Audit Release: Energy Trust Administrative Costs are Generally Reasonable, but the Public Utility Commission Can Improve Oversight of These Costs


Report Highlights

The Oregon Public Utility Commission (PUC) has designed controls to ensure administrative and program support costs at Energy Trust of Oregon are reasonable. Energy Trust is a nonprofit organization and is not subject to state administrative cost requirements. However, PUC could strengthen its oversight of Energy Trust administrative costs by more clearly defining what constitutes reasonable costs, revising key performance metrics, and clarifying financial reporting requirements.

Background

Energy Trust is a nonprofit organization funded by a grant agreement with PUC to develop and administer energy efficiency and renewable energy programs in certain utility service territories in Oregon. The grant funding comes from three separate charges on bills of customers of electric and natural gas utilities regulated by PUC.

Purpose

The purpose of the audit was to determine whether Energy Trust administrative costs are reasonable and whether PUC has reasonable controls in place to oversee Energy Trust’s administrative costs.

Key Findings

  1. Energy Trust complies with PUC’s administrative cost control requirements. We found these controls to be reasonable, and Energy Trust has consistently spent below the established administrative cost cap of 8% of revenue per year. However, Energy Trust’s administrative costs increased from $1.6 million to $10.1 million between 2002 and 2017, as its annual revenues increased from $30.6 million to $194.2 million during the same period. Improved oversight could help PUC better ensure that Energy Trust makes reasonable administrative spending decisions.
  2. We determined Energy Trust’s administrative costs are generally reasonable. However, we identified a small percentage of questionable administrative costs that do not align with state agency standards or the grant guidelines that govern Energy Trust operations. PUC could improve its oversight by providing guidance for acceptable administrative costs.
  3. Increased clarity and detail in financial reporting would improve transparency and stakeholder oversight. PUC monitors Energy Trust’s administrative costs through an enforced spending cap and public budget and reporting processes. Revised reporting methodologies would increase the transparency of Energy Trust’s administrative costs and spending trends.

Recommendations

Our report includes recommendations to PUC regarding the clarity of its grant agreement with Energy Trust, revision of performance metrics, and reporting of administrative costs.

PUC generally agreed with our recommendations. The agency’s response can be found at the end of the report.

Read the full report here.

Featured New Audit Release

Oregon State Police: Forensic Division Has Taken Appropriate Steps to Address Oregon’s Sexual Assault Kit Testing Backlog

Report Highlights


Oregon State Police (OSP) has taken appropriate steps to manage an influx of Sexual Assault Forensic Evidence (SAFE) kits sent by local law enforcement agencies after Melissa’s Law passed in 2016, including adding staff and equipment, changing how they prioritize the testing of DNA evidence, and using more efficient technologies for DNA processing. Many of these changes occurred too recently to definitively determine whether they will successfully eliminate the remaining backlog. However, the actions taken are aligned with best practices and OSP officials estimate they will largely eliminate the backlog by the end of 2018.

Background

The Forensic Services Division of OSP provides Oregon’s only full-service forensic lab system. The intent of Melissa’s Law is to prevent a future SAFE kit testing backlog at local law enforcement agencies by mandating all non-anonymous kits be sent to OSP for testing.

Purpose

The purpose of this audit was to report on whether OSP has taken actions consistent with statute and best practices to address the SAFE kit backlog.

Key Findings

  1. OSP has complied with Melissa’s Law by increasing lab capacity and reporting results to legislators on efforts to reduce the SAFE kit backlog.
  2. OSP is following best practices outlined by the National Institute of Justice for forensic labs that process SAFE kits. For example, OSP’s “high-throughput” approach to obtaining DNA profiles from SAFE kits is recommended for decreasing kit backlogs.
  3. The agency’s decision to suspend DNA processing of property crime evidence to focus on SAFE kits could lead to a backlog of DNA evidence of this type at local law enforcement agencies. Local law enforcement agencies are eager for OSP to resume accepting DNA evidence for property crimes.
  4. As of January 2018, many of OSP’s capacity-building and process improvement efforts have been implemented. Since then, OSP has shown substantial improvement in the number of kits processed each month. Also, there has been a significant reduction in the statewide backlog. A 2017 survey of local law enforcement agencies found approximately 1,100 kits needing testing, down from approximately 4,900 in 2015. For these reasons, OSP believes it can eliminate the backlog by the end of 2018.

Recommendations

We recommend that OSP publicly post backlog status reports, examine options for a statewide SAFE kit tracking system, and plan for reintroducing DNA testing in property crimes.

OSP generally agrees with our recommendation. The agency’s response can be found at the end of the report.

Read full report here.

Featured New Audit Release Performance Audit

Audit Release – Oregon Department of Revenue: GenTax Accurately Processes Tax Returns and Payments, but Logical Access and Disaster Recovery Procedures Need Improvement

Report Highlights


The Oregon Department of Revenue (DOR) designed and implemented controls in their GenTax system to provide reasonable assurance that tax return and payment information remains complete, accurate, and valid from input through processing and output. Logical access controls and change management controls are generally sufficient, but some areas need improvement. In addition, existing controls ensure the creation of appropriate backup of GenTax system files, though DOR does not have assurance they could timely restore the system in the event of a disaster or major disruption.

Background

The Oregon Department of Revenue replaced its legacy tax systems with GenTax, an integrated tax processing software package. This system processed about $10.3 billion in payments and $1.2 billion in refunds for tax periods ending in 2016.

Audit Purpose

The purpose of our audit was to review and evaluate key application and general computer controls governing DOR’s GenTax system. We focused on personal income, withholding, and corporate income and excise tax programs.

Key Findings

  1. GenTax controls ensure accurate input of tax return and payment information for personal income, withholding, and corporate income and excise tax programs. Additional processing and output controls provide further assurance that GenTax issues appropriate refunds and bills to taxpayers for taxes due.
  2. Logical access controls are generally sufficient, but DOR needs to make improvements to ensure managers have enough information to request appropriate access. DOR should also ensure that access remains appropriate for users who change jobs and is removed for users who are terminated.
  3. DOR monitors and tracks changes to GenTax to ensure system developers implement only approved program modifications, but better guidance is needed for testing procedures to ensure program modifications meet business needs.
  4. DOR does not have sufficient assurance that it could timely restore GenTax in the event of a disaster or major disruption.
  5. DOR has not obtained independent verification that the GenTax vendor has implemented appropriate controls over servers at an external data center to provide additional assurance that Oregon data is secure.

Recommendations

The report includes 11 recommendations to DOR regarding needed improvements to logical access procedures, disaster recovery plans and tests, and independent assurance of controls over servers at an external data center. DOR generally agreed with our recommendations. DOR’s response can be found at the end of the report.

Read the full report here.

Featured IT Audit New Audit Release

Audit Release: OLCC Cannabis Information Systems are Properly Functioning but Monitoring and Security Enhancements are Needed

Report Highlights


Although the Oregon Liquor Control Commission (OLCC) has taken positive steps to establish information systems for recreational marijuana regulation, we identified several weaknesses associated with OLCC’s new IT systems used for marijuana licensing and tracking. They include data reliability issues and insufficient processes for managing marijuana applications and vendors. In addition, OLCC has not implemented an appropriate agency-wide IT security management program. We identified eight IT security issues that significantly increase the risk that OLCC’s computer systems could be compromised, resulting in a disruption of OLCC business processes.

Background

In 2014, voters approved Measure 91, which legalized the production, sale, and use of recreational marijuana in Oregon. To help regulate and support this new industry, OLCC implemented the Marijuana Licensing System and the Cannabis Tracking System.

Audit Purpose

The purpose of our audit was to review and evaluate key general computer controls governing OLCC’s IT security management program, and application controls over the Cannabis Tracking and Marijuana Licensing Systems.

