Audit Release: OLCC Cannabis Information Systems are Properly Functioning but Monitoring and Security Enhancements are Needed

Report Highlights


Although the Oregon Liquor Control Commission (OLCC) has taken positive steps to establish information systems for recreational marijuana regulation, we identified several weaknesses associated with OLCC’s new IT systems used for marijuana licensing and tracking. They include data reliability issues and insufficient processes for managing marijuana applications and vendors. In addition, OLCC has not implemented an appropriate agency-wide IT security management program. We identified eight IT security issues that significantly increase the risk that OLCC’s computer systems could be compromised, resulting in a disruption of OLCC business processes.

Background

In 2014, voters approved Measure 91, which legalized the production, sale, and use of recreational marijuana in Oregon. To help regulate and support this new industry, OLCC implemented the Marijuana Licensing System and the Cannabis Tracking System.

Audit Purpose

The purpose of our audit was to review and evaluate key general computer controls governing OLCC’s IT security management program, and application controls over the Cannabis Tracking and Marijuana Licensing Systems.

Key Findings

Within the context that legal marijuana is an emergent and unique public policy and the state is understandably still in the process of implementing governance programs, regulations, controls, and resources, we found:

  1. Data reliability issues with self-reported data in the Cannabis Tracking System (CTS) and an insufficient number of trained compliance inspectors inhibit OLCC’s ability to monitor the recreational marijuana program in Oregon.
  2. OLCC should improve processes for ensuring the security and reliability of data in the CTS and the Marijuana Licensing System. In addition, better processes are needed to monitor vendors that host and support these applications.
  3. OLCC has not implemented an effective IT security management program for the agency as a whole.
  4. OLCC has not formally developed a disaster recovery plan and has not tested backup files to ensure they can be used to restore mission-critical applications and data.

Recommendations

The report includes 17 recommendations to the Oregon Liquor Control Commission focused on addressing the weaknesses in the CTS data reliability, management of software as a service, IT security management, and disaster recovery and backup processes.

The Commission generally agreed with our recommendations.  The Commission’s response can be found at the end of the report.

Read full report here.

 

Featured New Audit Release

The Balance ReBlog: Communication skills for workplace success (w/ Weird Al bonus video!)

The ability to communicate effectively with superiors, colleagues, and staff is essential, no matter what industry you work in. Workers in the digital age must know how to effectively convey and receive messages in person as well as via phone, email, and social media. Good communication skills will help get hired, land promotions, and be a success throughout your career.

Alison Doyle with CareerToolBelt.com outlines the communication skills that serve both job applicants and workplace peers. Can you guess what the #1 most important skill is?

 

Communication tips not enough? Let Weird Al guide you toward full enlightenment with the following ballad:

 

Accountability and Media Featured

Audit Release – Foster Care in Oregon: Chronic management failures and high caseloads jeopardize the safety of some of the state’s most vulnerable children

Report Highlights


Oregon’s most vulnerable children are being placed into a foster care system that has serious problems. Child welfare workers are burning out and consistently leaving the system in high numbers. The supply of suitable foster homes and residential facilities is dwindling, resulting in some children spending days and weeks in hotels. Foster parents are struggling with limited training, support and resources. Agency management’s response to these problems has been slow, indecisive and inadequate. DHS and child welfare managers have not strategically addressed caseworker understaffing, recruitment and retention of foster homes, and a poorly implemented computer system that leaves caseworkers with inadequate information.

Background

Since 2011, there have been over 11,000 children in the Oregon foster care system each year. These children are vulnerable and are often the victims of child abuse and neglect.

Audit Purpose

The purpose of the audit was to determine what changes and improvements DHS can make to better promote the wellbeing of children in foster care and ensure they are better protected and cared for.

Key Findings

  1. DHS and Child Welfare struggle with chronic and systemic management shortcomings that have a detrimental effect on the agency’s ability to protect child safety. Management has failed to address a work culture of blame and distrust, plan adequately for costly initiatives, address the root causes of systemic issues, use data to inform key decisions, and promote lasting program improvements. As a result, the child welfare system, which includes the foster care program, is disorganized, inconsistent, and high risk for the children it serves.
  2. DHS does not have enough foster placements to meet the needs of at-risk children, due in part to a lack of a robust foster parent recruitment program. The agency struggles to retain and support the foster homes it does have within its network. The agency also lacks crucial data regarding how many foster placements are needed and the capacity of current foster homes, inhibiting the agency’s ability to fully understand the scope of the problem.
  3. A number of staffing challenges compromise the division’s ability to perform essential child welfare functions. These challenges include chronic understaffing, overwhelming workloads, high turnover, and a large proportion of inexperienced staff in need of better training, supervision, and guidance.

