Audit Release: Improving State Computer System Security will take Time, Resources, and Cooperation

Executive Summary


Most state agencies we reviewed do not have adequate security plans, processes, or staffing to carry out fundamental security functions that protect their information systems and data. The Office of the State Chief Information Officer is responsible for ensuring agencies carry out these critical functions, but has not yet provided sufficient standards and oversight to help agencies achieve appropriate information technology security. In September 2016, the Governor signed an executive order to unify cyber security in Oregon, but much work and cooperation remains to fulfill the requirements of the executive order and improve statewide security.

Read full report here.

State agency security efforts fall short

We reviewed 13 state agencies’ information security plans and a selection of security functions to determine if agencies were adequately protecting their systems and data. More than half of the agencies had security weaknesses in six of the seven fundamental security controls reviewed and all agencies had at least two weaknesses.

These agencies represented a cross section of state government agencies. They process and store different types of information ranging from mostly public documents to highly sensitive tax, court, and medical records that require a higher level of protection to comply with federal law.

Overall, planning efforts were often perfunctory, security staffing was generally insufficient, and critical security functions were not always performed. These weaknesses collectively increase the risk of a security incident at one or more of the agencies.

Office of the State Chief Information Officer not fully prepared to centrally administer the state’s security function

State law gives the state Chief Information Officer responsibility for planning statewide security, setting security standards and policies, and ensuring remedial actions are undertaken to correct known security weaknesses. However, the Office of the State Chief Information Officer (OSCIO) has not yet provided state agencies with sufficient and appropriate information technology security standards and oversight. In addition, the OSCIO does not have processes to ensure that agencies comply with the published statewide standards and the regulations imposed by federal requirements.

Recent executive order shifts security functions from the agencies to the Office of the State Chief Information Officer but much work remains

In September 2016, the Governor signed Executive Order No. 16-13 Unifying Cyber Security in Oregon. This directive outlines a process to unify information technology security, including a process to transfer state agency security functions and staffing into the OSCIO until June 30, 2017. In addition, it directs agencies to work with the OSCIO’s newly formed security group to develop and implement security plans, rules, policies, and standards. The directive also requires agencies to fully cooperate with the OSCIO to implement a statewide agency-by-agency risk-based security assessment and remediation program.

However, the executive order may not fully resolve the state’s information technology security weaknesses. The need to securely operate information systems competes for resources with the needs of the agencies to provide services to Oregonians. The executive order transfers security functions but does not add additional resources or describe how agency security staff will work with the OSCIO while remaining under agency management direction for day-to-day activities. In addition, at the time of this report, the OSCIO has not yet developed plans detailing how the OSCIO and agencies will achieve the requirements of the executive order.

Ultimately, the Governor, the OSCIO, agency directors, and the Legislature must cooperate to create, fund, endorse, and implement a statewide security plan. Without full cooperation of these key stakeholders, it is unlikely that the state’s security posture will significantly improve.

Recommendations

We recommend that the Office of the State Chief Information Officer:

  • Collaborate with state agencies to develop detailed plans in order to fully implement the requirements of Executive Order No. 16-13.
  • Develop sufficient statewide standards and processes for oversight to ensure security of agency computer systems.
  • Collaborate with state agencies to ensure remediation of the specific weaknesses communicated to state agencies in separate management letters.
  • Work with the Governor, Legislature, and agency directors to ensure staffing and resources are available to implement agency security measures.

Agency Response

The Office of the State Chief Information Officer generally agrees with the findings and recommendations in this report.  The full agency response can be found at the end of the report.


Oregon Department of Agriculture: Improved management practices, use of resources could help Food Safety Program achieve its mission

Executive Summary


The Oregon Department of Agriculture’s (ODA) Food Safety Program is struggling with a backlog of establishments needing inspection. This backlog was caused by an increase in the number of licensed businesses and complexity of business practices, and an inspection staff busy with other duties. By implementing stronger management practices, making better use of data, and more strategically deploying its resources, the program can reduce its backlog of inspections, better achieve its mission of preventing the spread of foodborne illness, and prepare for more regulatory challenges in the near future.

