Audit Recommendation Follow-Up: Department of Administrative Services Should Enhance Succession Planning to Address Workforce Risks and Challenges


Recommendation Follow-Up Results

The Department of Administrative Services (DAS) agreed with the original audit, which identified eight recommendations for implementing a succession planning framework. Our follow-up work shows DAS has fully implemented six of those recommendations since the initial report. Despite this significant progress, more work is needed to implement the remaining two recommendations.

Highlights from the Original Audit

The Secretary of State’s Audits Division found that DAS should play a stronger leadership role in addressing key workforce risks and challenges within the state executive branch through enhanced workforce succession planning. Multiple factors indicate these risks and challenges are important, including changing workforce demographics and citizens’ needs for essential services that require skilled and experienced staff.

Background

Our original audit reviewed succession planning within Oregon’s executive branch. Succession planning is an ongoing management process used to ensure workforce continuity and effectiveness, particularly in key leadership and technical functions.

Purpose

The purpose of the audit was to determine if and how the State of Oregon could better plan for future key workforce needs, including preparing state employees to fill key roles. The purpose of this follow-up report is to provide a status on the auditee’s efforts to implement our recommendations.

Key Findings

Within the context that effective succession planning is difficult, complex, and is frequently not a priority within the public sector, we found:

  1. DAS has not developed or implemented a state-level succession planning framework, despite recognizing the importance of succession planning.
  2. The lack of a succession planning framework increases workforce risks, such as not developing or retaining knowledgeable and skilled employees to perform critical functions.
  3. These risks are exacerbated by demographic and economic trends, including increasing retirement rates, and a lack of formal succession planning processes within state agencies.
  4. State agencies also report challenges, including inaccessible workforce information that may hinder strategic human capital management practices and should be addressed at a state level.

Read the full report here.


Audit Release: Progress has been Made to Address Security Weaknesses at the State Data Center, but Improvements are Still Needed


Report Highlights

Security at the Enterprise Technology Services State Data Center (data center) has improved due to organizational and staffing changes and the increased role of the Enterprise Security Office. Several longstanding security challenges have been addressed, yet more work remains to further refine and improve security capabilities and to address other areas where roles are not sufficiently defined. The operating environment for the data center remains stable and appropriately controlled. Disaster recovery capabilities have improved, although the recovery order still needs to be prioritized to ensure that the most critical state systems can be restored in a timely manner in the event of a major disaster.

Background

The data center comprises an extensive inventory of computer operating system platforms and networks. It provides centralized computer services such as networking, email, backup, and server services for more than 100 state agencies, boards, and commissions. Since the creation of the data center in 2006, numerous prior audits have identified significant security weaknesses. Starting in 2015, organizational changes moved overall responsibility for the data center to the Office of the State Chief Information Officer (OSCIO) and expanded the staffing and role of the Enterprise Security Office.

Purpose

Because of the critical services the data center provides, we audit it every two to three years. This audit followed up on the status of prior audit findings and evaluated the current security framework and stability of the operating environment.

Key Findings

We found:

  1. The OSCIO has made significant progress in improving security at the data center through security planning and staffing, vulnerability assessments, security event monitoring, and anti-malware and patching processes. Further progress is needed to refine these processes and better track vulnerability remediation.
  2. Some security areas require improvement, including privileged access, asset and configuration management, and security incident response. Work is underway to improve Windows privileged access.
  3. Day-to-day computing remains stable and disaster recovery capabilities have improved. While additional disaster recovery capabilities are being built, data center customers need to prioritize which systems should be recovered first in the event of disaster.

Recommendations

We recommend improvements in defining roles and responsibilities, refining vulnerability scanning and security event monitoring, monitoring privileged access, and disaster recovery prioritization.

The Department of Administrative Services and the OSCIO agreed with all of our recommendations. The agency’s response can be found at the end of the report.

Read the full report here.


Audit Release: Severe Deficiencies in Disaster Recovery Program and Insufficient Information Technology Planning Pose Substantial Risks to Beneficiaries and the State


Report Highlights

The agency charged with administering the Public Employees Retirement System, or PERS, should improve Information Technology (IT) strategic planning efforts to ensure that IT investments return the most value and minimize risk. Additionally, PERS should immediately correct deficiencies with existing disaster recovery plans so the agency can effectively respond to catastrophic events that would prevent the use of existing IT hardware and software. PERS is working to update current plans and implement a recovery site, but a more urgent effort is needed.

This audit includes an assessment of critical security controls and the agency’s IT security management practices. PERS should improve security management roles and training, as well as correct weaknesses in inventory management, configuration change management, vulnerability management, and controlling administrative accounts.

Background

PERS has over 365,000 members and is responsible for administering employee pension programs for state agencies as well as approximately 900 local governments. PERS provides $310 million in retirement benefits each month. The agency’s Information Services Division provides PERS with information technology, such as pension benefit calculation software, to support agency operations.

Purpose

The purpose of this audit was to determine whether PERS could improve IT security and IT strategic planning efforts and to assess the agency’s preparedness to restore critical IT systems in response to a disaster.

