Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of the Massachusetts Convention Center Authority (August 19, 2024)

August 19, 2024 · Massachusetts Convention Center Authority · Read the full official report on mass.gov ↗

Published August 19, 2024 Audit covers January 1, 2021 – December 31, 2022 Under Diana DiZoglio · 2023–present

In plain English
The audit found repeated problems at the Massachusetts Convention Center Authority, including weak purchasing oversight, missed supplier diversity benchmarks, poor recordkeeping, and inadequate controls over employee settlements and complaints.
source
“Below is a summary of our findings, the effects of our findings, and our recommendations, with links to each page listed.”
Read the plain-English breakdown
What is this?

This is a state performance audit of the Massachusetts Convention Center Authority, which runs major public venues such as the Boston Convention & Exhibition Center, the Hynes Convention Center, the MassMutual Center, and the Lawn on D.

“The Massachusetts Convention Center Authority (MCCA) is an independent public authority of the Commonwealth that owns and operates several public facilities primarily for conventions, trade shows, and industry meetings.”
Why was it audited?

The auditor reviewed whether MCCA followed rules and good practices for purchasing, supplier diversity, event safety planning, employee complaints, and employee settlement agreements.

“The purpose of our audit was to determine the following:”
Why it matters

The issues matter because weak controls can waste public money, reduce fairness in contracting, weaken employee protections, and make it harder for the public to know whether decisions were lawful and appropriate.

“This also risks wasting public resources, elevates risk for potential bid splitting, increases the possibility of ethical violations, etc.”
What's in it for me?

For an ordinary Massachusetts resident, this audit is about whether a public authority that uses public resources is spending money fairly, keeping proper records, protecting workers, and following oversight rules.

“Not only does this cause potential harm to contractors, it also places taxpayer funds at risk.”
The bottom line

The auditor found that MCCA did not fully follow its own policies or expected controls in several areas, especially procurement, board approval, security survey records, employee complaint tracking, and settlement oversight.

“MCCA did not have a documented process for reviewing, entering into, and finalizing its non-union employee settlement agreements during the extended audit period (January 1, 2018 through December 31, 2022).”
What happens next

The report recommends that MCCA create clearer policies, keep better documentation, involve its board more, track supplier diversity spending and employee complaints, and improve cybersecurity and access controls.

“MCCA should develop, document, and implement policies and procedures to effectively monitor, and communicate to its board of directors, the extent to which it achieves its annual benchmarks for diverse supplier spending.”
Why it's significant

The audit is significant because some matters were serious enough that the auditor referred them to outside agencies for review and possible enforcement.

“We have referred these instances to external agencies for their investigation and potential enforcement:”
Jargon, unpacked

“Procurement” means how MCCA buys goods and services. “Supplier diversity” means spending with certified minority-owned, women-owned, and veteran-owned businesses. “Settlement agreements” are deals resolving employee disputes, sometimes with secrecy or non-disparagement terms.

“Through consultation with the Operational Services Division, SDO sets annual benchmark percentages for spending with minority-owned, woman-owned, and veteran-owned businesses.”

10 figure(s) pending source verification - not shown

What the Auditor checked

What the Auditor found

MCCA did not ensure that it met Supplier Diversity Office annual diverse supplier spending benchmarks.
procurement/contractsinternal controlsvendor oversight

Why it matters: MCCA’s ability to evaluate and improve the effectiveness of its efforts to promote diversity in its procurement process was limited.

Standard: Supplier Diversity Office Diverse and Small Business Program policies for goods and services procurements. ( SDO’s “The Commonwealth of Massachusetts Diverse and Small Business Program Policies for Goods and Services Procurements” )

4 recommendations
  • MCCA should develop, document, and implement policies and procedures to effectively monitor, and communicate to its board of directors, the extent to which it achieves its annual benchmarks for diverse supplier spending.
  • MCCA should use established policies to track diversity spending throughout the year.
  • MCCA should involve its chief diversity officer in the procurement process to help support an inclusive and equitable business environment.
  • MCCA should collaborate with SDO to ensure increased accountability.
Agency response & Auditor reply
Agency: "The MCCA consistently meets or exceeds its Supplier Diversity Office (SDO) benchmarks for spending on diverse suppliers, and is proud of its record in this regard."
Auditor: "As noted above, MCCA did not meet the SDO’s discretionary spending benchmarks for minority-owned, women-owed, and veteran-owned businesses during the audit period of January 1, 2021 through December 31, 2022."
MCCA could not demonstrate that it obtained original quotes for all purchases between $10,000 and $50,000.
procurement/contractsrecordkeeping/documentationinternal controls

Why it matters: MCCA could not be sure that it awarded contracts to the most appropriate vendors at the lowest available cost, increasing risks of wasted public resources, bid splitting, and ethical violations.

