Audit

Audit  Audit of the Cannabis Control Commission

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of certain activities of the Cannabis Control Commission (CCC) for the period January 1, 2019 through December 31, 2020.

Organization: Office of the State Auditor
Date published: September 26, 2023

Executive Summary

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the Cannabis Control Commission (CCC) for the period January 1, 2019 through December 31, 2020. The purpose of our audit was to determine whether CCC ensured that recreational marijuana products sold met the safety standards required by the following:

  • Sections 15(a)(1) through (3) of Chapter 94G of the General Laws;
  • Section 500.160(1) through (4) and (10) of Title 935 of the Code of Massachusetts Regulations, which was in effect during the audit period; and
  • CCC’s “Protocol for Sampling and Analysis of Finished Medical Marijuana Products and Marijuana‑Infused Products for Massachusetts Registered Medical Marijuana Dispensaries.”

Below is a summary of our findings and recommendations, with links to each page listed.

Finding 1
 

CCC did not identify all products considered expired and prevent their sale to consumers before they were retested.

Recommendation
 

CCC should develop and implement monitoring controls to identify all products with materials that were last tested more than one year ago and prevent the sale of those products to consumers.

Finding 2
 

CCC did not ensure that marijuana establishments (MEs) and independent testing laboratories (ITLs) properly reported marijuana products that tested positive for pesticides.

Recommendations
 

  1. CCC should use existing Metrc capabilities to create a report that identifies all positive pesticide tests for CCC’s Investigations and Enforcement Unit to monitor MEs’ and ITLs’ compliance with reporting requirements.
  2. CCC should develop adequate policies and procedures to ensure that ITLs’ standard operating procedures include instructions for responding to laboratory results that indicate that contaminant levels are above acceptable limits.

Finding 3
 

CCC did not provide cybersecurity awareness training to its employees.

Recommendation
 

CCC should ensure that all new employees receive initial cybersecurity awareness training and that all employees complete annual cybersecurity awareness training thereafter.

Downloads

Help Us Improve Mass.gov  with your feedback

Please do not include personal or contact information.
Feedback