Audit Release: Severe Deficiencies in Disaster Recovery Program and Insufficient Information Technology Planning Pose Substantial Risks to Beneficiaries and the State


Report Highlights

The agency charged with administering the Public Employees Retirement System, or PERS, should improve Information Technology (IT) strategic planning efforts to ensure that IT investments return the most value and minimize risk. Additionally, PERS should immediately correct deficiencies in its existing disaster recovery plans so the agency can effectively respond to catastrophic events that would prevent the use of existing IT hardware and software. PERS is working to update current plans and implement a recovery site, but a more urgent effort is needed.

This audit includes an assessment of critical security controls and the agency’s IT security management practices. PERS should improve security management roles and training, as well as correct weaknesses in inventory management, configuration change management, vulnerability management, and controlling administrative accounts.

Background

PERS has over 365,000 members and is responsible for administering employee pension programs for state agencies as well as approximately 900 local governments. PERS provides $310 million in retirement benefits each month. The agency’s Information Services Division provides PERS with information technology, such as pension benefit calculation software, to support agency operations.

Purpose

The purpose of this audit was to determine whether PERS could improve IT security and IT strategic planning efforts and to assess the agency’s preparedness to restore critical IT systems in response to a disaster.

Key Findings

PERS’s IT strategic planning lacks sufficient detail to help ensure IT investments return the most value, pose the least amount of risk, and are completed on time. Insufficient planning has contributed to mismanagement of some agency initiatives.

While PERS has identified a method to issue most pension payments in the event of a disaster, it has not fully addressed changes in payment processing by the Oregon State Treasury. The agency’s disaster recovery plans pose serious risks because they are insufficient to restore critical IT systems. Furthermore, the agency has not tested those plans and has not yet complied with legislative mandates to acquire an alternative recovery site and improve disaster recovery planning. The agency’s strategy to re-issue the prior month’s payments poses risk of benefit payment errors and has never been tested.

Recommendations

Our report includes ten recommendations to PERS to implement improved IT strategic planning and to take immediate action to remedy weaknesses in its disaster recovery plans. In addition, we make six recommendations to PERS and the Office of the State Chief Information Officer related to Critical Security Controls.

PERS agreed with all of our recommendations. The agency’s response can be found at the end of the report.


Audit Release: Opportunities Exist to Increase the Impact of State Agency Internal Audit Functions


Report Highlights

When internal audit functions are properly structured and resourced, they are a valuable asset for mitigating risks and improving agency performance and accountability. However, internal auditing has not been a priority in Oregon. Although the Department of Administrative Services (DAS) has the authority to create policy and a legal requirement to support audit functions, the agency has not strategically promoted the role of internal audit functions due to a number of factors. DAS has not effectively monitored, coordinated, or reported on internal audit function impacts, challenges, and resource needs to state legislators and other stakeholders.

Background

Internal audit functions help organizations achieve their objectives and improve performance. The Oregon Legislature determined internal audit activities within state government should be coordinated to promote effectiveness, and directed DAS to adopt rules and set standards to ensure the integrity of internal auditing.

Purpose

The purpose of this audit was to determine the steps DAS should take to more effectively coordinate state internal audit functions, and what actions can be taken to increase the impact of these critical functions.

Key Findings

  1. The effectiveness of an agency’s internal audit function is defined by the tone at the top. In general, the internal audit function at state agencies in Oregon is not prioritized or well understood by agency management and the Legislature. Many current challenges and deficiencies have persisted for more than two decades.
  2. Internal audit independence and impact is directly influenced by the effectiveness of the audit committee and the committee’s relationship with agency leadership. Internal audit functions in some state agencies do not follow important elements of professional audit standards that ensure independence from management. These deficiencies reduce the effectiveness of the functions and leave agencies more vulnerable to fraud, wasted taxpayer dollars, and other substantial risks.
  3. Poor guidance and a lack of strategic management and effective coordination from DAS has contributed to internal audit challenges at state agencies. DAS reporting on statewide internal audit activities and impact could be a valuable tool for both internal auditors and policymakers, but DAS reports are often inaccurate, confusing, and uninformative.
  4. Many internal audit functions are staffed by well-trained, qualified professionals who make contributions to the agencies they serve despite governance and resource challenges. With additional emphasis and resources they could increase their value and return on investment potential.

