BOSTON – A turf battle has broken out near the top of state government as executive branch agencies and the state's independent fiscal overseer tangle over who gets to design and implement computer systems that touch all state agencies, affect all state employees and can access sensitive information.
The rift over control of the project to upgrade the state's payroll and accounting systems broke into public view earlier this month during a contentious meeting with administration officials, constitutional officers and Comptroller Thomas Shack. The belligerency has continued since, largely between Shack and Administration and Finance Secretary Michael Heffernan.
The comptroller and the administration agree that the two old systems Massachusetts currently uses for human resources, payroll and accounting -- the Human Resource/Compensation Management System (HR/CMS) and the Massachusetts Management Accounting and Reporting System (MMARS) -- are antiquated, vulnerable to hacking and must be replaced. The donnybrook is over who gets to take the lead on designing and implementing the systems.
Shack, the independent and apolitical state financial watchdog appointed by the governor, wants to replace the 1980s-era systems with a cloud-based "enterprise resource planning" system that could handle all the same functions as HR/CMS and MMARS. His office has worked on the project for two years and sought quotes from top vendors in June. The bids expire Nov. 12.
Shack said the administration earmarked $8 million for the project in its fiscal 2019 capital plan and that his team met with Executive Office of Administration and Finance (ANF) officials in July to clear up a few questions. They left with the impression that nothing stood in the way of the financial systems transformation project, Shack said. In late July, he told the Comptroller Advisory Board the project was delayed as his office waited for funding from the administration.
"In late September, I was asked personally to withdraw the [Request for Quotes] and partner with ANF and others on a bigger, better procurement that would encompass business process redesign," Shack said at an Oct. 12 meeting of the Comptroller Advisory Board. He added, "At this point, it has been made clear to me, at least verbally, that the funding will not be forthcoming unless we were to withdraw the RFQ and agree to a more broad RFQ."
The administration's side of the story is slightly different. The capital plan released in May includes $8 million for a "financial systems transformation," but that authorization is for the Executive Office of Technology Services and Security (EOTSS), a cabinet-level agency created by the Baker administration in 2017 to coordinate the state's IT and cybersecurity efforts.
"The project is going forward as planned and budgeted with EOTSS performing the necessary preliminary work to do the project," Jennifer Sullivan, the undersecretary of ANF, said at the Oct. 12 meeting. Sullivan, an expert in capital budgeting, participated in the meeting on Heffernan's behalf.
Shack said the idea of partnering with EOTSS to design and implement the state's accounting and payroll systems is untenable because his independent office cannot partner with one part of state government "to the exclusion of" others.
"So if I were to simply say, 'yes, I'll partner with ANF or TSS or the executive,' then now I'm subjecting the apolitical and independent comptroller's office to a political arm of government," he said.
Heffernan, in a letter to Shack last week, wrote that he hopes the comptroller will follow the procurement model that EOTSS has laid out and wants to use as it seeks to replace the state's financial systems.
"Replacement of our core financial systems is certainly needed and the proposed project is a major project in terms of scope, expected capital costs, timing, and the centrality to the effective operations of state government," Heffernan wrote on Oct. 16. "We expect that the capital project delivery process described above will be followed in order to develop an affordable, sustainable, and practical operating and capital financing plan for this project."
In response to Heffernan's letter, Shack said the steps Heffernan laid out for a successful project "are in complete harmony" with how his office has led the project to this point.
"All of these components have been covered, in exquisite detail, by the cross-commonwealth team, assembled and led by CTR [the comptroller's office] and including EOANF, EOTSS, et al. since the project's inception," he said. "This makes the rationale of withholding FY19 FST [financial system transformation] project funds even more perplexing at this very late hour -- and raising obvious concerns about the EOANF's stated rationale."
A question of authority
Shack's concern about the involvement of EOTTS and ANF extends beyond his worry that such a partnership could threaten his office's independence. He argues that the comptroller, and only the comptroller, has the authority under state law to "design and install an accounting system for the commonwealth." The law says no accounting system other than the one prescribed by the comptroller should be used.
"My job is to design the accounting system under Chapter 7a and to implement it," Shack said. "Their job is to either pay for it or not pay for it."
Heffernan said ANF is "conscious of the status of the Comptroller as an independent agency" and its responsibility to design and install the state's accounting system. Nonetheless, he said ANF is well within its own rights.
