Audit of the Executive Office of Education - Information Technology Contracts
October 11, 2019 · Executive Office of Education—Information Technology Contracts · Read the full official report on mass.gov ↗
source
“EOE did not always establish performance metrics or effectively measure the performance of its IT vendors.”
Read the plain-English breakdown
This is a Massachusetts State Auditor performance audit of the Executive Office of Education’s IT contracts.
“I am pleased to provide this performance audit of the Executive Office of Education.”
Auditors wanted to know whether EOE properly monitored its IT contracts from July 1, 2016 through June 30, 2018.
“The purpose of this audit was to determine whether EOE effectively monitored its information technology (IT) contracts during the period July 1, 2016 through June 30, 2018.”
If EOE does not set clear measures and check vendor performance, it may not be able to hold vendors accountable when work is late, poor, or not compliant with contracts.
“Without establishing measures and objectively monitoring vendor performance, EOE cannot hold its IT vendors accountable for contractual noncompliance and/or poor performance, which could affect its operations.”
For ordinary residents, the concern is that weak IT contract oversight can increase the risk of security problems involving government systems and confidential information.
“As a result, there is a higher-than-acceptable risk that EOE may experience security issues, such as misuse of confidential information, with some of its IT vendors.”
The auditor concluded that EOE did not effectively monitor its IT contracts.
“EOE did not ensure that all of its third-party contracts contained essential security provisions.”
EOE told auditors it had added the third-party security standard to its internal controls after the audit work was completed.
“After we completed our audit work, EOE officials informed us that the agency had added a “Third-Party Information Security Standard” to its internal control plan.”
The report matters because it says EOE should use measurable standards and regular checks to judge whether IT vendors are doing the job well.
“In OSA’s opinion, to properly assess the quality and effectiveness of the services provided by its contractors, EOE should establish quantifiable performance metrics and should regularly assess vendors’ compliance with those metrics.”
“Third-party services” means work done by outside suppliers, vendors, or partners, and the audit says those relationships need clear management and monitoring.
“The need to assure that services provided by third parties (suppliers, vendors and partners) meet business requirements requires an effective third-party management process.”
What the Auditor checked
- Did not comply Does EOE effectively monitor its information technology (IT) contracts?
What the Auditor found
Why it matters: EOE could not hold IT vendors accountable for contractual noncompliance or poor performance, which could affect operations.
Standard: ISACA Control Objectives for Information and Related Technology 4.1, Section DS2, Manage Third-Party Services ( Control Objectives for Information and Related Technology 4.1, Section DS2, Manage Third-Party Services; State Finance Law and General Contract Requirements )
3 recommendations
- EOE should establish key performance indicators for future IT contracts.
- EOE should develop and implement a process to measure and monitor IT vendors’ performance.
- EOE should develop and implement metrics to ensure that IT vendors’ performance requirements, such as project milestones and time and expense budgets, are met.
Agency response & Auditor reply
Agency: "EOE prides itself on managing vendor relationships with processes and procedures that ensure it receives the services and products for which it contracts."
Auditor: "We acknowledge that EOE does perform some monitoring of its contractors’ activities."
Why it matters: EOE faced a higher risk of security problems, including misuse of confidential information by IT vendors.
Standard: EOTSS Third-Party Information Security Standard ( EOTSS Third-Party Information Security Standard )
1 recommendation
- EOE should establish policies and procedures that require that all IT contracts it negotiates with IT vendors comply with EOTSS’s “Third-Party Information Security Standard.”
Agency response & Auditor reply
Agency: "EOE ensures that each third-party contract contains required security policies."
Auditor: "OSA acknowledges that EOE’s contracts with these six vendors contain various important provisions related to the management and protection of Commonwealth data that the vendors may obtain and/or access when providing goods or services."