Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of the Massachusetts Office of Business Development (July 2, 2024)

July 2, 2024 · Massachusetts Office of Business Development · Read the full official report on mass.gov ↗

Published July 2, 2024 Audit covers November 1, 2020 – June 30, 2022 Under Diana DiZoglio · 2023–present

In plain English
The audit found two main problems: the office did not have a documented way to track whether its outreach was reaching diverse business owners, and one employee missed required annual cybersecurity training on time.
source
“MOBD did not have documented procedures outlining how to track diversity-related metrics regarding its program applicants.”
Read the plain-English breakdown
What is this?

This is a state performance audit of the Massachusetts Office of Business Development, covering work from November 1, 2020 through June 30, 2022.

“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the Massachusetts Office of Business Development (MOBD) for the period November 1, 2020 through June 30, 2022.”
Why was it audited?

Auditors checked whether the office encouraged certain underrepresented business owners to apply for tax-credit programs, tracked related diversity information, collected required hiring-policy documents from awardees, and made employees complete cybersecurity training.

“The purpose of our audit was to determine the following:”
Why it matters

The office set a public goal to encourage businesses owned by people in minority groups, women, veterans, and people with disabilities to seek tax credits, but without tracking it could not show whether that goal was being met.

“If MOBD does not have documented procedures that outline how to track diversity-related metrics regarding its program applicants and therefore does not track diversity-related metrics, then it cannot monitor its progress in meeting its goal to encourage businesses owned by people within minority groups, women, veterans, and people with disabilities to apply for its EDIP and MVSP tax credits.”
What's in it for me?

For ordinary residents and business owners, this matters because these programs can support jobs, business growth, investment, and downtown storefront activity in Massachusetts communities.

“The Economic Development Incentive Program (EDIP) is designed to foster job creation and stimulate business growth.”
The bottom line

The office met the requirement to collect equal opportunity or affirmative action statements from EDIP awardees, but fell short on diversity-metric procedures and full cybersecurity training compliance.

“We noted no exceptions in our testing; therefore, we determined that, during the audit period, MOBD ensured that all EDIP awardees submitted an equal opportunity employment / affirmative action statement or plan.”
What happens next

Auditors recommended that the office get approval to collect diversity-related information, create procedures to track outreach and metrics, work with the Supplier Diversity Office, and make sure every employee completes annual cybersecurity training.

“MOBD should ensure that all of its employees complete annual cybersecurity awareness training.”
Why it's significant

The audit is significant because the office publicly said it wanted to improve access for diverse business owners, but auditors found it had not built the basic tracking needed to measure progress.

“We also consider it to be a best practice for agencies to track progress toward goals they have set, so they can support improvement in areas that are deemed important enough to establish goals to improve.”
Jargon, unpacked

EDIP and MVSP are tax-credit programs: one supports job creation and business growth, and the other supports businesses moving into vacant storefronts in approved districts.

“The MVSP makes tax credits available to businesses proposing to move into a vacant storefront4 located in an EACC-certified vacant storefront district.”

What the Auditor checked

What the Auditor found

MOBD did not have documented procedures for tracking diversity-related metrics for program applicants.
recordkeeping/documentationinternal controlsgrants management

Why it matters: MOBD could not monitor progress toward encouraging businesses owned by people within minority groups, women, veterans, and people with disabilities to apply, so those businesses may miss opportunities to benefit from the programs.

Standard: MOBD’s EDIP Fiscal Year 2020 and 2021 Annual Reports set goals to encourage diverse businesses to seek tax credits and track related metrics. ( MOBD’s EDIP Fiscal Year 2020 Annual Report; MOBD’s EDIP Fiscal Year 2021 Annual Report )

3 recommendations
  • MOBD should pursue approval from appropriate state agencies so that it can collect diversity-related metrics from applicants to its EDIP and MVSP.
  • MOBD should develop, document, and implement procedures to measure the outreach performed regarding the EDIP and the MVSP to businesses and track diversity-related metrics to ensure that it meets its program goals.
  • MOBD should work with SDO to identify businesses owned by people within minority groups, women, veterans, and people with disabilities that could benefit from the EDIP and the MVSP.
Agency response & Auditor reply
Agency: "MOBD will work with the Executive Office of Economic Development (EOED) to identify and implement best practices regarding the collection of diversity-related metrics from grantees and applicants to the EDIP."
Auditor: "We strongly encourage MOBD to implement our recommendations."
MOBD did not ensure that all employees completed annual cybersecurity awareness training.
cybersecurityinternal controls

Why it matters: MOBD faced increased risk of user error and compromised integrity or security of protected information in its information technology systems.

Standard: Executive Office of Technology Services and Security Information Security Risk Management Standard IS.010 requires annual cybersecurity awareness training for all personnel. ( Chapter 7D of the Massachusetts General Laws; Executive Office of Technology Services and Security Information Security Risk Management Standard IS.010, Section 6.2.4 )

1 recommendation
  • MOBD should ensure that all of its employees complete annual cybersecurity awareness training.agency: already implemented
Agency response & Auditor reply
Agency: "Cybersecurity training is now offered by Human Resources Division, and new procedures already have been put into place to ensure that all executive branch employees complete annual cybersecurity awareness training."
Auditor: "Based on its response, MOBD is taking measures to address our concerns on this matter."

More audits of this entity

Other Office of the State Auditor reports on Massachusetts Office of Business Development .

See this entity's page with all 2 audits →