Read the full report here.

The Food Safety Program has an inspection backlog

According to ODA, a backlogged firm is one that is three or more months late for an inspection. We found that, as of October 2016, 2,841 firms were late for an inspection.

Inspectors have not kept up with this workload in part because the number of licensed businesses has been steadily increasing for the last 10 years. There are now more than 12,000 licensees needing regular inspection by the Food Safety Program.

Inspectors are also spending significant amounts of time on duties that are not related to inspections, such as attending training courses in specialized license types or answering licensee questions on the phone. Management has established goals for how much time inspectors should be spending on inspection-related tasks, but it is not clear these goals are being met.

Federal grants, contracts take time away from inspections

Many firms in Oregon are subject to inspection not only by ODA, but also by the federal Food and Drug Administration, or FDA. The Food Safety Program has a contract with FDA to conduct some of these inspections in exchange for reimbursement. Currently, ODA conducts 500 contract inspections each year, one of the highest contract workloads in the country. These inspections take significantly longer than a routine ODA inspection.

ODA’s Food Safety Program was one of the first in the country to enroll in the federal Manufactured Food Regulatory Program Standards, or MFRPS. Through MFRPS, the program has developed policies and procedures related to enforcement actions, responding to food-related illness, and training. This work has taken time away from conducting food safety inspections and was one of the factors contributing to the backlog.

Staff turnover is a challenge

Since 2006, 28 inspectors have either left the agency or retired. Retiring inspectors often take decades of expertise and experience with them. Hiring and training new staff to replace them is time-intensive. And there is no formal succession plan to prepare for their departure.

Turnover has been especially challenging for the program’s two field operations managers, who are responsible for supervising inspectors. ODA has struggled to keep people in these two positions.

The program uses a tool from FDA that allows food safety regulatory programs to calculate the number of inspectors required to manage the workload. But we found the Food Safety Program was incorrectly using this tool and may not have an accurate estimate of its own staffing needs.

The program needs more management oversight

More oversight of food safety inspectors is needed to ensure the quality and consistency of inspections. Field operations managers only review the inspection reports of new inspectors while they are trained. Although field operations managers are expected to supervise inspectors in the field, this is not happening because managers are busy with office work.

Management could offer more guidance to help inspectors be more consistent in their interactions with licensees. Currently, inspectors are inconsistent in how they issue enforcement actions and how much time they spend explaining the rules and regulations to food establishments.

The program is also at risk of overlooking some businesses that are operating without a license. Currently, ODA relies on new businesses to contact them to obtain a license. But for businesses that may not, there is no formal policy or procedure to proactively identify them.

The program could benefit from better use of data

We found the Food Safety Program is missing several opportunities to use data to help make decisions.

Although management can access the program’s Be Food Safe database to see how many firms are overdue for an inspection, they have not been consistently tracking and storing these data. Keeping track of these numbers could be helpful in identifying patterns and strategies to reduce the backlog.

Some data are not being kept in the most efficient form for analysis. Inspectors fill out daily paper reports of how they spend their hours, but management does not analyze these. By keeping these data in a digital format that can be easily accessed, and regularly analyzing them, management could identify how staff spend their time and look for opportunities for improvement.

We also found that the program could benefit from a designated data analysis position. Managers say they do not have time to collect and analyze data because of their other responsibilities. By having someone whose role is primarily data analysis, the program could benefit from this data without compromising these other duties.

Recommendations

To work toward the goal of reducing the backlog of inspections, we recommend ODA reconsider some of its workload, provide more guidance to inspectors, and better track and analyze data to inform these decisions. To help the program better achieve its mission, we recommend ODA develop policies and procedures to improve oversight of inspectors and develop partnerships with other agencies. And to address some of the staffing challenges, we recommend the program use data to analyze its staffing needs and develop a succession plan for retiring inspectors. Our specific recommendations can be found on page 22 of the report.

