Oregon Health Authority Audit Release: Constraints on Oregon’s Prescription Drug Monitoring Program Limit the State’s Ability to Help Address Opioid Drug Misuse and Abuse


Report Highlights

The Prescription Drug Monitoring Program provides an important tool to address prescription drug abuse, including opioid abuse, and help improve health outcomes. Oregon’s laws have put constraints on the program that limit its effectiveness and impact. Restrictions are placed on what data are collected, analyses that can be done with the data, and with whom information can be shared. Correcting weaknesses in Oregon’s program will maximize its potential and help address opioid and other substance abuse issues the state faces.

Background

Oregon has the highest rate in the nation of seniors hospitalized for opioid-related issues such as overdose, abuse, and dependence. The state also has the sixth highest percentage of teenage drug users. The Oregon Health Authority (OHA) manages the state’s Prescription Drug Monitoring Program (PDMP), which collects information on controlled substance prescriptions within the state. The program was designed to promote public health and safety and to help improve patient care. It was also developed to support the appropriate use of prescription drugs.

Purpose

The purpose of this audit was to determine if Oregon can better leverage its PDMP to help with the opioid epidemic.

Key Findings

  1. OHA could better use PDMP data to analyze trends in prescribed drugs, including identifying patterns of possible opioid misuse and abuse. State laws prevent OHA from sharing information with key stakeholders, such as health licensing boards and law enforcement, on questionable activity. Our analysis found people who have received opioid prescriptions from excessive numbers of prescribers, as well as instances of dangerous drug combinations and prescriptions for excessive dosages of drugs. One person who received an excessive amount of opioid prescriptions had some of those prescriptions paid for by Medicaid.
  2. Oregon is one of only nine states that do not require prescribers or pharmacies to use the PDMP database before an opioid prescription is written or dispensed. Mandating use can be effective in reducing opioid misuse and other health-related outcomes.
  3. Due to statutory restrictions, Oregon’s PDMP does not collect some prescription information that could be critical in preventing prescription drug abuse. This includes prescriptions filled by pharmacies other than retail pharmacies, veterinarian-prescribed prescriptions, prescriptions for Schedule V drugs and drugs known to be abused or misused such as gabapentin, and prescription details such as method of payment, lock-in status, and diagnosis information.

Recommendations

Our report includes 12 recommendations to OHA for optimizing the state’s PDMP. OHA can implement some of these within existing statutes and rules, and for others it needs to work with the Legislature. OHA agreed with all of the recommendations, but stated that because seven fall outside the scope of its statutory authority, its ability to implement them is limited. The agency’s response can be found at the end of the report.

Read full report here.


Audit Release: Progress has been Made to Address Security Weaknesses at the State Data Center, but Improvements are Still Needed


Report Highlights

Security at the Enterprise Technology Services State Data Center (data center) has improved due to organizational and staffing changes and the increased role of the Enterprise Security Office. Several longstanding security challenges have been addressed, yet more work remains to further refine and improve security capabilities and to address other areas where roles are not sufficiently defined. The operating environment for the data center remains stable and appropriately controlled. Disaster recovery capabilities have improved, although prioritization of recovery order needs to occur to ensure that the most critical state systems can be restored in a timely manner in the event of a major disaster.

Background

The data center is comprised of an extensive inventory of computer operating system platforms and networks. It provides centralized computer services such as networking, email, backup, and server services for more than 100 state agencies, boards, and commissions. Since the creation of the data center in 2006, numerous prior audits have identified significant security weaknesses. Starting in 2015, organizational changes moved overall responsibility for the data center to the Office of the State Chief Information Officer (OSCIO) and expanded the staffing and role of the Enterprise Security Office.

Purpose

Because of the critical services the data center provides, we audit it every two to three years. This audit followed up on the status of prior audit findings and evaluated the current security framework and stability of the operating environment.

Key Findings

We found:

  1. The OSCIO has made significant progress in improving security at the data center through security planning and staffing, vulnerability assessments, security event monitoring, and anti-malware and patching processes. Further progress is needed to refine these processes and better track vulnerability remediation.
  2. Some security areas require improvement, including privileged access, asset and configuration management, and security incident response. Work is underway to improve Windows privileged access.
  3. Day-to-day computing remains stable and disaster recovery capabilities have improved. While additional disaster recovery capabilities are being built, data center customers need to prioritize which systems should be recovered first in the event of a disaster.

Recommendations

We recommend improvements in defining roles and responsibilities, refining vulnerability scanning and security event monitoring, monitoring privileged access, and disaster recovery prioritization.

