Audit Release: Severe Deficiencies in Disaster Recovery Program and Insufficient Information Technology Planning Pose Substantial Risks to Beneficiaries and the State

Report Highlights

The agency charged with administering the Public Employees Retirement System, or PERS, should improve Information Technology (IT) strategic planning efforts to ensure that IT investments return the most value and minimize risk. Additionally, PERS should immediately correct deficiencies with existing disaster recovery plans so the agency can effectively respond to catastrophic events that would prevent the use of existing IT hardware and software. PERS is working to update current plans and implement a recovery site, but a more urgent effort is needed.

This audit includes an assessment of critical security controls and the agency’s IT security management practices. PERS should improve security management roles and training, as well as correct weaknesses in inventory management, configuration change management, vulnerability management, and controlling administrative accounts.


PERS has over 365,000 members and is responsible for administering employee pension programs for state agencies as well as approximately 900 local governments. PERS provides $310 million in retirement benefits each month. The agency’s Information Services Division provides PERS with information technology, such as pension benefit calculation software, to support agency operations.


The purpose of this audit was to determine whether PERS could improve IT security and IT strategic planning efforts and to assess the agency’s preparedness to restore critical IT systems in response to a disaster.

Key Findings

PERS’s IT strategic planning lacks sufficient detail to help ensure IT investments return the most value, pose the least amount of risk, and are completed timely. Insufficient planning has contributed to mismanagement of some agency initiatives.

While PERS has identified a method to issue most pension payments in the event of a disaster, it has not fully addressed changes in payment processing by the Oregon State Treasury. The agency’s disaster recovery plans pose serious risks because they are insufficient to restore critical IT systems. Furthermore, the agency has not tested those plans and has not yet complied with legislative mandates to acquire an alternative recovery site and improve disaster recovery planning. The agency’s strategy to re-issue the prior month’s payments poses risk of benefit payment errors and has never been tested.


Our report includes ten recommendations to PERS to implement improved IT strategic planning and to take immediate action to remedy weaknesses in its disaster recovery plans. In addition, we make six recommendations to PERS and the Office of the State Chief Information Officer related to Critical Security Controls.

PERS agreed with all of our recommendations. The agency’s response can be found at the end of the report.

Read full report here.

Featured New Audit Release

Association of Local Government Auditors ReBlog: Auditing in the dark corners

A police officer sees a drunken man closely searching the ground near a lamppost and asks if he can help. The man replies that he is looking for his keys. After a few minutes of looking the officer asks whether the man is certain he dropped his keys near the lamppost. “No,” he says, “I lost the keys somewhere across the street.” “Then why are we looking here?” asks the officer. “The light is much better,” the man responds.

That’s a very old joke, and it’s also a parable for auditors.

Do you audit where the light is better? Where you know the data is reliable? Where procedures are established? Where clear criteria exist? Where you’ve audited before? Do you choose your audit topics sitting at your desk without exploring around the agency?

Gary Blackmer (who needs no introduction in the auditing community. But, for those not ‘in the know,’ he has a long and storied career in public auditing in Oregon and most recently served as the Director of the Secretary of State Oregon Audits Division.) speaks to the need for auditors to peer into the darkest, most frustrating corners to identify the most serious problems that agencies and the communities they serve face. He encourages fellow auditors not to be lured and lulled by the prospect of a quick and easy audit. The smoothest path may not yield the biggest reward. After all, it’s been traveled many times before.

There is no doubt that groping around in the dark is difficult and unpleasant, but it often produces the biggest audit impacts. Conducting surprise inspections of adult care homes was emotionally difficult, but resulted in several negligent homes getting shut down. Tabulating deployment of 500 patrol officers for four months was pure drudgery, but it pointed out the mismatch with workload. It required patience and perseverance to interview a dozen agencies to learn why they were accomplishing more, but showed a pathway to success for the collections agency.

Read more here, and learn a bit about ALGA here!

Accountability and Media Featured

GAO Reblog: Key trends with a major impact on our nation and its government

On September 13th, GAO shared their five-year strategic plan, which addresses 8 trends identified as having potentially negative effects on our society and government.

Read more here, or watch the video below to learn more.


