(ALGA Repost) Opportunities for Improvement: We Need to Talk

“The Yellow Book addresses communication of audit scope and objective at the beginning of the audit, and audit results at the end, but much communication happens, or should, during the audit.

8.23 Determining the form, content, and frequency of the communication with management or those charged with governance is a matter of professional judgment, although written communication is preferred. Auditors may use an engagement letter to communicate key information early in the engagement.

“Written communication is preferred”? Of course an engagement letter and discussion draft are written, and at the federal level, written is probably preferred, but the federal government is astronomically larger than any local audit office, like Jupiter is to Earth. Working under the general assumption that communications must be written, I think, will limit interaction that is critical to the ultimate success of an audit.

Because you all are auditing in a large variety of jurisdictions, I am cautious about recommending universal practices and just urge you to develop your briefing (and listening) procedures around the who, what, when, where, and why appropriate to your government.”

Gary Blackmer, former director of the Oregon Audits Division, discusses how auditors can communicate most effectively with agency heads and staff in his quarterly ALGA post, with practical suggestions for making introductions, engaging the agency in the audit process, finding context for problems, and making sure that your audit is on point. Read more here.


Audit Release: Significant Cost Savings Can Be Achieved by Modernizing Oregon’s Procurement Systems and Practices


Report Highlights

The Department of Administrative Services (DAS) has taken steps to develop a strategic approach for procuring goods and services more efficiently and at lower costs. However, a lack of detailed purchase data inhibits the agency’s ability to analyze its spending, resulting in missed opportunities for potentially millions of dollars in cost savings. Additionally, although the Office of the State Chief Information Officer (OSCIO) has made some improvements in project oversight processes for major information technology (IT) procurements, those processes remain immature, resulting in inefficiencies and confusion for state agencies.

Background

DAS has the authority and responsibility to oversee procurements for state agencies. The OSCIO, a component of DAS, is responsible for overseeing major IT procurements conducted by the state. The OSCIO also has authority to require agencies to obtain independent quality assurance (QA) for IT projects.

Purpose

The purpose of this audit was to determine whether DAS has implemented effective processes to reduce risk and minimize costs associated with IT procurements. Furthermore, we sought to determine whether costs for QA services for major IT investments align with best practices and are appropriately independent.

Key Findings

  1. Due to reliance on legacy systems and outdated procurement processes, DAS Procurement Services does not adequately analyze state spending data. As a result, during the 2015-17 biennium, the state missed the opportunity to potentially reduce costs between $400 million and $1.6 billion based on DAS Procurement Services’ estimate of $8 billion in procurements during that time.
  2. Although efforts to improve procurement efficiencies and reduce costs through Oregon’s new Basecamp program generally align with best practices, the effectiveness of these efforts is limited due to a lack of detailed purchase data.
  3. The OSCIO has made progress in establishing oversight processes to mitigate significant procurement risks associated with major IT projects. However, some processes remain immature, and lack of training and guidance have contributed to confusion and frustration for agencies with projects subject to OSCIO oversight.
  4. The cost for QA services is below industry norms, averaging 3.5% of total project costs, with a median of 5.1%. Additionally, controls are appropriate to ensure QA remains independent, but report tracking should be strengthened.

Recommendations

Our report includes one recommendation to DAS to modernize strategic sourcing efforts and four recommendations to the OSCIO to strengthen IT investment oversight processes. DAS and the OSCIO agreed with all of our recommendations. The agency’s response can be found at the end of the report.

Read full report here.


Oregon Health Authority Audit Release: Constraints on Oregon’s Prescription Drug Monitoring Program Limit the State’s Ability to Help Address Opioid Drug Misuse and Abuse


Report Highlights

The Prescription Drug Monitoring Program provides an important tool to address prescription drug abuse, including opioid abuse, and help improve health outcomes. Oregon’s laws have put constraints on the program that limit its effectiveness and impact. Restrictions are placed on what data are collected, analyses that can be done with the data, and with whom information can be shared. Correcting weaknesses in Oregon’s program will maximize its potential and help address opioid and other substance abuse issues the state faces.

Background

Oregon has the highest rate in the nation of seniors hospitalized for opioid-related issues such as overdose, abuse, and dependence. The state also has the sixth highest percentage of teenage drug users. The Oregon Health Authority (OHA) manages the state’s Prescription Drug Monitoring Program (PDMP), which collects information on controlled substance prescriptions within the state. The program was designed to promote public health and safety and to help improve patient care. It was also developed to support the appropriate use of prescription drugs.

