Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of the Massachusetts Clean Energy Center

June 11, 2018 · Massachusetts Clean Energy Center · Read the full official report on mass.gov ↗

Published June 11, 2018 Audit covers July 1, 2015 – June 30, 2017 Under Suzanne M. Bump · 2011–2023

In plain English
Auditors found that the Massachusetts Clean Energy Center generally met several program goals, but it failed to stop or promptly report a $93,679 theft and lacked formal disaster-recovery and business-continuity plans for its computer systems.
source
“MassCEC did not prevent or properly report the theft of $93,679 in public funds.”
Read the plain-English breakdown
What is this?

This is a state performance audit of the Massachusetts Clean Energy Center, covering its activities from July 1, 2015 through June 30, 2017.

“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the Massachusetts Clean Energy Center (MassCEC) for the period July 1, 2015 through June 30, 2017.”
Why it matters

Public money was stolen, and most of it was not recovered, meaning those funds could not support clean energy work.

“Most of these funds were not recovered, so the agency was unable to use them to further its mission of promoting clean energy technology, projects, and companies.”
What's in it for me?

MassCEC is funded in part through a small charge paid by Massachusetts electric customers, so its controls affect public money that residents help provide.

“Proceeds from the surcharge totaled $22,784,856 in 2016 and $22,649,352 in 2017, representing approximately $0.29 per month paid by each residential customer.”
The bottom line

The auditor found two main problems: weak controls allowed a cyber-related theft, and MassCEC lacked documented and tested plans to recover computer operations after a major disruption.

“MassCEC did not develop DRPs and BCPs for its computer systems.”
What happens next

The auditor recommended stronger risk reviews, written procedures, cyber-risk controls, board notification, and tested recovery plans; MassCEC said it was strengthening its policies and procedures.

“MassCEC should conduct risk assessments and develop written policies and procedures to manage all risks to its operations, including its exposure to cybercrime, and immediately inform its board of directors of any incidents, including security breaches perpetrated against the organization.”
Why it's significant

The audit matters because it found weaknesses in how a public clean-energy agency protected money and prepared for computer disruptions, even though other reviewed areas received positive conclusions.

“Does MassCEC have adequate internal controls, including policies and procedures, over the processing of wire transfers and internal fund transfers?”
Jargon, unpacked

A disaster-recovery plan is a written plan for quickly restoring important computer systems after a major disaster or outage.

“A DRP is an information-system-based plan designed to allow for quick recovery of critical systems, applications, and information-technology infrastructure in the event of a large-scale disaster.”

What the Auditor checked

What the Auditor found

MassCEC did not prevent or properly report the theft of $93,679 in public funds.
cybersecuritycash handlinginternal controlsfraud/theft

Why it matters: The agency could not use most of the stolen funds to further its clean energy mission, and delayed board and law-enforcement involvement reduced oversight and recovery opportunities.

Standard: COSO internal control framework and DHS cybercrime reporting guidance. ( Section 12 of Chapter 11 of the Massachusetts General Laws; COSO Internal Control—Integrated Framework; DHS Cyber Incident Reporting )

2 recommendations
  • MassCEC should conduct risk assessments and develop written policies and procedures to manage all risks to its operations, including its exposure to cybercrime, and immediately inform its board of directors of any incidents, including security breaches perpetrated against the organization.agency: agreed
  • MassCEC should consider adopting elements of the COSO model in developing control activities to prevent, detect, and mitigate cyber-risks.agency: agreed
Agency response & Auditor reply
Agency: "Upon discovering the fraudulent activity, management immediately contacted its bank and successfully recovered $25,261, or 27% of the funds."
MassCEC did not have documented and tested disaster-recovery and business-continuity plans for its computer systems.
cybersecurityinternal controlsrecordkeeping/documentation

Why it matters: MassCEC could have difficulty restoring mission-critical and confidential data and could experience delays in restoring software for transactions, financial data, and sales and marketing performance data.

Standard: EOTSS Enterprise Business Continuity for IT Management Policy and Enterprise Information Security Policy. ( Enterprise Business Continuity for IT Management Policy issued June 5, 2013 by the Executive Office of Technology Services and Security; EOTSS Enterprise Information Security Policy )

1 recommendation
  • MassCEC should assess its computer systems from a risk-management and business-continuity perspective and develop and test an appropriate DRP and BCP.agency: agreed
Agency response & Auditor reply
Agency: "In response to the state auditor’s recommendation, management is in the process of enhancing the current backup and disaster recovery procedures by formalizing them into a centralized business continuity and disaster recovery plan in order to ensure more effective communication and implementation throughout the entire organization."

Verified dollar findings

Recovered / repaid $25,261 not in headline

Funds recovered or repaid to the Commonwealth.

$25,261 - recovered
Other identified $93,679 not in headline

Identified dollar findings that do not fall in a named band.

$93,679 - theft

More audits of this entity

Other Office of the State Auditor reports on Massachusetts Clean Energy Center .

See this entity's page with all 2 audits →