Recommendations

We make 24 recommendations that address the agency’s management challenges, foster parent recruitment and retention, and child welfare staffing. Our recommendations also affirm the foundational recommendations Public Knowledge LLC made in September 2016.

The Department generally agrees with our recommendations. The Department’s response can be found at the end of the report.

Read the full report here.

Featured New Audit Release

Audit Release: The State Must Do More to Prepare Oregon for a Catastrophic Disaster

Report Highlights


Oregon is at risk of a major Cascadia earthquake and tsunami that will threaten infrastructure, cost potentially billions of dollars, and result in numerous deaths. The state must do more to prepare for such a disaster, including completing and implementing critical plans, fulfilling minimum standards for an effective emergency management program, and adequately staffing the agency charged with coordinating emergency management efforts.

Background

The emergency management system encompasses local governments and almost all of state government. The Office of Emergency Management (OEM) is charged with coordinating Oregon’s emergency management efforts, including mitigation, preparedness, response, and recovery.

Audit Purpose

The purpose of this audit was to determine the status of state agency and local emergency management efforts to prepare for a catastrophic event, such as a Cascadia earthquake and tsunami.

Key Findings

  1. Oregon does not meet key emergency management program standards. These national baseline standards are a tool to strengthen preparedness and response, demonstrate accountability, and identify resource needs.
  2. Planning efforts across all levels of Oregon’s emergency management system are lacking. Critical continuity plans that ensure functional government services in the wake of a disaster are either missing or incomplete. Additionally, insufficient staff resources put the state at risk of losing potentially millions of dollars in federal grant funding for future disasters.
  3. Current statewide staffing is inadequate to reduce Oregon’s vulnerability to disasters. OEM in particular is understaffed, despite repeated budget requests to the Legislature, which inhibits the agency’s capacity to coordinate emergency management efforts in the state.
  4. More accountability, such as public reporting and tracking, is needed to ensure progress on long-term resilience goals and projects and to enhance public awareness.

To reach our findings, we conducted a survey of state agencies and local emergency management programs. We also interviewed staff at OEM, other executive branch agencies, and the legislative and judicial branches of state government. We researched programs in other states and assessed emergency management program standards.

Recommendations

This audit includes 11 recommendations, five to OEM and six to the Governor’s Office. These recommendations include such actions as completing, implementing, and exercising emergency and continuity plans; meeting minimum emergency management program standards; reporting on efforts to improve state resilience; defining roles and responsibilities and assessing and filling resource gaps.

OEM agreed with all the recommendations we made to them. The Governor’s Office agreed with all but one of our recommendations. That recommendation, they believe they have already implemented. Both OEM and the Governor’s Office’s responses can be found at the end of the report.

Read the full report here.

Emergency Management Framework

Featured New Audit Release Performance Audit

Internal Auditor ReBlog: Let’s talk about feedback

Through frequent conversations with practitioners who are relatively new to the internal audit profession — including both people within and outside my organization — it seems there is a disconnect when it comes to feedback. Manager-level employees tell me they often provide informal feedback to the staff and senior auditors who work with them. Meanwhile, those same managers’ staff and seniors say they don’t receive enough feedback, don’t know if they are “on track,” and don’t know what they are doing well and what they can im​prove. This is where a few simple conversation areas can reap great benefits.

Laura Soileau, a director in Postlethwaite & Netterville’s Consulting Department in Baton Rouge, Louisiana, discusses the importance of ongoing communication and relationship building in the workplace when delivering – and receiving – feedback (both in formal performance evaluations and day-to-day). She provides a list of useful questions for supervisors and staff to ask each other, and to ask themselves. Maintaining healthy working relationships and keeping the lines of communication open, professional, and productive “should be a shared responsibility.” Feedback is crucial to keeping performance on track, but in this case, the ‘who and how’ is almost as important as the ‘why.’

Read more here!

