Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Lynn Housing Authority and Neighborhood Development

January 26, 2012 · Read the full official report (PDF) ↗

Published January 26, 2012 Audit covers January 1, 2007 – December 31, 2010 Under Suzanne M. Bump · 2011–2023

In plain English
The audit found that Lynn Housing Authority had improved some computer controls, but still needed stronger disaster recovery planning, password rules, and proof that it tracks computer equipment properly.
source
“Specifically, our audit determined that although LHAND had taken steps to address the prior audit issues of disaster recovery and business continuity planning, system access security, and inventory controls over fixed assets, further improvements were necessary.”
Read the plain-English breakdown
What is this?

This is a Massachusetts State Auditor report on selected information technology controls at the Lynn Housing Authority and Neighborhood Development.

“In accordance with Chapter 11, Section 12, of the General Laws, we performed an audit of selected IT-related controls at LHAND for the period January 1, 2007 through December 31, 2010.”
Why was it audited?

Auditors checked whether LHAND’s computer policies, access controls, backup planning, and protection of personal information were strong enough to support its housing work.

“Our primary audit objective was to determine whether LHAND’s IT-related internal control environment and documented IT policies and procedures provided reasonable assurance that control objectives would be achieved to support LHAND’s business functions; adequate controls were in place to provide reasonable assurance that IT resources are safeguarded, properly accounted for, and available when required; adequate physical security controls were in place to restrict access to IT resources to only authorized; sufficient environmental protection controls were in place; adequate controls were in place to provide reasonable assurance that only authorized users were granted access to network resources, including the Visual HOMES/AccountMate application system and other business-related applications; and procedures were in place to prevent and detect unauthorized access to automated systems.”
Why it matters

LHAND handles housing programs and data for low- and moderate-income residents, so weak technology controls could affect services, records, and confidential information.

“LHAND’s primary mission is to assist low- and moderate-income families and individuals with safe, decent, adequate, and affordable housing.”
What's in it for me?

If you rely on LHAND or care about public housing services in Lynn, the report points to risks that could slow services after a technology failure or expose sensitive data if access controls are weak.

“As a result of its inadequate password administration policies, procedures, and control practices, LHAND cannot ensure that mission-critical systems and confidential data are safeguarded from access by unauthorized persons.”
The bottom line

LHAND had made progress since the earlier audit, especially on inventory records, but the Auditor still found gaps that needed fixing.

“Our follow-up review revealed that although LHAND had taken steps to address these issues, improvements were still necessary, as discussed below.”
What happens next

The report recommends that LHAND finish and test disaster recovery plans, strengthen password policies, train employees, monitor compliance, and better document annual inventory checks.

“LHAND should take steps to ensure that adequate disaster recovery and business continuity plans are in place and tested to provide adequate assurance of their viability.”
Why it's significant

This report is significant because LHAND manages public housing, rental vouchers, and systems tied to housing and financial operations, so basic IT weaknesses could affect important public services.

“At the time of our audit, LHAND administered 2,590 rental assistance vouchers through its rental assistance program.”
Jargon, unpacked

“Disaster recovery and business continuity” means having a tested plan to keep essential work going or restore it quickly if computer systems fail.

“The objective of business continuity planning is to help ensure the continuation of mission-critical and essential functions enabled by technology should a disaster cause significant disruption or loss of computer or network operations.”

What the Auditor checked

What the Auditor found

LHAND still lacked a comprehensive written and tested disaster recovery and business continuity plan.
cybersecurityinternal controls

Why it matters: LHAND could have difficulty restoring mission-critical and essential business processes within an acceptable period after a loss of IT systems or processing.

Standard: Generally accepted industry practices and standards for computer operations require an ongoing business continuity planning process and appropriate recovery and contingency plans. ( Generally accepted industry practices and standards for computer operations )

1 recommendation
  • LHAND should take steps to ensure that adequate disaster recovery and business continuity plans are in place and tested to provide adequate assurance of their viability.agency: partially agreed
Agency response & Auditor reply
Agency: "LHAND has now developed a written plan for disaster recovery and business continuity."
LHAND’s password administration policies and monitoring were inadequate.
cybersecurityinternal controlsdata privacy

Why it matters: Mission-critical systems and confidential data may not be adequately safeguarded from unauthorized access.

Standard: CobiT guidelines and prudent business practices require adequate formal password administration policies, staff training, and compliance monitoring. ( Control Objectives for Business Information and Related Technology (CobiT) guidelines )

1 recommendation
  • LHAND should develop appropriate formal policies and procedures for password administration, including formation, use, and frequency of change.agency: already implemented
Agency response & Auditor reply
Agency: "LHAND has now developed formal written procedures for password administration."
LHAND did not maintain evidence of annual physical inventory reconciliations or require signed notebook computer responsibility forms.
asset/inventory controlrecordkeeping/documentationinternal controls

Why it matters: LHAND lacked reasonable assurance that computer equipment was properly monitored and protected from loss or misuse.

Standard: Office of the State Comptroller guidelines for inventory control and fixed-asset accounting. ( Office of the State Comptroller OSC guidelines for inventory control )

2 recommendations
  • LHAND should enhance its documented control procedures and practices by ensuring that it maintains evidence of an annual physical inventory and reconciliation of asset records.agency: already implemented
  • With respect to notebook computers, LHAND should develop a formal policy requiring that users who are assigned notebook computers sign a responsibility and acceptable usage form.agency: already implemented
Agency response & Auditor reply
Agency: "LHAND has now developed enhanced documented control procedures for inventory, which include evidence of an annual physical inventory and a reconciliation of asset records."

Prior findings revisited

Still a problem
"Our follow-up review revealed that although LHAND had taken steps to address these issues, improvements were still necessary, as discussed below."