Division of Banks
January 25, 2012 · Read the full official report (PDF) ↗
source
“Based on our review we have determined that, except as reported in the Audit Results section of this report, for the period July 1, 2008 through April 30, 2011, DOB maintained adequate internal controls and complied with applicable laws, rules, and regulations related to its operations for the areas tested.”
Read the plain-English breakdown
This is a follow-up audit of the Massachusetts Division of Banks, the state agency that oversees state-chartered banks, credit unions, mortgage businesses, and other financial service companies.
“The scope of our audit consisted of an evaluation of the status of Audit Results in our prior audit report, No. 2007-0100-4T, regarding the oversight of mortgage brokers and lenders and business continuity and disaster recovery planning for mission-critical applications utilized by DOB.”
Auditors wanted to see whether the agency fixed issues from a prior audit: weak capacity to oversee mortgage brokers and lenders, and weak planning for keeping operations going after a technology failure or disaster.
“The purpose of our audit was to determine whether corrective action had been taken to address the Audit Results contained in our prior audit report, No. 2007-0100-4T.”
This matters because the agency oversees major parts of the financial system in Massachusetts, including banks, credit unions, mortgage companies, debt collectors, check cashers, and other financial businesses.
“The DOB is responsible for the oversight of nearly 225 state-chartered banks and credit unions holding approximately $271 billion in combined assets as of March 31, 2011.”
The mortgage oversight issue was fixed, but the disaster recovery and business continuity issue was still unresolved.
“Although certain objectives for contingency planning existed, our audit found that DOB did not have a sufficiently comprehensive disaster recovery plan in place to provide for the timely restoration of business and IT capabilities should application systems be rendered inoperable or inaccessible.”
The auditor recommended that the Division of Banks work with the Executive Office of Housing and Economic Development to assess risks, identify critical systems, and create tested recovery and continuity plans.
“DOB, in conjunction with EOHED, should assess the extent to which it is dependent upon the continued availability of information systems for all required processing or operational needs and develop its recovery plans based on the critical aspects of its information systems.”
The unresolved technology planning issue could cause delays, extra costs, and trouble accessing important systems if a disaster or major outage happened.
“Furthermore, the absence of a comprehensive and tested DRP could result in unnecessary costs and significant processing delays.”
A disaster recovery plan means a detailed plan for restoring computer systems after a major outage; a business continuity plan means a plan for keeping key work going during and after a disruption.
“A business continuity plan should document DOB’s recovery strategies with respect to various disaster scenarios.”
What the Auditor checked
- Partially Determine whether corrective action had been taken to address the audit results contained in prior audit report No. 2007-0100-4T.
- Complied Assess DOB's capacity to perform examinations to protect consumers and evaluate the financial viability of mortgage lenders and brokers in Massachusetts.
- Did not comply Assess the adequacy of disaster recovery and business continuity planning.
What the Auditor found
Why it matters: DOB risked delayed restoration of business and IT operations, unnecessary costs, processing delays, and vulnerability of data files and software after a disaster.
Standard: Generally accepted business practices and industry standards for computer operations require an ongoing business continuity planning process that assesses criticality and develops contingency and recovery plans. ( Executive Order 510 )
3 recommendations
- DOB, with EOHED, should assess dependence on information systems and develop recovery plans based on critical information systems.agency: agreed
- DOB should develop detailed disaster recovery and business continuity plans based on criticality, business impact assessments, risk management, and testing.agency: agreed
- DOB's contingency plans should assign staff roles and detailed recovery steps for mission-critical and essential IT systems and operations.agency: agreed
Agency response & Auditor reply
Agency: "The Division continues to place a priority on disaster recovery and business continuity."
Prior findings revisited
"Our follow-up audit disclosed that as a result of significant regulatory reform and an increased emphasis on performing examinations of non-bank entities, the DOB is providing adequate oversight of mortgage brokers and lenders under its authority."
"We found that DOB had a draft Continuity of Operations Plan (COOP), dated February 2011, that provided detailed procedures to be performed to sustain key business functions during and after a disruption of computer operations."
More audits of this entity
Other Office of the State Auditor reports on Division of Banks , including the prior audits referenced above.
- Audit of the Division of BanksState Agency / Office · November 18, 2021
- Division of BanksState Agency / Office · March 23, 2017
-
Audit of Settlement Agreements and Confidentiality Clauses Across Multiple State Agencies - Division of Banks (January 28, 2025)State Agency / Office · January 28, 2025