Audit Release: Oregon’s Framework for Regulating Marijuana Should Be Strengthened to Better Mitigate Diversion Risk and Improve Laboratory Testing


Report Highlights

Gaps in Oregon’s developing marijuana regulatory framework increase the risk of legal marijuana diverting to the black market, especially in the medical marijuana program. To improve marijuana laboratory testing and protect public health, the state should consider requiring testing for heavy metals and microbiological contaminants, enhance test oversight, and ensure labs meet accreditation standards.

Background

Voters approved Measure 91 in 2014, legalizing the production and sale of recreational marijuana in Oregon. However, marijuana remains illegal federally, and federal officials have expressed serious concerns about marijuana from Oregon crossing into other states. The Oregon Liquor Control Commission (OLCC) regulates the recreational marijuana market, while the Oregon Health Authority (OHA) oversees medical marijuana and marijuana lab testing rules. As of November 2018, retail sales had generated $207 million in tax revenue.

Purpose

This audit’s purpose was to determine whether Oregon has adequate controls to deter the diversion of legal marijuana to the black market and to oversee marijuana laboratory testing to ensure test results are accurate.

Key Findings

  1. OLCC is still establishing a regulatory framework for recreational marijuana and has put many controls in place, such as requiring seed-to-sale product tracking and surveillance cameras. However, with no cap on the number of licenses and more applications than expected, staffing and inspections have not kept pace. As a result, only 3% of retailers and 32% of growers have had a compliance inspection.
  2. Structural weaknesses in the medical marijuana program greatly increase the risk of diversion. In contrast to OLCC, OHA lacks the authority to put important controls in place, such as requiring medical growers to have surveillance cameras. The agency has only four permanent staff to inspect roughly 14,000 grow sites and has struggled with decreasing revenues, turnover, and performance management.
  3. All recreational marijuana in Oregon must be tested for pesticides and solvents, but most medical marijuana is not required to be tested. Also, OHA does not require heavy metal and microbiological testing, in contrast to some other states. These contaminants could pose a risk to consumers.
  4. Without a mechanism for verifying test results, Oregon’s marijuana testing program cannot ensure that test results are reliable and products are safe. Limited authority, inadequate staffing, and inefficient processes reduce OHA’s ability to ensure Oregon marijuana labs consistently operate under accreditation standards and industry pressures may affect lab practices and the accuracy of results.

Recommendations

OLCC and OHA agreed with all 23 of our recommendations; for three of them, OHA indicated it would be unable to take action without further statutory authority. The agencies’ responses are included at the end of the report.

Read full report here.

Featured New Audit Release Performance Audit

Audit Release: Oregon Department of Revenue Cybersecurity Controls Assessment


Report Highlights

This audit was conducted to assess critical security controls and the Department of Revenue’s (DOR) information technology (IT) security management program.  We concluded the agency should update its security management program to reflect recent statewide changes to IT security governance structures, as well as correct weaknesses in inventory management, vulnerability management, control of administrative accounts, configuration change management, and audit logging processes.

Background

DOR handles sensitive information, including taxpayer personal information and tax data. The agency, in collaboration with the Enterprise Security Office at the Office of the State Chief Information Officer (OSCIO), is responsible for implementing a security management program to ensure the confidentiality, availability, and integrity of the information with which it is entrusted.

Purpose

The purpose of this audit was to determine whether DOR has implemented an appropriate IT security management program and the basic cyber security controls necessary to ensure cyber defense readiness.

Key Findings

  1. DOR had implemented a security management program, but associated plans and procedures have not been updated to reflect current staffing levels and reorganization of statewide security by the OSCIO.
  2. DOR lacks specific policies and fully automated controls for many elements of the basic security controls identified by the Center for Internet Security. These basic controls should be implemented in every organization to reduce the risk that attackers could compromise systems and data.

Recommendations

We recommend DOR improve its security management program and remedy weaknesses we identified in the basic controls defined by the Center for Internet Security.

DOR agreed with all of our recommendations. The agency’s response can be found at the end of the report.

Read the full report here.

Featured New Audit Release

Audit Release, Oregon Department of Revenue: Enhancing Organizational Culture and Addressing Customer Service Challenges Will Optimize Agency Performance


Report Highlights

Organizational culture is key to shaping how members interact with each other and how they achieve their mission and objectives. However, organizational culture in an organization, such as the Department of Revenue (DOR), can be difficult to assess or change. Both DOR staff and management have identified a desire to shift towards a more collaborative agency culture and share perspectives on how culture can be enhanced to meet employees’ needs. DOR leadership makes decisions regarding agency operations; this report provides information that can help inform some of those decisions. DOR leadership has been engaged with the audit and acknowledged that enhancing the culture is a good opportunity within the agency.