Accountability and Media Featured

TEDx Reblog: The 5 types of mentors you need in your life

Everyone can use a mentor. Scratch that — as it turns out, we could all use five mentors. “The best mentors can help us define and express our inner calling,” says Anthony Tjan, CEO of Boston venture capital firm Cue Ball Group and author of Good People. “But rarely can one person give you everything you need to grow.”

At the Oregon Audits Division, we give all our staff, both new and well-worn, the opportunity to participate in mentoring relationships with others in the division. These relationships allow the person being mentored to grow by tapping into the wisdom and experience of others, and gives the mentor a chance to help develop the proficiency of those around them- and by extension, the whole office.

Mentoring relationships can be formal or informal, and as Julia Fawal writing for TEDx explains, can cover a broad array of development, learning, and support needs for all those who take part. When it comes to mentoring, more is more.

Read more here, or watch the video below.



Accountability and Media Featured

Audit Release: Opportunities Exist to Increase the Impact of State Agency Internal Audit Functions

Report Highlights

When internal audit functions are properly structured and resourced, they are a valuable asset for mitigating risks and improving agency performance and accountability. However, internal auditing has not been a priority in Oregon. Although the Department of Administrative Services (DAS) has the authority to create policy and a legal requirement to support audit functions, the agency has not strategically promoted the role of internal audit functions due to a number of factors. DAS has not effectively monitored, coordinated, or reported on internal audit function impacts, challenges, and resource needs to state legislators and other stakeholders.


Internal audit functions help organizations achieve their objectives and improve performance. The Oregon Legislature determined internal audit activities within state government should be coordinated to promote effectiveness, and directed DAS to adopt rules and set standards to ensure the integrity of internal auditing.


The purpose of this audit was to determine the steps DAS should take to more effectively coordinate state internal audit functions, and what actions can be taken to increase the impact of these critical functions.

Key Findings

  1. The effectiveness of an agency’s internal audit function is defined by the tone at the top. In general, the internal audit function at state agencies in Oregon is not prioritized or well understood by agency management and the Legislature. Many current challenges and deficiencies have persisted for more than two decades.
  2. Internal audit independence and impact is directly influenced by the effectiveness of the audit committee and the committee’s relationship with agency leadership. Internal audit functions in some state agencies do not follow important elements of professional audit standards that ensure independence from management. These deficiencies reduce the effectiveness of the functions and leave agencies more vulnerable to fraud, wasted taxpayer dollars, and other substantial risks.
  3. Poor guidance and a lack of strategic management and effective coordination from DAS has contributed to internal audit challenges at state agencies. DAS reporting on statewide internal audit activities and impact could be a valuable tool for both internal auditors and policymakers, but DAS reports are often inaccurate, confusing, and uninformative.
  4. Many internal audit functions are staffed by well-trained, qualified professionals who make contributions to the agencies they serve despite governance and resource challenges. With additional emphasis and resources they could increase their value and return on investment potential.


We include 16 recommendations to DAS intended to enhance the value and impact of state agency internal audit functions. DAS agreed with 13 of 16 recommendations. The agency declined to say whether it agreed or disagreed with three recommendations.


Read full report here.

Featured New Audit Release Performance Audit

Methods (to our madness): Municipal audits at the state

Each summer, the state’s municipal audit manager, Amy Dale, heads out to perform field reviews of accounting firms around Oregon, as well as a few in Idaho. The firms she visits perform financial audits for Oregon’s municipalities. It’s part of Amy’s unique role as a municipal auditor manager for the state of Oregon to help ensure local governments provide annual financial reports. I sat down with Amy between some of her field reviews this month to learn more about it.

Oregon’s municipalities are any cities, counties, school districts, special districts, or corporations subject to local government control that receive tax dollars from Oregon residents. A municipal audit law, passed in the early 1900s and updated most recently in 2015, requires that municipalities file a financial report each year. These are made public on the Secretary of State’s website.  Annual filing helps promote transparency and accountability regarding the money they collect from residents, and the summary of audit reports completed by the state’s municipal program provides an overview of the status of larger municipalities.

Of the state’s 35 financial auditors, only two work fulltime in the municipal audit program. In addition to supporting the firms who provide the audits, Amy works directly with the municipalities throughout their submission process, oversees the review of a sampling of financial reports each year, and, with her team, provides feedback on whether the reports meet financial reporting requirements.

Amy Dale, Municipal Audit Manager for the Secretary of State Audits Division

“I love this role because it’s interesting,” says Amy. “There’s always something different happening, and there’s a strong sense of helping residents and local governments, which is something I value.”

Amy’s role may have been a bit simpler in the early days, when there were a lot fewer of these municipalities. Now, around 1800 municipalities of a variety of size and purpose must file financial reports. Oregon’s cities, counties, and school districts make up about a third of them. The remaining 1000+ districts are special districts. They perform specialized services for the area where they operate, such as water, irrigation, fire, emergency management, pesticide, parks and recreation, and many more. To fund these services, they collect money through separate taxes, assessments, or fees. A county or city can have several special districts in its geographical area. For instance, in Marion County alone there are almost a hundred special districts.

Amy and her team help the many municipalities submit accurate and timely reports. “Our reviews shouldn’t be seen as punitive for those who didn’t meet standards, but rather to help them get it right,” Amy explains. “Reviewing audit reports is great practice for our financial auditors, too, especially as audit and reporting standards continue to change.”

If the municipal audits team finds reporting errors they’ll let the organization know what didn’t go right. Says Amy, “The municipalities don’t always like getting a letter from us with corrections, but the goal is to be helpful. Sometimes we end up getting thanks.”

The state takes this reporting requirement seriously; as of 2015, the municipal audit program will place cities and counties who haven’t filed a report on time on a withholding list. Until they file their reports, these municipalities will not receive 10% of state revenue contributions they’d otherwise collect.

Reports go up on the Secretary of State’s website so any resident can read them. The Secretary of State’s summary reports of the previous fiscal year’s audits filed are also on the website.

Want to know even more about municipal audits and last year’s summary report? Check out the full report on the Oregon Audit Division website from FY 2016 HERE.

Auditors at Work Featured Financial Audit

Audit Release: Energy Trust Administrative Costs are Generally Reasonable, but the Public Utility Commission Can Improve Oversight of These Costs

Report Highlights

The Oregon Public Utility Commission (PUC) has designed controls to ensure administrative and program support costs at Energy Trust of Oregon are reasonable. Energy Trust is a nonprofit organization and is not subject to state administrative cost requirements. However, PUC could strengthen its oversight of Energy Trust administrative costs by more clearly defining what constitutes reasonable costs, revising key performance metrics, and clarifying financial reporting requirements.


Energy Trust is a nonprofit organization funded by a grant agreement with PUC to develop and administer energy efficiency and renewable energy programs in certain utility service territories in Oregon. The grant funding comes from three separate charges on bills of customers of electric and natural gas utilities regulated by PUC.


The purpose of the audit was to determine whether Energy Trust administrative costs are reasonable and whether PUC has reasonable controls in place to oversee Energy Trust’s administrative costs.

Key Findings

  1. Energy Trust complies with PUC’s administrative cost control requirements. We found these controls to be reasonable, and Energy Trust has consistently spent below the established administrative cost cap of 8% of revenue per year. However, Energy Trust’s administrative costs increased from $1.6 million to $10.1 million between 2002 and 2017, as its annual revenues increased from $30.6 million to $194.2 million during the same period. Improved oversight could help PUC better ensure that Energy Trust makes reasonable administrative spending decisions.
  2. We determined Energy Trust’s administrative costs are generally reasonable. However, we identified a small percentage of questionable administrative costs that do not align with state agency standards or the grant guidelines that govern Energy Trust operations. PUC could improve its oversight by providing guidance for acceptable administrative costs.
  3. Increased clarity and detail in financial reporting would improve transparency and stakeholder oversight. PUC monitors Energy Trust’s administrative costs through an enforced spending cap and public budget and reporting processes. Revised reporting methodologies would increase the transparency of Energy Trust’s administrative costs and spending trends.


Our report includes recommendations to PUC regarding the clarity of its grant agreement with Energy Trust, revision of performance metrics, and reporting of administrative costs.

PUC generally agreed with our recommendations. The agency’s response can be found at the end of the report.

Read the full report here.

Featured New Audit Release