Key Findings

Within the context that legal marijuana is an emergent and unique public policy and the state is understandably still in the process of implementing governance programs, regulations, controls, and resources, we found:

  1. Data reliability issues with self-reported data in the Cannabis Tracking System (CTS) and an insufficient number of trained compliance inspectors inhibit OLCC’s ability to monitor the recreational marijuana program in Oregon.
  2. OLCC should improve processes for ensuring the security and reliability of data in the CTS and the Marijuana Licensing System. In addition, better processes are needed to monitor vendors that host and support these applications.
  3. OLCC has not implemented an effective IT security management program for the agency as a whole.
  4. OLCC has not formally developed a disaster recovery plan and has not tested backup files to ensure they can be used to restore mission-critical applications and data.

Recommendations

The report includes 17 recommendations to the Oregon Liquor Control Commission focused on addressing the weaknesses in the CTS data reliability, management of software as a service, IT security management, and disaster recovery and backup processes.

The Commission generally agreed with our recommendations.  The Commission’s response can be found at the end of the report.

Read full report here.

 

Featured New Audit Release

Audit Release – Foster Care in Oregon: Chronic management failures and high caseloads jeopardize the safety of some of the state’s most vulnerable children

Report Highlights


Oregon’s most vulnerable children are being placed into a foster care system that has serious problems. Child welfare workers are burning out and consistently leaving the system in high numbers. The supply of suitable foster homes and residential facilities is dwindling, resulting in some children spending days and weeks in hotels. Foster parents are struggling with limited training, support and resources. Agency management’s response to these problems has been slow, indecisive and inadequate. DHS and child welfare managers have not strategically addressed caseworker understaffing, recruitment and retention of foster homes, and a poorly implemented computer system that leaves caseworkers with inadequate information.

Background

Since 2011, there have been over 11,000 children in the Oregon foster care system each year. These children are vulnerable and are often the victims of child abuse and neglect.

Audit Purpose

The purpose of the audit was to determine what changes and improvements DHS can make to better promote the wellbeing of children in foster care and ensure they are better protected and cared for.

Key Findings

  1. DHS and Child Welfare struggle with chronic and systemic management shortcomings that have a detrimental effect on the agency’s ability to protect child safety. Management has failed to address a work culture of blame and distrust, plan adequately for costly initiatives, address the root causes of systemic issues, use data to inform key decisions, and promote lasting program improvements. As a result, the child welfare system, which includes the foster care program, is disorganized, inconsistent, and high risk for the children it serves.
  2. DHS does not have enough foster placements to meet the needs of at-risk children, due in part to a lack of a robust foster parent recruitment program. The agency struggles to retain and support the foster homes it does have within its network. The agency also lacks crucial data regarding how many foster placements are needed and the capacity of current foster homes, inhibiting the agency’s ability to fully understand the scope of the problem.
  3. A number of staffing challenges compromise the division’s ability to perform essential child welfare functions. These challenges include chronic understaffing, overwhelming workloads, high turnover, and a large proportion of inexperienced staff in need of better training, supervision, and guidance.

Recommendations

We make 24 recommendations that address the agency’s management challenges, foster parent recruitment and retention, and child welfare staffing. Our recommendations also affirm the foundational recommendations Public Knowledge LLC made in September 2016.

The Department generally agrees with our recommendations. The Department’s response can be found at the end of the report.

Read the full report here.

Featured New Audit Release

Audit Release: The State Must Do More to Prepare Oregon for a Catastrophic Disaster

Report Highlights


Oregon is at risk of a major Cascadia earthquake and tsunami that will threaten infrastructure, cost potentially billions of dollars, and result in numerous deaths. The state must do more to prepare for such a disaster, including completing and implementing critical plans, fulfilling minimum standards for an effective emergency management program, and adequately staffing the agency charged with coordinating emergency management efforts.

Background

The emergency management system encompasses local governments and almost all of state government. The Office of Emergency Management (OEM) is charged with coordinating Oregon’s emergency management efforts, including mitigation, preparedness, response, and recovery.

