GAO Watchblog ReBlog: Office Space

The federal government spends billions of dollars every year to operate and maintain the roughly 273,000 buildings it owns or leases. But we’ve reported for years on problems with how the federal government manages its real estate—in fact, federal real property management has been on our High-Risk list since 2003.

So, has anything changed? How effectively is the government using its real estate assets? Today’s WatchBlog explores our recent work on reducing office space in federal buildings and telework as a space planning tool.

Read more here.


Data-Smart City Solutions RePost — Map Monday: Beyond Floods

People tend not to think that bad things will happen to them. This psychological proclivity towards optimism—logically termed “optimism bias”—is in many ways a beneficial feature of the human psyche, as most live better lives when they’re not constantly obsessing over the possibility of some calamity befalling them.

However, the optimism bias also has its disadvantages, as it may discourage people from preparing for emergencies. This was the case during Hurricane Sandy, during which 77 percent of New Yorkers reported that inland flooding was much higher than they expected. In New York City alone, the storm damaged 90,000 buildings, created $19 billion in damage, and killed nearly 50 people.

Chris Bousquet, a Research Assistant and Writer with Harvard’s Ash Center, explores how data sharing can influence human action through the Beyond Floods CARTO platform.

Read more here.


Audit Release – Oregon Department of Revenue: GenTax Accurately Processes Tax Returns and Payments, but Logical Access and Disaster Recovery Procedures Need Improvement

Report Highlights


The Oregon Department of Revenue (DOR) designed and implemented controls in their GenTax system to provide reasonable assurance that tax return and payment information remains complete, accurate, and valid from input through processing and output. Logical access controls and change management controls are generally sufficient, but some areas need improvement. In addition, existing controls ensure the creation of appropriate backup of GenTax system files, though DOR does not have assurance they could timely restore the system in the event of a disaster or major disruption.

Background

The Oregon Department of Revenue replaced its legacy tax systems with GenTax, an integrated tax processing software package. This system processed about $10.3 billion in payments and $1.2 billion in refunds for tax periods ending in 2016.

Audit Purpose

The purpose of our audit was to review and evaluate key application and general computer controls governing DOR’s GenTax system. We focused on personal income, withholding, and corporate income and excise tax programs.

Key Findings

  1. GenTax controls ensure accurate input of tax return and payment information for personal income, withholding, and corporate income and excise tax programs. Additional processing and output controls provide further assurance that GenTax issues appropriate refunds and bills to taxpayers for taxes due.
  2. Logical access controls are generally sufficient, but DOR needs to make improvements to ensure managers have enough information to request appropriate access. DOR should also ensure that access remains appropriate for users who change jobs and is removed for users who are terminated.
  3. DOR monitors and tracks changes to GenTax to ensure system developers implement only approved program modifications, but better guidance is needed for testing procedures to ensure program modifications meet business needs.
  4. DOR does not have sufficient assurance that it could timely restore GenTax in the event of a disaster or major disruption.
  5. DOR has not obtained independent verification that the GenTax vendor has implemented appropriate controls over servers at an external data center to provide additional assurance that Oregon data is secure.

Recommendations

The report includes 11 recommendations to DOR regarding needed improvements to logical access procedures, disaster recovery plans and tests, and independent assurance of controls over servers at an external data center. DOR generally agreed with our recommendations. DOR’s response can be found at the end of the report.

Read the full report here.


Evergreen Data ReBlog: Is Feminist Data Visualization Actually a Thing? (Yes, and How!)

How can data visualization be feminist? Data is data — it speaks for itself.

A charming idea, to be sure. But it just ain’t true. Feminist data visualization is (and must be) a thing because data, data analysis, and data visualization are never neutral. The premise that, if handled correctly, data can present neutral evidence, is deeply flawed. Culture is embedded into our data at every stage.

As long as humans have been thinking about data viz, we’ve been projecting our worldview onto it.

Guest poster Heather Krause with Datassist discusses the concepts underlying feminist data visualization, how different cultures interpret data, and what data scientists and researchers can do to account for these differences in world view when collecting, analyzing, and presenting information.

Read more here.


GAO WatchBlog ReBlog: The Internet of Things — Are we ready for 50 billion things?

Your Fitbit, TV remote, microwave, and other wireless devices that use a network to communicate are part of the “Internet of Things” (IoT). Their use is growing fast—some experts forecast that 25-50 billion devices will be in use by 2025.

But the IoT depends on the availability of a finite resource—the radio frequency spectrum.

Read more here about the GAO’s recommendations to the FCC to expand efforts to make more spectrum available, use it more efficiently, or expand spectrum sharing.


Audit Release: OLCC Cannabis Information Systems are Properly Functioning but Monitoring and Security Enhancements are Needed

Report Highlights


Although the Oregon Liquor Control Commission (OLCC) has taken positive steps to establish information systems for recreational marijuana regulation, we identified several weaknesses associated with OLCC’s new IT systems used for marijuana licensing and tracking. They include data reliability issues and insufficient processes for managing marijuana applications and vendors. In addition, OLCC has not implemented an appropriate agency-wide IT security management program. We identified eight IT security issues that significantly increase the risk that OLCC’s computer systems could be compromised, resulting in a disruption of OLCC business processes.

Background

In 2014, voters approved Measure 91, which legalized the production, sale, and use of recreational marijuana in Oregon. To help regulate and support this new industry, OLCC implemented the Marijuana Licensing System and the Cannabis Tracking System.

Audit Purpose

The purpose of our audit was to review and evaluate key general computer controls governing OLCC’s IT security management program, and application controls over the Cannabis Tracking and Marijuana Licensing Systems.

Key Findings

Within the context that legal marijuana is an emergent and unique public policy and the state is understandably still in the process of implementing governance programs, regulations, controls, and resources, we found:

  1. Data reliability issues with self-reported data in the Cannabis Tracking System (CTS) and an insufficient number of trained compliance inspectors inhibit OLCC’s ability to monitor the recreational marijuana program in Oregon.
  2. OLCC should improve processes for ensuring the security and reliability of data in the CTS and the Marijuana Licensing System. In addition, better processes are needed to monitor vendors that host and support these applications.
  3. OLCC has not implemented an effective IT security management program for the agency as a whole.
  4. OLCC has not formally developed a disaster recovery plan and has not tested backup files to ensure they can be used to restore mission-critical applications and data.

Recommendations

The report includes 17 recommendations to the Oregon Liquor Control Commission focused on addressing the weaknesses in the CTS data reliability, management of software as a service, IT security management, and disaster recovery and backup processes.

The Commission generally agreed with our recommendations.  The Commission’s response can be found at the end of the report.

Read the full report here.


The Balance ReBlog: Communication skills for workplace success (w/ Weird Al bonus video!)

The ability to communicate effectively with superiors, colleagues, and staff is essential, no matter what industry you work in. Workers in the digital age must know how to effectively convey and receive messages in person as well as via phone, email, and social media. Good communication skills will help you get hired, land promotions, and be a success throughout your career.

Alison Doyle with CareerToolBelt.com outlines the communication skills that serve both job applicants and workplace peers. Can you guess what the #1 most important skill is?

Communication tips not enough? Let Weird Al guide you toward full enlightenment with the following ballad: