Audit of the Massachusetts Rehabilitation Commission
July 3, 2018 · Massachusetts Rehabilitation Commission · Read the full official report on mass.gov ↗
source
“MRC is not properly administering its contract management database.”
Read the plain-English breakdown
This is a state performance audit of the Massachusetts Rehabilitation Commission covering July 1, 2015 through June 30, 2017.
“In accordance with Section 12 of Chapter 11 of the General Laws, the Office of the State Auditor (OSA) has conducted a performance audit of MRC for the period July 1, 2015 through June 30, 2017.”
Auditors looked at whether MRC had a proper system for handling bills from vendors.
“In this audit, we determined whether MRC has a system in place to properly administer its billings to vendors.”
The problems increased the risk that people who should not have access could get into MRC systems or see information they should not see.
“As a result of the administrative problems, there is a higher-than-acceptable risk of unauthorized access and/or improper disclosure of information stored in the MRC network and the CMDB.”
If you rely on state disability services, pay taxes, or care about privacy, this matters because MRC’s systems include contract and vendor information connected to public services.
“Its primary mission is to help individuals with disabilities live and work independently in the community.”
The billing process passed the audit question, but the contract database security and monitoring controls needed improvement.
“Based on these procedures, we determined that the information system general controls over MRC’s contract billings and information systems need improvement.”
MRC said it would create policies, train managers, review vendors, tighten employee off-boarding, and regularly review network access.
“MRC will review all network users quarterly to ensure compliance.”
The audit’s main significance is not that vendors were wrongly paid, but that weak access controls and vendor monitoring could expose government systems and information to avoidable risk.
“MRC has not established monitoring controls to ensure that its staff members comply with EOHHS’s IT Information Security Management Program Standards.”
The contract management database is the system MRC uses to store contracts and related documents and manage contracting work.
“The CMDB is maintained by MRC’s Contracts Unit Team and contains copies of all contracts and contract-related information, such as Requests for Responses.”
What the Auditor checked
- Complied Is MRC properly administering its contractor billing process?
What the Auditor found
Why it matters: There was a higher-than-acceptable risk of unauthorized access and improper disclosure of information stored in the MRC network and contract management database.
Standard: EOHHS Information Security Management Program Standards and EOTSS Enterprise Information Security Policy ( Section 6.1.2 of the Executive Office of Health and Human Services Information Security Management Program Standards; Section 6.1.9 of the Executive Office of Health and Human Services Information Security Management Program Standards; Section 6.1.7 of the Executive Office of Health and Human Services Information Security Management Program Standards; Section 6.2.2 of the Executive Office of Health and Human Services Information Security Management Program Standards; Section 3.1 of the Executive Office of Health and Human Services Information Security Management Program Standards; Executive Office of Technology Services and Security Enterprise Information Security Policy dated March 2014 )
2 recommendations
- MRC should address identified noncompliance and ensure staff comply with EOHHS Information Security Management Program Standards, including monitoring controls.
- MRC should implement monitoring of third-party vendors for compliance with Commonwealth information security control requirements established by EOHHS and EOTSS IT policies.
Agency response & Auditor reply
Agency: "MRC is creating policies and an implementation plan to be in compliance with Section 3.1 of the Executive Office of Health and Human Services (EOHHS) information technology (IT) Information Security Management Program Standards."
More audits of this entity
Other Office of the State Auditor reports on Massachusetts Rehabilitation Commission .
- Single Audit of the Commonwealth - Massachusetts Rehabilitation Commission (MRC)Authority / Commission · May 17, 2012
- Massachusetts Rehabilitation CommissionAuthority / Commission · May 12, 2011
- Audit of the Massachusetts Rehabilitation CommissionAuthority / Commission · January 6, 2023