Audit Release - ODOT: The Oregon Fuels Tax System Accurately Assesses and Collects Fuels Taxes for Oregon and Local Jurisdictions

Report Highlights


The Secretary of State’s Audits Division found that the Oregon Fuels Tax System (OFTS) accurately assesses and collects fuels taxes for Oregon and local jurisdictions, collecting over $564 million in 2016. However, processes for issuing fuels tax refunds and system design flaws result in minor overpayments and reporting inaccuracies. Additionally, ODOT should enhance processes for testing system backup files, granting and monitoring user access, setting user password parameters, implementing safeguards over personally identifiable information, and identifying security weaknesses.

Read full report here.

Background

In 2013, ODOT contracted with Avalara to implement a new fuels tax system for $2.8 million, replacing an outdated paper-based system previously used to process Oregon Fuels Tax returns.

Purpose

The purpose of our audit was to review and evaluate the effectiveness of key general and application controls that protect and ensure the integrity of the Oregon Fuels Tax System and its data.

Key Findings

1. OFTS accurately calculates, assesses, and collects fuels tax for the state of Oregon and local jurisdictions, but manual processes governing refund payments should be improved to ensure accurate refund payments.
2. Application design flaws result in a small number of refund overpayments and minor reporting inaccuracies.
3. Changes to OFTS computer code are appropriately managed to reasonably ensure that the system and its data will not be compromised as the result of a code change.
4. System back-up processes have never been tested to ensure system data can be restored in the event of a disruption.
5. Security weaknesses exist in processes for granting and reviewing system access, monitoring activities of internal and third-party users with significant system access, and identifying and remediating system security vulnerabilities. In addition, password parameters should be more robust, and safeguards protecting some Personally Identifiable Information (PII) need improving.

Recommendations

The report includes nine recommendations to the Oregon Department of Transportation focused on addressing weaknesses in the refund review processes, fixing system design flaws, testing backups, and correcting security weaknesses.


Audit Release: Automated Medicaid eligibility is processed appropriately at OHA, yet manual input accuracy and eligibility override monitoring need improvement

AUDIT PURPOSE

In Oregon, over one million individuals have Medicaid coverage. Medicaid expenditures totaled $9.3 billion in fiscal year 2016, including $1.2 billion in state general funds. We conducted this audit to determine if two critical automated computer programs managed by the Oregon Health Authority accurately verify Medicaid client eligibility and accurately issue payments to healthcare providers. If these programs do not function properly, clients may inappropriately receive, or be denied, Medicaid benefits.

FINDINGS IMPACT

Manual input errors and lack of monitoring of overrides can cause inappropriate eligibility determinations and payments to providers. If agency leadership implements more effective monitoring of caseworker eligibility overrides and improves manual input accuracy, the state will better comply with eligibility requirements and increase accuracy of payments. Inaction will allow overrides and manual input errors to continue causing inappropriate payments to providers.

Read full report here.

KEY FINDINGS

  • Two critical automated computer programs appropriately determined eligibility, enrolled Medicaid clients in coordinated care organizations, and made appropriate payments to those organizations based on eligibility information received.
  • Automated computer processes appropriately validated the Social Security number and citizenship status of applicants over 99.7% of the time in our review of over 425,000 records.
  • We reviewed 30 eligibility determinations and found seven (23%) had manual input errors. While only one error resulted in a client being determined eligible when they were not, each of the errors related to application information that could have resulted in inappropriate eligibility determinations.
  • Although their volume has significantly decreased over time, overrides of eligibility are not sufficiently monitored, meaning unauthorized overrides of Medicaid eligibility could occur.
  • Our review of 72 overridden eligibility segments showed caseworkers did not take proper action to clear 25 (35%). Overridden segments are not subject to automated processes that redetermine eligibility for certain clients.
  • Our 2011 audit recommendations to OHA and DHS concerning access to the Medicaid Management Information System have not been fully implemented, increasing security risk.

RECOMMENDATIONS SUMMARY

  • OHA should continue efforts to improve caseworker manual input accuracy through additional training, and implement a review process for input where errors negatively affect eligibility determination.
  • OHA managers should monitor eligibility overrides to prevent unauthorized validation and ensure state resources are spent appropriately.
  • OHA and DHS should fully implement our 2011 audit logical access recommendations.

Oregon Department of Education: Computer Systems Ensure Integrity of Data, But Other Processes Need Improvement

Executive Summary


The Oregon Department of Education (department) oversees the education of over 560,000 students in Oregon’s public K-12 education system. The annual distribution of the State School Fund of $3 billion and federal funding of about $750 million help fund Oregon’s public education.
The department’s computer systems reasonably ensure the integrity of data used to distribute the State School Fund and appropriately process school district claims for federal funding. However, improvements are needed to provide better security for computer systems and student data, manage changes to computer systems, and ensure systems can be restored in the event of a disaster.

Read full report here.

Computer systems ensure integrity of student and school data

Department staff use the Consolidated Collection System to analyze and aggregate school and student data. They use information from this system to allocate monies to Oregon’s schools and education service districts. Computer systems reasonably ensured the integrity of student and school information through automated processes that accurately identify students and detect potential data errors. In addition, department analysts use system information to validate student and school data.

Computer systems appropriately receive and process School district claims for federal funding

The department uses the Electronic Grant Management System and the Federal Cash Ordering System to receive and process requests for federal program expenditure reimbursements. We found that computer controls reasonably ensure that these systems could appropriately receive and process school district claims for federal funding. These systems ensure grant claims do not exceed available balances and reject claims that otherwise would be ineligible for reimbursement.

Security measures for computer systems were insufficient

Although the department provides important protection measures for security, improvements are needed to better secure their computer systems and data. Weaknesses we identified relate to the department’s processes for planning, configuring, managing, and monitoring information technology security components. As such, the department does not provide an appropriate layered defense to protect agency computer applications. Thus, confidential student level information is at increased risk of disclosure or compromise.

Management of changes to computer systems needs improvement

The department has formal processes and tools for managing changes to their systems, but staff do not always fully utilize them. Independent and technical reviews of computer code changes did not always occur and processes were not in place to ensure only approved code could be placed in production. These weaknesses increase the risk that developers could introduce unauthorized or untested changes to the systems.

System files and data are appropriately backed up but procedures for timely restoration after a disaster are absent

The department has processes in place to back up critical data and can restore individual files as needed. However, department management and staff have not fully developed and tested a comprehensive disaster recovery plan capable of restoring critical systems and data in the event of a disaster or major disruption. Without a disaster recovery plan, the department cannot ensure it can timely restore operations in the event of a disaster.

Recommendations

We recommend that Department of Education management ensure resolution of identified security weaknesses, improve processes for changing computer code, and fully develop and test processes for restoring computer systems after a disaster.

Agency Response

The full agency response can be found at the end of the report.


Audit Release: Improving State Computer System Security will take Time, Resources, and Cooperation

Executive Summary


Most state agencies we reviewed do not have adequate security plans, processes, or staffing to carry out fundamental security functions that protect their information systems and data. The Office of the State Chief Information Officer is responsible for ensuring agencies carry out these critical functions, but has not yet provided sufficient standards and oversight to help agencies achieve appropriate information technology security. In September 2016, the Governor signed an executive order to unify cyber security in Oregon, but much work and cooperation remains to fulfill the requirements of the executive order and improve statewide security.

Read full report here.

State agency security efforts fall short

We reviewed 13 state agencies’ information security plans and a selection of security functions to determine if agencies were adequately protecting their systems and data. More than half of the agencies had security weaknesses in six of the seven fundamental security controls reviewed, and all agencies had at least two weaknesses.

These agencies represented a cross section of state government agencies. They process and store different types of information ranging from mostly public documents to highly sensitive tax, court, and medical records that require a higher level of protection to comply with federal law.

Overall, planning efforts were often perfunctory, security staffing was generally insufficient, and critical security functions were not always performed. These weaknesses collectively increase the risk of a security incident at one or more of the agencies.

Office of the State Chief Information Officer not fully prepared to centrally administer the state’s security function

State law gives the state Chief Information Officer responsibility for planning statewide security, setting security standards and policies, and ensuring remedial actions are undertaken to correct known security weaknesses. However, the Office of the State Chief Information Officer (OSCIO) has not yet provided state agencies with sufficient and appropriate information technology security standards and oversight. In addition, the OSCIO does not have processes to ensure that agencies comply with the published statewide standards and the regulations imposed by federal requirements.

Recent executive order shifts security functions from the agencies to the Office of the State Chief Information Officer but much work remains

In September 2016, the Governor signed Executive Order No. 16-13, Unifying Cyber Security in Oregon. This directive outlines a process to unify information technology security, including a process to transfer state agency security functions and staffing into the OSCIO by June 30, 2017. In addition, it directs agencies to work with the OSCIO’s newly formed security group to develop and implement security plans, rules, policies, and standards. The directive also requires agencies to fully cooperate with the OSCIO to implement a statewide, agency-by-agency, risk-based security assessment and remediation program.

However, the executive order may not fully resolve the state’s information technology security weaknesses. The need to securely operate information systems competes for resources with the needs of the agencies to provide services to Oregonians. The executive order transfers security functions but does not add additional resources or describe how agency security staff will work with the OSCIO while remaining under agency management direction for day-to-day activities. In addition, at the time of this report, the OSCIO has not yet developed plans detailing how the OSCIO and agencies will achieve the requirements of the executive order.

Ultimately, the Governor, the OSCIO, agency directors, and the Legislature must cooperate to create, fund, endorse, and implement a statewide security plan. Without full cooperation of these key stakeholders, it is unlikely that the state’s security posture will significantly improve.

Recommendations

We recommend that the Office of the State Chief Information Officer:

  • Collaborate with state agencies to develop detailed plans in order to fully implement the requirements of Executive Order No. 16-13.
  • Develop sufficient statewide standards and processes for oversight to ensure security of agency computer systems.
  • Collaborate with state agencies to ensure remediation of the specific weaknesses communicated to state agencies in separate management letters.
  • Work with the Governor, Legislature, and agency directors to ensure staffing and resources are available to implement agency security measures.

Agency Response

The Office of the State Chief Information Officer generally agrees with the findings and recommendations in this report. The full agency response can be found at the end of the report.


Methods (to our Madness): A 2 Minute Primer on IT Auditing, Through the Lens of an Employment Audit

Periodically, we will highlight some of the methods used in a recently released audit. Every performance audit is unique and can require creative thinking and methodologies to answer our audit objective. Some of these methods could be replicated or present valuable lessons for future projects.

Given some of Oregon’s high profile computer system failures, the global risk of IT security and the age of some Oregon agencies’ legacy computer systems, it is easy to see the importance of the Secretary of State’s team of Information Technology (IT) auditors. But what exactly do IT auditors do?

Here are some lessons and basic steps in IT auditing that I learned from Erika Ungern, Principal Auditor, and Matthew Owens, Senior Auditor, in a conversation about their recently released IT audit, which found that computer programs for unemployment tax returns and claims at the Oregon Employment Department need attention.

When doing an IT audit, always test the data

In the Oregon Employment Department audit, the audit team followed a typical process for IT audits, including identifying the computer systems to evaluate, examining the process and expected controls of those systems, and testing the data to make sure that the systems were operating as intended.

When I asked the team if they always do the final step of testing the data, their faces lit up. (I’m not sure if it was due to the excitement of thinking about data or shock that I would even ask such a question). They replied in near unison that yes, you always have to test the data. Even if everything looks good on paper, the only way you can know if a system is working is to test it.

Compared to an ideal world, the Department’s computer systems fell short

COBIT and FISCAM are two criteria frameworks that describe an ideal world for government IT systems. IT auditors can measure a computer system against these frameworks to identify areas for improvement.

When IT auditors do this, they look at different points in the system and the controls that they would expect to find at each point. They look at the inputs. What is supposed to get into the system? They look at what the system does. How does it process or manipulate the data? And they look at the output. What happens at the end? Is there a report? Is the data transferred to another system? Or, as is the case here, is the output hundreds of millions of dollars in payments for unemployment claims?

At each point, they look for controls, or processes and checks built into the system or staff operations, that can prevent, detect or correct errors and ensure accuracy. For example, system “edits” are intended to ensure that unemployment insurance claims are not paid to recipients whose claim applications were denied.

The audit team looked at two of the Department’s systems and found that they were set up to handle routine claims and to process most employer tax payments automatically. However, the systems were old. Changes were not well documented and workarounds had been developed. Sometimes the team had to look at the computer code to understand what was going on. Uncorrected system problems could lead to some tax returns bypassing automated checks or requiring manual verification. The team proceeded to the next step to test the data and find examples of cases that were bypassing the system.

Data testing created an example for the Department to replicate

Employers submit unemployment insurance tax return data in two ways, one at the detailed employee wage level and one at the summary payroll level. The audit team took these two data sources and performed various analyses. In one instance, the audit team recalculated taxable wages to identify employers who may have under-reported (or over-reported) taxable wages, which in turn led to under or overpaying unemployment taxes. This analysis was so useful that the Department asked the audit team for a step-by-step explanation (see below) so that they could replicate it.

Finding million dollar issues now could save even more during a busy recession

Based on this analysis, the team found that nearly 2,000 employers had overpaid taxes by approximately $850,000 in 2014 and had not been notified. One non-profit overpaid by $17,000. They also found potentially $2.9 million in underpayments that had not been collected. While these amounts are a small portion of the overall tax collections, they could increase dramatically when unemployment increases, such as during a recession. Additionally, as evidenced by the non-profit example, missing these errors could have a large impact on small employers.

The Employment Department was not catching these discrepancies because staff were not reviewing system-generated reports that could have helped them identify these issues.

Lessons learned: document as you go along

When I asked the team what lessons they had learned, they told me to document the steps you are taking as you do your data analysis. Hm, I think I have heard that advice before.

Breaking down the methodology

Here is a step-by-step look at how the team analyzed the data for incorrect unemployment insurance tax payment:

  1. The team took individual wage data and created a calculated field that recorded any amount of wages over $35,000 as $35,000 (since $35,000 was the taxable wage limit per employee). Any value under $35,000 retained its original value.
  2. They summarized the data to get a total of calculated taxable wages for each employer.
  3. They filtered the table to show only taxable employers.
  4. The team then compared the taxable wages field with another field of payroll reported by employers. To do this, they created a new field that subtracted the taxable wages from the payroll field.
  5. They followed up on the results for any employer where the difference was greater than one dollar.
  6. They calculated a potential overpayment or underpayment of taxes using the employer’s assigned tax rate.
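The six steps above, carried out in code. This is an added example and not the audit team’s own analysis script; the column names, the sample wage and payroll rows, the tax rates, and the “taxable employer” flag are all constructed for illustration. It generalizes step 1 slightly: wages are summed per employee before the $35,000 cap is applied, so that an employee who appears on several rows (for example, one row per quarter) is capped once on the annual total rather than once per row, which would otherwise overstate taxable wages. The one-dollar threshold from step 5 is applied to the absolute difference, so both over- and under-reporting are flagged.

```python
from collections import defaultdict
from dataclasses import dataclass

# Annual taxable wage base per employee quoted in the post ($35,000 for 2014).
TAXABLE_WAGE_BASE = 35_000.00


@dataclass(frozen=True)
class WageRecord:
    """One row of the detailed employee-wage file (constructed layout)."""
    employer_id: str
    employee_id: str
    wages: float


@dataclass(frozen=True)
class PayrollReturn:
    """One row of the summary payroll/tax-return file (constructed layout)."""
    employer_id: str
    reported_taxable_payroll: float
    tax_rate: float        # employer's assigned rate, e.g. 0.024 for 2.4%
    is_taxable: bool       # False for reimbursing employers, which step 3 drops


def taxable_wages_by_employer(records, base=TAXABLE_WAGE_BASE):
    """Steps 1-2: cap each employee's annual wages at `base`, then total per employer."""
    per_employee = defaultdict(float)
    for r in records:
        per_employee[(r.employer_id, r.employee_id)] += r.wages
    totals = defaultdict(float)
    for (employer_id, _employee_id), annual_wages in per_employee.items():
        totals[employer_id] += min(annual_wages, base)  # step 1 (per employee, not per row)
    return dict(totals)


def find_discrepancies(records, returns, threshold=1.00, base=TAXABLE_WAGE_BASE):
    """Steps 3-6: compare recalculated taxable wages with reported payroll and price the gap."""
    calculated = taxable_wages_by_employer(records, base)
    findings = []
    for ret in returns:
        if not ret.is_taxable:                 # step 3: taxable employers only
            continue
        calc = calculated.get(ret.employer_id, 0.0)
        diff = ret.reported_taxable_payroll - calc   # step 4: payroll minus taxable wages
        if abs(diff) <= threshold:             # step 5: ignore sub-dollar rounding noise
            continue
        findings.append({
            "employer_id": ret.employer_id,
            "calculated_taxable_wages": round(calc, 2),
            "reported_taxable_payroll": round(ret.reported_taxable_payroll, 2),
            "difference": round(diff, 2),
            # step 6: positive = tax overpaid, negative = tax underpaid
            "tax_impact": round(diff * ret.tax_rate, 2),
            "status": "overpaid" if diff > 0 else "underpaid",
        })
    return findings


# Constructed sample input (not real employer data).
SAMPLE_WAGES = [
    WageRecord("A", "a1", 40_000.00),   # capped to 35,000
    WageRecord("A", "a2", 20_000.00),
    WageRecord("B", "b1", 30_000.00),   # two quarterly rows: 45,000 annual, capped to 35,000
    WageRecord("B", "b1", 15_000.00),
    WageRecord("C", "c1", 50_000.00),   # capped to 35,000
    WageRecord("C", "c2", 10_000.00),
    WageRecord("D", "d1", 60_000.00),   # reimbursing (non-taxable) employer
    WageRecord("E", "e1", 12_000.50),
]
SAMPLE_RETURNS = [
    PayrollReturn("A", 55_000.00, 0.030, True),   # matches: no finding
    PayrollReturn("B", 45_000.00, 0.024, True),   # cap not applied: overpaid 10,000 * 2.4%
    PayrollReturn("C", 40_000.00, 0.050, True),   # under-reported 5,000: underpaid at 5%
    PayrollReturn("D", 60_000.00, 0.000, False),  # skipped at step 3
    PayrollReturn("E", 12_000.00, 0.031, True),   # 50-cent gap: below threshold
]

if __name__ == "__main__":
    for f in find_discrepancies(SAMPLE_WAGES, SAMPLE_RETURNS):
        print(f)
```

In practice the same logic runs against the full wage extract and the return file joined on employer identifier; the per-employee aggregation is the step most easily missed when the wage file is quarterly, and skipping it would flag employers who reported correctly.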


Caroline Zavitkovski, OAD Senior Performance Auditor, MPA


Portland City Auditor: Payment Card Data Security Audit

In 2014, the Portland City Auditor released a report stating the City was not in compliance with the payment card industry data security standard (PCI DSS) in its handling of payment card transactions. Now, certified external assessors report that the City complies with the standard. Outsourcing payment card processing services, improving data security, and discontinuing some payment options for customers brought the City into compliance.

City of Portland Credit Card audit

The City received more than 10 million payments using credit or debit cards last year for water and sewer services, Parks and Recreation classes or permits, and parking – including City-owned parking garages.

The industry standards for security apply to merchants, like the City, that accept credit or debit cards for payment. Failing tests in any of 12 sub-categories means the merchant fails to meet the overall standard. Portland was out of compliance for the previous seven years. Now that the City is in compliance, it will be tested each year by an outside assessor to make sure it continues to meet the standard.

Read the full audit online 

News coverage of the audit

KOIN 6: Portland promises it’s safe to use credit cards: City auditor discovered the city failed security requirements since 2009

Portland Tribune: City improves credit card payment security, but work remains


Oregon Employment Department: Computer Programs for Unemployment Tax Returns and Claims Need Attention

Executive Summary


Oregon Employment Department computer programs correctly process most individual unemployment insurance claims and associated employer tax returns, but these outdated computer programs should be replaced. Additional work is also needed to improve security, processes for changing computer code, and disaster recovery capability.

Computer programs correctly handle most unemployment benefit claims and tax statements, but should be replaced

Oregon Employment Department (Employment) computer systems handle routine unemployment claims accurately. Systems also process most employer quarterly unemployment tax returns appropriately. However, due to system limitations, Employment staff must identify and manually correct some unemployment claim errors. In addition, some unemployment tax returns bypass automated routines that provide needed scrutiny to detect and correct errors.

These computer programs are inflexible, poorly documented, and difficult to maintain. Considering these factors, Employment should take steps to replace them with more robust and maintainable computer code.

Computer security problems increase risk that data could be compromised

Coordinated use of multiple security components is necessary to protect the integrity of computer systems and their data. Although Employment management and the state’s data center have done much to protect Employment’s computer systems, improvements are needed.

Areas of most concern include ensuring users have the appropriate level of access to computer programs, monitoring actions of users having the most powerful access to systems, and addressing state data center security weaknesses we identified in previous audits.

Processes to better control changes to computer code are needed

Our 2003 and 2012 audits noted problems managing programming changes to these systems. These conditions remain largely unchanged, and increase the risk that programmers could introduce unauthorized or untested changes to the system.

Although these weaknesses are long-standing, Employment managers and staff recently began work to resolve them. They currently have a project to acquire a software solution that could significantly enhance their ability to address many of the identified problems.

Disaster recovery capability is greatly improved, but Employment should ensure plans and processes are complete

Responsibility for recovering the use of computer systems in the event of a disaster is shared with the state data center where these computer systems are hosted. In 2014, the data center entered into an agreement with the state of Montana to place copies of Oregon’s computer systems and data inside Montana’s data center.

This innovative approach to disaster recovery significantly improves Employment’s ability to resume operations in the event of a disaster but additional work is needed to ensure these systems and data are secure and can be made fully operational when needed.

Recommendations

We recommend that management take steps to improve processes for detecting and correcting unemployment tax return errors, improve system documentation, resolve security weaknesses, and fully develop and test disaster recovery procedures.

Agency Response

The agency’s response to the report is included at the end of the audit report.


Photo courtesy of © Dana Rothstein | Dreamstime Stock Photos
