Audit of the Massachusetts Office of Business Development (July 2, 2024)
July 2, 2024 · Massachusetts Office of Business Development · Read the full official report on mass.gov ↗
source
“MOBD did not have documented procedures outlining how to track diversity-related metrics regarding its program applicants.”
Read the plain-English breakdown
This is a state performance audit of the Massachusetts Office of Business Development, covering work from November 1, 2020 through June 30, 2022.
“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the Massachusetts Office of Business Development (MOBD) for the period November 1, 2020 through June 30, 2022.”
Auditors checked whether the office encouraged certain underrepresented business owners to apply for tax-credit programs, tracked related diversity information, collected required hiring-policy documents from awardees, and made employees complete cybersecurity training.
“The purpose of our audit was to determine the following:”
The office set a public goal to encourage businesses owned by people in minority groups, women, veterans, and people with disabilities to seek tax credits, but without tracking it could not show whether that goal was being met.
“If MOBD does not have documented procedures that outline how to track diversity-related metrics regarding its program applicants and therefore does not track diversity-related metrics, then it cannot monitor its progress in meeting its goal to encourage businesses owned by people within minority groups, women, veterans, and people with disabilities to apply for its EDIP and MVSP tax credits.”
For ordinary residents and business owners, this matters because these programs can support jobs, business growth, investment, and downtown storefront activity in Massachusetts communities.
“The Economic Development Incentive Program (EDIP) is designed to foster job creation and stimulate business growth.”
The office met the requirement to collect equal opportunity or affirmative action statements from EDIP awardees, but fell short on diversity-metric procedures and full cybersecurity training compliance.
“We noted no exceptions in our testing; therefore, we determined that, during the audit period, MOBD ensured that all EDIP awardees submitted an equal opportunity employment / affirmative action statement or plan.”
Auditors recommended that the office get approval to collect diversity-related information, create procedures to track outreach and metrics, work with the Supplier Diversity Office, and make sure every employee completes annual cybersecurity training.
“MOBD should ensure that all of its employees complete annual cybersecurity awareness training.”
The audit is significant because the office publicly said it wanted to improve access for diverse business owners, but auditors found it had not built the basic tracking needed to measure progress.
“We also consider it to be a best practice for agencies to track progress toward goals they have set, so they can support improvement in areas that are deemed important enough to establish goals to improve.”
EDIP and MVSP are tax-credit programs: one supports job creation and business growth, and the other supports businesses moving into vacant storefronts in approved districts.
“The MVSP makes tax credits available to businesses proposing to move into a vacant storefront4 located in an EACC-certified vacant storefront district.”
What the Auditor checked
- Did not comply Did MOBD encourage businesses owned by people within minority groups, women, veterans, and people with disabilities to apply for tax credits through the Economic Development Incentive Program (EDIP) and/or the Massachusetts Vacant Storefront Program (MVSP), as stated in the “Goals & Initiatives” section of MOBD’s EDIP Fiscal Year 2020 and 2021 Annual Reports?
- Did not comply Did MOBD track diversity-related metrics that helped it measure its success in meeting its goal to encourage businesses owned by people within minority groups, women, veterans, and people with disabilities to apply for tax credits in the EDIP and/or the MVSP, as stated in the “Goals & Initiatives” section of MOBD’s EDIP Fiscal Year 2020 and 2021 Annual Reports?
- Complied Did MOBD ensure that EDIP awardees submitted an equal opportunity employment / affirmative action statement or plan, as required by Section 1(d) of Part V of the EDIP Supplemental Application?
- Did not comply Did MOBD provide annual cybersecurity awareness training to its employees, as required by Sections 6.2.3 and 6.2.4 of the Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010?
What the Auditor found
Why it matters: MOBD could not monitor progress toward encouraging businesses owned by people within minority groups, women, veterans, and people with disabilities to apply, so those businesses may miss opportunities to benefit from the programs.
Standard: MOBD’s EDIP Fiscal Year 2020 and 2021 Annual Reports set goals to encourage diverse businesses to seek tax credits and track related metrics. ( MOBD’s EDIP Fiscal Year 2020 Annual Report; MOBD’s EDIP Fiscal Year 2021 Annual Report )
3 recommendations
- MOBD should pursue approval from appropriate state agencies so that it can collect diversity-related metrics from applicants to its EDIP and MVSP.
- MOBD should develop, document, and implement procedures to measure the outreach performed regarding the EDIP and the MVSP to businesses and track diversity-related metrics to ensure that it meets its program goals.
- MOBD should work with SDO to identify businesses owned by people within minority groups, women, veterans, and people with disabilities that could benefit from the EDIP and the MVSP.
Agency response & Auditor reply
Agency: "MOBD will work with the Executive Office of Economic Development (EOED) to identify and implement best practices regarding the collection of diversity-related metrics from grantees and applicants to the EDIP."
Auditor: "We strongly encourage MOBD to implement our recommendations."
Why it matters: MOBD faced increased risk of user error and compromised integrity or security of protected information in its information technology systems.
Standard: Executive Office of Technology Services and Security Information Security Risk Management Standard IS.010 requires annual cybersecurity awareness training for all personnel. ( Chapter 7D of the Massachusetts General Laws; Executive Office of Technology Services and Security Information Security Risk Management Standard IS.010, Section 6.2.4 )
1 recommendation
- MOBD should ensure that all of its employees complete annual cybersecurity awareness training.agency: already implemented
Agency response & Auditor reply
Agency: "Cybersecurity training is now offered by Human Resources Division, and new procedures already have been put into place to ensure that all executive branch employees complete annual cybersecurity awareness training."
Auditor: "Based on its response, MOBD is taking measures to address our concerns on this matter."
More audits of this entity
Other Office of the State Auditor reports on Massachusetts Office of Business Development .
- Audit of the Massachusetts Office of Business Development (MOBD)State Agency / Office · June 20, 2019