Audit Purpose

The purpose of this audit was to determine the status of state agency and local emergency management efforts to prepare for a catastrophic event, such as a Cascadia earthquake and tsunami.

Key Findings

  1. Oregon does not meet key emergency management program standards. These national baseline standards are a tool to strengthen preparedness and response, demonstrate accountability, and identify resource needs.
  2. Planning efforts across all levels of Oregon’s emergency management system are lacking. Critical continuity plans that ensure functional government services in the wake of a disaster are either missing or incomplete. Additionally, insufficient staff resources put the state at risk of losing potentially millions of dollars in federal grant funding for future disasters.
  3. Current statewide staffing is inadequate to reduce Oregon’s vulnerability to disasters. OEM in particular is understaffed, despite repeated budget requests to the Legislature, which inhibits the agency’s capacity to coordinate emergency management efforts in the state.
  4. More accountability, such as public reporting and tracking, is needed to ensure progress on long-term resilience goals and projects and to enhance public awareness.

To reach our findings, we conducted a survey of state agencies and local emergency management programs. We also interviewed staff at OEM, other executive branch agencies, and the legislative and judicial branches of state government. We researched programs in other states and assessed emergency management program standards.

Recommendations

This audit includes 11 recommendations, five to OEM and six to the Governor’s Office. These recommendations include such actions as completing, implementing, and exercising emergency and continuity plans; meeting minimum emergency management program standards; reporting on efforts to improve state resilience; defining roles and responsibilities and assessing and filling resource gaps.

OEM agreed with all the recommendations we made to them. The Governor’s Office agreed with all but one of our recommendations. That recommendation, they believe they have already implemented. Both OEM and the Governor’s Office’s responses can be found at the end of the report.

Read the full report here.

Emergency Management Framework

Featured New Audit Release Performance Audit

Audit Release: DEQ Should Improve the Air Quality Permitting Process to Reduce Its Permit Backlog and Better Safeguard Oregon’s Air

Report Highlights


The Secretary of State’s Audits Division found that the Oregon Department of Environmental Quality (DEQ) should evaluate staffing and workloads among air quality permit writers and provide better guidance to both staff and businesses to help reduce the agency’s air quality permit backlog.

Background

This audit reviewed air quality permitting at the Oregon Department of Environmental Quality. Air quality permits regulate the types and amounts of air pollution businesses are allowed to emit, based on federal pollution limits set by the Clean Air Act and state limits established in state laws and DEQ rules.

Audit Purpose

The purpose of this audit was to determine how DEQ could improve its air quality permitting process to better safeguard Oregon’s air quality.

Key Findings

The Oregon Department of Environmental Quality has a significant backlog in air quality permit renewals. We found that:

  1. 43% (106 out of 246) of DEQ’s largest and most complex federal and state air quality permit renewals are overdue for renewal. Additionally, more than 40% of the most complex permits issued from 2007 to 2017 exceeded timeframes established by DEQ or the Clean Air Act, some by several years.
  2. DEQ struggles to issue timely permits and renewals due to a variety of factors, including competing priorities, vacancies, and position cuts that have created unmanageable workloads. Other factors include inconsistent support and guidance for staff; a lack of clear, accessible guidance for applicants; and increased time for the public engagement process.
  3. Untimely permits, combined with a current backlog of inspections, endanger the state’s air quality and the health of Oregonians. For example, when DEQ does not issue permit renewals on time, businesses may not provide DEQ with data showing they are complying with new or updated rules.

To reach our findings, we conducted interviews, analyzed air permit data, reviewed documents and reported practices, and researched leading practices.

Key Recommendations

Based on our review of leading practices and air quality agencies in other states, the report includes ten recommendations to the Department of Environmental Quality. Recommendations include evaluating permit writer workloads and staffing, clarifying the public engagement process, providing better guidance to permit writers and businesses, and conducting a process improvement effort.

The agency agreed with our findings and recommendations. Its response can be found at the end of the report.

Read the full report here.

Featured New Audit Release Performance Audit