Background

DOR has undergone tremendous change in the last five years. This include several changes in leadership positions, including the Director, and implementation of a critical and expansive information technology system. These significant governance and operational changes affected both internal and external stakeholders. For example, DOR’s customer service rating decreased dramatically, drawing the attention of the Legislature in 2017. We utilized a specialized methodology to assess how enhancing culture could help optimize the agency’s performance. The DOR Director has been supportive of our methodology and appears committed to enhancing the agency’s culture.

Purpose

The purpose of this audit was to determine how changes to DOR’s culture could improve agency performance and to identify factors for the decline in customer service satisfaction from 2013 through 2016 that can be addressed to enhance customer service moving forward.

Key Findings

  1. Opportunities exist to enhance DOR’s operating culture and employee morale. Specifically, DOR management should develop a formal strategy and take action to better incorporate collaborative values within the agency. The strategy should include robust internal communications, an effective accountability framework, a collaborative feedback process, and improved workplace interactions.
  2. The agency’s customer satisfaction declined between 2013 and 2016. A portion of this decrease was due to implementation of a critical and complex IT system known as GenTax. DOR has already identified and addressed a number of customer service deficiencies; as a result, customer service ratings increased in 2017 and 2018. DOR should complete efforts underway to address these challenges.

Recommendations

We made five recommendations to DOR for actions needed to improve its organizational culture and customer satisfaction. DOR agreed with all of our recommendations. The agency’s response can be found at the end of the report.

Read the full report here.

Featured New Audit Release Performance Audit

Audit Release: ODE and PPS Must Do More to Monitor Spending and Address Systemic Obstacles to Student Performance, Particularly at Struggling Schools


Report Highlights

At the Oregon Department of Education (ODE) and Portland Public Schools (PPS), monitoring of spending and evaluation of performance is limited and inconsistent, even as student performance continues to lag. This lack of sustained focus limits achievement gains and affects students at high-poverty schools the most. Oregon’s K-12 education funding has fallen into the lower half among states and retirement costs are rising quickly, increasing the importance of ensuring effective education spending.

Background

Since the 1990s, K-12 education funding has shifted substantially to the state, which spends about $4.3 billion a year in addition to local property taxes collected for education. Despite some recent improvement, the state as a whole and PPS specifically still face low graduation rates and large achievement gaps, underscoring the need to improve returns on this investment. However, improving K-12 education requires navigating multiple layers of government, from local to state to federal. PPS’s new leadership has taken important steps toward developing a uniform core curriculum, improving training, and adding student support, but still has substantial work to do. The state is also transitioning to the latest in a series of accountability systems. These challenges increase the risk that a sharp, unified focus on improving student achievement will be further delayed.

Purpose

The purpose of this audit was to examine spending at ODE and PPS, the state’s largest school district, including transparency, controls, and priorities, and determine additional steps these agencies could take to improve returns on the state’s education investments and increase achievement. As a component of the audit, we honored a request from the Oregon Legislature to audit ODE grant management.

Key Findings

  1. ODE does relatively little to support and monitor efficient district spending. The Legislature has not required detailed reviews of school district efficiency outside of narrowly focused initiatives.
  2. PPS has more money to spend per student than many of its state and national peer districts, but the district is spending proportionately less on instruction and more on support services than many of its peers. Potential savings areas we identified include executive administration, substitute teacher use, health benefits, bus service, and legal costs.
  3. PPS needs to develop a more transparent budget, publicly report on the results of its investments in student achievement, and detail how its revenues and spending compare to peer districts. The district also needs to better control increasing employee use of purchasing cards.
  4. ODE and PPS are not adequately evaluating whether grants, contracts, and other dollars, often intended for Oregon’s most vulnerable students, are improving student performance. At PPS, contract issues include poor oversight of alternative education contracts and limited scrutiny of non-competitive contracts. ODE has not adequately evaluated its school improvement efforts under the federal Title I program, focused on some of the most vulnerable children in the state. The lack of sustained focus at PPS and statewide has the most detrimental effect on schools serving high numbers of African-American, Latino, and economically disadvantaged students.
  5. At PPS, inequities affecting these students include relatively high rates of teacher turnover and absences at high-poverty schools, a disconnect between teachers and administrators on managing student conduct, and a teacher hiring and transfer system that contributes to high-poverty schools having less experienced teachers. The district has also not prioritized principal or teacher stability at high-poverty schools, adequately supported principals, or developed a consistent and effective performance evaluation system.
  6. In comparison to students in peer districts, PPS does relatively poorly with African-American, Latino, and economically disadvantaged students. Conversely, the district does relatively well compared to peers with white students and students who are not economically disadvantaged.
  7. ODE’s limited enforcement of district standards, a new K-12 accountability system at risk of delays, a reliance on short-lived improvement initiatives, and a disjointed system of education funding all increase the risk that the state’s student performance will continue to lag. ODE enforcement of standards designed to improve student achievement is limited, and education leaders and the Legislature have not resolved how best to improve districts without infringing on local control.