Standard: MCCA’s “Procurement, Purchasing and Payment Policy and Guidelines” for purchases between $10,000 and $50,000. ( MCCA’s “Procurement, Purchasing and Payment Policy and Guidelines” )

3 recommendations
  • MCCA should retain evidence of all quotes received for purchases between $10,000 and $50,000.
  • MCCA should implement sufficient monitoring controls to ensure that original quotes from vendors are obtained and retained.
  • MCCA should modify its “Procurement, Purchasing and Payment Policy and Guidelines” to require compliance in full with Chapter 30B of the Massachusetts General Laws.
Agency response & Auditor reply
Agency: "The MCCA acknowledges that it did not retain several of the “original quotes” for some purchases between 2018 and 2022."
Auditor: "Given its response and the new business system referenced above, we believe MCCA is taking sufficient steps to resolve this issue."
MCCA did not follow procurement policies when entering into a media contract for over $100,000.
procurement/contractsinternal controlsvendor oversight

Why it matters: There was an increased risk that MCCA did not award the contract to the most appropriate vendor offering the lowest price, risking wasted public resources and unfair procurement behavior.

Standard: MCCA “Procurement, Purchasing and Payment Policy and Guidelines” for purchases of $50,000 or more. ( MCCA “Procurement, Purchasing and Payment Policy and Guidelines” )

2 recommendations
  • MCCA should always follow its purchasing process by advertising and documenting procurements of $50,000 or more.agency: agreed
  • MCCA should follow its existing policy and ensure that its procurement department is involved during the process for every procurement of $50,000 or more.agency: agreed
Agency response & Auditor reply
Agency: "The MCCA agrees with the [Office of the State Auditor’s] finding."
Auditor: "Given its response and the new business system referenced in MCCA’s response to Finding 2 of this report, we believe that MCCA is taking steps to resolve this issue."
MCCA entered into vendor contract extensions without approval from its board of directors.
procurement/contractsinternal controlsvendor oversight

Why it matters: MCCA could not regularly ensure that it received services from the most appropriate vendors at the lowest available price, may have missed diverse vendor opportunities, and may have created unenforceable contract risk.

Standard: Section 12(b) of Chapter 30B of the General Laws; Section 35 of Chapter 190 of the Acts of 1982; MCCA Bylaws. ( Section 12(b) of Chapter 30B of the General Laws; Section 35 of Chapter 190 of the Acts of 1982 )

2 recommendations
  • MCCA should request and secure approval from its board of directors for vendor contract extensions to ensure compliance with Section 35 of Chapter 190 of the Acts of 1982, as well as MCCA Bylaws.
  • MCCA should always follow Chapter 30B of the General Laws relative to the number of extensions and maximum term length for contracts, regardless of the contract’s dollar value instead of only “generally” following Chapter 30B.
Agency response & Auditor reply
Agency: "The MCCA believes that the contract extensions from 2018 to 2021 aligned with existing MCCA procurement policies."
Auditor: "The development and implementation of stricter procurement policies may address the underlying issues cited in our audit."
MCCA could not ensure that it sent and retained pre-event security surveys.
public safetyrecordkeeping/documentationinternal controls

Why it matters: MCCA risked not addressing client needs consistently, fairly, and equitably.

Standard: Section 2.0 of MCCA’s “[Public Safety Department] Standard Operating Procedures Event Security Assessment Program.” ( Section 2.0 of MCCA’s “[Public Safety Department] Standard Operating Procedures Event Security Assessment Program” )

2 recommendations
  • MCCA should ensure it sends pre-event security surveys to clients and retains this documentation.
  • MCCA should retain all pre-event security surveys completed by its clients in a central, accessible location.
Agency response & Auditor reply
Agency: "The MCCA asks our clients to provide a “pre-event” survey so that they can highlight aspects of their event our public safety team should be aware of before creating the security and safety plan."
Auditor: "Our audit found that MCCA could not produce records indicating that it sent and retained responses to pre-event security surveys to 85% of ballroom events and 95% of non-ballroom events in our sample."
MCCA did not have an adequate process for handling employee complaints.
internal controlsrecordkeeping/documentation

Why it matters: MCCA may not identify trends in employee complaints or ensure that all employee complaints are addressed and handled in a consistent, timely, and appropriate manner.

