Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Plymouth Division of the Probate and Family Court Department

September 22, 2011 · Read the full official report (PDF) ↗

Published September 22, 2011 Audit covers July 1, 2008 – December 31, 2010 Under Suzanne M. Bump · 2011–2023

In plain English
The audit found the court generally had adequate IT controls, but needed fixes for computer inventory, password security, and emergency continuity planning.
source
“Based on our review, we have determined that, except for the issues noted in the Audit Results section of the report, for the period July 1, 2008 through December 31, 2010, the Court maintained adequate internal controls for the areas tested.”
Read the plain-English breakdown
What is this?

This is a Massachusetts State Auditor review of IT controls at the Plymouth Probate and Family Court for July 1, 2008 through December 31, 2010.

“In accordance with Chapter 11, Section 12, of the General Laws, we performed an audit of information technology (IT) controls at the Plymouth Division of the Probate and Family Court Department.”
Why was it audited?

Auditors checked whether the court had enough safeguards around its computer systems, data, equipment, and emergency readiness.

“The primary objective of our audit was to determine whether IT-related controls were in place and in effect to support the Court’s IT processing environment.”
What's in it for me?

If you use this court, better controls can help protect your information and reduce the risk of delays if systems fail.

“An extended loss of processing capabilities could adversely affect the Court’s ability to perform its primary business functions and could result in significant delays in processing caseloads.”
The bottom line

The court passed many control checks, but auditors found three main problems: mismatched computer inventory records, weak password rules, and no documented tested continuity plan.

“Our audit revealed that the Court, in conjunction with AOTC, had not developed a documented business continuity plan that would provide reasonable assurance that mission-critical data processing and business operations could be regained effectively and in a timely manner in the event of an emergency.”
What happens next

The court said it would work with Trial Court IT officials to reconcile equipment records, improve password policies, and create a written continuity and recovery plan.

“We shall contact the AOTC and the AOTC ITD in order to develop a written coordinated business continuity and recovery plan in the event of any interruption of our normal operations.”
Why it's significant

This report is significant because it points to practical weaknesses that could affect accountability for public equipment, protection of confidential court data, and the court’s ability to keep operating during an emergency.

“Without a comprehensive, documented, and tested business continuity plan, including required user area plans, the Court would be hindered from performing essential business functions.”
Jargon, unpacked

MassCourt is the main case-management computer system the court uses for filings, scheduling, case records, notices, reports, and related court information.

“The primary application system used by the Court is MassCourt, a comprehensive case management system that provides case entry, docketing, scheduling, case-related financial management, automated reports, notices and forms, and electronic storage of case documents available through the AOTC intranet.”

What the Auditor checked

What the Auditor found

The Court did not adequately reconcile and maintain complete inventory records for computer equipment.
asset/inventory controlinternal controlsrecordkeeping/documentation

Why it matters: Incomplete and inaccurate inventory records may hinder IT resource management, theft detection, unauthorized-use detection, and technology planning.

Standard: AOTC Fiscal Systems Manual, Chapter 647 of the Acts of 1989, and generally accepted IT asset-management standards. ( Chapter 647 of the Acts of 1989; AOTC Fiscal Systems Manual )

1 recommendation
  • The Court should reconcile all IT-related assets, resubmit a complete IT asset record to AOTC, maintain a perpetual inventory, ensure AOTC records key asset details, and receive timely deployment/removal information from AOTC.agency: agreed
Agency response & Auditor reply
Agency: "We shall immediately re-submit a complete record of all IT related equipment to AOTC ITD and work with that office to reconcile all essential IT inventory records of our two entities."
The Court and AOTC did not require regular password changes or maintain comprehensive password policies.
cybersecuritydata privacyinternal controls

Why it matters: Weak password controls increase the risk of unauthorized access, modification, or loss of confidential data in MassCourt and other automated systems.

Standard: Control Objectives for Information and Related Technology (CobiT) guidelines and computer industry standards for system access security. ( Information Systems Audit and Control Foundation’s Control Objectives for Information and Related Technology (CobiT) )

1 recommendation
  • The Court and AOTC should develop written password administration policies and implement system prompts requiring password changes within an established timeframe.agency: agreed
Agency response & Auditor reply
Agency: "We shall work with the AOTC ITD to develop appropriate written policies and procedures to implement and refine practices that will address the audit recommendations in this sensitive security area."
The Court and AOTC had not developed, documented, and tested a business continuity plan.
recordkeeping/documentationinternal controlspublic safety

Why it matters: Without documented and tested contingency planning, the Court may not be able to restore mission-critical operations quickly after an emergency, causing delays in caseload processing.

1 recommendation
  • The Court and AOTC should develop, document, test, review, and distribute disaster recovery, contingency, and user area plans, including annual criticality and business impact assessments and a risk analysis.agency: agreed
Agency response & Auditor reply
Agency: "We shall contact the AOTC and the AOTC ITD in order to develop a written coordinated business continuity and recovery plan in the event of any interruption of our normal operations."