Audit Release: Automated Medicaid eligibility is processed appropriately at OHA, yet manual input accuracy and eligibility override monitoring need improvement

AUDIT PURPOSE

In Oregon, over one million individuals have Medicaid coverage. Medicaid expenditures totaled $9.3 billion in fiscal year 2016, including $1.2 billion in state general funds. We conducted this audit to determine if two critical automated computer programs managed by the Oregon Health Authority accurately verify Medicaid client eligibility and accurately issue payments to healthcare providers. If these programs do not function properly, clients may inappropriately receive, or be denied, Medicaid benefits.

FINDINGS IMPACT

Manual input errors and lack of monitoring of overrides can cause inappropriate eligibility determinations and payments to providers. If agency leadership implements more effective monitoring of caseworker eligibility overrides and improves manual input accuracy, the state will better comply with eligibility requirements and increase accuracy of payments. Inaction will allow overrides and manual input errors to continue causing inappropriate payments to providers.

Read full report here.

KEY FINDINGS

  • Two critical automated computer programs appropriately determined eligibility, enrolled Medicaid clients in coordinated care organizations, and made appropriate payments to those organizations based on eligibility information received.
  • Automated computer processes appropriately validated the Social Security number and citizenship status of applicants over 99.7% of the time in our review of over 425,000 records.
  • We reviewed 30 eligibility determinations and found seven (23%) had manual input errors. While only one error resulted in a client being determined eligible when they were not, each of the errors related to application information that could have resulted in inappropriate eligibility determinations.
  • Although their volume has significantly decreased over time, overrides of eligibility are not sufficiently monitored, meaning unauthorized overrides of Medicaid eligibility could occur.
  • Our review of 72 overridden eligibility segments showed caseworkers did not take proper action to clear 25 (35%). Overridden segments are not subject to automated processes that redetermine eligibility for certain clients.
  • Our 2011 audit recommendations to OHA and DHS concerning access to the Medicaid Management Information System have not been fully implemented, increasing security risk.

RECOMMENDATIONS SUMMARY

  • OHA should continue efforts to improve caseworker manual input accuracy through additional training, and implement a review process for input where errors negatively affect eligibility determination.
  • OHA managers should monitor eligibility overrides to prevent unauthorized validation and ensure state resources are spent appropriately.
  • OHA and DHS should fully implement our 2011 audit logical access recommendations.

Oregon Department of Education: Computer Systems Ensure Integrity of Data, But Other Processes Need Improvement

Executive Summary


The Oregon Department of Education (department) oversees the education of over 560,000 students in Oregon’s public K-12 education system. The annual distribution of the State School Fund of $3 billion and federal funding of about $750 million help fund Oregon’s public education.
The department’s computer systems reasonably ensure the integrity of data used to distribute the State School Fund and appropriately process school district claims for federal funding. However, improvements are needed to provide better security for computer systems and student data, manage changes to computer systems, and ensure systems can be restored in the event of a disaster.

Read full report here.

Computer systems ensure integrity of student and school data

Department staff use the Consolidated Collection System to analyze and aggregate school and student data. They use information from this system to allocate monies to Oregon’s schools and education service districts. Computer systems reasonably ensured the integrity of student and school information through automated processes that accurately identify students and detect potential data errors. In addition, department analysts use system information to validate student and school data.

Computer systems appropriately receive and process School district claims for federal funding

The department uses the Electronic Grant Management System and the Federal Cash Ordering System to receive and process requests for federal program expenditure reimbursements. We found that computer controls reasonably ensure that these systems could appropriately receive and process school district claims for federal funding. These systems ensure grant claims do not exceed available balances and reject claims that otherwise would be ineligible for reimbursement.

Security measures for computer systems were insufficient

Although the department provides important protection measures for security, improvements are needed to better secure their computer systems and data. Weaknesses we identified relate to the department’s processes for planning, configuring, managing, and monitoring information technology security components. As such, the department does not provide an appropriate layered defense to protect agency computer applications. Thus, confidential student level information is at increased risk of disclosure or compromise.

Management of changes to computer systems needs improvement

The department has formal processes and tools for managing changes to their systems, but staff do not always fully utilize them. Independent and technical reviews of computer code changes did not always occur and processes were not in place to ensure only approved code could be placed in production. These weaknesses increase the risk that developers could introduce unauthorized or untested changes to the systems.

System files and data are appropriately backed up but procedures for timely restoration after a disaster are absent

The department has processes in place to back up critical data and can restore individual files as needed. However, department management and staff have not fully developed and tested a comprehensive disaster recovery plan capable of restoring critical systems and data in the event of a disaster or major disruption. Without a disaster recovery plan, the department cannot ensure it can timely restore operations in the event of a disaster.

Recommendations

We recommend that Department of Education management ensure resolution of identified security weaknesses, improve processes for changing computer code, and fully develop and test processes for restoring computer systems after a disaster.

Agency Response

The full agency response can be found at the end of the report.


Audit Release: Improving State Computer System Security will take Time, Resources, and Cooperation

Executive Summary


Most state agencies we reviewed do not have adequate security plans, processes, or staffing to carry out fundamental security functions that protect their information systems and data. The Office of the State Chief Information Officer is responsible for ensuring agencies carry out these critical functions, but has not yet provided sufficient standards and oversight to help agencies achieve appropriate information technology security. In September 2016, the Governor signed an executive order to unify cyber security in Oregon, but much work and cooperation remains to fulfill the requirements of the executive order and improve statewide security.

Read full report here.

State agency security efforts fall short

We reviewed 13 state agencies’ information security plans and a selection of security functions to determine if agencies were adequately protecting their systems and data. More than half of the agencies had security weaknesses in six of the seven fundamental security controls reviewed, and all agencies had at least two weaknesses.

These agencies represented a cross section of state government agencies. They process and store different types of information ranging from mostly public documents to highly sensitive tax, court, and medical records that require a higher level of protection to comply with federal law.

Overall, planning efforts were often perfunctory, security staffing was generally insufficient, and critical security functions were not always performed. These weaknesses collectively increase the risk of a security incident at one or more of the agencies.

Office of the State Chief Information Officer not fully prepared to centrally administer the state’s security function

State law gives the state Chief Information Officer responsibility for planning statewide security, setting security standards and policies, and ensuring remedial actions are undertaken to correct known security weaknesses. However, the Office of the State Chief Information Officer (OSCIO) has not yet provided state agencies with sufficient and appropriate information technology security standards and oversight. In addition, the OSCIO does not have processes to ensure that agencies comply with the published statewide standards and the regulations imposed by federal requirements.

Recent executive order shifts security functions from the agencies to the Office of the State Chief Information Officer but much work remains

In September 2016, the Governor signed Executive Order No. 16-13 Unifying Cyber Security in Oregon. This directive outlines a process to unify information technology security, including a process to transfer state agency security functions and staffing into the OSCIO until June 30, 2017. In addition, it directs agencies to work with the OSCIO’s newly formed security group to develop and implement security plans, rules, policies, and standards. The directive also requires agencies to fully cooperate with the OSCIO to implement a statewide agency-by-agency risk-based security assessment and remediation program.

However, the executive order may not fully resolve the state’s information technology security weaknesses. The need to securely operate information systems competes for resources with the needs of the agencies to provide services to Oregonians. The executive order transfers security functions but does not add additional resources or describe how agency security staff will work with the OSCIO while remaining under agency management direction for day-to-day activities. In addition, at the time of this report, the OSCIO has not yet developed plans detailing how the OSCIO and agencies will achieve the requirements of the executive order.

Ultimately, the Governor, the OSCIO, agency directors, and the Legislature must cooperate to create, fund, endorse, and implement a statewide security plan. Without full cooperation of these key stakeholders, it is unlikely that the state’s security posture will significantly improve.

Recommendations

We recommend that the Office of the State Chief Information Officer:

  • Collaborate with state agencies to develop detailed plans in order to fully implement the requirements of Executive Order No. 16-13.
  • Develop sufficient statewide standards and processes for oversight to ensure security of agency computer systems.
  • Collaborate with state agencies to ensure remediation of the specific weaknesses communicated to state agencies in separate management letters.
  • Work with the Governor, Legislature, and agency directors to ensure staffing and resources are available to implement agency security measures.

Agency Response

The Office of the State Chief Information Officer generally agrees with the findings and recommendations in this report. The full agency response can be found at the end of the report.


Methods (to our Madness): A 2 Minute Primer on IT Auditing, Through the Lens of an Employment Audit

Periodically, we will highlight some of the methods used in a recently released audit. Every performance audit is unique and can require creative thinking and methodologies to answer our audit objective. Some of these methods could be replicated or present valuable lessons for future projects.

Given some of Oregon’s high profile computer system failures, the global risk of IT security and the age of some Oregon agencies’ legacy computer systems, it is easy to see the importance of the Secretary of State’s team of Information Technology (IT) auditors. But what exactly do IT auditors do?

Here are some lessons learned and basic steps taken in IT auditing that I learned from Erika Ungern, Principal Auditor, and Matthew Owens, Senior Auditor in a conversation about their recently released IT audit, which found that computer programs for unemployment tax returns and claims at the Oregon Employment Department need attention.

When doing an IT audit, always test the data

In the Oregon Employment Department audit, the audit team followed a typical process for IT audits, including identifying the computer systems to evaluate, examining the process and expected controls of those systems, and testing the data to make sure that the systems were operating as intended.

When I asked the team if they always do the final step of testing the data, their faces lit up. (I’m not sure if it was due to the excitement of thinking about data or shock that I would even ask such a question). They replied in near unison that yes, you always have to test the data. Even if everything looks good on paper, the only way you can know if a system is working is to test it.

Compared to an ideal world, the Department’s computer systems fell short

COBIT and FISCAM are two criteria frameworks that describe an ideal world for government IT systems. IT auditors can measure a computer system against these frameworks to identify areas for improvement.

When IT auditors do this, they look at different points in the system and the controls that they would expect to find at each point. They look at the inputs. What is supposed to get into the system? They look at what the system does. How does it process or manipulate the data? And they look at the output. What happens at the end? Is there a report? Is the data transferred to another system? Or, as is the case here, is the output hundreds of millions of dollars in payments for unemployment claims?

At each point, they look for controls, or processes and checks built into the system or staff operations, that can prevent, detect or correct errors and ensure accuracy. For example, system “edits” are intended to ensure that unemployment insurance claims are not paid to recipients whose claim applications were denied.

The audit team looked at two of the Department’s systems and found that they were set up to handle routine claims and to process most employer tax payments automatically. However, the systems were old. Changes were not well documented and workarounds had been developed. Sometimes the team had to look at the computer code to understand what was going on. Uncorrected system problems could lead to some tax returns bypassing automated checks or requiring manual verification. The team proceeded to the next step to test the data and find examples of cases that were bypassing the system.

Data testing created an example for the Department to replicate

Employers submit unemployment insurance tax return data in two ways, one at the detailed employee wage level and one at the summary payroll level. The audit team took these two data sources and performed various analyses. In one instance, the audit team recalculated taxable wages to identify employers who may have under-reported (or over-reported) taxable wages, which in turn led to under or overpaying unemployment taxes. This analysis was so useful that the Department asked the audit team for a step-by-step explanation (see below) so that they could replicate it.

Finding million dollar issues now could save even more during a busy recession

Based on this analysis, the team found that nearly 2,000 employers had overpaid taxes by approximately $850,000 in 2014 and had not been notified. One non-profit overpaid by $17,000. They also found potentially $2.9 million in underpayments that had not been collected. While these amounts are a small portion of the overall tax collections, they could increase dramatically when unemployment increases, such as during a recession. Additionally, as evidenced by the non-profit example, missing these errors could have a large impact on small employers.

The Employment Department was not catching these discrepancies because staff were not reviewing the system-generated reports that could have helped them identify these issues.

Lessons learned: document as you go along

When I asked the team what lessons they had learned, they told me to document the steps you are taking as you do your data analysis. Hm, I think I have heard that advice before.

Breaking down the methodology

Here is a step-by-step look at how the team analyzed the data for incorrect unemployment insurance tax payment:

  1. The team took individual wage data and created a calculated field that capped each employee’s wages at $35,000 (since $35,000 was the taxable wage base). Any value under $35,000 retained its original value.
  2. They summarized the data to get a total of calculated taxable wages for each employer.
  3. They filtered the table to show only taxable employers.
  4. The team then compared the taxable wages field with another field of payroll reported by employers. To do this, they created a new field that subtracted the taxable wages from the payroll field.
  5. They followed up on the results for any employer where the difference was greater than one dollar.
  6. They calculated a potential overpayment or underpayment of taxes using the employer’s assigned tax rate.
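The six steps above, carried through in code as an added example (this is not the audit team’s own script). The employee wage records, the summary payroll returns, and the tax rates are constructed sample data; the $35,000 taxable wage base and the one-dollar follow-up threshold are the figures quoted in the post. The sign convention follows step 4: difference = reported payroll minus recalculated taxable wages, so a positive difference means the employer over-reported and overpaid tax, a negative one means under-reporting and a potential underpayment.

```python
"""Recalculate taxable wages per employer and flag employers whose reported
payroll disagrees with the employee-level wage detail.

Added example following the blog post's six-step methodology. All input
records below are constructed sample data, not Employment Department data.
"""
from collections import defaultdict

TAXABLE_WAGE_BASE = 35_000.00  # per-employee cap quoted in the post
TOLERANCE = 1.00               # step 5: follow up when |difference| > $1

# Constructed sample: employee-level wage detail (one row per employee).
WAGE_DETAIL = [
    # (employer_id, employee_id, wages_reported_for_employee)
    ("E100", "w1", 52_000.00),
    ("E100", "w2", 20_000.00),
    ("E200", "w3", 35_000.00),
    ("E200", "w4", 10_500.00),
    ("E300", "w5", 90_000.00),
    ("E400", "w6", 30_000.00),
]

# Constructed sample: summary payroll return, one row per employer.
PAYROLL_SUMMARY = {
    # employer_id: (is_taxable_employer, reported_taxable_wages, tax_rate)
    "E100": (True, 72_000.00, 0.024),   # forgot to cap w1: over-reported
    "E200": (True, 45_500.00, 0.031),   # agrees with the wage detail
    "E300": (True, 20_000.00, 0.018),   # under-reported
    "E400": (False, 30_000.00, 0.000),  # non-taxable employer, excluded in step 3
}


def cap_wages(wages, base=TAXABLE_WAGE_BASE):
    """Step 1: an employee's taxable wages are their wages capped at the base."""
    return min(wages, base)


def calculated_taxable_by_employer(detail):
    """Step 2: sum the capped per-employee amounts for each employer."""
    totals = defaultdict(float)
    for employer_id, _employee_id, wages in detail:
        totals[employer_id] += cap_wages(wages)
    return dict(totals)


def find_discrepancies(detail, summary, tolerance=TOLERANCE):
    """Steps 3-6: compare recalculated taxable wages with reported payroll for
    taxable employers and price the gap at the employer's assigned rate.

    Returns one dict per employer whose |difference| exceeds the tolerance.
    difference = reported - calculated (positive: overpaid, negative: underpaid).
    An employer that filed a summary return but has no wage detail is still
    compared (against a calculated total of zero) so the missing detail surfaces.
    """
    calculated = calculated_taxable_by_employer(detail)
    findings = []
    for employer_id, (is_taxable, reported, rate) in summary.items():
        if not is_taxable:
            continue                                    # step 3
        calc = calculated.get(employer_id, 0.0)
        difference = round(reported - calc, 2)          # step 4
        if abs(difference) <= tolerance:
            continue                                    # step 5
        tax_delta = round(difference * rate, 2)         # step 6
        findings.append({
            "employer_id": employer_id,
            "calculated_taxable": round(calc, 2),
            "reported_taxable": reported,
            "difference": difference,
            "tax_delta": tax_delta,
            "status": "overpaid" if difference > 0 else "underpaid",
        })
    return findings


if __name__ == "__main__":
    for row in find_discrepancies(WAGE_DETAIL, PAYROLL_SUMMARY):
        print(f"{row['employer_id']}: {row['status']} by ${abs(row['tax_delta']):,.2f} "
              f"(reported {row['reported_taxable']:,.2f}, "
              f"recalculated {row['calculated_taxable']:,.2f})")
```

Run as-is, the script flags E100 as having overpaid (the employer reported an uncapped $52,000 for one employee) and E300 as having underpaid; E200 agrees to the dollar and E400 is skipped as non-taxable. Run against real data, the two inputs would be the employee-level and summary-level returns the post describes, joined on the employer identifier.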


Caroline Zavitkovski, OAD Senior Performance Auditor, MPA


Portland City Auditor: Payment Card Data Security Audit

In 2014, the Portland City Auditor released a report stating that the City’s handling of payment card transactions did not comply with the payment card industry’s data security standard (PCI DSS). Now, certified external assessors report that the City complies with the standard. Outsourcing payment card processing services, improving data security, and discontinuing some payment options for customers brought the City into compliance.

City of Portland Credit Card audit

The City received more than 10 million payments using credit or debit cards last year for water and sewer services, Parks and Recreation classes or permits, and parking – including City-owned parking garages.

The industry standard applies to merchants, like the City, that accept credit or debit cards for payment. It is pass/fail: failing any of its 12 requirements means the merchant fails to meet the overall standard. Portland was out of compliance for the previous seven years. Now that the City is in compliance, it will be tested each year by an outside assessor to make sure it continues to meet the standard.

Read the full audit online 

News coverage of the audit

KOIN 6: Portland promises it’s safe to use credit cards. City auditor discovered the city failed security requirements since 2009

Portland Tribune: City improves credit card payment security, but work remains


Oregon Employment Department: Computer Programs for Unemployment Tax Returns and Claims Need Attention

Executive Summary


Oregon Employment Department computer programs correctly process most individual unemployment insurance claims and associated employer tax returns, but these outdated computer programs should be replaced. Additional work is also needed to improve security, processes for changing computer code, and disaster recovery capability.

Computer programs correctly handle most unemployment benefit claims and tax statements, but should be replaced

Oregon Employment Department (Employment) computer systems handle routine unemployment claims accurately. Systems also process most employer quarterly unemployment tax returns appropriately. However, due to system limitations, Employment staff must identify and manually correct some unemployment claim errors. In addition, some unemployment tax returns bypass automated routines that provide needed scrutiny to detect and correct errors.

These computer programs are inflexible, poorly documented, and difficult to maintain. Considering these factors, Employment should take steps to replace them with more robust and maintainable computer code.

Computer security problems increase risk that data could be compromised

Coordinated use of multiple security components is necessary to protect the integrity of computer systems and their data. Although Employment management and the state’s data center have done much to protect Employment’s computer systems, improvements are needed.

Areas of most concern include ensuring users have the appropriate level of access to computer programs, monitoring actions of users having the most powerful access to systems, and addressing state data center security weaknesses we identified in previous audits.

Processes to better control changes to computer code are needed

Our 2003 and 2012 audits noted problems managing programming changes to these systems. These conditions remain largely unchanged, and increase the risk that programmers could introduce unauthorized or untested changes to the system.

Although these weaknesses are long-standing, Employment managers and staff recently began work to resolve them. They currently have a project to acquire a software solution that could significantly enhance their ability to address many of the identified problems.

Disaster recovery capability is greatly improved, but Employment should ensure plans and processes are complete

Responsibility for recovering the use of computer systems in the event of a disaster is shared with the state data center where these computer systems are hosted. In 2014, the data center entered into an agreement with the state of Montana to place copies of Oregon’s computer systems and data inside Montana’s data center.

This innovative approach to disaster recovery significantly improves Employment’s ability to resume operations in the event of a disaster but additional work is needed to ensure these systems and data are secure and can be made fully operational when needed.

Recommendations

We recommend that management take steps to improve processes for detecting and correcting unemployment tax return errors, improve system documentation, resolve security weaknesses, and fully develop and test disaster recovery procedures.

Agency Response

The agency’s response to the report is included at the end of the audit report.


State Data Center: First steps to address longstanding security risks, much more to do

Executive Summary


Over the last nine years, security weaknesses at the state data center have put confidential information at risk. These weaknesses persisted because the state abandoned its initial security plans, did not assign security roles and responsibilities, and did not provide sufficient security staff. The Governor, Legislature, and Chief Information Officer have taken the first steps to fix these problems, but the solutions will take time, resources, and cooperation from state agencies.

Critical security issues were never resolved at the data center

Data center management and staff are meeting the day-to-day computing needs of the state agencies relying on its services. However, critical security issues identified throughout the past nine years were never resolved.

Security problems affect multiple components of the data center’s layered-defense strategy intended to make it more difficult for unauthorized users to compromise computer systems.

These weaknesses increase the risk that computer systems and data could be compromised, resulting in leaked confidential data such as social security numbers and medical records information.

Data center was never fully configured for security

Management got a good start on security planning, but during data center consolidation management abandoned the plan thinking they would complete some steps at a future time. Once the data center became operational, staff was overburdened and unable to make meaningful progress toward resolving critical security issues or implement security systems they purchased.

These adverse conditions continued because management did not assign overall responsibility or authority to plan, design, and manage security. In addition, they did not provide the necessary staffing to implement and operate security systems.

First steps have been taken to resolve longstanding data center problems

The Governor, Legislature, and Director of the Department of Administrative Services took steps in the last six months to address data center staffing and organizational issues.

Two key steps that occurred were the state Chief Information Officer (CIO) became responsible for data center operations and the state Chief Information Security Officer was moved to the data center and tasked to oversee its overall security function.

These actions increased management’s focus on security at the data center. However, it will take additional time, perseverance, significant resources, and cooperation to resolve all known weaknesses.

Some computer operations were stable but disaster recovery was only partially tested

Apart from security, data center staff provide important operational support to agencies, including routine backups and monitoring of computer processing. Data center staff made significant strides to resolve prior disaster recovery weaknesses identified by earlier audits. Their innovative approach was to partner with the Montana State Data Center to establish an alternate site to store and process data.

However, additional work needs to be done to ensure data at that site is secure, update recovery plans, and test the system.

Recommendations

We recommend agency management take steps to reconfigure data center security to provide the layered-defense strategy needed to protect state data systems. To accomplish this, management should clearly define security roles, responsibility and authority to carry out the plans and provide sufficient staff.

We also recommend management update and fully test disaster recovery plans and ensure data is secure at the remote site.

Agency Response

The agency agreed with all of the audit findings and recommendations. The response includes specific plans to correct longstanding security weaknesses and improve overall security organization, plans and staffing.

Their full response is attached at the end of the audit report.
