Oregon Health Authority Audit Release: Constraints on Oregon’s Prescription Drug Monitoring Program Limit the State’s Ability to Help Address Opioid Drug Misuse and Abuse


Report Highlights

The Prescription Drug Monitoring Program provides an important tool to address prescription drug abuse, including opioid abuse, and help improve health outcomes. Oregon’s laws have put constraints on the program that limit its effectiveness and impact. Restrictions are placed on what data are collected, analyses that can be done with the data, and with whom information can be shared. Correcting weaknesses in Oregon’s program will maximize its potential and help address opioid and other substance abuse issues the state faces.

Background

Oregon has the highest rate in the nation of seniors hospitalized for opioid-related issues such as overdose, abuse, and dependence. The state also has the sixth highest percentage of teenage drug users. The Oregon Health Authority (OHA) manages the state’s Prescription Drug Monitoring Program (PDMP), which collects information on controlled substance prescriptions within the state. The program was designed to promote public health and safety and to help improve patient care. It was also developed to support the appropriate use of prescription drugs.

Purpose

The purpose of this audit was to determine if Oregon can better leverage its PDMP to help with the opioid epidemic.

Key Findings

  1. OHA could better use PDMP data to analyze trends in prescribed drugs, including identifying patterns of possible opioid misuse and abuse. State laws prevent OHA from sharing information with key stakeholders, such as health licensing boards and law enforcement, on questionable activity. Our analysis found people who have received opioid prescriptions from excessive numbers of prescribers, as well as instances of dangerous drug combinations and prescriptions for excessive dosages of drugs. One person who received an excessive amount of opioid prescriptions had some of those prescriptions paid for by Medicaid.
  2. Oregon is one of only nine states that does not require prescribers or pharmacies to use the PDMP database before an opioid prescription is written or dispensed. Mandating use can be effective in reducing opioid misuse and other health related outcomes.
  3. Due to statutory restrictions, Oregon’s PDMP does not collect some prescription information that could be critical in preventing prescription drug abuse. This includes prescriptions filled by pharmacies other than only retail, veterinarian prescribed prescriptions, prescriptions for Schedule V drugs and drugs known to be abused or misused such as gabapentin, and prescription details such as method of payment, lock-in status, and diagnosis information.

Recommendations

Our report includes 12 recommendations to OHA for optimizing the state’s PDMP. OHA can implement some of
these within existing statutes and rules, and for others it needs to work with the Legislature. OHA agreed with
all of the recommendations, but stated that because seven fall outside the scope of its statutory authority, its
ability to implement them is limited. The agency’s response can be found at the end of the report.

Read full report here.

Featured New Audit Release Performance Audit

Audit Release: ODOT Effectively Implementing Two Keep Oregon Moving Programs, but Could Do More to Enhance These Efforts


Report Highlights

Oregon House Bill 2017 (Keep Oregon Moving) is estimated to produce $5.2 billion in net revenue for the Oregon Department of Transportation (ODOT) to target congestion, public transportation and safety, and infrastructure repairs throughout the state. In addition to other initiatives, Keep Oregon Moving established two new programs: the Statewide Transportation Improvement Fund and Safe Routes to Schools infrastructure program. ODOT has developed and implemented frameworks to fulfill its statutory obligations for these two programs, but areas for improvement remain.

Background

Keep Oregon Moving was passed in 2017 as a significant investment in needed improvements to the state’s highway system, public transportation services, and routes for pedestrians, cyclists, and students. Its legislative intent is to increase the overall availability of public transit throughout the state, reduce congestion, increase safety, and provide public accountability. ODOT is charged with overseeing its implementation.

Purpose

The purpose of this audit was to examine ODOT’s strategic planning activities, governance approach, and control framework for implementing the state transportation investment package. The objective of the audit was to assess the accountability, equity, and transparency of the Statewide Transportation Improvement Fund (STIF) and Safe Routes to Schools (SRTS) programs established by Keep Oregon Moving. This real-time audit was conducted in alignment with our strategic focus of being timely and responsive. Real-time auditing focuses on evaluating front-end strategic planning, service delivery processes, controls, and performance measurement frameworks before or at the onset of signficant program or public policy implementations by state agencies.

