Audit of the Worcester County District Attorney’s Office (May 4, 2023)
May 4, 2023 · Worcester County District Attorney’s Office · Read the full official report on mass.gov ↗
source
“WCDA did not ensure that its employees completed cybersecurity awareness training.”
Read the plain-English breakdown
This is a state performance audit of the Worcester County District Attorney's Office covering July 1, 2019 through June 30, 2021.
“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of certain activities of the Worcester County District Attorney’s Office (WCDA) for the period July 1, 2019 through June 30, 2021.”
Auditors checked whether the office followed rules for forfeited funds, tracked seized money properly, updated pandemic-related controls, and trained employees on cybersecurity.
“The purpose of our audit was to determine the following:”
The office handles criminal cases and seized or forfeited money, so weak controls or missed training can affect public money and information security.
“WCDA also assists in the investigation of a variety of criminal activities.”
If you live in central Massachusetts, this office serves your community, and the audit tells you whether it followed important rules during the period reviewed.
“WCDA serves four cities and 56 towns in central Massachusetts, representing approximately 862,000 residents of the Commonwealth.”
The main problem reported was cybersecurity training: new and current employees were not all confirmed as trained as required.
“The Worcester County District Attorney’s Office (WCDA) did not ensure that all new employees completed cybersecurity awareness training as part of their orientation when they began working or that all employees completed annual cybersecurity awareness training.”
The auditor recommended that the office make employees complete cybersecurity training soon after hiring and every year after that.
“WCDA should ensure that employees complete cybersecurity awareness training within 30 days of their orientation and annually thereafter.”
The risk is practical: untrained employees make the office more vulnerable to cyberattacks and possible financial or reputation damage.
“Without educating all employees on their responsibility to protect the security of information assets, WCDA is exposed to a higher risk of cybersecurity attacks and financial and/or reputation losses.”
Confiscated funds are money first seized by police; they only become forfeited funds after a court says so.
“Funds initially seized by law enforcement agencies are considered confiscated until they are ultimately declared forfeited by a court order.”
What the Auditor checked
- Complied Did WCDA make all forfeited fund expenditures in compliance with Section 47(d) of Chapter 94C of the General Laws?
- Complied Did WCDA process and track all confiscated funds in accordance with its “Fiscal Policy and Procedures” to ensure that all funds are properly accounted for?
- Complied Did WCDA process and track all forfeited funds in accordance with its “Fiscal Policy and Procedures” to ensure that all funds are properly accounted for?
- Complied Did WCDA update its ICP to address the 2019 coronavirus (COVID-19) pandemic, in accordance with the Office of the Comptroller of the Commonwealth’s (CTR’s) “COVID-19 Pandemic Response Internal Controls Guidance,” dated September 30, 2020?
- Did not comply Did WCDA ensure that its employees completed cybersecurity awareness training in accordance with Sections 6.2.3 and 6.2.4 of the Executive Office of Technology Services and Security’s (EOTSS’s) Information Security Risk Management Standard IS.010?
What the Auditor found
Why it matters: Without training employees on information security responsibilities, WCDA faced a higher risk of cybersecurity attacks and financial or reputational losses.
Standard: Sections 6.2.3 and 6.2.4 of the Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010 ( Section 6.2 of the Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010 )
2 recommendations
- WCDA should ensure that employees complete cybersecurity awareness training within 30 days of their orientation and annually thereafter.agency: agreed
- WCDA should ensure that its employees are aware of EOTSS requirements.agency: agreed
Agency response & Auditor reply
Agency: "After reviewing the draft audit report on the Worcester County District Attorney's Office, our office is in agreement on the finding and recommendations."
Auditor: "Based on its response, WCDA has taken measures to address our concerns in this area."