Accountability and Media Featured

Audit Release: DEQ Should Improve the Air Quality Permitting Process to Reduce Its Permit Backlog and Better Safeguard Oregon’s Air

Report Highlights


The Secretary of State’s Audits Division found that the Oregon Department of Environmental Quality (DEQ) should evaluate staffing and workloads among air quality permit writers and provide better guidance to both staff and businesses to help reduce the agency’s air quality permit backlog.

Background

This audit reviewed air quality permitting at the Oregon Department of Environmental Quality. Air quality permits regulate the types and amounts of air pollution businesses are allowed to emit, based on federal pollution limits set by the Clean Air Act and state limits established in state laws and DEQ rules.

Audit Purpose

The purpose of this audit was to determine how DEQ could improve its air quality permitting process to better safeguard Oregon’s air quality.

Key Findings

The Oregon Department of Environmental Quality has a significant backlog in air quality permit renewals. We found that:

  1. 43% (106 out of 246) of DEQ’s largest and most complex federal and state air quality permit renewals are overdue for renewal. Additionally, more than 40% of the most complex permits issued from 2007 to 2017 exceeded timeframes established by DEQ or the Clean Air Act, some by several years.
  2. DEQ struggles to issue timely permits and renewals due to a variety of factors, including competing priorities, vacancies, and position cuts that have created unmanageable workloads. Other factors include inconsistent support and guidance for staff; a lack of clear, accessible guidance for applicants; and increased time for the public engagement process.
  3. Untimely permits, combined with a current backlog of inspections, endanger the state’s air quality and the health of Oregonians. For example, when DEQ does not issue permit renewals on time, businesses may not provide DEQ with data showing they are complying with new or updated rules.

To reach our findings, we conducted interviews, analyzed air permit data, reviewed documents and reported practices, and researched leading practices.

Key Recommendations

Based on our review of leading practices and air quality agencies in other states, the report includes ten recommendations to the Department of Environmental Quality. Recommendations include evaluating permit writer workloads and staffing, clarifying the public engagement process, providing better guidance to permit writers and businesses, and conducting a process improvement effort.

The agency agreed with our findings and recommendations. Its response can be found at the end of the report.

Read the full report here.

Featured New Audit Release Performance Audit

Audit Release: Stronger Accountability, Oversight, and Support Would Improve Results for Academically At-Risk Students in Alternative and Online Education

Report Highlights


The Secretary of State’s Audits Division found that the Oregon Department of Education (ODE) has not focused on improving education for at-risk students in alternative and online schools and programs, though they account for nearly half the state’s high school dropouts. Sharpening Oregon’s focus would improve accountability, district oversight, and school and program performance, and would benefit at-risk students and the state’s economy.

Background

Many vulnerable students attend Oregon’s alternative schools and programs and online schools. Responsibility for improving education for those students is shared by ODE, school districts, and others.

Audit Purpose

To determine how ODE and school districts can help increase the success of academically at-risk students in alternative and online education. Online and alternative education schools and programs also serve students who are not academically at-risk. The audit did not focus on their effectiveness with these students.

Key Findings

  1. ODE has not adequately tracked and reported on the performance of alternative schools and programs. As a result, the state lacks critical information about school and program effectiveness.
  2. Enhanced state monitoring and support, and more robust district oversight could improve results for at-risk students in alternative schools and programs, and in online schools.
  3. Some states have held districts, alternative schools, and programs to high standards and provided more support to help at-risk students succeed.
  4. Other states have also increased oversight of fast-growing online schools. In contrast to these states, Oregon’s laws allow online schools to increase enrollment rapidly regardless of their performance.
  5. To reach our findings, we interviewed multiple stakeholders, reviewed documents, analyzed school performance data, researched practices in other states, visited schools, and surveyed all of Oregon’s school districts. Our office also released an audit of graduation rates recently that focuses on students in traditional high schools.

Key Recommendations

This audit includes recommendations designed to improve results for at-risk students in alternative and online schools and programs. ODE should develop a more meaningful accountability system for alternative and online education. The agency should establish and monitor standards for crucial practices, such as annual district evaluations of these schools and programs. ODE should also strengthen state attendance and funding standards for online schools.

ODE generally agreed with our recommendations. The agency’s response can be found at the end of the report.

Read full report here.

Featured New Audit Release