Audit Release: Oregon Department of Revenue Cybersecurity Controls Assessment


Report Highlights

This audit was conducted to assess critical security controls and the Department of Revenue’s (DOR) information technology (IT) security management program. We concluded the agency should update its security management program to reflect recent statewide changes to IT security governance structures, as well as correct weaknesses in inventory management, vulnerability management, control of administrative accounts, configuration change management, and audit logging processes.

Background

DOR handles sensitive information, including taxpayer personal information and tax data. The agency, in collaboration with the Enterprise Security Office at the Office of the State Chief Information Officer (OSCIO), is responsible for implementing a security management program to ensure the confidentiality, availability, and integrity of the information with which it is entrusted.

Purpose

The purpose of this audit was to determine whether DOR has implemented an appropriate IT security management program and the basic cyber security controls necessary to ensure cyber defense readiness.

Key Findings

  1. DOR had implemented a security management program, but associated plans and procedures have not been updated to reflect current staffing levels and reorganization of statewide security by the OSCIO.
  2. DOR lacks specific policies and fully automated controls for many elements of the basic security controls identified by the Center for Internet Security. These basic controls should be implemented in every organization to reduce the risk that attackers could compromise systems and data.

Recommendations

We recommend DOR improve its security management program and remedy weaknesses we identified in the basic controls defined by the Center for Internet Security.

DOR agreed with all of our recommendations. The agency’s response can be found at the end of the report.

Read the full report here.


Audit Release, Oregon Department of Revenue: Enhancing Organizational Culture and Addressing Customer Service Challenges Will Optimize Agency Performance


Report Highlights

Organizational culture is key to shaping how members interact with each other and how they achieve their mission and objectives. However, the culture of an organization such as the Department of Revenue (DOR) can be difficult to assess or change. Both DOR staff and management have identified a desire to shift towards a more collaborative agency culture and share perspectives on how culture can be enhanced to meet employees’ needs. DOR leadership makes decisions regarding agency operations; this report provides information that can help inform some of those decisions. DOR leadership has been engaged with the audit and acknowledged that enhancing the culture is a good opportunity within the agency.

Background

DOR has undergone tremendous change in the last five years. This includes several changes in leadership positions, including the Director, and implementation of a critical and expansive information technology system. These significant governance and operational changes affected both internal and external stakeholders. For example, DOR’s customer service rating decreased dramatically, drawing the attention of the Legislature in 2017. We utilized a specialized methodology to assess how enhancing culture could help optimize the agency’s performance. The DOR Director has been supportive of our methodology and appears committed to enhancing the agency’s culture.

Purpose

The purpose of this audit was to determine how changes to DOR’s culture could improve agency performance and to identify factors for the decline in customer service satisfaction from 2013 through 2016 that can be addressed to enhance customer service moving forward.

Key Findings

  1. Opportunities exist to enhance DOR’s operating culture and employee morale. Specifically, DOR management should develop a formal strategy and take action to better incorporate collaborative values within the agency. The strategy should include robust internal communications, an effective accountability framework, a collaborative feedback process, and improved workplace interactions.
  2. The agency’s customer satisfaction declined between 2013 and 2016. A portion of this decrease was due to implementation of a critical and complex IT system known as GenTax. DOR has already identified and addressed a number of customer service deficiencies; as a result, customer service ratings increased in 2017 and 2018. DOR should complete efforts underway to address these challenges.

Recommendations

We made five recommendations to DOR for actions needed to improve its organizational culture and customer satisfaction. DOR agreed with all of our recommendations. The agency’s response can be found at the end of the report.

Read the full report here.


Audit Release – Oregon Department of Revenue: GenTax Accurately Processes Tax Returns and Payments, but Logical Access and Disaster Recovery Procedures Need Improvement

Report Highlights


The Oregon Department of Revenue (DOR) designed and implemented controls in their GenTax system to provide reasonable assurance that tax return and payment information remains complete, accurate, and valid from input through processing and output. Logical access controls and change management controls are generally sufficient, but some areas need improvement. In addition, existing controls ensure the creation of appropriate backup of GenTax system files, though DOR does not have assurance they could timely restore the system in the event of a disaster or major disruption.

Background

The Oregon Department of Revenue replaced its legacy tax systems with GenTax, an integrated tax processing software package. This system processed about $10.3 billion in payments and $1.2 billion in refunds for tax periods ending in 2016.

Audit Purpose

The purpose of our audit was to review and evaluate key application and general computer controls governing DOR’s GenTax system. We focused on personal income, withholding, and corporate income and excise tax programs.

Key Findings

  1. GenTax controls ensure accurate input of tax return and payment information for personal income, withholding, and corporate income and excise tax programs. Additional processing and output controls provide further assurance that GenTax issues appropriate refunds and bills to taxpayers for taxes due.
  2. Logical access controls are generally sufficient, but DOR needs to make improvements to ensure managers have enough information to request appropriate access. DOR should also ensure that access remains appropriate for users who change jobs and is removed for users who are terminated.
  3. DOR monitors and tracks changes to GenTax to ensure system developers implement only approved program modifications, but better guidance is needed for testing procedures to ensure program modifications meet business needs.
  4. DOR does not have sufficient assurance that it could timely restore GenTax in the event of a disaster or major disruption.
  5. DOR has not obtained independent verification that the GenTax vendor has implemented appropriate controls over servers at an external data center to provide additional assurance that Oregon data is secure.

Recommendations

The report includes 11 recommendations to DOR regarding needed improvements to logical access procedures, disaster recovery plans and tests, and independent assurance of controls over servers at an external data center. DOR generally agreed with our recommendations. DOR’s response can be found at the end of the report.

Read the full report here.
