Conducting a web forms audit

Form audits help validate that state organizations collect the right data, send it securely to the right place, and store it properly.

Authors on Mass.gov use Formstack to create forms that are embedded on the website. It’s a crucial security and privacy practice to audit your organization’s Formstack forms, and the Mass Digital team provides you with quarterly data to help you conduct an audit.

Auditing forms ensures that you’re collecting the right data, storing it properly, and sending it securely to only the right places. It also helps identify outdated forms that should be removed from Formstack and Mass.gov.

We recommend taking the following steps to audit your agency’s forms at least annually.

Take inventory of Formstack forms and form pages on Mass.gov

While you can do an audit anytime, the Mass Digital team will generate a spreadsheet that contains data about all forms and related Form pages on Mass.gov at the end of each quarter. Having this data will allow your organization to conduct a forms audit more efficiently. Each organization should filter the spreadsheet to highlight their forms.

Columns in the forms audit spreadsheet include information related to both Formstack forms and Mass.gov pages.

Audit inventory starter sheet for March 2024

Download a copy, then filter the data based on the “Formstack folder” column and remove the rest of the rows.

Formstack columns: A through AF (headers are shaded blue)

Drupal columns: AH through AS (headers are shaded green)

From there, you can sort and filter the data in various ways to perform the audit. For some organizations, it might make more sense to audit by column (perform the same check on all forms), and for others, by rows (for each form, perform all checks).

Overview of Audit Steps:

  1. Find and delete old forms that are no longer needed.

  2. Verify user access to forms and all email addresses that receive submissions

  3. Review all integrations related to forms

  4. Verify that staff are getting data from any forms that don’t have data submitted by email or an integration.

  5. Look at the data being collected by forms for personally identifiable information (PII)

  6. Confirm that forms are using accessible features

  7. Verify that forms are using the correct design theme

  8. Verify the Formstack users that have access to your form

Each of these steps is described in the sections below. You can also find more details in our acceptable use guidelines.

Find and delete old forms that are no longer needed

Eliminating unneeded forms eliminates the need to do further checks of those forms.

  1. Sort the data by “Date of last submission” and look for any forms that have not had any submissions for “X” period of time, say 3 months. This may be an indication that the form is no longer valid and can be deleted within Formstack (please delete rather than archive).

  2. Double check for outdated forms by sorting the spreadsheet by “# of form submissions” and looking for forms that have no submissions or very few.

  3. If a form should be deleted, determine whether you need to save the submissions. If so, you can “Export All” of the submissions from within Formstack under the “Submissions” tab when editing a form.

  4. To delete the form, use the “Form status” dropdown under “Settings” when viewing a form in Formstack.

  5. Look under the “Mass.gov Form page title” or “Node ID” column in the spreadsheet to find the corresponding Form page for your form, and search for it in the content management system (CMS).

  6. Before trashing the Form page, use the “Pages linking here” tool to see which other pages link to it and remove those links from them; then trash the Form page.

You can crosscheck for outdated forms by reviewing the Mass.gov page data in the spreadsheet.

  1. Sort the spreadsheet by Mass.gov “Page views.” Very few page views may be a sign the page, and the form, are out of date.

  2. Sort by “Mass.gov page state.” If the page has been unpublished or trashed, it probably means the associated form is no longer valid.

  3. Sort by “Date created” to spot pages created a very long time ago and that may no longer be current.

Verify user access to forms and all email addresses that receive submissions

It’s important to make sure that the correct people are getting form responses and are acting on them.

  1. Look for anyone under “Form creator” who you know has left your organization. Their forms may still be valid, but it’s possible the forms will not be, so it’s worth checking them.

  2. Look under “Notification emails” to identify emails of anyone who may no longer be with your organization. This could be an indication that the form is outdated, or you may need to update the “Notification email” address to someone else within Formstack.

  3. Look under “Form access” to review those with access to forms within Formstack.

  4. If anyone shouldn’t have access, go to the form in Formstack, find the “Settings” tab, and select “User access” on the left-hand side of the screen. Remove user access by selecting “Remove” under the “Action” column on the right.

  5. If you identify a user who should no longer have access to Formstack itself, go to the Formstack Home screen, and select “Users” to call up a list of all those with accounts. Users who should no longer have access can be removed from the application by choosing “Remove user” under the “Actions” column.

  6. In the CMS, take note of whether any users removed from your agency’s Formstack team have authored any of your organization’s Form pages but no longer have active CMS accounts. If so, you can change the author of the Form pages to a current user.

  7. For every form recipient, contact them and verify that they are receiving the form submissions and taking all necessary action steps for them.

  8. For each form, in the submissions tab, check to see if there are scheduled export jobs. If so, be sure to verify that the email address receiving the submissions is appropriate and verify that the data being exported and emailed is appropriate to be sent over email.

Review all integrations related to forms

Integrations take the form data and send it to another system. It’s important to make sure that this system is an appropriate place for the data.

  1. Review the “Active integrations” column in the spreadsheet with your CIO, CISO or other senior business manager to verify that the integration method complies with your organization policies. Some integrations could use third party tools or systems which may not be appropriate for your organization.

  2. Find out who manages the system where the data is being sent. Verify who has access to it. Make sure someone is taking action when forms are submitted. If you aren’t sure who manages the system where the data is being sent, look at the form history and ask the person who created or last modified the form.

  3. Verify that forms are not collecting any payments. If you find a form that is collecting payments, review it with your CIO or CFO, since our Formstack account should not be used in this way.

  4. Document this information and review with your CIO, CISO or senior business manager.

Verify that staff are downloading data from any forms that don’t have data submitted by email or an integration.

If you find forms that don’t have email or integrations, it’s important to make sure that someone is downloading data from Formstack on a regular basis. This ensures that constituents aren’t submitting forms that no one acts on.

Check the forms for any fields that solicit any sensitive information

  1. Ensure that forms are not being used to collect sensitive personally identifiable information (PII), such as Social Security numbers, driver’s license numbers, health information, credit card numbers, or bank account numbers.

  2. You can look at the form itself or review it via the back end in Formstack under the “Build” tab to determine whether any sensitive information is being collected and remove such questions from your form.

  3. Consult with your organization’s CIO or CISO on what can or cannot be collected, and how data should be stored. Ask them to review any forms that might collect PII.

  4. Those charged with handling the data collected through forms should be trained on what data should not be collected and how certain types of data need to be handled.

Confirm that forms are using accessible features

All forms should be accessible.

  1. Check that yours do not require electronic signatures that are drawn with a mouse or finger; use options such as typing in a name in lieu of a signature.

  2. Break long forms into smaller sections.

  3. Always label fields.

Verify that forms are using the correct design theme

All forms on Mass.gov Form pages should use the Mayflower V4 default theme to ensure the form displays correctly.

  1. You can see which theme your forms use under the “Design theme” column in the spreadsheet. If “Mayflower V4” isn’t listed (Warning: it shouldn’t read “Mayflower Standalone Theme”), you should update the theme for your form.

  2. In Formstack, go to the “Build” tab for your form and toggle to “Style” on the left-hand side of the page. From there you can change the theme.

  3. Verify that forms are not using the “Save and Resume” feature which will not correctly style forms and will not render them on the correct domain.
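Most of the checks above (stale forms, departed creators and notification recipients, forms with no email or integration, integrations that need CIO/CISO review, fields that look like sensitive PII, and the design theme) can be run in one pass over a CSV export of the quarterly audit spreadsheet before the manual review begins. The script below is an added illustration of that approach and is not part of this page or of the Mass Digital team’s tooling. It assumes the spreadsheet has been saved as CSV with the column headers named on this page; the “Form name” and “Field labels” columns and the sample rows and email addresses are constructed for the example.

```python
"""Automated first pass over a CSV export of the forms audit spreadsheet.

Added example, not Mass Digital tooling. Column headers follow this page;
"Form name" and the pipe-separated "Field labels" column are assumptions
standing in for a review of each form's Build tab.
"""
import csv
import io
import re
from datetime import date, datetime

# Constructed sample export (three forms in one folder).
SAMPLE_CSV = """\
Form name,Formstack folder,Date of last submission,# of form submissions,Form creator,Notification emails,Active integrations,Design theme,Mass.gov page state,Field labels
Permit renewal,DPH,2024-03-10,412,alice@example.gov,alice@example.gov;bob@example.gov,Google Sheets,Mayflower V4,published,Name|Email|License plate
Event feedback,DPH,2023-08-02,3,carol@example.gov,carol@example.gov,,Mayflower Standalone Theme,unpublished,Name|Comments
Benefit intake,DPH,2024-02-28,88,dave@example.gov,dave@example.gov,,Mayflower V4,published,Name|Social Security Number|Bank account number
"""

DEPARTED_USERS = {"carol@example.gov"}  # constructed: accounts known to have left
STALE_DAYS = 90                          # the page's suggested "3 months"
LOW_SUBMISSIONS = 5                      # "no submissions or very few"
REQUIRED_THEME = "Mayflower V4"
# Field labels that suggest the sensitive PII the page says must not be collected.
SENSITIVE = re.compile(
    r"social security|\bssn\b|driver'?s license|credit card|bank account|health",
    re.IGNORECASE,
)


def audit_forms(csv_text, today, departed=DEPARTED_USERS):
    """Return {form name: [issue, ...]} for every form with at least one finding."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        last = datetime.strptime(row["Date of last submission"], "%Y-%m-%d").date()
        if (today - last).days > STALE_DAYS:
            issues.append(f"stale: last submission {last}")
        if int(row["# of form submissions"]) < LOW_SUBMISSIONS:
            issues.append(f"low volume: {row['# of form submissions']} submissions")
        if row["Mass.gov page state"].lower() != "published":
            issues.append(f"page {row['Mass.gov page state']}: form may no longer be needed")
        if row["Form creator"] in departed:
            issues.append("creator has left the organization")
        recipients = [e for e in row["Notification emails"].split(";") if e]
        gone = sorted(set(recipients) & departed)
        if gone:
            issues.append("notification email for departed user: " + ", ".join(gone))
        if not recipients and not row["Active integrations"]:
            issues.append("no email or integration: confirm staff download submissions manually")
        if row["Active integrations"]:
            issues.append(f"integration in use ({row['Active integrations']}): confirm with CIO/CISO")
        pii = [f for f in row["Field labels"].split("|") if SENSITIVE.search(f)]
        if pii:
            issues.append("possible sensitive PII fields: " + ", ".join(pii))
        if row["Design theme"] != REQUIRED_THEME:
            issues.append(f"wrong theme: {row['Design theme']}")
        if issues:
            findings[row["Form name"]] = issues
    return findings


def run_sample():
    """Run the audit over the constructed export as of a fixed date."""
    return audit_forms(SAMPLE_CSV, date(2024, 3, 31))


if __name__ == "__main__":
    for form, issues in run_sample().items():
        print(form)
        for issue in issues:
            print("  -", issue)
```

Each finding still needs the manual follow-up the page describes (exporting submissions before deletion, contacting recipients, reviewing integrations with the CIO/CISO); the script only narrows the list of forms that need attention. The PII pattern is a heuristic over field labels and will not catch sensitive data typed into a free-text “Comments” field, so the Build-tab review in the section above remains necessary.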

Verify the Formstack authors that have access to your forms.

Make a ServiceNow ticket with Mass.gov requesting a list of Formstack users who have access to your forms. Attach a list of forms or top-level folders.

Audit Completion

Submit the results of your audit to your CIO and CISO. Review it with them to answer any questions. Please let EOTSS know that you completed a forms audit and include the following:

  1. Who conducted the audit.

  2. The date (or date range) when the audit was done.

  3. A list of the top level Formstack folders that were included in the audit, along with a list of the forms.

  4. Verification that you audited all points in the audit process document and all forms that you listed.
