Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of the Operational Services Division (April 25, 2024)

April 25, 2024 · Operational Services Division · Read the full official report on mass.gov ↗

Published April 25, 2024 Audit covers July 1, 2021 – December 31, 2022 Under Diana DiZoglio · 2023–present

In plain English
The auditor found that the Operational Services Division had website accessibility problems, contract-document accessibility problems, gaps in its incident-response plan, and no business continuity or disaster recovery plan during the audit period.
source
“Below is a summary of our findings and recommendations, with links to each page listed.”
Read the plain-English breakdown
What is this?

This is a Massachusetts State Auditor performance audit of the Operational Services Division, which helps state and local government buy goods and services and runs procurement tools such as COMMBUYS.

“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the Operational Services Division (OSD) for the period July 1, 2021 through December 31, 2022.”
Why was it audited?

Auditors checked whether OSD’s websites, contracts, and technology policies met state accessibility and information-security requirements.

“In this performance audit, we determined the following:”
Why it matters

These issues matter because people rely on state websites for services, and residents with disabilities may face extra barriers if pages or documents are not accessible.

“Government websites are an important way for the general public to access government information and services.”
What's in it for me?

If the recommendations are fixed, residents should have an easier time using OSD online services, including people who use screen readers, zoom tools, keyboards, or translation tools.

“To make web content accessible to people with disabilities, developers must ensure that various components of web development and interaction work together.”
The bottom line

The audit found several compliance problems: some OSD web pages were not fully accessible, some contract links and documents had accessibility issues, the incident-response plan was incomplete, and OSD lacked continuity and disaster recovery plans.

“OSD does not have a business continuity plan or a disaster recovery plan to ensure the continuity of operations in the case of an interruption or disaster.”
What happens next

The report recommends that OSD fix broken links and display issues, improve contract accessibility, strengthen incident-response procedures, and develop and test continuity and disaster recovery plans.

“OSD should develop, document, and test a disaster recovery plan for both onsite and offsite recovery locations.”
Why it's significant

The stakes are practical: if OSD systems fail or remain hard to use, residents and public agencies could lose access to important purchasing information and services, and statewide procurement could be disrupted.

“Additionally, if OSD is inoperable, statewide procurement may cease.”
Jargon, unpacked

COMMBUYS is the state’s online purchasing system where public buyers post bids, make contracts, and buy goods or services. A contract user guide explains how a statewide contract works.

“Additionally, OSD uses COMMBUYS as a web-based procurement platform for Commonwealth agencies and political subdivisions.”

What the Auditor checked

What the Auditor found

OSD’s Mass.gov website was not fully accessible because some hyperlinks were broken or faulty and one page did not display properly at 400% zoom.
data privacyrecordkeeping/documentationinternal controls

Why it matters: Users may have difficulty finding related information, may be directed to outdated or nonexistent webpages, and may be unable to read enlarged content without additional assistive technology.

Standard: EOTSS’s Enterprise Information Technology Accessibility Policy and WCAG 2.1 Success Criteria 1.4.10 Reflow and 2.4.5 Multiple Ways ( Section 2 of Chapter 7D of the Massachusetts General Laws; EOTSS’s Enterprise Information Technology Accessibility Policy; WCAG 2.1 Success Criterion 1.4.10 Reflow; WCAG 2.1 Success Criterion 2.4.5 Multiple Ways )

2 recommendations
  • OSD should review its Mass.gov webpages to ensure that all hyperlinks lead to related information to provide equitable access to critical information and services offered online by OSD for all Massachusetts residents and state agencies.agency: already implemented
  • OSD should ensure that content on its Mass.gov webpages displays clearly, even when zoomed up to 400%, resulting in a user experience that is inclusive of all Massachusetts residents and state agencies.agency: partially agreed
Agency response & Auditor reply
Agency: "OSD’s web team monitors the broken links report regularly and fixes identified links immediately."
Auditor: "Based on its response, OSD is taking measures to address our concerns on this matter."
OSD did not ensure all hyperlinks in contract user guides led to related information.
procurement/contractsrecordkeeping/documentationinternal controls

Why it matters: Users may have difficulty locating relevant contract information, may access outdated or incorrect information, or may be directed to webpages that no longer exist.

Standard: EOTSS’s Enterprise Information Technology Accessibility Policy and WCAG 2.1 Success Criterion 2.4.5 Multiple Ways ( EOTSS’s Enterprise Information Technology Accessibility Policy; WCAG 2.1 Success Criterion 2.4.5 Multiple Ways )

1 recommendation
  • OSD should regularly review its posted CUGs and ensure that hyperlinks within them are up-to-date and functional.agency: agreed
Agency response & Auditor reply
Agency: "OSD acknowledges this issue and will take steps to implement regular reviews of the contract user guides to identify and fix broken links."
Auditor: "Based on its response, OSD will take measures to address our concerns on this matter."
OSD did not ensure all contracts posted to COMMBUYS had language tags.
procurement/contractsrecordkeeping/documentationinternal controls

Why it matters: People using screen readers, accessibility tools, or webpage translators may be unable to read or accurately translate contract documents.