Agency Response

The full agency response can be found at the end of the report.

 


Department of Geology and Mineral Industries: Actions taken to better manage federal funds, but further improvements needed

Executive Summary


The Department of Geology and Mineral Industries encountered challenges that contributed to serious financial reporting and cash flow issues. In 2016, new department management started to make improvements and has implemented some financial controls, but further improvement is needed.

Department is addressing lack of controls over federal grant processing

The majority of the department’s revenue is derived from Other Funds and Federal Funds, which are received through cooperative agreements and fee-for-services projects. In fiscal year 2015, the department recorded $4.7 million of federal revenues and expected about the same for fiscal year 2016.

From fiscal year 2014 through fiscal year 2015, the department experienced significant turnover in leadership and fiscal staff positions, resulting in a loss of institutional knowledge and experience and contributing to serious financial reporting and cash flow issues at the department.

Further, a lack of adequate controls contributed to the department using inappropriate grant management practices including 1) drawing down federal monies prior to incurring expenditures; 2) inaccurately reporting federal expenditures in the Schedule of Expenditures of Federal Awards; 3) untimely reporting indirect costs; and 4) inadequate supporting documentation.

In collaboration with a review team from the Department of Administrative Services, in 2016 new management began implementing a number of changes to strengthen controls over financial processes.

Management is also in the process of developing policies and procedures over financial processes. At the time of our audit, however, formal policies and procedures had not yet been adopted.

Recommendations

We recommend the Department of Geology and Mineral Industries continue to improve internal controls over financial processes, including the proper recording and reporting of federal program monies. Our specific recommendations can be found on Page 10 of this report.

Agency Response

The Department of Geology and Mineral Industries (department) concurs with the findings and recommendations of the audit report. The department will implement all recommendations as part of its ongoing efforts to improve financial and business practices. The department’s full response, including the implementation status of each recommendation, can be found at the end of this report.

Read full report here.


Oregon Office of Economic Analysis Reblog: Oregon County Update, September 2016

 

Checking in on employment across Oregon’s counties reveals a number of encouraging trends. First, in recent years, job growth has returned to all regions of the state. Every region and every single county has seen some gains from the depths of the Great Recession. That said, the growth has not been evenly distributed of course. Painting with a broad brush shows that urban Oregon has outperformed rural Oregon, even as the latter is now up to 80 percent recovered overall.

Read more at: Oregon County Update, September 2016 — Oregon Office of Economic Analysis


Department of Human Services: To Better Achieve its Mission, Vision, and Goals, DHS Must Increase Efforts to Address Employees’ Concerns

Executive Summary


The engagement level of employees can directly influence their ability to do their job and thrive professionally and personally. In April 2016, we conducted a survey of Department of Human Services (DHS) employees to help DHS management identify work environment factors positively or negatively affecting employee engagement.

Survey respondents generally reported they know the agency’s mission, vision, and goals and are proud to work there. But their responses also highlighted areas within DHS that need improvement. These included tools and resources to accomplish the work, compensation, hiring practices, recognition, professional development, stress and workload distribution, and communication. Addressing these issues will help DHS improve employee engagement and better achieve the agency’s mission, vision and values.

Read the full report here.

Overview of DHS

The Department of Human Services’ (DHS) mission is to help Oregonians in their own communities achieve safety, well-being, and independence through services that protect, empower, respect choice, and preserve dignity. The agency’s biennial budget is about $10 billion with 7,897 full time equivalent staff.

The agency serves over a million Oregonians each year through two support services units and five program areas. The five programs provide services through numerous field and local offices throughout the state. Central Services, which includes the Director’s office, and Shared Services, provide support and leadership to the following programs: Aging and People with Disabilities, Child Welfare, Intellectual/Developmental Disabilities, Self-Sufficiency, and Vocational Rehabilitation.

