Audit of the Norfolk District Attorney’s Office (October 24, 2023)
October 24, 2023 · Norfolk District Attorney’s Office · Read the full official report on mass.gov ↗
source
“NDAO disbursed to two police departments $28,086 in forfeited assets that it should have retained.”
Read the plain-English breakdown
This is a state performance audit of selected activities at the Norfolk District Attorney’s Office for July 1, 2019 through June 30, 2021.
“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of certain activities of the Norfolk District Attorney’s Office (NDAO) for the period July 1, 2019 through June 30, 2021.”
Auditors checked whether the office handled forfeited assets properly and whether employees completed cybersecurity awareness training under the standards the auditors used.
“The purpose of our audit was to determine the following:”
Forfeited money is supposed to be split according to state law, and cybersecurity training helps reduce the risk of attacks, financial harm, or damage to public trust.
“A lack of cybersecurity awareness training for new employees and untimely annual refresher cybersecurity awareness training for existing employees exposes NDAO to a higher risk of cybersecurity attacks and financial and/or reputational losses.”
For residents, the issue is whether public money from forfeited assets is kept and used as allowed, including for public-safety purposes like anti-drug or neighborhood crime watch programs.
“If NDAO does not collect all of the forfeited assets to which it is entitled, it cannot use the associated revenue for other purposes, such as anti-drug or neighborhood crime watch programs.”
The office generally passed the spending test for its forfeiture trust fund, but failed the test for collecting, depositing, and distributing forfeited assets correctly, and failed the test for ensuring cybersecurity training completion.
“Below is a list of our audit objectives, indicating each question we intended our audit to answer; the conclusion we reached regarding each objective; and, if applicable, where each objective is discussed in the audit findings.”
The auditor recommended that the office recover all forfeited assets it is entitled to, update its policies, make sure employees complete cybersecurity training, track completion, and monitor deadlines.
“NDAO should collect all of the forfeited assets to which it is entitled.”
The dollar finding was narrow but concrete: one house forfeiture was split three ways even though the office should have received half and the police departments should have split the other half.
“NDAO overpaid the PDs a total of $28,086.”
Asset forfeiture means law enforcement can seize money or property connected to illegal drug activity, and if a court orders it forfeited, the proceeds are divided under state law.
“To prevent individuals from profiting from illegal drug activity, Section 47 of Chapter 94C of the General Laws authorizes law enforcement agencies to seize assets such as any profits of drug distribution or any property that is used, or was intended to be used, for illegal drug activity.”
2 figure(s) pending source verification - not shown
What the Auditor checked
- Complied Did NDAO make forfeiture trust fund expenditures in accordance with Section 47(d) of Chapter 94C of the General Laws?
- Did not comply Did NDAO ensure that forfeited assets from closed cases were collected, deposited, and distributed in accordance with Section 47(d) of Chapter 94C of the General Laws?
- Did not comply Did NDAO ensure that its employees completed cybersecurity awareness training in accordance with Sections 6.2.1, 6.2.3, and 6.2.4 of the Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010?
What the Auditor found
Why it matters: NDAO had less forfeited asset revenue available for purposes such as anti-drug or neighborhood crime watch programs.
Standard: Section 47(d) of Chapter 94C of the Massachusetts General Laws requires forfeited assets to be distributed equally between the prosecuting district attorney and the involved police department, with the police department share split equitably if more than one department was substantially involved. ( Section 47(d) of Chapter 94C of the Massachusetts General Laws )
2 recommendations
- NDAO should collect all of the forfeited assets to which it is entitled.
- NDAO should include language in its policies that references the law on forfeited asset splits involving multiple police departments and its process for forfeited asset distribution calculation review.
Agency response & Auditor reply
Agency: "The NDAO will follow the language of the forfeiture statute."
Auditor: "We encourage NDAO to implement our recommendations fully, including using language in its policies that references the part of Section 47(d) of Chapter 94C of the General Laws about forfeited asset splits involving multiple PDs and its process for forfeited asset distribution calculation review."
Why it matters: The lack of new-employee testing and late annual refresher training increased the risk of cybersecurity attacks and financial or reputational losses.
Standard: Executive Office of Technology Services and Security Information Security Risk Management Standard IS.010, Sections 6.2.1, 6.2.3, and 6.2.4. ( Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010 )
4 recommendations
- NDAO should ensure that its employees complete cybersecurity awareness training within 30 days of their orientation and annually thereafter, including a test of each individual’s understanding.agency: disagreed
- NDAO should implement monitoring controls to ensure that its employees complete their cybersecurity awareness training on time.agency: disagreed
- NDAO should ensure that its employees are informed on all requirements outlined in EOTSS’s Information Security Risk Management Standard IS.010.agency: disagreed
- NDAO should maintain a record of completion of cybersecurity awareness training for each employee.agency: disagreed
Agency response & Auditor reply
Auditor: "NDAO is correct in stating that it does not fall within the state executive branch and therefore is not required to follow EOTSS’s Information Security Risk Management Standard IS.010."
More audits of this entity
Other Office of the State Auditor reports on Norfolk District Attorney’s Office .
- Audit of the Norfolk District Attorney’s OfficeDistrict Attorney · October 24, 2018