Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Civil Service Commission

April 22, 2011 · Read the full official report (PDF) ↗

Published April 22, 2011 Audit covers July 1, 2008 – November 8, 2010 Under Suzanne M. Bump · 2011–2023

In plain English
The audit found CSC’s IT controls were generally adequate, but it flagged problems with tracking computer equipment and planning for a disruption.
source
“Based on our review, we have concluded that, except for the issues addressed in the Audit Results section of this report, during the audit period ended November 8, 2010, CSC maintained adequate internal controls regarding system access security, inventory controls over computer equipment, business continuity planning, and selected controls regarding the protection of personal information.”
Read the plain-English breakdown
What is this?

This is a Massachusetts State Auditor report on information technology controls at the Civil Service Commission.

“In accordance with Chapter 11, Section 12, of the General Laws, we performed an audit of information technology controls at CSC.”
Why was it audited?

Auditors checked whether CSC had reasonable safeguards for system access, computer equipment, continuity planning, personal information, and physical security.

“Our audit included a review of system access security, inventory controls over computer equipment, business continuity planning, and selected controls regarding the protection of personal information per Executive Order 504 and Chapter 93H of the General Laws.”
Why it matters

CSC handles appeals from public employees and job applicants, so its systems and records support decisions that can affect people’s jobs and careers.

“The mission of CSC is to adjudicate appeals of public employees and job applicants under the civil service laws.”
What's in it for me?

If you are a public employee, job applicant, or taxpayer, this matters because CSC is supposed to treat people fairly and keep its case information and equipment under control.

“It is CSC’s responsibility to ensure that individuals who come before it are treated fairly and impartially.”
The bottom line

The big takeaway is that CSC needed stronger basic housekeeping: better computer inventory records and a written plan for keeping operations going after a serious IT disruption.

“However, we found that CSC did not have a formal, documented business continuity plan that would help ensure that mission-critical business operations can be recovered in a timely manner.”
What happens next

CSC agreed to make changes and said it planned to carry out the recommendations by June 30, 2011.

“In regard to those areas where the Audit recommends improvements, we have already taken steps to implement some of those recommendations and plan on implementing all of the recommendations by the end of this fiscal year (June 30, 2011).”
Why it's significant

The report is significant because missing or weak IT controls could make it harder for CSC to find equipment, detect losses, or continue serving the public during an outage.

“The absence of a sufficiently reliable inventory of computer equipment hinders CSC’s ability to properly account for IT resources, evaluate the allocation of equipment, identify missing equipment, and support IT configuration management objectives.”
Jargon, unpacked

“Business continuity planning” means having written steps so an agency can keep doing essential work if systems, offices, or data access are disrupted.

“Contingency planning is an essential part of continuing an agency’s business operations.”

What the Auditor checked

What the Auditor found

CSC did not have adequate inventory controls over computer equipment.
asset/inventory controlinternal controlsrecordkeeping/documentation

Why it matters: CSC could not reliably account for IT resources, identify missing equipment, or support IT configuration management objectives.

Standard: Office of the State Comptroller inventory requirements and Chapter 647 of the Acts of 1989. ( Chapter 647 of the Acts of 1989; Office of the State Comptroller inventory requirements )

4 recommendations
  • Develop and implement internal control policies, procedures, and practices regarding inventory control of IT resources.agency: agreed
  • Update inventory fields to include cost, purchase date, and verified serial numbers.agency: agreed
  • Report all unaccounted-for variances, losses, and thefts to the Office of the State Auditor.agency: agreed
  • Surplus obsolete and non-functional IT equipment and remove it from inventory records.agency: agreed
Agency response & Auditor reply
Agency: "In regard to those areas where the Audit recommends improvements, we have already taken steps to implement some of those recommendations and plan on implementing all of the recommendations by the end of this fiscal year (June 30, 2011)."
CSC did not have a formal documented business continuity plan.
internal controlsrecordkeeping/documentation

Why it matters: CSC risked disruption of service and delays in accessing mission-critical systems if IT capabilities or network connectivity were interrupted.

Standard: Executive Orders 144, 475, and 490, and generally accepted business practices and industry standards for computer operations. ( Executive Order No. 144; Executive Order No. 475; Executive Order No. 490 )

4 recommendations
  • Work with ITD and EOAF to develop a comprehensive business continuity plan for accessing mission-critical applications after a disaster.agency: agreed
  • Formally review, test, approve, and periodically update the business continuity plan.agency: agreed
  • Include detailed staff instructions, contacts, alternate-site procedures, and IT recovery responsibilities.agency: agreed
  • Follow Executive Orders 144, 475, and 490 for continuity planning, documentation, maintenance, and training.agency: agreed
Agency response & Auditor reply
Agency: "The Commission acknowledges, however, that there is no written formalized business continuity plan regarding computer operations that currently exists."

More audits of this entity

Other Office of the State Auditor reports on Civil Service Commission .

See this entity's page with all 4 audits →