Standard: US Government Accountability Office’s Standards for Internal Control in the Federal Government, known as the Green Book. ( US Government Accountability Office’s Standards for Internal Control in the Federal Government )

2 recommendations
  • MCCA should develop, document, and implement internal controls over the process of handling employee complaints that would include the tracking and documentation of complaints.agency: agreed
  • MCCA should create and retain a centralized list of complaints to ensure that all complaints are addressed in a consistent, timely, and appropriate manner.agency: agreed
Agency response & Auditor reply
Agency: "The MCCA agrees that it did not adequately track employee complaints during the audit period."
Auditor: "Based on its response, MCCA has taken measures to address our concerns in this area."
MCCA did not have a transparent or accountable process for non-union employee settlement agreements.
internal controlsrecordkeeping/documentation

Why it matters: MCCA could not ensure that employee settlements were handled in an ethical, legal, or appropriate manner, and public dollars could be abused to cover up misconduct.

Standard: Section 5.09 of Title 815 of the Code of Massachusetts Regulations, cited as a best practice. ( Section 5.09 of Title 815 of the Code of Massachusetts Regulations )

2 recommendations
  • MCCA should develop, document, and implement a policy related to employee settlement agreements.
  • To help increase transparency and accountability, MCCA should track and document all complaints that result in payments and the use of non-disclosure, non-disparagement, or similarly restrictive clauses in employee settlement agreements.
Agency response & Auditor reply
Agency: "The MCCA is currently developing a new policy for non-union employee settlements, which will implement appropriate legal and non-legal review and approval processes for such settlements."
Auditor: "Based on its response, MCCA is taking measures to address our concerns in this area."
MCCA executed an employee settlement agreement exceeding $250,000 without required board approval.
internal controlsrecordkeeping/documentation

Why it matters: MCCA could not ensure that employee settlements were handled transparently, legally, or appropriately, and public dollars could be abused to cover up misconduct.

Standard: Section 35 of Chapter 190 of the Acts of 1982 and Section 4.15 of the Massachusetts Convention Center Authority Bylaws. ( Section 35 of Chapter 190 of the Acts of 1982; Section 4.15 of the Massachusetts Convention Center Authority Bylaws )

2 recommendations
  • MCCA should develop, document, and implement a policy related to employee settlement agreements.agency: agreed
  • MCCA should seek and obtain approval from its board of directors before executing employee settlement agreements and any agreement that includes non-disclosure, non-disparagement, or similarly restrictive clauses.agency: agreed
Agency response & Auditor reply
Agency: "The MCCA agrees with the [Office of the State Auditor’s] finding."
Auditor: "Based on its response, MCCA is taking measures to address our concerns in this area."
MCCA was missing certain information system general controls over its procurement system.
cybersecurityinternal controlsrecordkeeping/documentation

Why it matters: MCCA had elevated risk of unauthorized access, cyberattacks, and financial or reputational losses.

Standard: MCCA’s “Information Security Policy” and Executive Office of Technology Services and Security’s Access Management Standard IS.003. ( Section AT-2 of MCCA’s “Information Security Policy”; Section 6.1.10.2 of the Executive Office of Technology Services and Security’s Access Management Standard IS.003 )

2 recommendations
  • MCCA should maintain certificates of completion of cybersecurity awareness training for all of its employees in their respective personnel files and/or on a centralized list.
  • MCCA should conduct and document user access reviews at least twice per year.
Agency response & Auditor reply
Agency: "While the MCCA has a comprehensive cybersecurity training program that includes annual cybersecurity training, quarterly phishing training, and annual vendor cybersecurity training, it acknowledges that some official attendance records for participants in the annual training were missing."
Auditor: "Based on its response, MCCA is taking measures to address our concerns."

Verified dollar findings

Other identified $505,000 not in headline

Identified dollar findings that do not fall in a named band.

$505,000 - total audit-period spending under contract

More audits of this entity

Other Office of the State Auditor reports on Massachusetts Convention Center Authority .

See this entity's page with all 4 audits →