Key Findings

PERS’s IT strategic planning lacks sufficient detail to help ensure IT investments return the most value, pose the least amount of risk, and are completed on time. Insufficient planning has contributed to mismanagement of some agency initiatives.

While PERS has identified a method to issue most pension payments in the event of a disaster, it has not fully addressed changes in payment processing by the Oregon State Treasury. The agency’s disaster recovery plans pose serious risks because they are insufficient to restore critical IT systems. Furthermore, the agency has not tested those plans and has not yet complied with legislative mandates to acquire an alternative recovery site and improve disaster recovery planning. The agency’s strategy to re-issue the prior month’s payments poses risk of benefit payment errors and has never been tested.

Recommendations

Our report includes ten recommendations to PERS to implement improved IT strategic planning and to take immediate action to remedy weaknesses in its disaster recovery plans. In addition, we make six recommendations to PERS and the Office of the State Chief Information Officer related to Critical Security Controls.

PERS agreed with all of our recommendations. The agency’s response can be found at the end of the report.

Read full report here.


Audit Release: Opportunities Exist to Increase the Impact of State Agency Internal Audit Functions


Report Highlights

When internal audit functions are properly structured and resourced, they are a valuable asset for mitigating risks and improving agency performance and accountability. However, internal auditing has not been a priority in Oregon. Although the Department of Administrative Services (DAS) has the authority to create policy and a legal requirement to support audit functions, the agency has not strategically promoted the role of internal audit functions due to a number of factors. DAS has not effectively monitored, coordinated, or reported on internal audit function impacts, challenges, and resource needs to state legislators and other stakeholders.

Background

Internal audit functions help organizations achieve their objectives and improve performance. The Oregon Legislature determined internal audit activities within state government should be coordinated to promote effectiveness, and directed DAS to adopt rules and set standards to ensure the integrity of internal auditing.

Purpose

The purpose of this audit was to determine the steps DAS should take to more effectively coordinate state internal audit functions, and what actions can be taken to increase the impact of these critical functions.

Key Findings

  1. The effectiveness of an agency’s internal audit function is defined by the tone at the top. In general, the internal audit function at state agencies in Oregon is not prioritized or well understood by agency management and the Legislature. Many current challenges and deficiencies have persisted for more than two decades.
  2. Internal audit independence and impact is directly influenced by the effectiveness of the audit committee and the committee’s relationship with agency leadership. Internal audit functions in some state agencies do not follow important elements of professional audit standards that ensure independence from management. These deficiencies reduce the effectiveness of the functions and leave agencies more vulnerable to fraud, wasted taxpayer dollars, and other substantial risks.
  3. Poor guidance and a lack of strategic management and effective coordination from DAS has contributed to internal audit challenges at state agencies. DAS reporting on statewide internal audit activities and impact could be a valuable tool for both internal auditors and policymakers, but DAS reports are often inaccurate, confusing, and uninformative.
  4. Many internal audit functions are staffed by well-trained, qualified professionals who make contributions to the agencies they serve despite governance and resource challenges. With additional emphasis and resources they could increase their value and return on investment potential.

Recommendations

We include 16 recommendations to DAS intended to enhance the value and impact of state agency internal audit functions. DAS agreed with 13 of 16 recommendations. The agency declined to say whether it agreed or disagreed with three recommendations.


Read full report here.


Audit Release: Energy Trust Administrative Costs are Generally Reasonable, but the Public Utility Commission Can Improve Oversight of These Costs


Report Highlights

The Oregon Public Utility Commission (PUC) has designed controls to ensure administrative and program support costs at Energy Trust of Oregon are reasonable. Energy Trust is a nonprofit organization and is not subject to state administrative cost requirements. However, PUC could strengthen its oversight of Energy Trust administrative costs by more clearly defining what constitutes reasonable costs, revising key performance metrics, and clarifying financial reporting requirements.

Background

Energy Trust is a nonprofit organization funded by a grant agreement with PUC to develop and administer energy efficiency and renewable energy programs in certain utility service territories in Oregon. The grant funding comes from three separate charges on bills of customers of electric and natural gas utilities regulated by PUC.

Purpose

The purpose of the audit was to determine whether Energy Trust administrative costs are reasonable and whether PUC has reasonable controls in place to oversee Energy Trust’s administrative costs.

Key Findings

  1. Energy Trust complies with PUC’s administrative cost control requirements. We found these controls to be reasonable, and Energy Trust has consistently spent below the established administrative cost cap of 8% of revenue per year. However, Energy Trust’s administrative costs increased from $1.6 million to $10.1 million between 2002 and 2017, as its annual revenues increased from $30.6 million to $194.2 million during the same period. Improved oversight could help PUC better ensure that Energy Trust makes reasonable administrative spending decisions.
  2. We determined Energy Trust’s administrative costs are generally reasonable. However, we identified a small percentage of questionable administrative costs that do not align with state agency standards or the grant guidelines that govern Energy Trust operations. PUC could improve its oversight by providing guidance for acceptable administrative costs.
  3. Increased clarity and detail in financial reporting would improve transparency and stakeholder oversight. PUC monitors Energy Trust’s administrative costs through an enforced spending cap and public budget and reporting processes. Revised reporting methodologies would increase the transparency of Energy Trust’s administrative costs and spending trends.

