The Secretary of State’s Audits Division found that the Oregon Fuels Tax System (OFTS) accurately assesses and collects fuels taxes for Oregon and local jurisdictions, collecting over $564 million in 2016. However, processes for issuing fuels tax refunds and system design flaws result in minor overpayments and reporting inaccuracies. Additionally, ODOT should enhance processes for testing system backup files, granting and monitoring user access, setting user password parameters, implementing safeguards over personally identifiable information, and identifying security weaknesses.
In 2013, ODOT contracted with Avalara to implement a new fuels tax system for $2.8 million, replacing an outdated paper-based system previously used to handle Oregon Fuels Tax returns.
The purpose of our audit was to review and evaluate the effectiveness of key general and application controls that protect and ensure the integrity of the Oregon Fuels Tax System and its data.
1. OFTS accurately calculates, assesses, and collects fuels tax for the state of Oregon and local jurisdictions, but manual processes governing refund payments should be improved to ensure accurate refund payments.
2. Application design flaws result in a small number of refund overpayments and minor reporting inaccuracies.
3. Changes to OFTS computer code are appropriately managed to reasonably ensure that the system and its data will not be compromised as the result of a code change.
4. System backup processes have never been tested to ensure system data can be restored in the event of a disruption.
5. Security weaknesses exist in processes for granting and reviewing system access, monitoring activities of internal and third-party users with significant system access, and identifying and remediating system security vulnerabilities. In addition, password parameters should be more robust, and safeguards protecting some Personally Identifiable Information (PII) need improving.
The report includes nine recommendations to the Oregon Department of Transportation focused on addressing weaknesses in the refund review processes, fixing system design flaws, testing backups, and correcting security weaknesses.