"These statutory provisions do not deprive EOTSS and EOAF of their respective roles to oversee information technology investment, and to ensure the careful spending of bond proceeds that is consistent with the authorized purposes for such spending," Heffernan wrote, adding a footnote reminding Shack that he falls under the jurisdiction of EOTSS. "We also note that the transformation project that the Comptroller currently envisions ... is not exclusively for an 'accounting system.'"
Shack also expressed worry at the Oct. 12 meeting that EOTSS, which began as an arm of ANF, is involved at all with a project that carries such great security concerns.
"I'll just tell you right now, I am not going to put our technology future in the hands of TSS, with all due respect. That's where we've been," Shack said.
In the last year, the Boston Globe has reported on a series of embarrassing data snafus emanating from the Department of Revenue, which was run by Mark Nunnelly before he became Baker's first secretary of EOTSS. Nunnelly has since left the administration.
Until January, a data breach at DOR made the private information of 39,000 business taxpayers visible to other firms. In March, DOR officials blamed a computer system for the department's failure to deliver timely child support payments to about 1,500 parents, and in April DOR said personal information of thousands of child support payers was sent in error to companies other than those that employed the payers.
"Much of what we're talking about is the failings of the technology arm of the executive to address these issues in a timely basis," Shack said about IT issues broadly.
In a response to Heffernan's letter, Shack also pointed to recent payroll scandals at the State Police and the fact that various state policies allowed some State Police payroll data to remain unavailable through the comptroller's government transparency system. He said the "systemic weaknesses" of the state's IT infrastructure are to blame for those issues.
"No amount of statewide adherence to CTR's [the comptroller's office's] internal control standards can prevent the type of endemic fraud that the public have had to endure in the absence of better security and/or accounting systems," Shack wrote. "Unfortunately, improvements to the state's underlying technology and security infrastructure have been fraught with delay under EOANF and EOTSS' leadership in 'governance.' CTR believes we must do better."
'It is inevitable that we will be breached'
The comptroller said his office began an analysis of the HR/CMS and MMARS systems in 2015 and found "some alarming security concerns."
"In one examination, MMARS and HR/CMS were hacked at the highest level in the system in less than 48 hours," Shack said. "That was a test, not an actual event, but it was devastatingly alarming to us as utilizers of the commonwealth's IT infrastructure."
The two systems collectively process about $60 billion in annual transactions and can access the personal information of more than 100,000 state employees across the 152 state agencies. Shack said the state's data warehouse contains more than 500,000 sensitive or private records of active and former state employees.
"Probably the most troubling aspect of this is just that every day that goes by is another day that that pronounced risk that I talked about, every single day that we wait on a project like this ... it makes absolutely no difference to the people of Massachusetts when that breach occurs," he said. "I'm telling you today -- and I've said it before but I'll say it quite clearly on Oct. 12, 2018 -- it is inevitable that we will be breached. It's not a question of if, it is a question of when."
If the systems were breached, Shack estimated the cost to the state would be between $75 million and $200 million.
'Independent except when we need the money'
The bad blood between the comptroller and administration emerged publicly at a meeting of the Comptroller Advisory Board, which counts Auditor Suzanne Bump and Treasurer Deborah Goldberg as members.
Bump and Goldberg, both Democrats elected statewide, expressed concern over the administration's apparent intervention in the comptroller's project and both said they thought it was late in the game for the administration to throw the brakes on.
"I don't want to turn this into a turf war but, in fact, the law gives the responsibility and the authority to the comptroller to lead in this area," Bump said at the Oct. 12 meeting. "So we've got an office with statutory authority to move forward and he's being told, 'no you can't move forward because we aren't ready' is what I think I'm hearing."
Bump, who relies on the state's computer systems to access information for her audits, said she and the other constitutional officers are also "dependent upon the will of the administration" to fund capital projects.
"And so we're independent except when we need the money, then we're dependent," she said.
It is unclear what the next steps in the financial system transformation project are. Shack's team expressed hope that things could be back on track before the bids they sought become stale on Nov. 12 and Sullivan, the ANF undersecretary, said "there is certainly hope" for resurrecting the project and collaboration.
"We expect that our ongoing partnership will be marked by mutual support and respect, appropriate allocation of responsibility and decision-making, open and effective communication, and prioritization of constituent and stakeholder outreach," Heffernan wrote in his letter urging Shack to follow the EOTSS process.
Shack said Tuesday that if his office listens to Heffernan's advice and goes along with the EOTSS process, "it would likely take a decade or more to see the project come to fruition."