Recommendations

Our report includes recommendations to PUC regarding the clarity of its grant agreement with Energy Trust, revision of performance metrics, and reporting of administrative costs.

PUC generally agreed with our recommendations. The agency’s response can be found at the end of the report.

Read the full report here.


Oregon State Police: Forensic Division Has Taken Appropriate Steps to Address Oregon’s Sexual Assault Kit Testing Backlog

Report Highlights


Oregon State Police (OSP) has taken appropriate steps to manage an influx of Sexual Assault Forensic Evidence (SAFE) kits sent by local law enforcement agencies after Melissa’s Law passed in 2016, including adding staff and equipment, changing how they prioritize the testing of DNA evidence, and using more efficient technologies for DNA processing. Many of these changes occurred too recently to definitively determine whether they will successfully eliminate the remaining backlog. However, the actions taken are aligned with best practices and OSP officials estimate they will largely eliminate the backlog by the end of 2018.

Background

The Forensic Services Division of OSP provides Oregon’s only full-service forensic lab system. The intent of Melissa’s Law is to prevent a future SAFE kit testing backlog at local law enforcement agencies by mandating all non-anonymous kits be sent to OSP for testing.

Purpose

The purpose of this audit was to report on whether OSP has taken actions consistent with statute and best practices to address the SAFE kit backlog.

Key Findings

  1. OSP has complied with Melissa’s Law by increasing lab capacity and reporting results to legislators on efforts to reduce the SAFE kit backlog.
  2. OSP is following best practices outlined by the National Institute of Justice for forensic labs that process SAFE kits. For example, OSP’s “high-throughput” approach to obtaining DNA profiles from SAFE kits is recommended for decreasing kit backlogs.
  3. The agency’s decision to suspend DNA processing of property crime evidence to focus on SAFE kits could lead to a backlog of DNA evidence of this type at local law enforcement agencies. Local law enforcement agencies are eager for OSP to resume accepting DNA evidence for property crimes.
  4. As of January 2018, many of OSP’s capacity-building and process improvement efforts have been implemented. Since then, OSP has shown substantial improvement in the number of kits processed each month. Also, there has been a significant reduction in the statewide backlog. A 2017 survey of local law enforcement agencies found approximately 1,100 kits needing testing, down from approximately 4,900 in 2015. For these reasons, OSP believes it can eliminate the backlog by the end of 2018.

Recommendations

We recommend that OSP publicly post backlog status reports, examine options for a statewide SAFE kit tracking system, and plan for reintroducing DNA testing in property crimes.

OSP generally agrees with our recommendations. The agency’s response can be found at the end of the report.

Read full report here.


Audit Release – Oregon Department of Revenue: GenTax Accurately Processes Tax Returns and Payments, but Logical Access and Disaster Recovery Procedures Need Improvement

Report Highlights


The Oregon Department of Revenue (DOR) designed and implemented controls in its GenTax system to provide reasonable assurance that tax return and payment information remains complete, accurate, and valid from input through processing and output. Logical access controls and change management controls are generally sufficient, but some areas need improvement. In addition, existing controls ensure the creation of appropriate backups of GenTax system files, though DOR does not have assurance that it could restore the system in a timely manner in the event of a disaster or major disruption.

Background

The Oregon Department of Revenue replaced its legacy tax systems with GenTax, an integrated tax processing software package. This system processed about $10.3 billion in payments and $1.2 billion in refunds for tax periods ending in 2016.

Audit Purpose

The purpose of our audit was to review and evaluate key application and general computer controls governing DOR’s GenTax system. We focused on personal income, withholding, and corporate income and excise tax programs.

Key Findings

  1. GenTax controls ensure accurate input of tax return and payment information for personal income, withholding, and corporate income and excise tax programs. Additional processing and output controls provide further assurance that GenTax issues appropriate refunds and bills to taxpayers for taxes due.
  2. Logical access controls are generally sufficient, but DOR needs to make improvements to ensure managers have enough information to request appropriate access. DOR should also ensure that access remains appropriate for users who change jobs and is removed for users who are terminated.
  3. DOR monitors and tracks changes to GenTax to ensure system developers implement only approved program modifications, but better guidance is needed for testing procedures to ensure program modifications meet business needs.
  4. DOR does not have sufficient assurance that it could restore GenTax in a timely manner in the event of a disaster or major disruption.
  5. DOR has not obtained independent verification that the GenTax vendor has implemented appropriate controls over servers at an external data center to provide additional assurance that Oregon data is secure.

Recommendations

The report includes 11 recommendations to DOR regarding needed improvements to logical access procedures, disaster recovery plans and tests, and independent assurance of controls over servers at an external data center. DOR generally agreed with our recommendations. DOR’s response can be found at the end of the report.

Read the full report here.