Key Findings

We found ODOT has developed effective frameworks to meet its obligations for the STIF and SRTS programs. For example, ODOT developed timelines, engaged participants, and established milestones in order to meet Keep Oregon Moving requirements. However, ODOT still needs to refine the following areas:

  1. The STIF and SRTS programs lack performance measures to track the success of either program.
  2. The agency does not have documented internal policies and procedures for monitoring the use of STIF funds or for the review, approval, and monitoring process of submitted SRTS applications.
  3. Active Transportation Liaisons, who coordinate SRTS projects within ODOT regions, need better defined expectations and job duties as they relate to administering the SRTS program.

Recommendations

We include seven recommendations for ODOT intended to enhance the efficiency and effectiveness of the STIF and SRTS programs.

ODOT agreed with all of our recommendations. The agency’s response can be found at the end of the report.

Read the full report here.

Featured New Audit Release

Audit Recommendation Follow-Up: Department of Administrative Services Should Enhance Succession Planning to Address Workforce Risks and Challenges


Recommendation Follow-Up Results

The Department of Administrative Services (DAS) agreed with the original audit, which identified eight recommendations for implementing a succession planning framework. Our follow-up work shows DAS has fully implemented six of those recommendations since the initial report. This significant progress still requires a little more work to implement the remaining two recommendations.

Highlights from the Original Audit

The Secretary of State’s Audits Division found that DAS should play a stronger leadership role in addressing key workforce risks and challenges within the state executive branch through enhanced workforce succession planning.  Multiple factors indicate these risks and challenges are important including changing workforce demographics, and citizens’ needs for essential services that require skilled and experienced staff.

Background

Our original audit reviewed succession planning within Oregon’s executive branch. Succession planning is an ongoing management process used to ensure workforce continuity and effectiveness, particularly in key leadership and technical functions.

Purpose

The purpose of the audit was to determine if and how the State of Oregon could better plan for future key workforce needs, including preparing state employees to fill key roles.  The purpose of this follow-up report is to provide a status on the auditee’s efforts to implement our recommendations.

Key Findings

Within the context that effective succession planning is difficult, complex, and is frequently not a priority within the public sector, we found:

  1. DAS has not developed or implemented a state-level succession planning framework, despite recognizing the importance of succession planning.
  2. The lack of a succession planning framework increases workforce risks, such as not developing or retaining knowledgeable and skilled employees to perform critical functions.
  3. These risks are exacerbated by demographic and economic trends, including increasing retirement rates, and a lack of formal succession planning processes within state agencies.
  4. State agencies also report challenges, including inaccessible workforce information that may hinder strategic human capital management practices and should be addressed at a state level.

Read the full report here.

Audit Recommendation Follow-Up Featured New Audit Release

Audit Release: Progress has been Made to Address Security Weaknesses at the State Data Center, but Improvements are Still Needed


Report Highlights

Security at the Enterprise Technology Services State Data Center (data center) has improved due to organizational and staffing changes and the increased role of the Enterprise Security Office. Several longstanding security challenges have been addressed, yet more work remains to further refine and improve security capabilities and to address other areas where roles are not sufficiently defined. The operating environment for the data center remains stable and appropriately controlled. Disaster recovery capabilities have improved, although prioritization of recovery order needs to occur to ensure that the most critical state systems can be restored timely in the event of a major disaster.

Background

The data center is comprised of an extensive inventory of computer operating system platforms and networks. It provides centralized computer services such as networking, email, backup, and server services for more than 100 state agencies, boards, and commissions. Since the creation of the data center in 2006, numerous prior audits have identified significant security weaknesses. Starting in 2015, organizational changes moved overall responsibility for the data center to the Office of the State Chief Information Officer (OSCIO) and expanded the staffing and role of the Enterprise Security Office.

