Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of the Massachusetts Rehabilitation Commission

July 3, 2018 · Massachusetts Rehabilitation Commission · Read the full official report on mass.gov ↗

Published July 3, 2018 Audit covers July 1, 2015 – June 30, 2017 Under Suzanne M. Bump · 2011–2023

In plain English
The audit found that the Massachusetts Rehabilitation Commission handled contractor billing properly, but had serious weaknesses in how it managed access and security for its contract database.
source
“MRC is not properly administering its contract management database.”
Read the plain-English breakdown
What is this?

This is a state performance audit of the Massachusetts Rehabilitation Commission covering July 1, 2015 through June 30, 2017.

“In accordance with Section 12 of Chapter 11 of the General Laws, the Office of the State Auditor (OSA) has conducted a performance audit of MRC for the period July 1, 2015 through June 30, 2017.”
Why was it audited?

Auditors looked at whether MRC had a proper system for handling bills from vendors.

“In this audit, we determined whether MRC has a system in place to properly administer its billings to vendors.”
Why it matters

The problems increased the risk that people who should not have access could get into MRC systems or see information they should not see.

“As a result of the administrative problems, there is a higher-than-acceptable risk of unauthorized access and/or improper disclosure of information stored in the MRC network and the CMDB.”
What's in it for me?

If you rely on state disability services, pay taxes, or care about privacy, this matters because MRC’s systems include contract and vendor information connected to public services.

“Its primary mission is to help individuals with disabilities live and work independently in the community.”
The bottom line

The billing process passed the audit question, but the contract database security and monitoring controls needed improvement.

“Based on these procedures, we determined that the information system general controls over MRC’s contract billings and information systems need improvement.”
What happens next

MRC said it would create policies, train managers, review vendors, tighten employee off-boarding, and regularly review network access.

“MRC will review all network users quarterly to ensure compliance.”
Why it's significant

The audit’s main significance is not that vendors were wrongly paid, but that weak access controls and vendor monitoring could expose government systems and information to avoidable risk.

“MRC has not established monitoring controls to ensure that its staff members comply with EOHHS’s IT Information Security Management Program Standards.”
Jargon, unpacked

The contract management database is the system MRC uses to store contracts and related documents and manage contracting work.

“The CMDB is maintained by MRC’s Contracts Unit Team and contains copies of all contracts and contract-related information, such as Requests for Responses.”

What the Auditor checked

What the Auditor found

The Massachusetts Rehabilitation Commission did not properly administer its contract management database.
cybersecurityinternal controlsvendor oversightdata privacyrecordkeeping/documentation

Why it matters: There was a higher-than-acceptable risk of unauthorized access and improper disclosure of information stored in the MRC network and contract management database.

Standard: EOHHS Information Security Management Program Standards and EOTSS Enterprise Information Security Policy ( Section 6.1.2 of the Executive Office of Health and Human Services Information Security Management Program Standards; Section 6.1.9 of the Executive Office of Health and Human Services Information Security Management Program Standards; Section 6.1.7 of the Executive Office of Health and Human Services Information Security Management Program Standards; Section 6.2.2 of the Executive Office of Health and Human Services Information Security Management Program Standards; Section 3.1 of the Executive Office of Health and Human Services Information Security Management Program Standards; Executive Office of Technology Services and Security Enterprise Information Security Policy dated March 2014 )

2 recommendations
  • MRC should address identified noncompliance and ensure staff comply with EOHHS Information Security Management Program Standards, including monitoring controls.
  • MRC should implement monitoring of third-party vendors for compliance with Commonwealth information security control requirements established by EOHHS and EOTSS IT policies.
Agency response & Auditor reply
Agency: "MRC is creating policies and an implementation plan to be in compliance with Section 3.1 of the Executive Office of Health and Human Services (EOHHS) information technology (IT) Information Security Management Program Standards."

More audits of this entity

Other Office of the State Auditor reports on Massachusetts Rehabilitation Commission .

See this entity's page with all 4 audits →