Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Massachusetts Office on Disability

July 21, 2015 · Read the full official report (PDF) ↗

Published July 21, 2015 Audit covers July 1, 2012 – June 30, 2014 Under Suzanne M. Bump · 2011–2023

In plain English
The auditor found that the Massachusetts Office on Disability had problems tracking cases, proving some reported results, and securing its case-management database.
source
“MOD did not have adequate controls over information in its case files and case-management database.”
Read the plain-English breakdown
What is this?

This is a state performance audit of the Massachusetts Office on Disability covering July 1, 2012 through June 30, 2014.

“This report details the audit objectives, scope, methodology, findings, and recommendations for the audit period, July 1, 2012 through June 30, 2014.”
Why was it audited?

Auditors reviewed how the agency ran its Client Services Program, tracked advocacy cases, responded to public requests, and handled case backlogs.

“The objectives of our audit were to review certain aspects of MOD’s administration of its Client Services Program and to evaluate MOD’s process for tracking advocacy case information and responding to requests from the public.”
Why it matters

If case records are incomplete or outdated, the agency may not be able to track people’s requests properly or make sure cases are handled and closed according to its rules.

“A lack of current and complete information can inhibit MOD’s ability to effectively track and monitor cases and ensure that they are maintained and ultimately closed in accordance with MOD policies.”
What's in it for me?

For an ordinary resident seeking disability-related help, this matters because the office is supposed to provide information, referrals, and advocacy for services like housing, employment, and rehabilitation.

“By providing information, referral, and advocacy, MOD helps people obtain vocational rehabilitation, accessible housing, employment, and other services.”
The bottom line

The audit found three main issues: unreliable case data, unsupported performance reporting, and weak database security controls.

“MOD’s access-security controls over its mission-critical Omega case-management system did not ensure that only authorized users had access to information in the database.”
What happens next

The auditor recommended stronger controls, better performance tracking, and replacing or improving the case-management system, with security guidance from MassIT.

“MOD should establish the controls necessary to ensure that its case-management information is up to date, actively monitored, and maintained in accordance with prescribed procedures.”
Why it's significant

The report is significant because the agency serves many people each year, and weak tracking or security could affect how well it responds to the public.

“According to its website, MOD responds to the needs of more than 18,000 individuals yearly through three major programs: Community Services, Client Services, and Government Services.”
Jargon, unpacked

“Case-management” means the system and records the office uses to track requests for help, client contact, case activity, and whether cases are open or closed.

“The electronic system that MOD uses to maintain its case-management records has significant limitations.”

What the Auditor checked

What the Auditor found

MOD did not maintain adequate controls over case files and case-management data.
recordkeeping/documentationinternal controls

Why it matters: Unreliable, incomplete, or unsupported case information could prevent MOD from tracking, monitoring, and closing cases in accordance with its policies.

Standard: MOD's Client Service Procedures for monitoring open cases, client follow-up, closure, and maintaining closed-case lists. ( Chapter 11, Section 12, of the Massachusetts General Laws )

1 recommendation
  • MOD should establish the controls necessary to ensure that its case-management information is up to date, actively monitored, and maintained in accordance with prescribed procedures.
Agency response & Auditor reply
Agency: "The Massachusetts Office on Disability is endeavoring to have a case management process that is as reliable as possible."
Auditor: "Based on its response, we believe that MOD is taking appropriate measures to address our concerns in this area."
MOD could not substantiate reported 2013 Client Services Program performance measures.
recordkeeping/documentationreporting timelinessinternal controls

Why it matters: MOD may not have accurately represented Client Services Program performance and may not be capturing essential information needed to measure program outcomes.

Standard: Executive Order 540 requirements for strategic plans and performance reports with outcome measures and supporting analysis. ( Executive Order 540 )

1 recommendation
  • MOD should establish the processes and controls necessary to identify information needed to measure and document the Client Services Program objectives and performance measures detailed in its annual performance report.
Agency response & Auditor reply
Agency: "The new database will be able to generate this report automatically and document whether or not a survey has been sent out."
Auditor: "Based on its response, we believe that MOD is taking appropriate measures to address the concerns we identified."
MOD lacked sufficient access-security controls over its case-management system.
cybersecuritydata privacyinternal controls

Why it matters: The database was at risk of unauthorized access, alteration, or deletion of critical and personal information.

Standard: MassIT Enterprise Access Control Security Standards and MOD's MassIT-approved information security plan. ( MassIT Enterprise Access Control Security Standards; Executive Order 504 )

3 recommendations
  • MOD should pursue the possibility of obtaining a new case-management system to replace its existing, ineffective database.agency: agreed
  • Once an implementation date has been established, management should seek guidance from MassIT on ensuring that necessary access-security controls are in place and are consistent with established MassIT policies and standards.agency: agreed
  • Until a new system is in place, MOD should establish policies for access security that could include, for instance, periodically reviewing access privileges, refraining from sharing passwords, and providing employees with appropriate training on what are considered “good security practices.”agency: agreed
Agency response & Auditor reply
Agency: "MOD agrees with the recommendations that it should establish policies for access security; such policies and procedures will be addressed in the updated policies and procedures discussed above."
Auditor: "Based on its response, we believe that MOD is taking appropriate measures to address our concerns in this area."

More audits of this entity

Other Office of the State Auditor reports on Massachusetts Office on Disability .

See this entity's page with all 2 audits →