Purpose

Because of the critical services the data center provides, we audit it every two to three years. This audit followed up on the status of prior audit findings and evaluated the current security framework and stability of the operating environment.

Key Findings

We found:

  1. The OSCIO has made significant progress in improving security at the data center through security planning and staffing, vulnerability assessments, security event monitoring, and anti-malware and patching processes. Further progress is needed to refine these processes and better track vulnerability remediation.
  2. Some security areas require improvement, including privileged access, asset and configuration management, and security incident response. Work is underway to improve Windows privileged access.
  3. Day-to-day computing remains stable and disaster recovery capabilities have improved. While additional disaster recovery capabilities are being built, data center customers need to prioritize which systems should be recovered first in the event of disaster.

Recommendations

We recommend improvements in defining roles and responsibilities, refining vulnerability scanning and security event monitoring, monitoring privileged access, and disaster recovery prioritization.

The Department of Administrative Services and the OSCIO agreed with all of our recommendations. The agency’s response can be found at the end of the report.

Read the full report here.

Featured New Audit Release

Audit Release: Severe Deficiencies in Disaster Recovery Program and Insufficient Information Technology Planning Pose Substantial Risks to Beneficiaries and the State


Report Highlights

The agency charged with administering the Public Employees Retirement System, or PERS, should improve Information Technology (IT) strategic planning efforts to ensure that IT investments return the most value and minimize risk. Additionally, PERS should immediately correct deficiencies with existing disaster recovery plans so the agency can effectively respond to catastrophic events that would prevent the use of existing IT hardware and software. PERS is working to update current plans and implement a recovery site, but a more urgent effort is needed.

This audit includes an assessment of critical security controls and the agency’s IT security management practices. PERS should improve security management roles and training, as well as correct weaknesses in inventory management, configuration change management, vulnerability management, and controlling administrative accounts.

Background

PERS has over 365,000 members and is responsible for administering employee pension programs for state agencies as well as approximately 900 local governments. PERS provides $310 million in retirement benefits each month. The agency’s Information Services Division provides PERS with information technology, such as pension benefit calculation software, to support agency operations.

Purpose

The purpose of this audit was to determine whether PERS could improve IT security and IT strategic planning efforts and to assess the agency’s preparedness to restore critical IT systems in response to a disaster.

Key Findings

PERS’s IT strategic planning lacks sufficient detail to help ensure IT investments return the most value, pose the least amount of risk, and are completed timely. Insufficient planning has contributed to mismanagement of some agency initiatives.

While PERS has identified a method to issue most pension payments in the event of a disaster, it has not fully addressed changes in payment processing by the Oregon State Treasury. The agency’s disaster recovery plans pose serious risks because they are insufficient to restore critical IT systems. Furthermore, the agency has not tested those plans and has not yet complied with legislative mandates to acquire an alternative recovery site and improve disaster recovery planning. The agency’s strategy to re-issue the prior month’s payments poses risk of benefit payment errors and has never been tested.

Recommendations

Our report includes ten recommendations to PERS to implement improved IT strategic planning and to take immediate action to remedy weaknesses in its disaster recovery plans. In addition, we make six recommendations to PERS and the Office of the State Chief Information Officer related to Critical Security Controls.

PERS agreed with all of our recommendations. The agency’s response can be found at the end of the report.

Read full report here.

Featured New Audit Release

Audit Release: Opportunities Exist to Increase the Impact of State Agency Internal Audit Functions


Report Highlights

When internal audit functions are properly structured and resourced, they are a valuable asset for mitigating risks and improving agency performance and accountability. However, internal auditing has not been a priority in Oregon. Although the Department of Administrative Services (DAS) has the authority to create policy and a legal requirement to support audit functions, the agency has not strategically promoted the role of internal audit functions due to a number of factors. DAS has not effectively monitored, coordinated, or reported on internal audit function impacts, challenges, and resource needs to state legislators and other stakeholders.