The Department of Administrative Services and the OSCIO agreed with all of our recommendations. The agency’s response can be found at the end of the report.

Read the full report here.


TEDx Reblog: The 5 types of mentors you need in your life

Everyone can use a mentor. Scratch that — as it turns out, we could all use five mentors. “The best mentors can help us define and express our inner calling,” says Anthony Tjan, CEO of Boston venture capital firm Cue Ball Group and author of Good People. “But rarely can one person give you everything you need to grow.”

At the Oregon Audits Division, we give all our staff, both new and well-worn, the opportunity to participate in mentoring relationships with others in the division. These relationships allow the person being mentored to grow by tapping into the wisdom and experience of others, and give the mentor a chance to help develop the proficiency of those around them and, by extension, the whole office.

Mentoring relationships can be formal or informal, and as Julia Fawal writing for TEDx explains, can cover a broad array of development, learning, and support needs for all those who take part. When it comes to mentoring, more is more.

Read more here, or watch the video below.

Audit Release: Opportunities Exist to Increase the Impact of State Agency Internal Audit Functions


Report Highlights

When internal audit functions are properly structured and resourced, they are a valuable asset for mitigating risks and improving agency performance and accountability. However, internal auditing has not been a priority in Oregon. Although the Department of Administrative Services (DAS) has the authority to create policy and a legal requirement to support audit functions, the agency has not strategically promoted the role of internal audit functions due to a number of factors. DAS has not effectively monitored, coordinated, or reported on internal audit function impacts, challenges, and resource needs to state legislators and other stakeholders.

Background

Internal audit functions help organizations achieve their objectives and improve performance. The Oregon Legislature determined internal audit activities within state government should be coordinated to promote effectiveness, and directed DAS to adopt rules and set standards to ensure the integrity of internal auditing.

Purpose

The purpose of this audit was to determine the steps DAS should take to more effectively coordinate state internal audit functions, and what actions can be taken to increase the impact of these critical functions.

Key Findings

  1. The effectiveness of an agency’s internal audit function is defined by the tone at the top. In general, the internal audit function at state agencies in Oregon is not prioritized or well understood by agency management and the Legislature. Many current challenges and deficiencies have persisted for more than two decades.
  2. Internal audit independence and impact are directly influenced by the effectiveness of the audit committee and the committee’s relationship with agency leadership. Internal audit functions in some state agencies do not follow important elements of professional audit standards that ensure independence from management. These deficiencies reduce the effectiveness of the functions and leave agencies more vulnerable to fraud, wasted taxpayer dollars, and other substantial risks.
  3. Poor guidance and a lack of strategic management and effective coordination from DAS have contributed to internal audit challenges at state agencies. DAS reporting on statewide internal audit activities and impact could be a valuable tool for both internal auditors and policymakers, but DAS reports are often inaccurate, confusing, and uninformative.
  4. Many internal audit functions are staffed by well-trained, qualified professionals who make contributions to the agencies they serve despite governance and resource challenges. With additional emphasis and resources they could increase their value and return on investment potential.

Recommendations

We include 16 recommendations to DAS intended to enhance the value and impact of state agency internal audit functions. DAS agreed with 13 of 16 recommendations. The agency declined to say whether it agreed or disagreed with three recommendations.

Read full report here.


Audit Release: DEQ Should Improve the Air Quality Permitting Process to Reduce Its Permit Backlog and Better Safeguard Oregon’s Air

Report Highlights


The Secretary of State’s Audits Division found that the Oregon Department of Environmental Quality (DEQ) should evaluate staffing and workloads among air quality permit writers and provide better guidance to both staff and businesses to help reduce the agency’s air quality permit backlog.

Background

This audit reviewed air quality permitting at the Oregon Department of Environmental Quality. Air quality permits regulate the types and amounts of air pollution businesses are allowed to emit, based on federal pollution limits set by the Clean Air Act and state limits established in state laws and DEQ rules.

Audit Purpose

The purpose of this audit was to determine how DEQ could improve its air quality permitting process to better safeguard Oregon’s air quality.

Key Findings

The Oregon Department of Environmental Quality has a significant backlog in air quality permit renewals. We found that:

  1. 43% (106 out of 246) of DEQ’s largest and most complex federal and state air quality permits are overdue for renewal. Additionally, more than 40% of the most complex permits issued from 2007 to 2017 exceeded timeframes established by DEQ or the Clean Air Act, some by several years.
  2. DEQ struggles to issue timely permits and renewals due to a variety of factors, including competing priorities, vacancies, and position cuts that have created unmanageable workloads. Other factors include inconsistent support and guidance for staff; a lack of clear, accessible guidance for applicants; and increased time for the public engagement process.
  3. Untimely permits, combined with a current backlog of inspections, endanger the state’s air quality and the health of Oregonians. For example, when DEQ does not issue permit renewals on time, businesses may not provide DEQ with data showing they are complying with new or updated rules.

