Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of the Executive Office of Elder Affairs (April 25, 2023)

April 25, 2023 · Executive Office of Elder Affairs · Read the full official report on mass.gov ↗

Published April 25, 2023 Audit covers July 1, 2019 – June 30, 2021 Under Diana DiZoglio · 2023–present

In plain English
The audit found that the Executive Office of Elder Affairs had important gaps in oversight: it was not making sure all serious elder abuse cases were reported to prosecutors, was not checking whether a decision-making screening tool was being used properly, had not updated its internal controls for COVID-19, and could not prove all relevant employees completed cybersecurity training.
source
“EOEA did not establish monitoring controls to ensure that all applicable incidents of alleged elder abuse are reported to DAs’ offices.”
Read the plain-English breakdown
What is this?

This is a Massachusetts State Auditor performance audit of the Executive Office of Elder Affairs’ Protective Services Program, covering July 1, 2019 through June 30, 2021.

“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the Executive Office of Elder Affairs’ (EOEA’s) Protective Services Program for the period July 1, 2019 through June 30, 2021.”
Why was it audited?

Auditors checked whether the agency fixed problems from a prior audit and whether it followed rules for elder abuse referrals, decision-making assessments, COVID-19 internal controls, and cybersecurity training.

“In this performance audit, we examined whether EOEA implemented recommendations from our prior audit report (No. 2018-0004-3S), issued October 9, 2018.”
Why it matters

If serious elder abuse cases are not properly referred, older adults may remain in unsafe situations and prosecutors may not be alerted when they should be.

“As a result, EOEA cannot ensure that its designated PSAs are referring all incidents of alleged elder abuse to DAs’ offices as required, which can put elders at risk of continued abuse.”
What's in it for me?

For ordinary residents, this audit is about whether Massachusetts has strong enough checks to protect older adults from abuse, financial exploitation, neglect, and related risks.

“These 19 PSAs, if necessary, make referrals so that elders can seek other services, including, but not limited to, housing, nutrition, in-home support, caregiver support, and healthcare counseling.”
The bottom line

The agency had taken some steps, such as creating guidance, but the auditor found four oversight and compliance problems that still needed correction.

“Below is a summary of our findings and recommendations, with links to each page listed.”
What happens next

The agency said it would add manual monitoring, build better automated review tools, update its internal control plan, and improve tracking of cybersecurity training.

“EOEA will assess the MassAchieve reporting capability and establish a process to track and monitor cybersecurity awareness training, determine an appropriate means by which to ensure such training is complete, and incorporate the resulting process into its policies and procedures to ensure compliance.”
Why it's significant

The audit is significant because it found weaknesses in systems meant to protect older adults, manage pandemic-related controls, and reduce cybersecurity risk.

“If EOEA does not ensure that its employees complete cybersecurity awareness training, it is exposed to a higher risk of cyberattacks and financial and/or reputation losses.”
Jargon, unpacked

In this report, “elders” means people age 60 or older; “PSAs” are local protective service agencies; “DAs” are district attorneys; and the “IDA tool” is a screening form used to help decide whether an older adult may need a professional capacity evaluation.

“Persons who are 60 years old or older are considered elders.”

1 figure(s) pending source verification - not shown

What the Auditor checked

What the Auditor found

EOEA did not monitor whether all required elder abuse incidents were referred to district attorneys’ offices.
internal controlspublic safety

Why it matters: EOEA cannot ensure that designated protective service agencies refer all alleged elder abuse incidents to district attorneys, which can put elders at risk of continued abuse.

Standard: Section 5.19 of Title 651 of the Code of Massachusetts Regulations ( Section 5.19 of Title 651 of the Code of Massachusetts Regulations )

1 recommendation
  • While EOEA works to establish a different automated method for monthly queries, it should establish manual monitoring controls to ensure that each person involved in the DA referral process complies with its policies and procedures for reporting incidents of alleged elder abuse.agency: agreed
Agency response & Auditor reply
Agency: "While EOEA’s Protective Services unit continues its efforts to develop an automated system to identify cases for evaluation regarding DA referrals, it will establish a system of manual monitoring through its Protective Services unit."
Auditor: "Based on its response, EOEA must continue to take measures to address our concerns from our prior audit report (No. 2018-0004-3S), issued in October 2018, which found that EOEA did not report seven incidents of serious abuse to DAs’ offices as required."
EOEA did not update its internal control plan to include a COVID-19 component.
internal controls

Why it matters: The absence of an up-to-date internal control plan may hinder EOEA’s effective and efficient achievement of its mission and objectives.

Standard: Office of the Comptroller of the Commonwealth’s “COVID-19 Pandemic Response Internal Controls Guidance,” dated September 30, 2020 ( CTR’s “COVID-19 Pandemic Response Internal Controls Guidance,” dated September 30, 2020 )

1 recommendation
  • EOEA should establish policies and procedures, including a monitoring component, to ensure that its ICP is updated when significant changes occur.agency: agreed
Agency response & Auditor reply
Agency: "EOEA will review CTR’s “COVID-19 Pandemic Response Internal Controls Guidance” and take appropriate action to ensure that the ICP is updated, incorporated into the agency’s policies and procedures, and monitored for compliance."
Auditor: "Based on its response, EOEA has not updated its internal control plan to reflect COVID-19 guidance from September 30, 2020, but has pledged to take measures to ensure it is updated and monitored going forward."
EOEA did not ensure that all employees with access to COVID-19 funds completed cybersecurity awareness training.
cybersecurityinternal controls

Why it matters: EOEA is exposed to a higher risk of cyberattacks and financial and/or reputation losses.

Standard: Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010, Section 6.2.4 ( Section 6.2.4 of the Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010 )

1 recommendation
  • EOEA should develop and implement policies, procedures, and controls to ensure that its employees with access to COVID-19 funds complete EOTSS-compliant cybersecurity awareness training.agency: agreed
Agency response & Auditor reply
Agency: "EOEA will assess the MassAchieve reporting capability and establish a process to track and monitor cybersecurity awareness training, determine an appropriate means by which to ensure such training is complete, and incorporate the resulting process into its policies and procedures to ensure compliance."
Auditor: "Based on its response, EOEA is taking measures to address our concerns on this matter."

Prior findings revisited

Fixed
"Did EOEA develop a guidance manual addressing case record documentation practices for referring abuse reports to district attorneys’ (DAs’) offices to reflect the requirements of Sections 5.18(2)(e) and 5.19 of Title 651 of the Code of Massachusetts Regulations (CMR)?"
Still a problem
"Based on its response, EOEA must continue to take measures to address our concerns from our prior audit report (No. 2018-0004-3S), issued in October 2018, which found that EOEA did not report seven incidents of serious abuse to DAs’ offices as required."

More audits of this entity

Other Office of the State Auditor reports on Executive Office of Elder Affairs , including the prior audits referenced above.

See this entity's page with all 3 audits →