Standard: EOTSS’s Enterprise Information Technology Accessibility Policy and WCAG 2.1 Success Criteria 3.1.1 Language of Page and 3.1.2 Language of Parts ( EOTSS’s Enterprise Information Technology Accessibility Policy; WCAG 2.1 Success Criterion 3.1.1 Language of Page; WCAG 2.1 Success Criterion 3.1.2 Language of Parts )

2 recommendations
  • OSD should ensure that all attached contract forms have a language tag.agency: disagreed
  • OSD should establish criteria and user guides that include accessibility requirements for attached contract forms.agency: partially agreed
Agency response & Auditor reply
Agency: "Documents posted by other entities are records of those entities and OSD is not responsible for monitoring those records for compliance with accessibility standards."
Auditor: "We agree that updated training material notices for COMMBUYS users will increase compliance with applicable accessibility standards."
OSD did not ensure COMMBUYS provided error identification and correction suggestions for incorrect data entries.
procurement/contractsinternal controlsvendor oversight

Why it matters: Public buyers may not know how to correct incorrect entries, may be unable to complete postings, and the Commonwealth may not receive complete vendor responses to bid solicitations.

Standard: EOTSS’s Enterprise Information Technology Accessibility Policy and WCAG 2.1 Success Criterion 3.3.3 Error Suggestion ( EOTSS’s Enterprise Information Technology Accessibility Policy; WCAG 2.1 Success Criterion 3.3.3 Error Suggestion )

2 recommendations
  • OSD should ensure that all fields on its webpages properly identify errors when a user inputs an incorrect data type into an entry field.agency: agreed
  • OSD should ensure that it provides correction suggestions when a user inputs an incorrect data type into an entry field.agency: agreed
Agency response & Auditor reply
Agency: "OSD acknowledges this issue and has taken steps to notify the vendor that maintains the site and system software."
Auditor: "Based on its response, OSD will take measures to address our concerns on this matter."
OSD relied on an information security incident response plan and procedures that lacked required elements.
cybersecurityinternal controlsdata privacy

Why it matters: OSD may not take sufficient containment measures or complete proper documentation, investigation, risk analysis, and impact analysis after a security event.

Standard: EOTSS’s Information Security Incident Management Standard IS.009, Sections 6.5.1 and 6.5.2 ( EOTSS’s Information Security Incident Management Standard IS.009; Section 2 of Chapter 7D of the Massachusetts General Laws )

1 recommendation
  • OSD should establish information security incident response procedures for implementing corrective action or post-incident analysis, criteria for business recovery, data backup processes, and an analysis of legal requirements for reporting IT system compromises.agency: agreed
Agency response & Auditor reply
Agency: "However, OSD acknowledges that it does not have a written plan that is fully compliant with EOTSS’s Information Security Incident Management Standard IS.009 and will develop a compliant written information security incident response plan."
Auditor: "Based on its response, OSD is taking measures to address our concerns on this matter."
OSD did not have a business continuity plan or disaster recovery plan.
cybersecurityinternal controlsprocurement/contracts

Why it matters: OSD may be unable to continue critical operations after infrastructure failure or disaster, risking lost or incorrect data, financial losses, costly recovery, inaccurate or incomplete data, and halted statewide procurement.

Standard: EOTSS’s Business Continuity and Disaster Recovery Standard IS.005, Sections 6.1.1.4 and 6.2.1 ( EOTSS’s Business Continuity and Disaster Recovery Standard IS.005; Section 6.1.1.4 of EOTSS’s Business Continuity and Disaster Recovery Standard IS.005; Section 6.2.1 of EOTSS’s Business Continuity and Disaster Recovery Standard IS.005 )

2 recommendations
  • OSD should develop, document, and test a business continuity plan.agency: already implemented
  • OSD should develop, document, and test a disaster recovery plan for both onsite and offsite recovery locations.agency: already implemented
Agency response & Auditor reply
Agency: "OSD acknowledges that it did not have a written plan that was fully compliant with EOTSS’s Business Continuity and Disaster Recovery Standard IS.005."
Auditor: "Based on its response, OSD has taken measures to address our concerns on this matter."

More audits of this entity

Other Office of the State Auditor reports on Operational Services Division .

See this entity's page with all 2 audits →