Recommendations

We include 16 recommendations to DAS intended to enhance the value and impact of state agency internal audit functions. DAS agreed with 13 of 16 recommendations. The agency declined to say whether it agreed or disagreed with three recommendations.


Audit Release: Energy Trust Administrative Costs are Generally Reasonable, but the Public Utility Commission Can Improve Oversight of These Costs


Report Highlights

The Oregon Public Utility Commission (PUC) has designed controls to ensure administrative and program support costs at Energy Trust of Oregon are reasonable. Energy Trust is a nonprofit organization and is not subject to state administrative cost requirements. However, PUC could strengthen its oversight of Energy Trust administrative costs by more clearly defining what constitutes reasonable costs, revising key performance metrics, and clarifying financial reporting requirements.

Background

Energy Trust is a nonprofit organization funded by a grant agreement with PUC to develop and administer energy efficiency and renewable energy programs in certain utility service territories in Oregon. The grant funding comes from three separate charges on bills of customers of electric and natural gas utilities regulated by PUC.

Purpose

The purpose of the audit was to determine whether Energy Trust administrative costs are reasonable and whether PUC has reasonable controls in place to oversee Energy Trust’s administrative costs.

Key Findings

  1. Energy Trust complies with PUC’s administrative cost control requirements. We found these controls to be reasonable, and Energy Trust has consistently spent below the established administrative cost cap of 8% of revenue per year. However, Energy Trust’s administrative costs increased from $1.6 million to $10.1 million between 2002 and 2017, as its annual revenues increased from $30.6 million to $194.2 million during the same period. Improved oversight could help PUC better ensure that Energy Trust makes reasonable administrative spending decisions.
  2. We determined Energy Trust’s administrative costs are generally reasonable. However, we identified a small percentage of questionable administrative costs that do not align with state agency standards or the grant guidelines that govern Energy Trust operations. PUC could improve its oversight by providing guidance for acceptable administrative costs.
  3. Increased clarity and detail in financial reporting would improve transparency and stakeholder oversight. PUC monitors Energy Trust’s administrative costs through an enforced spending cap and public budget and reporting processes. Revised reporting methodologies would increase the transparency of Energy Trust’s administrative costs and spending trends.

Recommendations

Our report includes recommendations to PUC regarding the clarity of its grant agreement with Energy Trust, revision of performance metrics, and reporting of administrative costs.

PUC generally agreed with our recommendations. The agency’s response can be found at the end of the report.


Oregon State Police: Forensic Division Has Taken Appropriate Steps to Address Oregon’s Sexual Assault Kit Testing Backlog

Report Highlights


Oregon State Police (OSP) has taken appropriate steps to manage an influx of Sexual Assault Forensic Evidence (SAFE) kits sent by local law enforcement agencies after Melissa’s Law passed in 2016, including adding staff and equipment, changing how they prioritize the testing of DNA evidence, and using more efficient technologies for DNA processing. Many of these changes occurred too recently to definitively determine whether they will successfully eliminate the remaining backlog. However, the actions taken are aligned with best practices and OSP officials estimate they will largely eliminate the backlog by the end of 2018.

Background

The Forensic Services Division of OSP provides Oregon’s only full-service forensic lab system. The intent of Melissa’s Law is to prevent a future SAFE kit testing backlog at local law enforcement agencies by mandating all non-anonymous kits be sent to OSP for testing.

Purpose

The purpose of this audit was to report on whether OSP has taken actions consistent with statute and best practices to address the SAFE kit backlog.