To reach our findings, we conducted interviews, analyzed air permit data, reviewed documents and reported practices, and researched leading practices.

Key Recommendations

Based on our review of leading practices and air quality agencies in other states, the report includes ten recommendations to the Department of Environmental Quality. Recommendations include evaluating permit writer workloads and staffing, clarifying the public engagement process, providing better guidance to permit writers and businesses, and conducting a process improvement effort.

The agency agreed with our findings and recommendations. Its response can be found at the end of the report.

Read the full report here.


DHS – Aging and People with Disabilities: Consumer-Employed Provider Program Needs Immediate Action to Ensure In-Home Care Consumers Receive Required Care and Services

Report Highlights


The Secretary of State’s Audits Division found that the Aging and People with Disabilities (APD) program should take immediate action to address gaps in program design and oversight in order to improve the safety and well-being of participants in the Consumer-Employed Provider (CEP) program.

Read full report here.

Background

Oregon is a leader in providing in-home long-term care options for older adults and people with disabilities. The most used in-home care program is the Consumer-Employed Provider program, which positions consumers as employers of their homecare worker.

Purpose

The purpose of this audit was to assess the policies and processes used by APD to ensure the needs of consumers in the CEP program are met.

Key Findings

The effectiveness of the Consumer-Employed Provider program is dependent on the consumer, the case manager, and the homecare worker. If each is capable, competent, and supported in their role, the current model can be successful. Our audit found:

1. Some consumers are not receiving the support necessary to ensure required employer duties are being performed, which adds to case managers’ and homecare workers’ responsibilities.
2. Due to excessive workloads, case managers are not consistently contacting consumers or monitoring the services consumers receive.
3. Agency requirements do not ensure that homecare workers are prepared to provide the care and assistance consumers need.
4. Due to current data collection and utilization practices, it is difficult for APD to determine if consumers are safe and receiving the care and services they need.
5. Current deficiencies in the program may put consumers’ health and well-being at risk and keep the program from operating as intended.

To reach our findings, we conducted interviews and case file reviews, collected and analyzed CEP consumer data, and researched federal and state standards.

Recommendations

The report includes recommendations to improve Consumer-Employed Provider program implementation and support. Recommendations include consistently following existing monitoring policies, addressing case managers’ excessive workload and responsibilities, and providing more support to consumers and homecare workers.

The Department generally agreed with our findings and recommendations. Its response can be found at the end of the report.


Audit Release - ODOT: The Oregon Fuels Tax System Accurately Assesses and Collects Fuels Taxes for Oregon and Local Jurisdictions

Report Highlights


The Secretary of State’s Audits Division found that the Oregon Fuels Tax System (OFTS) accurately assesses and collects fuels taxes for Oregon and local jurisdictions, collecting over $564 million in 2016. However, processes for issuing fuels tax refunds and system design flaws result in minor overpayments and reporting inaccuracies. Additionally, ODOT should enhance processes for testing system backup files, granting and monitoring user access, setting user password parameters, implementing safeguards over personally identifiable information, and identifying security weaknesses.

Read full report here.

Background

In 2013, ODOT contracted with Avalara to implement a new fuels tax system for $2.8 million, replacing an outdated paper-based system previously used to handle Oregon Fuels Tax returns.

Purpose

The purpose of our audit was to review and evaluate the effectiveness of key general and application controls that protect and ensure the integrity of the Oregon Fuels Tax System and its data.

Key Findings

1. OFTS accurately calculates, assesses, and collects fuels tax for the state of Oregon and local jurisdictions, but manual processes governing refund payments should be improved to ensure accurate refund payments.
2. Application design flaws result in a small number of refund overpayments and minor reporting inaccuracies.
3. Changes to OFTS computer code are appropriately managed to reasonably ensure that the system and its data will not be compromised as the result of a code change.
4. System backup processes have never been tested to ensure system data can be restored in the event of a disruption.
5. Security weaknesses exist in processes for granting and reviewing system access, monitoring activities of internal and third-party users with significant system access, and identifying and remediating system security vulnerabilities. In addition, password parameters should be more robust, and safeguards protecting some Personally Identifiable Information (PII) need improving.

Recommendations

The report includes nine recommendations to the Oregon Department of Transportation focused on addressing weaknesses in the refund review processes, fixing system design flaws, testing backups, and correcting security weaknesses.
