Audit of the Massachusetts Clean Energy Center
June 11, 2018 · Massachusetts Clean Energy Center · Read the full official report on mass.gov ↗
source
“MassCEC did not prevent or properly report the theft of $93,679 in public funds.”
Read the plain-English breakdown
This is a state performance audit of the Massachusetts Clean Energy Center, covering its activities from July 1, 2015 through June 30, 2017.
“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the Massachusetts Clean Energy Center (MassCEC) for the period July 1, 2015 through June 30, 2017.”
Public money was stolen, and most of it was not recovered, meaning those funds could not support clean energy work.
“Most of these funds were not recovered, so the agency was unable to use them to further its mission of promoting clean energy technology, projects, and companies.”
MassCEC is funded in part through a small charge paid by Massachusetts electric customers, so its controls affect public money that residents help provide.
“Proceeds from the surcharge totaled $22,784,856 in 2016 and $22,649,352 in 2017, representing approximately $0.29 per month paid by each residential customer.”
The auditor found two main problems: weak controls allowed a cyber-related theft, and MassCEC lacked documented and tested plans to recover computer operations after a major disruption.
“MassCEC did not develop DRPs and BCPs for its computer systems.”
The auditor recommended stronger risk reviews, written procedures, cyber-risk controls, board notification, and tested recovery plans; MassCEC said it was strengthening its policies and procedures.
“MassCEC should conduct risk assessments and develop written policies and procedures to manage all risks to its operations, including its exposure to cybercrime, and immediately inform its board of directors of any incidents, including security breaches perpetrated against the organization.”
The audit matters because it found weaknesses in how a public clean-energy agency protected money and prepared for computer disruptions, even though other reviewed areas received positive conclusions.
“Does MassCEC have adequate internal controls, including policies and procedures, over the processing of wire transfers and internal fund transfers?”
A disaster-recovery plan is a written plan for quickly restoring important computer systems after a major disaster or outage.
“A DRP is an information-system-based plan designed to allow for quick recovery of critical systems, applications, and information-technology infrastructure in the event of a large-scale disaster.”
What the Auditor checked
- Complied Did the Wind Technology Testing Center (WTTC) generate sufficient revenue to cover operating expenses?
- Complied Did MassCEC have a record of investing in financially viable Massachusetts companies?
- Complied Does MassCEC properly administer the Equity Investment and Venture Debt Investments Programs?
- Did not comply Does MassCEC have adequate internal controls, including policies and procedures, over the processing of wire transfers and internal fund transfers?
- Did not comply Did MassCEC have a disaster-recovery plan (DRP) and business-continuity plan (BCP) in place for its computer operations?
What the Auditor found
Why it matters: The agency could not use most of the stolen funds to further its clean energy mission, and delayed board and law-enforcement involvement reduced oversight and recovery opportunities.
Standard: COSO internal control framework and DHS cybercrime reporting guidance. ( Section 12 of Chapter 11 of the Massachusetts General Laws; COSO Internal Control—Integrated Framework; DHS Cyber Incident Reporting )
2 recommendations
- MassCEC should conduct risk assessments and develop written policies and procedures to manage all risks to its operations, including its exposure to cybercrime, and immediately inform its board of directors of any incidents, including security breaches perpetrated against the organization.agency: agreed
- MassCEC should consider adopting elements of the COSO model in developing control activities to prevent, detect, and mitigate cyber-risks.agency: agreed
Agency response & Auditor reply
Agency: "Upon discovering the fraudulent activity, management immediately contacted its bank and successfully recovered $25,261, or 27% of the funds."
Why it matters: MassCEC could have difficulty restoring mission-critical and confidential data and could experience delays in restoring software for transactions, financial data, and sales and marketing performance data.
Standard: EOTSS Enterprise Business Continuity for IT Management Policy and Enterprise Information Security Policy. ( Enterprise Business Continuity for IT Management Policy issued June 5, 2013 by the Executive Office of Technology Services and Security; EOTSS Enterprise Information Security Policy )
1 recommendation
- MassCEC should assess its computer systems from a risk-management and business-continuity perspective and develop and test an appropriate DRP and BCP.agency: agreed
Agency response & Auditor reply
Agency: "In response to the state auditor’s recommendation, management is in the process of enhancing the current backup and disaster recovery procedures by formalizing them into a centralized business continuity and disaster recovery plan in order to ensure more effective communication and implementation throughout the entire organization."
Verified dollar findings
Funds recovered or repaid to the Commonwealth.
Identified dollar findings that do not fall in a named band.
More audits of this entity
Other Office of the State Auditor reports on Massachusetts Clean Energy Center .
- Massachusetts Clean Energy CenterOther · September 14, 2011