficiencies in the reviewed areas.

“We did not identify any significant deficiencies in those areas.”
Why it's significant

The audit is significant because it checked EOAF against government audit standards, state technology policies, and recognized cybersecurity best practices.

“We conducted this performance audit using criteria from policies issued by the Executive Office of Technology Services and Security (EOTSS) as well as industry standards established in the Center for Internet Security Critical Security Controls (CIS Controls) 1 and 3, which are based on the National Institute of Standards and Technology’s (NIST’s) Special Publication 800-53r4.”
Jargon, unpacked

A patch is a software update from a manufacturer that fixes security or functionality problems.

“According to the National Institute of Standards and Technology’s Special Publication 800-40r3, patches are software packages deployed by a manufacturer to “correct security and functionality problems in software and firmware.””

What the Auditor checked

More audits of this entity

Other Office of the State Auditor reports on Executive Office for Administration and Finance .

See this entity's page with all 3 audits →