Oregon Employment Department: Computer Programs for Unemployment Tax Returns and Claims Need Attention

Executive Summary


Oregon Employment Department computer programs correctly process most individual unemployment insurance claims and associated employer tax returns, but these outdated computer programs should be replaced. Additional work is also needed to improve security, processes for changing computer code, and disaster recovery capability.

Computer programs correctly handle most unemployment benefit claims and tax statements, but should be replaced

Oregon Employment Department (Employment) computer systems handle routine unemployment claims accurately. Systems also process most employer quarterly unemployment tax returns appropriately. However, due to system limitations, Employment staff must identify and manually correct some unemployment claim errors. In addition, some unemployment tax returns bypass automated routines that provide needed scrutiny to detect and correct errors.

These computer programs are inflexible, poorly documented, and difficult to maintain. Considering these factors, Employment should take steps to replace them with more robust and maintainable computer code.

Computer security problems increase risk that data could be compromised

Coordinated use of multiple security components is necessary to protect the integrity of computer systems and their data. Although Employment management and the state’s data center have done much to protect Employment’s computer systems, improvements are needed.

Areas of most concern include ensuring users have the appropriate level of access to computer programs, monitoring actions of users having the most powerful access to systems, and addressing state data center security weaknesses we identified in previous audits.

Processes to better control changes to computer code are needed

Our 2003 and 2012 audits noted problems managing programming changes to these systems. These conditions remain largely unchanged, and increase the risk that programmers could introduce unauthorized or untested changes to the system.

Although these weaknesses are long-standing, Employment managers and staff recently began work to resolve them. They currently have a project to acquire a software solution that could significantly enhance their ability to address many of the identified problems.

Disaster recovery capability is greatly improved, but Employment should ensure plans and processes are complete

Responsibility for recovering the use of computer systems in the event of a disaster is shared with the state data center where these computer systems are hosted. In 2014, the data center entered into an agreement with the state of Montana to place copies of Oregon’s computer systems and data inside Montana’s data center.

This innovative approach to disaster recovery significantly improves Employment’s ability to resume operations in the event of a disaster, but additional work is needed to ensure these systems and data are secure and can be made fully operational when needed.

Recommendations

We recommend that management take steps to improve processes for detecting and correcting unemployment tax return errors, improve system documentation, resolve security weaknesses, and fully develop and test disaster recovery procedures.

Agency Response

The agency’s response to the report is included at the end of the audit report.


State Data Center: First steps to address longstanding security risks, much more to do

Executive Summary


Over the last nine years, security weaknesses at the state data center have put confidential information at risk. These weaknesses continued because the state abandoned initial security plans and did not assign security roles and responsibilities or provide sufficient security staff. The Governor, Legislature, and Chief Information Officer have taken the first steps to fix these problems, but the solutions will take time, resources, and cooperation from state agencies.

Critical security issues were never resolved at the data center

Data center management and staff are meeting day-to-day computing needs of state agencies relying on its services. However, critical security issues identified throughout the past nine years were never resolved.

Security problems affect multiple components of the data center’s layered-defense strategy intended to make it more difficult for unauthorized users to compromise computer systems.

These weaknesses increase the risk that computer systems and data could be compromised, resulting in leaked confidential data such as social security numbers and medical records information.

Data center was never fully configured for security

Management got a good start on security planning, but during data center consolidation management abandoned the plan, thinking they would complete some steps at a future time. Once the data center became operational, staff were overburdened and unable to make meaningful progress toward resolving critical security issues or implementing the security systems they had purchased.

These adverse conditions continued because management did not assign overall responsibility or authority to plan, design, and manage security. In addition, they did not provide the necessary staffing to implement and operate security systems.

First steps have been taken to resolve longstanding data center problems

The Governor, Legislature and Director of the Department of Administrative Services took steps in the last six months to address data center staffing and organizational issues.

Two key steps were taken: the state Chief Information Officer (CIO) became responsible for data center operations, and the state Chief Information Security Officer was moved to the data center and tasked with overseeing its overall security function.

These actions increased management’s focus on security at the data center. However, it will take additional time, perseverance, significant resources, and cooperation to resolve all known weaknesses.

Some computer operations were stable but disaster recovery was only partially tested

Apart from security, data center staff provides important operational support to agencies, including routine backups and monitoring computer processing. Data center staff made significant strides to resolve prior disaster recovery weaknesses identified by earlier audits. Their innovative approach was to partner with the Montana State Data Center to establish an alternate site to store and process data.

However, additional work needs to be done to ensure data at that site is secure, update recovery plans, and test the system.

Recommendations

We recommend agency management take steps to reconfigure data center security to provide the layered-defense strategy needed to protect state data systems. To accomplish this, management should clearly define security roles, responsibility and authority to carry out the plans and provide sufficient staff.

We also recommend management update and fully test disaster recovery plans and ensure data is secure at the remote site.

Agency Response

The agency agreed with all of the audit findings and recommendations. The response includes specific plans to correct longstanding security weaknesses and improve overall security organization, plans and staffing.

Their full response is attached at the end of the audit report.


Auditing critical state information systems: Behind the Scenes

The Legislature just approved our request for two more IT auditors to increase our ability to examine the thousands of IT systems in the state. We now have three teams of IT auditors, a 50% increase over the previous two! We make the best of our limited resources by focusing our skilled professionals on the systems most critical to the finances and operations of state government.

We will soon start recruiting for more IT auditors, so if you’re interested, watch the Secretary of State website in August when applications open.

Our IT Audit Manager, Neal Weatherspoon, was recently featured in the Summer 2015 newsletter of the Willamette Valley chapter of ISACA, an association of IT audit and security professionals.


IT Audits help trigger budget action

In addition to a cyber attack, two of our audits helped prompt a state agency to request more resources for computer security and for better oversight of computer projects, as reported by the Portland Tribune.

Our audits always include a security component and we prepare a confidential report on the weaknesses we find. State law allows confidential reporting to deny the information to hackers. Read our 2010 audit on security.

We recently issued an audit on IT Project Management, and concluded that inadequate resources would hamper the oversight by the Department of Administrative Services. Read our 2015 audit.


Major IT Projects: Continue Expanding Oversight and Strengthen Accountability




The new effort to monitor and control system development, “stage gate,” is a significant step in the right direction. However, the following weaknesses should be addressed:

  • DAS has not fully staffed or defined stage gate processes
  • Stage gate efforts may not sufficiently detect or prevent significant system development problems state agencies have experienced
  • Some state agencies lack expertise to manage large IT projects
  • Consequences of failure to meet stage gate requirements are unclear