Background

Internal audit functions help organizations achieve their objectives and improve performance. The Oregon Legislature determined internal audit activities within state government should be coordinated to promote effectiveness, and directed DAS to adopt rules and set standards to ensure the integrity of internal auditing.

Purpose

The purpose of this audit was to determine the steps DAS should take to more effectively coordinate state internal audit functions, and what actions can be taken to increase the impact of these critical functions.

Key Findings

  1. The effectiveness of an agency’s internal audit function is defined by the tone at the top. In general, the internal audit function at state agencies in Oregon is not prioritized or well understood by agency management and the Legislature. Many current challenges and deficiencies have persisted for more than two decades.
  2. Internal audit independence and impact is directly influenced by the effectiveness of the audit committee and the committee’s relationship with agency leadership. Internal audit functions in some state agencies do not follow important elements of professional audit standards that ensure independence from management. These deficiencies reduce the effectiveness of the functions and leave agencies more vulnerable to fraud, wasted taxpayer dollars, and other substantial risks.
  3. Poor guidance and a lack of strategic management and effective coordination from DAS has contributed to internal audit challenges at state agencies. DAS reporting on statewide internal audit activities and impact could be a valuable tool for both internal auditors and policymakers, but DAS reports are often inaccurate, confusing, and uninformative.
  4. Many internal audit functions are staffed by well-trained, qualified professionals who make contributions to the agencies they serve despite governance and resource challenges. With additional emphasis and resources they could increase their value and return on investment potential.

Recommendations

We include 16 recommendations to DAS intended to enhance the value and impact of state agency internal audit functions. DAS agreed with 13 of 16 recommendations. The agency declined to say whether it agreed or disagreed with three recommendations.

 

Read full report here.

Featured New Audit Release Performance Audit

Audit Release: Energy Trust Administrative Costs are Generally Reasonable, but the Public Utility Commission Can Improve Oversight of These Costs


Report Highlights

The Oregon Public Utility Commission (PUC) has designed controls to ensure administrative and program support costs at Energy Trust of Oregon are reasonable. Energy Trust is a nonprofit organization and is not subject to state administrative cost requirements. However, PUC could strengthen its oversight of Energy Trust administrative costs by more clearly defining what constitutes reasonable costs, revising key performance metrics, and clarifying financial reporting requirements.

Background

Energy Trust is a nonprofit organization funded by a grant agreement with PUC to develop and administer energy efficiency and renewable energy programs in certain utility service territories in Oregon. The grant funding comes from three separate charges on bills of customers of electric and natural gas utilities regulated by PUC.

Purpose

The purpose of the audit was to determine whether Energy Trust administrative costs are reasonable and whether PUC has reasonable controls in place to oversee Energy Trust’s administrative costs.

Key Findings

  1. Energy Trust complies with PUC’s administrative cost control requirements. We found these controls to be reasonable, and Energy Trust has consistently spent below the established administrative cost cap of 8% of revenue per year. However, Energy Trust’s administrative costs increased from $1.6 million to $10.1 million between 2002 and 2017, as its annual revenues increased from $30.6 million to $194.2 million during the same period. Improved oversight could help PUC better ensure that Energy Trust makes reasonable administrative spending decisions.
  2. We determined Energy Trust’s administrative costs are generally reasonable. However, we identified a small percentage of questionable administrative costs that do not align with state agency standards or the grant guidelines that govern Energy Trust operations. PUC could improve its oversight by providing guidance for acceptable administrative costs.
  3. Increased clarity and detail in financial reporting would improve transparency and stakeholder oversight. PUC monitors Energy Trust’s administrative costs through an enforced spending cap and public budget and reporting processes. Revised reporting methodologies would increase the transparency of Energy Trust’s administrative costs and spending trends.

Recommendations

Our report includes recommendations to PUC regarding the clarity of its grant agreement with Energy Trust, revision of performance metrics, and reporting of administrative costs.

PUC generally agreed with our recommendations. The agency’s response can be found at the end of the report.

Read the full report here.

Featured New Audit Release