Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of the Middlesex County District Attorney’s Office (December 19, 2025)

December 19, 2025 · Middlesex County District Attorney’s Office · Read the full official report on mass.gov ↗

Published December 19, 2025 Audit covers July 1, 2022 – June 30, 2024 Under Diana DiZoglio · 2023–present

In plain English
The audit found three main issues: the office did not fully manage access and information in the sexual assault kit tracking system, lacked written settlement-agreement policies, and missed some cybersecurity training requirements, though it later reported fixes.
source
“Below is a summary of our findings, the effects of those findings, and our recommendations, with hyperlinks to each page listed.”
Read the plain-English breakdown
What is this?

This is a Massachusetts State Auditor performance audit of the Middlesex County District Attorney’s Office covering mostly July 1, 2022 through June 30, 2024, with a longer lookback for employee settlement agreements.

“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of certain activities of the Middlesex County District Attorney’s Office (MDAO) for the period July 1, 2022 through June 30, 2024.”
Why was it audited?

Auditors checked whether the office properly used the sexual assault evidence kit tracking system, followed cybersecurity training standards, and had policies for employee settlement agreements.

“The purpose of our audit was to determine the following:”
Why it matters

The issues matter because they involve sensitive sexual assault case information, employee cybersecurity habits, and clear rules for handling public-sector settlement agreements.

“If MDAO does not promptly revoke former employees’ access rights to the Track-Kit system, then there is a risk of unauthorized access to sensitive case and survivor information.”
What's in it for me?

For residents, the audit is about whether a major county prosecutor’s office has basic safeguards for sensitive records, public accountability, and employee cybersecurity practices.

“It operates offices in Woburn, Framingham, and Lowell, and serves 54 cities and towns across Middlesex County.”
The bottom line

The office had shortcomings, but the report says it took steps after the audit to address the problems auditors raised.

“Based on its response, MDAO has taken measures to address our concerns regarding this matter.”
What happens next

The auditor plans to check back in about six months to see whether the office’s fixes are working.

“As part of our post-audit review process, we will follow up on this matter in approximately six months.”
Why it's significant

The report says unclear rules for district attorneys in the kit tracking system may make the system less consistent and less effective across Massachusetts.

“If the role of the district attorneys in the Track-Kit system is not clearly defined, then there could be inconsistent use of the system across district attorneys’ offices, which may limit the effectiveness of the system.”
Jargon, unpacked

SAECK means a sexual assault evidence collection kit; Track-Kit is the online system used to follow where those kits are and what their status is.

“EOPSS implemented the web-based Track-Kit system to allow all users to trace a SAECK’s location from distribution to collection to processing to storage.”

What the Auditor checked

What the Auditor found

MDAO did not promptly revoke former employees’ Track-Kit access and did not complete required contact-information fields.
internal controlsdata privacyrecordkeeping/documentation

Why it matters: There was a risk of unauthorized access to sensitive case and survivor information, and survivors could lack a clear single point of contact.

Standard: Section 18X(g) of Chapter 6A of the General Laws; Track-Kit User Manual; EOPSS Policies and Procedures for Sexual Assault Evidence Collection Kit Tracking; EOTSS Access Management Standard IS.003 ( Section 18X(g) of Chapter 6A of the General Laws; Section 6.1.6 of EOTSS Access Management Standard IS.003 )

2 recommendations
  • MDAO should assign its contact information to each SAECK within its jurisdiction in the Track-Kit system and should train its employees on how to use this system.agency: already implemented
  • MDAO should develop, document, and implement policies and procedures for Track-Kit system access authorization for new users and the revocation of access upon termination of users, including semiannual access reviews.agency: already implemented
Agency response & Auditor reply
Agency: "As of February 3, 2025, all access has been revoked for users who have either ended employment or no longer require access."
Auditor: "Based on its response, MDAO has taken measures to address our concerns regarding this matter."
MDAO lacked documented policies or procedures for employee settlement agreements and supporting records.
internal controlsrecordkeeping/documentation

Why it matters: Without a documented process, employee settlements may not be handled in an ethical, legal, and appropriate manner.

Standard: Section 5.09 of Title 815 of the Code of Massachusetts Regulations; Standards for Internal Control in the Federal Government ( Section 5.09 of Title 815 of the Code of Massachusetts Regulations )

1 recommendation
  • MDAO should develop, document, and implement a written policy related to employee settlement agreements, including prohibiting the use of non-disclosure, non-disparagement, or similarly restrictive clauses in its agreements.agency: already implemented
Agency response & Auditor reply
Agency: "Nevertheless, as of September 1, 2025, the Middlesex District Attorney’s Office has modified its Employee Handbook to include a policy governing employee settlement agreements, particularly those containing non-disclosure, non-disparagement or similar restrictive clauses."
Auditor: "Based on its response, MDAO has taken measures to address our concerns regarding this matter."
MDAO did not ensure all employees completed cybersecurity awareness training upon hire and annually thereafter.
cybersecurityinternal controls

Why it matters: MDAO may face a higher-than-acceptable risk of cybersecurity attacks and financial or reputational losses.

Standard: Section 6.2 of EOTSS’s Information Security Risk Management Standard IS.010 ( Section 6.2 of EOTSS’s Information Security Risk Management Standard IS.010 )

1 recommendation
  • MDAO should ensure that all employees complete annual refresher cybersecurity awareness training and that all newly hired employees complete the initial training within the first 30 days of their new hire orientation.agency: already implemented
Agency response & Auditor reply
Agency: "As this audit shows, by 2024, the Office was in full compliance."
Auditor: "Based on its response, MDAO has taken measures to address our concerns regarding this matter."

More audits of this entity

Other Office of the State Auditor reports on Middlesex County District Attorney’s Office .

See this entity's page with all 2 audits →