Audit of the Middlesex County District Attorney’s Office (December 19, 2025)
December 19, 2025 · Middlesex County District Attorney’s Office · Read the full official report on mass.gov ↗
source
“Below is a summary of our findings, the effects of those findings, and our recommendations, with hyperlinks to each page listed.”
Read the plain-English breakdown
This is a Massachusetts State Auditor performance audit of the Middlesex County District Attorney’s Office covering mostly July 1, 2022 through June 30, 2024, with a longer lookback for employee settlement agreements.
“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of certain activities of the Middlesex County District Attorney’s Office (MDAO) for the period July 1, 2022 through June 30, 2024.”
Auditors checked whether the office properly used the sexual assault evidence kit tracking system, followed cybersecurity training standards, and had policies for employee settlement agreements.
“The purpose of our audit was to determine the following:”
The issues matter because they involve sensitive sexual assault case information, employee cybersecurity habits, and clear rules for handling public-sector settlement agreements.
“If MDAO does not promptly revoke former employees’ access rights to the Track-Kit system, then there is a risk of unauthorized access to sensitive case and survivor information.”
For residents, the audit is about whether a major county prosecutor’s office has basic safeguards for sensitive records, public accountability, and employee cybersecurity practices.
“It operates offices in Woburn, Framingham, and Lowell, and serves 54 cities and towns across Middlesex County.”
The office had shortcomings, but the report says it took steps after the audit to address the problems auditors raised.
“Based on its response, MDAO has taken measures to address our concerns regarding this matter.”
The auditor plans to check back in about six months to see whether the office’s fixes are working.
“As part of our post-audit review process, we will follow up on this matter in approximately six months.”
The report says unclear rules for district attorneys in the kit tracking system may make the system less consistent and less effective across Massachusetts.
“If the role of the district attorneys in the Track-Kit system is not clearly defined, then there could be inconsistent use of the system across district attorneys’ offices, which may limit the effectiveness of the system.”
SAECK means a sexual assault evidence collection kit; Track-Kit is the online system used to follow where those kits are and what their status is.
“EOPSS implemented the web-based Track-Kit system to allow all users to trace a SAECK’s location from distribution to collection to processing to storage.”
What the Auditor checked
- Partially To what extent did MDAO participate in the statewide sexual assault evidence collection kit (SAECK) tracking system as required by Section 18X(g) of Chapter 6A of the General Laws?
- Did not comply Did MDAO adhere to Sections 6.2.3 and 6.2.4 of the Executive Office of Technology Services and Security’s (EOTSS’s) Information Security Risk Standard IS0.010 regarding cybersecurity awareness training?
- Did not comply Did MDAO have internal policies and procedures in place for (a) the review and approval of employee settlement agreements, including the use of non-disclosure, non-disparagement, or similarly restrictive clauses, and (b) the reporting of monetary employee settlements to the Office of the Comptroller of the Commonwealth (CTR) in accordance with Sections 5.06 and 5.09 of Title 815 of the Code of Massachusetts Regulations (CMR)?
What the Auditor found
Why it matters: There was a risk of unauthorized access to sensitive case and survivor information, and survivors could lack a clear single point of contact.
Standard: Section 18X(g) of Chapter 6A of the General Laws; Track-Kit User Manual; EOPSS Policies and Procedures for Sexual Assault Evidence Collection Kit Tracking; EOTSS Access Management Standard IS.003 ( Section 18X(g) of Chapter 6A of the General Laws; Section 6.1.6 of EOTSS Access Management Standard IS.003 )
2 recommendations
- MDAO should assign its contact information to each SAECK within its jurisdiction in the Track-Kit system and should train its employees on how to use this system.agency: already implemented
- MDAO should develop, document, and implement policies and procedures for Track-Kit system access authorization for new users and the revocation of access upon termination of users, including semiannual access reviews.agency: already implemented
Agency response & Auditor reply
Agency: "As of February 3, 2025, all access has been revoked for users who have either ended employment or no longer require access."
Auditor: "Based on its response, MDAO has taken measures to address our concerns regarding this matter."
Why it matters: Without a documented process, employee settlements may not be handled in an ethical, legal, and appropriate manner.
Standard: Section 5.09 of Title 815 of the Code of Massachusetts Regulations; Standards for Internal Control in the Federal Government ( Section 5.09 of Title 815 of the Code of Massachusetts Regulations )
1 recommendation
- MDAO should develop, document, and implement a written policy related to employee settlement agreements, including prohibiting the use of non-disclosure, non-disparagement, or similarly restrictive clauses in its agreements.agency: already implemented
Agency response & Auditor reply
Agency: "Nevertheless, as of September 1, 2025, the Middlesex District Attorney’s Office has modified its Employee Handbook to include a policy governing employee settlement agreements, particularly those containing non-disclosure, non-disparagement or similar restrictive clauses."
Auditor: "Based on its response, MDAO has taken measures to address our concerns regarding this matter."
Why it matters: MDAO may face a higher-than-acceptable risk of cybersecurity attacks and financial or reputational losses.
Standard: Section 6.2 of EOTSS’s Information Security Risk Management Standard IS.010 ( Section 6.2 of EOTSS’s Information Security Risk Management Standard IS.010 )
1 recommendation
- MDAO should ensure that all employees complete annual refresher cybersecurity awareness training and that all newly hired employees complete the initial training within the first 30 days of their new hire orientation.agency: already implemented
Agency response & Auditor reply
Agency: "As this audit shows, by 2024, the Office was in full compliance."
Auditor: "Based on its response, MDAO has taken measures to address our concerns regarding this matter."
More audits of this entity
Other Office of the State Auditor reports on Middlesex County District Attorney’s Office .
- Audit of the Middlesex County District Attorney’s Office (MDAO)District Attorney · June 17, 2021