Recommendations

We made 26 recommendations to help improve return on education investments at ODE and PPS.

Among the key recommendations for ODE:

  • Coordinate with the Governor’s Office, the State Board of Education, the Legislature, and districts to develop a plan to align education investments for the long-term.
  • Work with the State Board and stakeholders to evaluate Division 22 district standards for clarity and enforceability and ensure that ODE has adequate resources to review compliance and enforce standards when districts fall short.
  • For key grants, incorporate best-practice performance management, including setting quantitative and qualitative performance expectations in contracts, establishing baseline measurements, and providing timely and constructive feedback to grantees.

Among the key recommendations for PPS:

  • Investigate and report on potential savings areas in depth, including the level of executive administration, use of substitute teachers and educational assistants due to educator absences, health benefits, bus services, legal services, and building utilization.
  • While working to improve instructional quality, address other obstacles that create inequities at high-poverty schools. Strategies include changes to attendance rules, boundary changes, and practices that could encourage retention of high-quality principals and teachers at high-poverty schools, such as additional pay, enhanced training, and additional classroom support.

We also made a recommendation to the PPS school board. In general, the board should ensure that district administrators prioritize key steps to improve the efficiency and effectiveness of district operations. These steps include developing a strategic plan that focuses on long-term investment and measurement of results, and addressing inequities at high-poverty schools.

ODE and PPS agreed with all of our recommendations, with agency leaders detailing steps the agencies have already taken and providing timelines for completion. The auditees’ responses are at the end of the report.

Read the full report here.

Featured New Audit Release Performance Audit

Audit Release: Significant Cost Savings Can Be Achieved by Modernizing Oregon’s Procurement Systems and Practices


Report Highlights

The Department of Administrative Services (DAS) has taken steps to develop a strategic approach for procuring goods and services more efficiently and at lower costs. However, a lack of detailed purchase data inhibits the agency’s ability to analyze its spending, resulting in missed opportunities for potentially millions of dollars in cost savings. Additionally, although the Office of the State Chief Information Officer (OSCIO) has made some improvements in project oversight processes for major information technology (IT) procurements, those processes remain immature, resulting in inefficiencies and confusion for state agencies.

Background

DAS has the authority and responsibility to oversee procurements for state agencies. The OSCIO, a component of DAS, is responsible for overseeing major IT procurements conducted by the state. The OSCIO also has authority to require agencies to obtain independent quality assurance (QA) for IT projects.

Purpose

The purpose of this audit was to determine whether DAS has implemented effective processes to reduce risk and minimize costs associated with IT procurements. Furthermore, we sought to determine whether costs for QA services for major IT investments align with best practices and are appropriately independent.

Key Findings

  1. Due to reliance on legacy systems and outdated procurement processes, DAS Procurement Services does not adequately analyze state spending data. As a result, during the 2015-17 biennium, the state missed the opportunity to potentially reduce costs between $400 million and $1.6 billion based on DAS Procurement Services’ estimate of $8 billion in procurements during that time.
  2. Although efforts to improve procurement efficiencies and reduce costs through Oregon’s new Basecamp program generally align with best practices, the effectiveness of these efforts is limited due to a lack of detailed purchase data.
  3. The OSCIO has made progress in establishing oversight processes to mitigate significant procurement risks associated with major IT projects. However, some processes remain immature, and lack of training and guidance have contributed to confusion and frustration for agencies with projects subject to OSCIO oversight.
  4. The cost for QA services is below industry norms, averaging 3.5% of total project costs, with a median of 5.1%. Additionally, controls are appropriate to ensure QA remains independent, but report tracking should be strengthened.

Recommendations

Our report includes one recommendation to DAS to modernize strategic sourcing efforts and four recommendations to the OSCIO to strengthen IT investment oversight processes. DAS and the OSCIO agreed with all of our recommendations. The agency’s response can be found at the end of the report.

Read full report here.

Auditors at Work Featured IT Audit New Audit Release

Oregon Health Authority Audit Release: Constraints on Oregon’s Prescription Drug Monitoring Program Limit the State’s Ability to Help Address Opioid Drug Misuse and Abuse


Report Highlights

The Prescription Drug Monitoring Program provides an important tool to address prescription drug abuse, including opioid abuse, and help improve health outcomes. Oregon’s laws have put constraints on the program that limit its effectiveness and impact. Restrictions are placed on what data are collected, analyses that can be done with the data, and with whom information can be shared. Correcting weaknesses in Oregon’s program will maximize its potential and help address opioid and other substance abuse issues the state faces.

