Methods (to our Madness): How IT audits help keep your $$$ safe

Recently, the Oregon Secretary of State Audits Division released an IT audit of GenTax, the software system that Oregon’s Department of Revenue uses to process tax payments and returns. This month, I sat down to talk to Erika Ungern, an 18-year veteran of the Audits Division and the lead for the audit.

Why was the GenTax system selected for an audit?

A lot of the work we do on the IT team supports financial auditors. They need to know that the information they use for their audits is reliable. GenTax is a fairly new system – the Department of Revenue completed the last of four rollouts in November 2017 – so it was a good time to take a look.

What was the goal of this audit?

We were auditing to answer the question: Does the system do what it needs to do? That meant primarily looking to see if there are application controls in place so data remains complete, accurate, and valid during input, processing and output. In this case, GenTax is the software DOR uses to process tax returns and payments – which is something all taxpayers may be interested in.

What sort of criteria do you use to assess how well the controls are in place?

We currently use the Federal Information System Controls Audit Manual, or FISCAM. It’s a standard methodology for auditing information system controls in federal and other governmental entities. It provides guidance for evaluating the confidentiality, integrity, and availability of information systems. The information included in FISCAM ties back to National Institute of Standards and Technology (NIST) publications.

How did you go about gathering information?

This audit, like all IT audits, started with interviews and a review of agency policies and procedures. We need to know how agencies have implemented the technology and how staff are using it. We test different pieces of the technology depending on the answers we get. For instance, if we hear that the agency has specific controls in place, we’ll test those controls. If they tell us they don’t have controls, then that’s our finding. For instance, a lot of agencies don’t have strong disaster recovery controls in place for IT systems. That was the case for this one. We check back on their progress in follow-up audits.

Was there anything unique about this audit?

It was somewhat unique in that we were looking at a system that DOR purchased, and both DOR and the vendor are actively involved in supporting the software. Agencies used to build their systems all in-house, and when we would do an audit, we would only talk to agency personnel. When we do an audit of purchased software, system changes are sometimes made exclusively by the vendor, and our audit questions focus on how the agency makes sure those changes are correct, since we are not auditing the vendor’s change management procedures. In this case, DOR and the vendor both make changes to the system, so we asked both agency and vendor personnel about their processes to ensure the changes were correct.

Another new thing was reporting some results that didn’t hit the materiality threshold. This audit reported on a few things that only affect a small percentage of the returns the software processes, such as the fact that the software doesn’t currently provide notification when taxpayers make a mistake in reporting withholding on their returns that causes them to overpay taxes. These results may end up going hand in hand with the performance audit of DOR’s culture that’s going on right now.

Any other thoughts on auditing for IT auditors, or auditors in general?

You know, IT audits are like a lot of other audits. Getting good results is all about asking the right questions. You don’t always know what they are when you start, but do your best to figure them out!

Read the full audit here.

Members of the audit team included:
Will Garber, CGFM, MPA, Deputy Director
Teresa Furnish, CISA, Audit Manager
Erika Ungern, CISSP, CISA, Principal Auditor
Sherry Kurk, CISA, Staff Auditor
Sheila Faulkner, Staff Auditor


Internal Auditor Repost: Emotional Intelligence for Internal Auditors


Mike Jacka discusses the usefulness of emotional intelligence for internal auditors.


Oregon Office of Economic Analysis ReBlog: Oregon’s Unprecedented Growth?

A common refrain our office hears is that Oregon’s growth in recent years is unprecedented. Meaning that we’ve never seen population growth like this before. This is usually in the context of the housing market and explaining away our shortage more as a function of extremely high demand, and less about the supply issues. As such, I think it may be helpful to take a graphical trip down memory lane. The bottom line is that yes, in many places in Oregon, mostly urban, we’re seeing population gains that are better than in the 2000s but on par with the 1970s and the 1990s. Remember, people have been packing up and moving to this part of the world since before Lewis & Clark. Population growth and migration is nothing new. It is ingrained in our community and economy and remains our number one comparative advantage.

Josh Lehner explores Oregon’s history of population growth and shares some hard facts and a nuanced perspective on this hot button topic. Read more here.


GAO Watchblog ReBlog: Office Space

The federal government spends billions of dollars every year to operate and maintain the roughly 273,000 buildings it owns or leases. But we’ve reported for years on problems with how the federal government manages its real estate—in fact, federal real property management has been on our High-Risk list since 2003.

So, has anything changed? How effectively is the government using its real estate assets? Today’s WatchBlog explores our recent work on reducing office space in federal buildings and telework as a space planning tool.

Read more here.


Data-Smart City Solutions RePost — Map Monday: Beyond Floods

People tend not to think that bad things will happen to them. This psychological proclivity towards optimism—logically termed “optimism bias”—is in many ways a beneficial feature of the human psyche, as most live better lives when they’re not constantly obsessing over the possibility of some calamity befalling them.

However, the optimism bias also has its disadvantages, as it may discourage people from preparing for emergencies. This was the case during Hurricane Sandy, during which 77 percent of New Yorkers reported that inland flooding was much higher than they expected. In New York City alone, the storm damaged 90,000 buildings, created $19 billion in damage, and killed nearly 50 people.

Chris Bousquet, a Research Assistant and Writer with Harvard’s Ash Center, explores how data sharing can influence human action through the Beyond Floods CARTO platform.

Read more here.


Audit Release – Oregon Department of Revenue: GenTax Accurately Processes Tax Returns and Payments, but Logical Access and Disaster Recovery Procedures Need Improvement

Report Highlights

The Oregon Department of Revenue (DOR) designed and implemented controls in their GenTax system to provide reasonable assurance that tax return and payment information remains complete, accurate, and valid from input through processing and output. Logical access controls and change management controls are generally sufficient, but some areas need improvement. In addition, existing controls ensure the creation of appropriate backup of GenTax system files, though DOR does not have assurance they could timely restore the system in the event of a disaster or major disruption.

Background

The Oregon Department of Revenue replaced its legacy tax systems with GenTax, an integrated tax processing software package. This system processed about $10.3 billion in payments and $1.2 billion in refunds for tax periods ending in 2016.

Audit Purpose

The purpose of our audit was to review and evaluate key application and general computer controls governing DOR’s GenTax system. We focused on personal income, withholding, and corporate income and excise tax programs.

Key Findings

  1. GenTax controls ensure accurate input of tax return and payment information for personal income, withholding, and corporate income and excise tax programs. Additional processing and output controls provide further assurance that GenTax issues appropriate refunds and bills to taxpayers for taxes due.
  2. Logical access controls are generally sufficient, but DOR needs to make improvements to ensure managers have enough information to request appropriate access. DOR should also ensure that access remains appropriate for users who change jobs and is removed for users who are terminated.
  3. DOR monitors and tracks changes to GenTax to ensure system developers implement only approved program modifications, but better guidance is needed for testing procedures to ensure program modifications meet business needs.
  4. DOR does not have sufficient assurance that it could timely restore GenTax in the event of a disaster or major disruption.
  5. DOR has not obtained independent verification that the GenTax vendor has implemented appropriate controls over servers at an external data center to provide additional assurance that Oregon data is secure.
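The second finding describes a control that is easy to state and routinely missed in practice: application access has to be re-checked against the HR system, both when someone leaves and when someone changes jobs. The script below is an added example of that reconciliation and is not part of the audit report or of GenTax; the field names, the job-title-to-role matrix, the one-day removal window and the HR and account extracts are all constructed for illustration. It flags enabled accounts for terminated employees, logins that occurred after a termination date (evidence the window was actually exploitable, not just open), roles that exceed what the user's current job allows, and accounts with no HR record at all.

```python
"""Access-review reconciliation: HR roster vs. application user export.

Added example. Field names, role matrix and sample data are assumptions
constructed for illustration; they are not GenTax's or DOR's.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class HrRecord:
    emp_id: str
    status: str                      # "active" or "terminated"
    job_title: str
    term_date: Optional[date] = None  # set when status == "terminated"


@dataclass(frozen=True)
class AppAccount:
    username: str
    emp_id: str                      # link back to HR; empty/unknown => orphan
    enabled: bool
    roles: FrozenSet[str]
    last_login: Optional[date]


@dataclass(frozen=True)
class Finding:
    kind: str
    username: str
    detail: str


# Assumed permitted roles per job title. Anything a user holds outside
# their current title's set is excess access (e.g. left over from a job change).
ROLE_MATRIX = {
    "Tax Examiner": frozenset({"RETURN_VIEW", "RETURN_EDIT"}),
    "Refund Supervisor": frozenset({"RETURN_VIEW", "REFUND_APPROVE"}),
    "Help Desk": frozenset({"ACCOUNT_UNLOCK"}),
}


def review_access(hr_roster: List[HrRecord], accounts: List[AppAccount],
                  as_of: date, grace_days: int = 1) -> List[Finding]:
    """Reconcile application accounts against HR and return exceptions.

    grace_days is the assumed window within which a terminated user's
    account must be disabled; anything still enabled past it is reported.
    """
    hr_by_id = {r.emp_id: r for r in hr_roster}
    findings: List[Finding] = []
    for acct in sorted(accounts, key=lambda a: a.username):
        rec = hr_by_id.get(acct.emp_id)
        if rec is None:
            findings.append(Finding("orphan", acct.username, "no matching HR record"))
            continue
        if rec.status == "terminated":
            if acct.enabled:
                days_over = (as_of - rec.term_date).days - grace_days
                findings.append(Finding(
                    "terminated_still_enabled", acct.username,
                    f"{days_over} days past the {grace_days}-day removal window"))
            if acct.last_login is not None and acct.last_login > rec.term_date:
                findings.append(Finding(
                    "post_termination_login", acct.username,
                    f"last login {acct.last_login} after termination {rec.term_date}"))
            continue  # a terminated user's role set is moot once reported
        excess = acct.roles - ROLE_MATRIX.get(rec.job_title, frozenset())
        if excess:
            findings.append(Finding(
                "excess_role", acct.username,
                f"holds {','.join(sorted(excess))} not permitted for {rec.job_title}"))
    return findings


# Constructed sample extracts (not real data).
SAMPLE_HR = [
    HrRecord("E100", "active", "Tax Examiner"),
    HrRecord("E200", "terminated", "Refund Supervisor", date(2018, 1, 15)),
    HrRecord("E300", "active", "Help Desk"),   # moved here from Tax Examiner
]
SAMPLE_ACCOUNTS = [
    AppAccount("jdoe", "E100", True, frozenset({"RETURN_VIEW", "RETURN_EDIT"}), date(2018, 3, 1)),
    AppAccount("bsmith", "E200", True, frozenset({"RETURN_VIEW", "REFUND_APPROVE"}), date(2018, 2, 2)),
    AppAccount("clee", "E300", True, frozenset({"ACCOUNT_UNLOCK", "RETURN_EDIT"}), date(2018, 3, 10)),
    AppAccount("svc_old", "E999", True, frozenset({"RETURN_VIEW"}), None),
]
AS_OF = date(2018, 3, 15)


def run_sample_review() -> List[Finding]:
    """Run the reconciliation over the constructed sample data."""
    return review_access(SAMPLE_HR, SAMPLE_ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for f in run_sample_review():
        print(f"{f.kind:26} {f.username:10} {f.detail}")
```

In a real review the two extracts come from different owners (HR and the application administrators), which is exactly why the audit finding asks that managers be given enough information to request the right access: the role matrix is the artefact that turns "is this access appropriate?" into a mechanical comparison. The post-termination login check is worth keeping separate from the "still enabled" check, because a disabled-late account is a process lapse while a login after termination is an incident.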

Recommendations

The report includes 11 recommendations to DOR regarding needed improvements to logical access procedures, disaster recovery plans and tests, and independent assurance of controls over servers at an external data center. DOR generally agreed with our recommendations. DOR’s response can be found at the end of the report.

Read the full report here.


GAO WatchBlog ReBlog: The Internet of Things — Are we ready for 50 billion things?

Your Fitbit, TV remote, microwave, and other wireless devices that use a network to communicate are part of the “Internet of Things” (IoT). Their use is growing fast—some experts forecast that 25-50 billion devices will be in use by 2025.

But the IoT depends on the availability of a finite resource—the radio frequency spectrum.

Read more here about the GAO’s recommendations to the FCC to expand efforts to make more spectrum available, use it more efficiently, or expand spectrum sharing.
