Massachusetts Housing Finance Agency
January 26, 2017 · Read the full official report (PDF) ↗
source
“Our audit of MHFA identified seven findings, but only five are disclosed in this public report.”
Read the plain-English breakdown
This is a public version of a Massachusetts State Auditor audit of MassHousing's IT controls for July 1, 2014 through December 31, 2015.
“I am pleased to provide this information technology general control audit of the Massachusetts Housing Finance Agency.”
The audit looked at whether MassHousing had enough IT controls to protect systems, data, and operations that support its work.
“The objective of ITGCs is to ensure the confidentiality, integrity, and availability of systems, programs, data files, and computer operations in an organization.”
Weak IT governance can mean daily technology work may not line up with the agency's broader mission or protect data well enough.
“As a result, there is an increased risk that day-to-day IT operations do not support its overall strategies and objectives.”
If you are a Massachusetts resident, borrower, homeowner, employee, or someone whose information is handled by MassHousing, weak data controls can increase the risk that personal or confidential information is mishandled.
“Compromise of personal and confidential data can seriously damage the mission, safety, or integrity of an agency and its staff.”
The main takeaway is that MassHousing had important gaps in how it managed and protected IT systems and protected information.
“MassHousing did not have sufficient controls over the security and confidentiality of protected information.”
MassHousing received recommendations and is responsible for acting on them; the agency said it was already taking or planning steps in several areas.
“In accordance with Sections 7.39–7.43 of the Government Accountability Office’s Government Auditing Standards, as well as the policies of the Office of the State Auditor, for reporting confidential and sensitive information, we have given a separate full report to MFHA, which will be responsible for acting on our recommendations.”
MassHousing is a major public housing finance agency, so weaknesses in its technology controls matter because the agency supports billions of dollars in affordable housing work.
“Since its inception, it has provided more than $18.5 billion for affordable housing.”
ITGCs means basic technology safeguards that apply across an organization, such as backup controls, access controls, disaster recovery, asset tracking, and data protection.
“ITGCs are a subset of internal controls that are applied to every information technology (IT) system that an organization relies on and to the IT staff that administers those systems.”
1 figure(s) pending source verification - not shown
What the Auditor checked
- Did not comply Has MassHousing established adequate internal controls to support its mission-critical and essential application systems over IT organization and management in regard to IT policies and procedures, IT risk assessments, and providing adequate IT oversight?
- Did not comply Has MassHousing established adequate internal controls to support its mission-critical and essential application systems over IT computer operations such as backup scheduling and network monitoring?
- Did not comply Has MassHousing established adequate internal controls to support its mission-critical and essential application systems over business continuity and disaster recovery, including its policies and procedures, emergency contact list, hot site, and incident testing?
- Did not comply Has MassHousing established adequate internal controls to support its mission-critical and essential application systems over asset inventory, including inventory management, loss prevention, and disposal management?
- Did not comply Has MassHousing established adequate internal controls to support its mission-critical and essential application systems over protected information, such as employee acknowledgement forms, employee training, and established confidentiality agreements between contractors, vendors, and other third parties?
- Complied Has MassHousing established adequate internal controls to support its mission-critical and essential application systems over IT system development and change management, including project approval by IT management and segregation of duties between the testing environment and the production environment?
- Did not comply Has MassHousing established adequate internal controls to support its mission-critical and essential application systems over logical access security, including background checks, user account management, and password security?
What the Auditor found
Why it matters: Day-to-day IT operations may not support MassHousing's overall strategies and objectives, increasing risks such as lost productivity, inadequate data protection, miscommunication, and insufficient protection of personal and confidential data.