Purpose

The purpose of this audit was to determine if Oregon can better leverage its PDMP to help with the opioid epidemic.

Key Findings

  1. OHA could better use PDMP data to analyze trends in prescribed drugs, including identifying patterns of possible opioid misuse and abuse. State laws prevent OHA from sharing information with key stakeholders, such as health licensing boards and law enforcement, on questionable activity. Our analysis found people who have received opioid prescriptions from excessive numbers of prescribers, as well as instances of dangerous drug combinations and prescriptions for excessive dosages of drugs. One person who received an excessive amount of opioid prescriptions had some of those prescriptions paid for by Medicaid.
  2. Oregon is one of only nine states that does not require prescribers or pharmacies to use the PDMP database before an opioid prescription is written or dispensed. Mandating use can be effective in reducing opioid misuse and other health related outcomes.
  3. Due to statutory restrictions, Oregon’s PDMP does not collect some prescription information that could be critical in preventing prescription drug abuse. This includes prescriptions filled by pharmacies other than only retail, veterinarian prescribed prescriptions, prescriptions for Schedule V drugs and drugs known to be abused or misused such as gabapentin, and prescription details such as method of payment, lock-in status, and diagnosis information.

Recommendations

Our report includes 12 recommendations to OHA for optimizing the state’s PDMP. OHA can implement some of these within existing statutes and rules, and for others it needs to work with the Legislature. OHA agreed with all of the recommendations, but stated that because seven fall outside the scope of its statutory authority, its ability to implement them is limited. The agency’s response can be found at the end of the report.

Read full report here.


Audit Release: ODOT Effectively Implementing Two Keep Oregon Moving Programs, but Could Do More to Enhance These Efforts


Report Highlights

Oregon House Bill 2017 (Keep Oregon Moving) is estimated to produce $5.2 billion in net revenue for the Oregon Department of Transportation (ODOT) to target congestion, public transportation and safety, and infrastructure repairs throughout the state. In addition to other initiatives, Keep Oregon Moving established two new programs: the Statewide Transportation Improvement Fund and Safe Routes to Schools infrastructure program. ODOT has developed and implemented frameworks to fulfill its statutory obligations for these two programs, but areas for improvement remain.

Background

Keep Oregon Moving was passed in 2017 as a significant investment in needed improvements to the state’s highway system, public transportation services, and routes for pedestrians, cyclists, and students. Its legislative intent is to increase the overall availability of public transit throughout the state, reduce congestion, increase safety, and provide public accountability. ODOT is charged with overseeing its implementation.

Purpose

The purpose of this audit was to examine ODOT’s strategic planning activities, governance approach, and control framework for implementing the state transportation investment package. The objective of the audit was to assess the accountability, equity, and transparency of the Statewide Transportation Improvement Fund (STIF) and Safe Routes to Schools (SRTS) programs established by Keep Oregon Moving. This real-time audit was conducted in alignment with our strategic focus of being timely and responsive. Real-time auditing focuses on evaluating front-end strategic planning, service delivery processes, controls, and performance measurement frameworks before or at the onset of significant program or public policy implementations by state agencies.

Key Findings

We found ODOT has developed effective frameworks to meet its obligations for the STIF and SRTS programs. For example, ODOT developed timelines, engaged participants, and established milestones in order to meet Keep Oregon Moving requirements. However, ODOT still needs to refine the following areas:

  1. The STIF and SRTS programs lack performance measures to track the success of either program.
  2. The agency does not have documented internal policies and procedures for monitoring the use of STIF funds or for the review, approval, and monitoring process of submitted SRTS applications.
  3. Active Transportation Liaisons, who coordinate SRTS projects within ODOT regions, need better defined expectations and job duties as they relate to administering the SRTS program.

Recommendations

We include seven recommendations for ODOT intended to enhance the efficiency and effectiveness of the STIF and SRTS programs.

ODOT agreed with all of our recommendations. The agency’s response can be found at the end of the report.

Read the full report here.


Audit Recommendation Follow-Up: Department of Administrative Services Should Enhance Succession Planning to Address Workforce Risks and Challenges


Recommendation Follow-Up Results

The Department of Administrative Services (DAS) agreed with the original audit, which identified eight recommendations for implementing a succession planning framework. Our follow-up work shows DAS has fully implemented six of those recommendations since the initial report. This significant progress still requires a little more work to implement the remaining two recommendations.