Background

Oregon has the highest rate in the nation of seniors hospitalized for opioid-related issues such as overdose, abuse, and dependence. The state also has the sixth highest percentage of teenage drug users. The Oregon Health Authority (OHA) manages the state’s Prescription Drug Monitoring Program (PDMP), which collects information on controlled substance prescriptions within the state. The program was designed to promote public health and safety and to help improve patient care. It was also developed to support the appropriate use of prescription drugs.

Purpose

The purpose of this audit was to determine if Oregon can better leverage its PDMP to help with the opioid epidemic.

Key Findings

  1. OHA could better use PDMP data to analyze trends in prescribed drugs, including identifying patterns of possible opioid misuse and abuse. State laws prevent OHA from sharing information with key stakeholders, such as health licensing boards and law enforcement, on questionable activity. Our analysis found people who have received opioid prescriptions from excessive numbers of prescribers, as well as instances of dangerous drug combinations and prescriptions for excessive dosages of drugs. One person who received an excessive amount of opioid prescriptions had some of those prescriptions paid for by Medicaid.
  2. Oregon is one of only nine states that does not require prescribers or pharmacies to use the PDMP database before an opioid prescription is written or dispensed. Mandating use can be effective in reducing opioid misuse and other health related outcomes.
  3. Due to statutory restrictions, Oregon’s PDMP does not collect some prescription information that could be critical in preventing prescription drug abuse. This includes prescriptions filled by pharmacies other than only retail, veterinarian prescribed prescriptions, prescriptions for Schedule V drugs and drugs known to be abused or misused such as gabapentin, and prescription details such as method of payment, lock-in status, and diagnosis information.

Recommendations

Our report includes 12 recommendations to OHA for optimizing the state’s PDMP. OHA can implement some of
these within existing statutes and rules, and for others it needs to work with the Legislature. OHA agreed with
all of the recommendations, but stated that because seven fall outside the scope of its statutory authority, its
ability to implement them is limited. The agency’s response can be found at the end of the report.

Read full report here.

Featured New Audit Release Performance Audit

Audit Release: ODOT Effectively Implementing Two Keep Oregon Moving Programs, but Could Do More to Enhance These Efforts


Report Highlights

Oregon House Bill 2017 (Keep Oregon Moving) is estimated to produce $5.2 billion in net revenue for the Oregon Department of Transportation (ODOT) to target congestion, public transportation and safety, and infrastructure repairs throughout the state. In addition to other initiatives, Keep Oregon Moving established two new programs: the Statewide Transportation Improvement Fund and Safe Routes to Schools infrastructure program. ODOT has developed and implemented frameworks to fulfill its statutory obligations for these two programs, but areas for improvement remain.

Background

Keep Oregon Moving was passed in 2017 as a significant investment in needed improvements to the state’s highway system, public transportation services, and routes for pedestrians, cyclists, and students. Its legislative intent is to increase the overall availability of public transit throughout the state, reduce congestion, increase safety, and provide public accountability. ODOT is charged with overseeing its implementation.

Purpose

The purpose of this audit was to examine ODOT’s strategic planning activities, governance approach, and control framework for implementing the state transportation investment package. The objective of the audit was to assess the accountability, equity, and transparency of the Statewide Transportation Improvement Fund (STIF) and Safe Routes to Schools (SRTS) programs established by Keep Oregon Moving. This real-time audit was conducted in alignment with our strategic focus of being timely and responsive. Real-time auditing focuses on evaluating front-end strategic planning, service delivery processes, controls, and performance measurement frameworks before or at the onset of signficant program or public policy implementations by state agencies.

Key Findings

We found ODOT has developed effective frameworks to meet its obligations for the STIF and SRTS programs. For example, ODOT developed timelines, engaged participants, and established milestones in order to meet Keep Oregon Moving requirements. However, ODOT still needs to refine the following areas:

  1. The STIF and SRTS programs lack performance measures to track the success of either program.
  2. The agency does not have documented internal policies and procedures for monitoring the use of STIF funds or for the review, approval, and monitoring process of submitted SRTS applications.
  3. Active Transportation Liaisons, who coordinate SRTS projects within ODOT regions, need better defined expectations and job duties as they relate to administering the SRTS program.

Recommendations

We include seven recommendations for ODOT intended to enhance the efficiency and effectiveness of the STIF and SRTS programs.

ODOT agreed with all of our recommendations. The agency’s response can be found at the end of the report.

Read the full report here.

Featured New Audit Release