Key Findings

  1. OSP has complied with Melissa’s Law by increasing lab capacity and reporting results to legislators on efforts to reduce the SAFE kit backlog.
  2. OSP is following best practices outlined by the National Institute of Justice for forensic labs that process SAFE kits. For example, OSP’s “high-throughput” approach to obtaining DNA profiles from SAFE kits is recommended for decreasing kit backlogs.
  3. The agency’s decision to suspend DNA processing of property crime evidence to focus on SAFE kits could lead to a backlog of DNA evidence of this type at local law enforcement agencies. Local law enforcement agencies are eager for OSP to resume accepting DNA evidence for property crimes.
  4. As of January 2018, many of OSP’s capacity-building and process improvement efforts have been implemented. Since then, OSP has shown substantial improvement in the number of kits processed each month. Also, there has been a significant reduction in the statewide backlog. A 2017 survey of local law enforcement agencies found approximately 1,100 kits needing testing, down from approximately 4,900 in 2015. For these reasons, OSP believes it can eliminate the backlog by the end of 2018.

Recommendations

We recommend that OSP publicly post backlog status reports, examine options for a statewide SAFE kit tracking system, and plan for reintroducing DNA testing in property crimes.

OSP generally agrees with our recommendations. The agency’s response can be found at the end of the report.


Audit Release – Oregon Department of Revenue: GenTax Accurately Processes Tax Returns and Payments, but Logical Access and Disaster Recovery Procedures Need Improvement

Report Highlights


The Oregon Department of Revenue (DOR) designed and implemented controls in their GenTax system to provide reasonable assurance that tax return and payment information remains complete, accurate, and valid from input through processing and output. Logical access controls and change management controls are generally sufficient, but some areas need improvement. In addition, existing controls ensure the creation of appropriate backup of GenTax system files, though DOR does not have assurance they could timely restore the system in the event of a disaster or major disruption.

Background

The Oregon Department of Revenue replaced its legacy tax systems with GenTax, an integrated tax processing software package. This system processed about $10.3 billion in payments and $1.2 billion in refunds for tax periods ending in 2016.

Audit Purpose

The purpose of our audit was to review and evaluate key application and general computer controls governing DOR’s GenTax system. We focused on personal income, withholding, and corporate income and excise tax programs.

Key Findings

  1. GenTax controls ensure accurate input of tax return and payment information for personal income, withholding, and corporate income and excise tax programs. Additional processing and output controls provide further assurance that GenTax issues appropriate refunds and bills to taxpayers for taxes due.
  2. Logical access controls are generally sufficient, but DOR needs to make improvements to ensure managers have enough information to request appropriate access. DOR should also ensure that access remains appropriate for users who change jobs and is removed for users who are terminated.
  3. DOR monitors and tracks changes to GenTax to ensure system developers implement only approved program modifications, but better guidance is needed for testing procedures to ensure program modifications meet business needs.
  4. DOR does not have sufficient assurance that it could timely restore GenTax in the event of a disaster or major disruption.
  5. DOR has not obtained independent verification that the GenTax vendor has implemented appropriate controls over servers at an external data center to provide additional assurance that Oregon data is secure.

Recommendations

The report includes 11 recommendations to DOR regarding needed improvements to logical access procedures, disaster recovery plans and tests, and independent assurance of controls over servers at an external data center. DOR generally agreed with our recommendations. DOR’s response can be found at the end of the report.


Audit Release: OLCC Cannabis Information Systems are Properly Functioning but Monitoring and Security Enhancements are Needed

Report Highlights


Although the Oregon Liquor Control Commission (OLCC) has taken positive steps to establish information systems for recreational marijuana regulation, we identified several weaknesses associated with OLCC’s new IT systems used for marijuana licensing and tracking. They include data reliability issues and insufficient processes for managing marijuana applications and vendors. In addition, OLCC has not implemented an appropriate agency-wide IT security management program. We identified eight IT security issues that significantly increase the risk that OLCC’s computer systems could be compromised, resulting in a disruption of OLCC business processes.

