Audit of the Executive Office of Elder Affairs (April 25, 2023)
April 25, 2023 · Executive Office of Elder Affairs · Read the full official report on mass.gov ↗
source
“EOEA did not establish monitoring controls to ensure that all applicable incidents of alleged elder abuse are reported to DAs’ offices.”
Read the plain-English breakdown
This is a Massachusetts State Auditor performance audit of the Executive Office of Elder Affairs’ Protective Services Program, covering July 1, 2019 through June 30, 2021.
“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the Executive Office of Elder Affairs’ (EOEA’s) Protective Services Program for the period July 1, 2019 through June 30, 2021.”
Auditors checked whether the agency fixed problems from a prior audit and whether it followed rules for elder abuse referrals, decision-making assessments, COVID-19 internal controls, and cybersecurity training.
“In this performance audit, we examined whether EOEA implemented recommendations from our prior audit report (No. 2018-0004-3S), issued October 9, 2018.”
If serious elder abuse cases are not properly referred, older adults may remain in unsafe situations and prosecutors may not be alerted when they should be.
“As a result, EOEA cannot ensure that its designated PSAs are referring all incidents of alleged elder abuse to DAs’ offices as required, which can put elders at risk of continued abuse.”
For ordinary residents, this audit is about whether Massachusetts has strong enough checks to protect older adults from abuse, financial exploitation, neglect, and related risks.
“These 19 PSAs, if necessary, make referrals so that elders can seek other services, including, but not limited to, housing, nutrition, in-home support, caregiver support, and healthcare counseling.”
The agency had taken some steps, such as creating guidance, but the auditor found four oversight and compliance problems that still needed correction.
“Below is a summary of our findings and recommendations, with links to each page listed.”
The agency said it would add manual monitoring, build better automated review tools, update its internal control plan, and improve tracking of cybersecurity training.
“EOEA will assess the MassAchieve reporting capability and establish a process to track and monitor cybersecurity awareness training, determine an appropriate means by which to ensure such training is complete, and incorporate the resulting process into its policies and procedures to ensure compliance.”
The audit is significant because it found weaknesses in systems meant to protect older adults, manage pandemic-related controls, and reduce cybersecurity risk.
“If EOEA does not ensure that its employees complete cybersecurity awareness training, it is exposed to a higher risk of cyberattacks and financial and/or reputation losses.”
In this report, “elders” means people age 60 or older; “PSAs” are local protective service agencies; “DAs” are district attorneys; and the “IDA tool” is a screening form used to help decide whether an older adult may need a professional capacity evaluation.
“Persons who are 60 years old or older are considered elders.”
1 figure(s) pending source verification - not shown
What the Auditor checked
- Complied Did EOEA develop a guidance manual addressing case record documentation practices for referring abuse reports to district attorneys’ (DAs’) offices to reflect the requirements of Sections 5.18(2)(e) and 5.19 of Title 651 of the Code of Massachusetts Regulations (CMR)?
- Did not comply Did EOEA establish monitoring controls to ensure that each person involved in the DA referral process complies with 651 CMR 5.19?
- Did not comply Did EOEA monitor its effectiveness for assessing an elder’s decisional capacity by EOEA’s protective services agencies in accordance with Section 16(c) of Title 19A of the General Laws?
- Did not comply Did EOEA update its internal control plan (ICP) to address the 2019 coronavirus (COVID-19), as required by the Office of the Comptroller of the Commonwealth’s (CTR’s) “COVID-19 Pandemic Response Internal Controls Guidance,” dated September 30, 2020?
- Did not comply Did EOEA employees who had access to COVID-19 funds complete cybersecurity awareness training in accordance with the Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010?
What the Auditor found
Why it matters: EOEA cannot ensure that designated protective service agencies refer all alleged elder abuse incidents to district attorneys, which can put elders at risk of continued abuse.
Standard: Section 5.19 of Title 651 of the Code of Massachusetts Regulations ( Section 5.19 of Title 651 of the Code of Massachusetts Regulations )
1 recommendation
- While EOEA works to establish a different automated method for monthly queries, it should establish manual monitoring controls to ensure that each person involved in the DA referral process complies with its policies and procedures for reporting incidents of alleged elder abuse.agency: agreed
Agency response & Auditor reply
Agency: "While EOEA’s Protective Services unit continues its efforts to develop an automated system to identify cases for evaluation regarding DA referrals, it will establish a system of manual monitoring through its Protective Services unit."
Auditor: "Based on its response, EOEA must continue to take measures to address our concerns from our prior audit report (No. 2018-0004-3S), issued in October 2018, which found that EOEA did not report seven incidents of serious abuse to DAs’ offices as required."
Why it matters: The absence of an up-to-date internal control plan may hinder EOEA’s effective and efficient achievement of its mission and objectives.
Standard: Office of the Comptroller of the Commonwealth’s “COVID-19 Pandemic Response Internal Controls Guidance,” dated September 30, 2020 ( CTR’s “COVID-19 Pandemic Response Internal Controls Guidance,” dated September 30, 2020 )
1 recommendation
- EOEA should establish policies and procedures, including a monitoring component, to ensure that its ICP is updated when significant changes occur.agency: agreed
Agency response & Auditor reply
Agency: "EOEA will review CTR’s “COVID-19 Pandemic Response Internal Controls Guidance” and take appropriate action to ensure that the ICP is updated, incorporated into the agency’s policies and procedures, and monitored for compliance."
Auditor: "Based on its response, EOEA has not updated its internal control plan to reflect COVID-19 guidance from September 30, 2020, but has pledged to take measures to ensure it is updated and monitored going forward."
Why it matters: EOEA is exposed to a higher risk of cyberattacks and financial and/or reputation losses.
Standard: Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010, Section 6.2.4 ( Section 6.2.4 of the Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010 )
1 recommendation
- EOEA should develop and implement policies, procedures, and controls to ensure that its employees with access to COVID-19 funds complete EOTSS-compliant cybersecurity awareness training.agency: agreed
Agency response & Auditor reply
Agency: "EOEA will assess the MassAchieve reporting capability and establish a process to track and monitor cybersecurity awareness training, determine an appropriate means by which to ensure such training is complete, and incorporate the resulting process into its policies and procedures to ensure compliance."
Auditor: "Based on its response, EOEA is taking measures to address our concerns on this matter."
Prior findings revisited
"Did EOEA develop a guidance manual addressing case record documentation practices for referring abuse reports to district attorneys’ (DAs’) offices to reflect the requirements of Sections 5.18(2)(e) and 5.19 of Title 651 of the Code of Massachusetts Regulations (CMR)?"
"Based on its response, EOEA must continue to take measures to address our concerns from our prior audit report (No. 2018-0004-3S), issued in October 2018, which found that EOEA did not report seven incidents of serious abuse to DAs’ offices as required."
More audits of this entity
Other Office of the State Auditor reports on Executive Office of Elder Affairs , including the prior audits referenced above.
- Audit of the Executive Office of Elder AffairsState Agency / Office · October 9, 2018
-
Audit of Settlement Agreements and Confidentiality Clauses Across Multiple State Agencies - Executive Office of Elder Affairs (January 28, 2025)State Agency / Office · January 28, 2025