Standard: COBIT 4.1 Sections PO1, PO2, and PO4; MassIT Enterprise IT Asset and Risk Management Policy ( Section PO1 in Control Objectives for Information and Related Technologies (COBIT) 4.1; Section PO4 of COBIT 4.1; Massachusetts Office of Information Technology Enterprise IT Asset and Risk Management Policy )
3 recommendations
- MassHousing should formally document an IT strategic plan to manage and direct all IT resources in line with its business strategies and objectives.agency: disagreed
- MassHousing should modify its ISP and create policies to include all functions such as physical access security, retention and restoration of data, and data classification.agency: disagreed
- MassHousing should perform a data inventory and develop a data-classification scheme.agency: disagreed
Agency response & Auditor reply
Agency: "MassHousing respectfully disagrees with the State Auditor’s assessment that we have not “established adequate internal controls to support the agency’s mission critical and essential application systems” in seven out of eight audit objectives."
Auditor: "Although MassHousing asserts that it maintains robust internal controls and effectively manages risks related to IT, our audit identified significant problems with the agency’s IT controls."
Why it matters: Restoration of technology operations could be delayed in a disaster, potentially causing financial loss and reputational damage.
Standard: MassHousing Disaster Recovery and Incident Management Team Plan; COBIT 4.1 Section DS1; MassHousing ISP Section IV(C) ( MassHousing’s Disaster Recovery and Incident Management Team Plan; Section DS1 of COBIT 4.1; Section IV(C) of MassHousing’s ISP )
4 recommendations
- MassHousing should conduct and document an annual disaster-recovery test, including testing of mission-critical applications and recovery resources with all employees at the hot site.agency: partially agreed
- MassHousing should repair or replace the Incident Management Team laptop.agency: already implemented
- MassHousing should review and update the contract for service of backup media and implement a control to periodically review and update all service-provider contracts, including reviews and updates when there is a change in ownership.agency: already implemented
- MassHousing should establish policies and procedures that require the appropriate agency staff members to periodically request and review the SOC 2 Type 2 report from the contractor that administers its service provider’s data center.agency: partially agreed
Agency response & Auditor reply
Agency: "MassHousing has successfully tested its abilities to retrieve electronic data for continued operations at its disaster (hot) site, with the last test during the audit period occurring in March 2015."
Why it matters: Protected information was not properly safeguarded against possible misuse.
Standard: Massachusetts Executive Order 504; MassHousing ISP Section III(A); NIST Special Publication 800-53 Revision 4 Appendix F ( Massachusetts Executive Order 504; Section III(A) of MassHousing’s ISP; Appendix F of Revision 4 of NIST’s Special Publication 800-53 )
3 recommendations
- MassHousing should train the new employees who have not completed security training.agency: agreed
- MassHousing should review the training log periodically and implement appropriate controls to ensure that all employees are trained before they are given access to protected information.agency: agreed
- MassHousing should establish and implement effective policies, procedures, and monitoring controls to ensure that all employees, contractors, and interns sign acknowledgment forms before they are given access to protected information.agency: agreed
Agency response & Auditor reply
Agency: "Management is planning to implement a process to ensure initial, day-one security awareness training for all new hires with access to our IT network by October 31, 2016."
Auditor: "MassHousing’s implementation and documentation of IT security training for all employees, temporary personnel, and contractors who have access to its systems is key to ensuring that its systems are properly safeguarded."
Why it matters: The system could not establish accountability for backup schedule changes, increasing the risk that configuration settings could be changed without detection and cause loss of files and data.
Standard: COBIT 4.1 Section DS5 ( Section DS5 of COBIT 4.1 )
2 recommendations
- MassHousing should establish access-security policies that state the requirements for managing accounts.agency: already implemented
- MassHousing should add the user accounts of the staff members who are responsible for the backup schedule to the backup operation group.agency: already implemented
Agency response & Auditor reply
Agency: "MassHousing IT has made the appropriate changes to the backup operations group, and each system-level account is held by an individual IT Division employee."
Auditor: "We believe MassHousing is taking the appropriate steps to control its backup schedule adequately."
More audits of this entity
Other Office of the State Auditor reports on Massachusetts Housing Finance Agency .
- Audit of the Massachusetts Housing Finance Agency (October 30, 2025)Other · October 30, 2025
- Audit of the Massachusetts Housing Finance AgencyOther · December 20, 2021