Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Division of Banks

January 25, 2012 · Read the full official report (PDF) ↗

Published January 25, 2012 Audit covers July 1, 2008 – April 30, 2011 Under Suzanne M. Bump · 2011–2023

In plain English
The auditor found that the Division of Banks had fixed its earlier problem with oversight of mortgage brokers and lenders, but still had not finished strong disaster recovery and business continuity plans for its technology systems.
source
“Based on our review we have determined that, except as reported in the Audit Results section of this report, for the period July 1, 2008 through April 30, 2011, DOB maintained adequate internal controls and complied with applicable laws, rules, and regulations related to its operations for the areas tested.”
Read the plain-English breakdown
What is this?

This is a follow-up audit of the Massachusetts Division of Banks, the state agency that oversees state-chartered banks, credit unions, mortgage businesses, and other financial service companies.

“The scope of our audit consisted of an evaluation of the status of Audit Results in our prior audit report, No. 2007-0100-4T, regarding the oversight of mortgage brokers and lenders and business continuity and disaster recovery planning for mission-critical applications utilized by DOB.”
Why was it audited?

Auditors wanted to see whether the agency fixed issues from a prior audit: weak capacity to oversee mortgage brokers and lenders, and weak planning for keeping operations going after a technology failure or disaster.

“The purpose of our audit was to determine whether corrective action had been taken to address the Audit Results contained in our prior audit report, No. 2007-0100-4T.”
Why it matters

This matters because the agency oversees major parts of the financial system in Massachusetts, including banks, credit unions, mortgage companies, debt collectors, check cashers, and other financial businesses.

“The DOB is responsible for the oversight of nearly 225 state-chartered banks and credit unions holding approximately $271 billion in combined assets as of March 31, 2011.”
The bottom line

The mortgage oversight issue was fixed, but the disaster recovery and business continuity issue was still unresolved.

“Although certain objectives for contingency planning existed, our audit found that DOB did not have a sufficiently comprehensive disaster recovery plan in place to provide for the timely restoration of business and IT capabilities should application systems be rendered inoperable or inaccessible.”
What happens next

The auditor recommended that the Division of Banks work with the Executive Office of Housing and Economic Development to assess risks, identify critical systems, and create tested recovery and continuity plans.

“DOB, in conjunction with EOHED, should assess the extent to which it is dependent upon the continued availability of information systems for all required processing or operational needs and develop its recovery plans based on the critical aspects of its information systems.”
Why it's significant

The unresolved technology planning issue could cause delays, extra costs, and trouble accessing important systems if a disaster or major outage happened.

“Furthermore, the absence of a comprehensive and tested DRP could result in unnecessary costs and significant processing delays.”
Jargon, unpacked

A disaster recovery plan means a detailed plan for restoring computer systems after a major outage; a business continuity plan means a plan for keeping key work going during and after a disruption.

“A business continuity plan should document DOB’s recovery strategies with respect to various disaster scenarios.”

What the Auditor checked

What the Auditor found

DOB did not have sufficiently comprehensive disaster recovery and business continuity plans.
cybersecurityinternal controlsrecordkeeping/documentation

Why it matters: DOB risked delayed restoration of business and IT operations, unnecessary costs, processing delays, and vulnerability of data files and software after a disaster.

Standard: Generally accepted business practices and industry standards for computer operations require an ongoing business continuity planning process that assesses criticality and develops contingency and recovery plans. ( Executive Order 510 )

3 recommendations
  • DOB, with EOHED, should assess dependence on information systems and develop recovery plans based on critical information systems.agency: agreed
  • DOB should develop detailed disaster recovery and business continuity plans based on criticality, business impact assessments, risk management, and testing.agency: agreed
  • DOB's contingency plans should assign staff roles and detailed recovery steps for mission-critical and essential IT systems and operations.agency: agreed
Agency response & Auditor reply
Agency: "The Division continues to place a priority on disaster recovery and business continuity."

Prior findings revisited

Fixed
"Our follow-up audit disclosed that as a result of significant regulatory reform and an increased emphasis on performing examinations of non-bank entities, the DOB is providing adequate oversight of mortgage brokers and lenders under its authority."
Still a problem
"We found that DOB had a draft Continuity of Operations Plan (COOP), dated February 2011, that provided detailed procedures to be performed to sustain key business functions during and after a disruption of computer operations."

More audits of this entity

Other Office of the State Auditor reports on Division of Banks , including the prior audits referenced above.

See this entity's page with all 4 audits →