Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Office of the Attorney General

October 10, 2013 · Read the full official report (PDF) ↗

Published October 10, 2013 Audit covers July 1, 2010 – June 30, 2012 Under Suzanne M. Bump · 2011–2023

In plain English
The audit found that the Attorney General's Office generally had adequate controls in the areas tested, but needed to fix weaknesses in computer user access, charity filing-fee processing, and fixed-asset tracking.
source
“Except for the issues addressed in the Audit Findings section of this report, for the period July 1, 2010 through June 30, 2012, the AGO maintained adequate internal controls over its financial operations and program activities and complied with applicable laws, rules, and regulations for the areas tested.”
Read the plain-English breakdown
What is this?

This is a performance audit of the Massachusetts Attorney General's Office covering July 1, 2010 through June 30, 2012.

“In accordance with Chapter 11, Section 12, of the Massachusetts General Laws, we conducted a performance audit at the Attorney General’s Office (AGO) for the period July 1, 2010 through June 30, 2012.”
Why was it audited?

Auditors reviewed whether the office had proper internal controls, including controls over revenue, spending, public charity operations, fixed assets, and computer access.

“Our audit was initiated to determine whether the AGO’s internal control structure was suitably designed and to assess the adequacy of controls over its operations, including internal controls over financial records pertaining to revenue and expenditures.”
Why it matters

The Attorney General's Office handles lawsuits involving the Commonwealth and manages sensitive case information, public money, and state property.

“The AGO is responsible for representing the Commonwealth in all lawsuits and civil proceedings in which the Commonwealth is an interested party.”
What's in it for me?

For an ordinary resident, the audit is about whether a major state office is protecting public money, state equipment, and sensitive legal information properly.

“The AGO’s case-management system consists of separate application modules used to manage information related to civil and criminal cases.”
The bottom line

The biggest problem was that former employees still appeared on active user lists, including some with high-level access, even though auditors found no evidence of unauthorized access.

“Our test of system access security controls revealed that 143 former AGO employees, including 56 with high-level access privileges to the AGO’s case-management database system, remained on the active user list.”
Why it's significant

The findings matter because weak controls can increase the risk of lost checks, lost revenue, unauthorized internal access, or poor tracking of state assets.

“Without the AGO’s performing an annual physical inventory and reconciliation and adhering to the OSC Fixed Asset Accounting and Management Policy, there is the potential for Commonwealth assets to be improperly safeguarded against loss, theft, or misuse and the inability to verify that its inventory system of record and the Fixed Asset Subsystem are complete, accurate, and up to date.”
Jargon, unpacked

A 'GAAP fixed asset' means a significant long-term item the state owns, such as land, buildings, vehicles, equipment, or computer systems, that must be recorded and tracked under accounting rules.

“The Commonwealth defines GAAP fixed assets as all tangible property (real and personal) such as land, buildings, computer software and systems, landmarks, infrastructure and equipment, etc., with a useful life of more than one year.”

3 figure(s) pending source verification - not shown

What the Auditor checked

What the Auditor found

The AGO did not promptly deactivate former employees’ case-management system accounts.
cybersecurityinternal controlsdata privacy

Why it matters: Confidential and sensitive case-management information could be vulnerable to unauthorized internal access.

Standard: AGO internal control plan and COBIT IT security control framework ( Control Objectives for Information and Related Technology (COBIT) )

Agency response & Auditor reply
Agency: "The AGO has deactivated the accounts of former employees and has created a periodic review and reconciliation procedure which is also now reflected in the AGO’s ICP."
Auditor: "Based on its response, we believe that, by strengthening internal controls over its system user accounts, the AGO is taking appropriate measures to address concerns we identified."
The NPO/PCD did not always process and forward filing-fee checks for deposit within one business day.
cash handlinginternal controlsreporting timeliness

Why it matters: Late processing increases the risk that checks may be misplaced or lost and that revenue due to the Commonwealth may be lost.

Standard: AGO internal controls and OSC Cash Recognition and Reconciliation Policy ( OSC Cash Recognition and Reconciliation Policy; Chapter 30, Section 27, of the Massachusetts General Laws )

2 recommendations
  • More closely monitor procedures to ensure checks are sent to the Budget Division within one business day of receipt.
  • If daily remittance is impractical, seek an exception from the Executive Office of Administration and Finance and the Office of the State Treasurer.
Agency response & Auditor reply
Agency: "The AGO is seeking from the State Treasurer an exception from the requirement per the same statute that establishes the requirement, M.G.L. c. 30, § 27."
The AGO did not conduct and document required annual physical inventories and did not consistently tag fixed assets.
asset/inventory controlrecordkeeping/documentationinternal controls

Why it matters: The AGO could not ensure that Commonwealth fixed assets were safeguarded against loss, theft, or misuse or that inventory records were complete, accurate, and current.

Standard: OSC Fixed Assets – Accounting and Management Policy ( OSC Fixed Assets – Accounting and Management Policy )

2 recommendations
  • Develop and implement policies, procedures, and internal controls to ensure an annual physical inventory and reconciliation is conducted and documented on or around June 30 each fiscal year.agency: already implemented
  • Assign a unique asset identification number to each GAAP and non-GAAP fixed asset.
Agency response & Auditor reply
Agency: "The AGO will run a report based on its perpetual inventory system and reconcile physically its fixed assets to the report on or about June 30 of each year."
Auditor: "Based on its response, we are pleased that the AGO is taking measures to improve its classification of fixed assets and strengthen internal controls by conducting and documenting an annual physical inventory and reconciliation process."
The AGO did not timely determine and record certain leased equipment as GAAP fixed assets.
asset/inventory controlreporting timelinessinternal controls

Why it matters: The value of fixed assets could be understated and depreciation expenses distorted in the statewide CAFR.

Standard: OSC Fixed Asset Accounting and Management Policy and Fixed Assets – Acquisition Policy ( OSC Fixed Asset Accounting and Management Policy; OSC Fixed Assets – Acquisition Policy )

2 recommendations
  • Establish and implement internal controls to follow OSC inventory and reporting policies for fixed assets, especially GAAP fixed assets, and record GAAP fixed assets in MMARS within seven days of acquisition.
  • Review policies and procedures for midyear and annual GAAP fixed-asset reviews and determine whether additional controls are needed to ensure accurate confirmation forms.
Agency response & Auditor reply
Agency: "With respect to the second GAAP fixed asset, the EMC storage unit lease, the AGO did not enter the lease within seven days of its acquisition because it initially identified the lease as an operating lease."
Auditor: "With regard to the AGO’s telecommunications system, we recognize that on occasion technical malfunctions can take place that may prevent the timely recording of transactions in MMARS."

Prior findings revisited

Being worked on
"Prior Audit Results Partially Resolved"
Being worked on
"Our prior audit report (No. 2003-0072-2S) disclosed that inadequate administrative controls and an outmoded public-charities database had hindered the Not-for-Profit Organizations / Public Charities Division’s (NPO/PCD’s) enforcement of Massachusetts laws requiring accountability by all public charities engaging in charitable work or fundraising in the Commonwealth."
Still a problem
"Our prior audit report disclosed that the AGO had not conducted annual physical inventories and reconciliations or ensured that its inventory records were complete by including total costs and asset identification numbers, as required by the OSC."