Employee engagement is important

Engaged employees are passionate, energetic, and dedicated to their job and organization. One study indicates that a higher level of employee engagement correlates with higher rates of success in achieving strategic goals, higher employee retention, and fewer days of sick leave and lost time.

Work environment surveys can help an organization measure its level of employee engagement. DHS has been conducting an employee survey since 2012 that consists of seven questions designed to measure employee engagement.

Our survey was designed to measure the factors that influence employee engagement. DHS management could use the results of our survey to identify areas to improve, and set priorities for action.

Core knowledge and respectful work units given high ratings among respondents

Survey results indicate that DHS is doing well in four areas that influence engagement: mission, vision, goals; job suitability; respectful work units and reporting of harassing and discriminating behavior; and teamwork.

Nearly all respondents reported they knew the mission, vision, and goals of the agency; and how their work relates to these goals. Furthermore, over 85% of respondents reported they are proud to work at DHS. Almost all of the respondents reported they found their work to be meaningful.

Survey highlights concerns DHS management should address

DHS management should address perceived deficiencies that influence employee engagement. We surveyed 7,426 DHS employees and received 4,580 completed surveys, resulting in a 62% response rate. Employees rated their level of agreement with survey questions regarding factors that influence employee engagement. The response benchmarks we used were based on the existing DHS metrics, which are as follows: 85% and above means the respondent perceives DHS as doing well for that factor; between 66% – 84% means a factor that needs some improvement; and 65% and below means a factor that is in critical need of management attention.

Survey respondents identified seven factors in need of improvement – tools and resources, compensation, hiring practices, recognition, stress and workload, professional development, and communication.

Only 55% of respondents felt they had sufficient tools and resources to do their job. At least 50% of respondents across two units and five programs reported a high level of stress. Many respondents reported concerns about the fairness and competitiveness of hiring practices, and a lack of recognition for the work they do.

Another key factor related to employee engagement and organizational success is communication. For an agency as large as DHS, with offices all over the state, communication can be particularly challenging. However, according to a Newfoundland and Labrador Statistics Agency’s work environment survey, direct and timely communication from senior leaders can go a long way in making employees feel informed and connected.

Leaders also need honest feedback from employees who provide services to clients, in order to help them make the best decisions. Overall, less than half of the respondents felt that communication and information flows effectively between the central office and the field offices.

Recommendations

To better achieve its mission, vision, and goals, we recommend DHS management develop and implement a plan to address the seven areas needing improvement: tools and resources, compensation, hiring practices, recognition, professional development, stress and workload, and communication.

To gauge whether efforts are improving engagement, we recommend DHS management administer a work environment survey at least annually that includes the factors we identified that influence engagement.

Last, we recommend management use the future survey results to revise the plan, as needed.

Agency Response

The agency generally agreed with our recommendations. The full agency response can be found at the end of the report.


Audits in the News: September

Audits in the News: A third-party audit, commissioned by the Audits Division, gets some attention.

We here in the audits division are proud that the work we do makes a difference. Our work attracts the attention of the legislature, statewide news sources, and even local media outlets. Local media coverage of our audits is just another way we communicate with the people of Oregon about the work that we’re doing on their behalf to make government better. This is part of an ongoing series of posts rounding up recent instances in which the Oregon Audits Division makes a cameo in the local news.

The Secretary of State and the Oregon Audits Division commissioned a third-party audit of Oregon’s Business Energy Tax Credit, known as BETC. The credit, administered by the Department of Energy, had been the subject of a number of news articles in the past few months.

Earlier this month, the results of that investigation were released, also to some media coverage. You can read the Secretary’s letter, explaining the purpose for the audit and its findings, here.

Also be sure to read the full report here.

The Oregonian – Audit finds ‘suspicious behavior’ in dozens of energy projects that got Oregon tax credits

Read the story here.

“More than a quarter of the large business energy tax credits issued by the Oregon Department of Energy over eight years ‘seemed improper, violated statutes or rules, or exhibited suspicious activity,’ a first-ever independent audit of the controversial program found.”

