Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of the Executive Office of Education - Information Technology Contracts

October 11, 2019 · Executive Office of Education—Information Technology Contracts · Read the full official report on mass.gov ↗

Published October 11, 2019 Audit covers July 1, 2016 – June 30, 2018 Under Suzanne M. Bump · 2011–2023

In plain English
The audit found that the Executive Office of Education did not consistently track whether its IT vendors were performing well, and its contracts did not always include required security protections.
source
“EOE did not always establish performance metrics or effectively measure the performance of its IT vendors.”
Read the plain-English breakdown
What is this?

This is a Massachusetts State Auditor performance audit of the Executive Office of Education’s IT contracts.

“I am pleased to provide this performance audit of the Executive Office of Education.”
Why was it audited?

Auditors wanted to know whether EOE properly monitored its IT contracts from July 1, 2016 through June 30, 2018.

“The purpose of this audit was to determine whether EOE effectively monitored its information technology (IT) contracts during the period July 1, 2016 through June 30, 2018.”
Why it matters

If EOE does not set clear measures and check vendor performance, it may not be able to hold vendors accountable when work is late, poor, or not compliant with contracts.

“Without establishing measures and objectively monitoring vendor performance, EOE cannot hold its IT vendors accountable for contractual noncompliance and/or poor performance, which could affect its operations.”
What's in it for me?

For ordinary residents, the concern is that weak IT contract oversight can increase the risk of security problems involving government systems and confidential information.

“As a result, there is a higher-than-acceptable risk that EOE may experience security issues, such as misuse of confidential information, with some of its IT vendors.”
The bottom line

The auditor concluded that EOE did not effectively monitor its IT contracts.

“EOE did not ensure that all of its third-party contracts contained essential security provisions.”
What happens next

EOE told auditors it had added the third-party security standard to its internal controls after the audit work was completed.

“After we completed our audit work, EOE officials informed us that the agency had added a “Third-Party Information Security Standard” to its internal control plan.”
Why it's significant

The report matters because it says EOE should use measurable standards and regular checks to judge whether IT vendors are doing the job well.

“In OSA’s opinion, to properly assess the quality and effectiveness of the services provided by its contractors, EOE should establish quantifiable performance metrics and should regularly assess vendors’ compliance with those metrics.”
Jargon, unpacked

“Third-party services” means work done by outside suppliers, vendors, or partners, and the audit says those relationships need clear management and monitoring.

“The need to assure that services provided by third parties (suppliers, vendors and partners) meet business requirements requires an effective third-party management process.”

What the Auditor checked

What the Auditor found

EOE did not always set or use performance metrics to evaluate IT vendors.
vendor oversightinternal controlsprocurement/contracts

Why it matters: EOE could not hold IT vendors accountable for contractual noncompliance or poor performance, which could affect operations.

Standard: ISACA Control Objectives for Information and Related Technology 4.1, Section DS2, Manage Third-Party Services ( Control Objectives for Information and Related Technology 4.1, Section DS2, Manage Third-Party Services; State Finance Law and General Contract Requirements )

3 recommendations
  • EOE should establish key performance indicators for future IT contracts.
  • EOE should develop and implement a process to measure and monitor IT vendors’ performance.
  • EOE should develop and implement metrics to ensure that IT vendors’ performance requirements, such as project milestones and time and expense budgets, are met.
Agency response & Auditor reply
Agency: "EOE prides itself on managing vendor relationships with processes and procedures that ensure it receives the services and products for which it contracts."
Auditor: "We acknowledge that EOE does perform some monitoring of its contractors’ activities."
EOE did not ensure all third-party IT contracts included required security provisions.
cybersecuritydata privacyprocurement/contractsvendor oversightinternal controls

Why it matters: EOE faced a higher risk of security problems, including misuse of confidential information by IT vendors.

Standard: EOTSS Third-Party Information Security Standard ( EOTSS Third-Party Information Security Standard )

1 recommendation
  • EOE should establish policies and procedures that require that all IT contracts it negotiates with IT vendors comply with EOTSS’s “Third-Party Information Security Standard.”
Agency response & Auditor reply
Agency: "EOE ensures that each third-party contract contains required security policies."
Auditor: "OSA acknowledges that EOE’s contracts with these six vendors contain various important provisions related to the management and protection of Commonwealth data that the vendors may obtain and/or access when providing goods or services."