Highlights from the Original Audit

The Secretary of State’s Audits Division found that DAS should play a stronger leadership role in addressing key workforce risks and challenges within the state executive branch through enhanced workforce succession planning. Multiple factors indicate these risks and challenges are important, including changing workforce demographics and citizens’ needs for essential services that require skilled and experienced staff.

Background

Our original audit reviewed succession planning within Oregon’s executive branch. Succession planning is an ongoing management process used to ensure workforce continuity and effectiveness, particularly in key leadership and technical functions.

Purpose

The purpose of the audit was to determine if and how the State of Oregon could better plan for future key workforce needs, including preparing state employees to fill key roles. The purpose of this follow-up report is to provide a status on the auditee’s efforts to implement our recommendations.

Key Findings

Within the context that effective succession planning is difficult, complex, and is frequently not a priority within the public sector, we found:

  1. DAS has not developed or implemented a state-level succession planning framework, despite recognizing the importance of succession planning.
  2. The lack of a succession planning framework increases workforce risks, such as not developing or retaining knowledgeable and skilled employees to perform critical functions.
  3. These risks are exacerbated by demographic and economic trends, including increasing retirement rates, and a lack of formal succession planning processes within state agencies.
  4. State agencies also report challenges, including inaccessible workforce information that may hinder strategic human capital management practices and should be addressed at a state level.

Read the full report here.


TEDx Reblog: How do you get from diversity to inclusion? Ask these 4 questions about your meetings

Many organizations and companies today track diversity in sex, gender, race, ethnicity, sexual orientation and religion, among other factors. For some of their leaders, numerical diversity is seen as the most important — and at times, the only — thing needed to create a varied and vibrant community. But by focusing on headcount, they are making the mistake of believing that diversity and inclusion are the same.

Dolly Chugh, a social psychologist at the NYU Stern School of Business, lays down some words of advice on how to tailor your meetings to create pathways to genuine inclusion. She recommends asking the following four questions, and explains why they should be asked:

Question #1: Who speaks at meetings?

Question #2: Who sits next to whom?

Question #3: Who is listened to?

Question #4: Who gets the credit?

While pathway moments may seem relatively small — those moments when we feel like we’re more or less part of the meeting, when we’re more or less listened to, when we’re more or less credited for our work — they are the ones that help determine whether we’re given greater chances for success and effectiveness, or held back. We can all cultivate the capacity to notice failures of inclusion if and when they happen, and then try to do better going forward.

Read more here, or watch the TED talk below.

Audit Release: Progress has been Made to Address Security Weaknesses at the State Data Center, but Improvements are Still Needed


Report Highlights

Security at the Enterprise Technology Services State Data Center (data center) has improved due to organizational and staffing changes and the increased role of the Enterprise Security Office. Several longstanding security challenges have been addressed, yet more work remains to further refine and improve security capabilities and to address other areas where roles are not sufficiently defined. The operating environment for the data center remains stable and appropriately controlled. Disaster recovery capabilities have improved, although prioritization of recovery order needs to occur to ensure that the most critical state systems can be restored timely in the event of a major disaster.

Background

The data center is comprised of an extensive inventory of computer operating system platforms and networks. It provides centralized computer services such as networking, email, backup, and server services for more than 100 state agencies, boards, and commissions. Since the creation of the data center in 2006, numerous prior audits have identified significant security weaknesses. Starting in 2015, organizational changes moved overall responsibility for the data center to the Office of the State Chief Information Officer (OSCIO) and expanded the staffing and role of the Enterprise Security Office.

Purpose

Because of the critical services the data center provides, we audit it every two to three years. This audit followed up on the status of prior audit findings and evaluated the current security framework and stability of the operating environment.

Key Findings

We found:

  1. The OSCIO has made significant progress in improving security at the data center through security planning and staffing, vulnerability assessments, security event monitoring, and anti-malware and patching processes. Further progress is needed to refine these processes and better track vulnerability remediation.
  2. Some security areas require improvement, including privileged access, asset and configuration management, and security incident response. Work is underway to improve Windows privileged access.
  3. Day-to-day computing remains stable and disaster recovery capabilities have improved. While additional disaster recovery capabilities are being built, data center customers need to prioritize which systems should be recovered first in the event of disaster.

Recommendations

We recommend improvements in defining roles and responsibilities, refining vulnerability scanning and security event monitoring, monitoring privileged access, and disaster recovery prioritization.

The Department of Administrative Services and the OSCIO agreed with all of our recommendations. The agency’s response can be found at the end of the report.

Read the full report here.