Statesman Journal – Audit finds problems with some Oregon energy tax credits

Read the story here.

“An independent investigation of Oregon’s Business Energy Tax Credit (BETC) program found ‘concerning’ risk factors in more than one-third of the $1 billion in credits issued since 2007.”

The Portland Tribune – Audit: ‘Suspicious behavior’ on energy credits forwarded to DOJ

Read the story here.

“Finding no direct evidence of fraud, Oregon Secretary of State Jeanne Atkins nevertheless has forwarded ‘circumstantial evidence of suspicious behavior’ in 79 projects that received business energy tax credits to the Oregon Department of Justice.”

Oregon Public Broadcasting – Audit: Shuttered Oregon Tax Credit Program Issued Money for Suspicious Projects

Read the story here.

“More than a third of the credits issued under a tax credit program for renewable energy companies in Oregon went to problematic projects.

That’s according to an independent analysis issued Thursday by the Oregon Secretary of State’s office.

The report was prepared by a Portland-based consulting firm that specializes in financial crimes. It was paid for by the Secretary of State’s office.”


Oregon Department of Education: Clearer Communication, Consistent Use of Results and an Ongoing Commitment to Improvement Could Help Address Testing Concerns

Executive Summary


Our audit responds to House Bill 2713 (2015), developed with input from the State Auditor. It called for a Secretary of State audit to review the impacts of the statewide summative assessment on Oregon’s public schools, and make recommendations for improvement.

Through a series of surveys, site visits and interviews, we learned many schools faced challenges in the first year of administering the new Smarter Balanced test, including adjusting to the demands on staff and school resources. Some reported fewer challenges in the second year.

Some educators are concerned that certain student populations may experience more negative impacts than others. Some also told us that a more comprehensive assessment system would be useful.

Read full report here.

Oregon introduced Smarter Balanced in 2015

The Smarter Balanced assessment is a new test introduced by the Oregon Department of Education to all public schools in the spring of 2015. Smarter Balanced tests 3rd – 8th graders and 11th graders in math and English language arts near the end of the school year. The test assesses students’ progress toward meeting Oregon’s college- and career-ready standards, the Common Core State Standards. Smarter Balanced requires more time and depth of knowledge than the previous test.

There is not clear agreement on the test’s purpose

The Smarter Balanced test is intended to provide a measure for accountability, data to identify achievement gaps, and information about whether students meet standards overall, and many value these purposes. We also heard from educators who feel the test should be more useful in the classroom. However, other tools may be better suited for that purpose. The Oregon Department of Education could take a more active role in communicating about the test’s purpose.

The results of the test are not used consistently

Schools, school districts and the state use Smarter Balanced test results inconsistently, and sometimes not at all. Educators told us that it would be easier to use results if they received them sooner. Many reported that additional guidance on how to use results would be helpful. Some also reported that a more comprehensive assessment system would be useful.

Many reported test administration challenges

Educators described schoolwide challenges in the first year of administering Smarter Balanced. Testing did not just affect the classrooms that were actively testing, but could also place additional staffing and resource demands on the entire school. However, some said there were fewer challenges in the second year.

Testing took away from other duties of school and school district personnel. Some schools hired additional staff or substitutes specifically for testing. Testing also tied up computer labs for months at some schools. Time spent taking and preparing for the test took away from instruction time.

Some student populations may experience more negative impacts than others

Standardized testing may affect certain student groups more than others. Despite having accommodations, we heard concerns that the test’s greater use of technology and language may increase the risk that some students will not be able to demonstrate their abilities accurately. Students who take longer to complete the assessment may miss more instruction time.

Students in special education, English Language Learners, and students with less exposure to technology and typing may be particularly affected.

Recommendations

We recommend that the Oregon Department of Education improve communication, foster consistent use of results and continue its commitment to improve test administration. Our specific recommendations can be found on page 18 of the report.

Agency Response

The full agency response can be found at the end of the report.