Background

In 2014, voters approved Measure 91, which legalized the production, sale, and use of recreational marijuana in Oregon. To help regulate and support this new industry, OLCC implemented the Marijuana Licensing System and the Cannabis Tracking System.

Audit Purpose

The purpose of our audit was to review and evaluate key general computer controls governing OLCC’s IT security management program, and application controls over the Cannabis Tracking and Marijuana Licensing Systems.

Key Findings

Within the context that legal marijuana is an emergent and unique public policy and the state is understandably still in the process of implementing governance programs, regulations, controls, and resources, we found:

  1. Data reliability issues with self-reported data in the Cannabis Tracking System (CTS) and an insufficient number of trained compliance inspectors inhibit OLCC’s ability to monitor the recreational marijuana program in Oregon.
  2. OLCC should improve processes for ensuring the security and reliability of data in the CTS and the Marijuana Licensing System. In addition, better processes are needed to monitor vendors that host and support these applications.
  3. OLCC has not implemented an effective IT security management program for the agency as a whole.
  4. OLCC has not formally developed a disaster recovery plan and has not tested backup files to ensure they can be used to restore mission-critical applications and data.

Recommendations

The report includes 17 recommendations to the Oregon Liquor Control Commission focused on addressing the weaknesses in the CTS data reliability, management of software as a service, IT security management, and disaster recovery and backup processes.

The Commission generally agreed with our recommendations. The Commission’s response can be found at the end of the report.


Audit Release – Foster Care in Oregon: Chronic management failures and high caseloads jeopardize the safety of some of the state’s most vulnerable children

Report Highlights


Oregon’s most vulnerable children are being placed into a foster care system that has serious problems. Child welfare workers are burning out and consistently leaving the system in high numbers. The supply of suitable foster homes and residential facilities is dwindling, resulting in some children spending days and weeks in hotels. Foster parents are struggling with limited training, support and resources. Agency management’s response to these problems has been slow, indecisive and inadequate. DHS and child welfare managers have not strategically addressed caseworker understaffing, recruitment and retention of foster homes, and a poorly implemented computer system that leaves caseworkers with inadequate information.

Background

Since 2011, there have been over 11,000 children in the Oregon foster care system each year. These children are vulnerable and are often the victims of child abuse and neglect.

Audit Purpose

The purpose of the audit was to determine what changes and improvements DHS can make to better promote the wellbeing of children in foster care and ensure they are better protected and cared for.

Key Findings

  1. DHS and Child Welfare struggle with chronic and systemic management shortcomings that have a detrimental effect on the agency’s ability to protect child safety. Management has failed to address a work culture of blame and distrust, plan adequately for costly initiatives, address the root causes of systemic issues, use data to inform key decisions, and promote lasting program improvements. As a result, the child welfare system, which includes the foster care program, is disorganized, inconsistent, and high risk for the children it serves.
  2. DHS does not have enough foster placements to meet the needs of at-risk children, due in part to a lack of a robust foster parent recruitment program. The agency struggles to retain and support the foster homes it does have within its network. The agency also lacks crucial data regarding how many foster placements are needed and the capacity of current foster homes, inhibiting the agency’s ability to fully understand the scope of the problem.
  3. A number of staffing challenges compromise the division’s ability to perform essential child welfare functions. These challenges include chronic understaffing, overwhelming workloads, high turnover, and a large proportion of inexperienced staff in need of better training, supervision, and guidance.

Recommendations

We make 24 recommendations that address the agency’s management challenges, foster parent recruitment and retention, and child welfare staffing. Our recommendations also affirm the foundational recommendations Public Knowledge LLC made in September 2016.

The Department generally agrees with our recommendations. The Department’s response can be found at the end of the report.
