Audit Release: Significant Cost Savings Can Be Achieved by Modernizing Oregon’s Procurement Systems and Practices


Report Highlights

The Department of Administrative Services (DAS) has taken steps to develop a strategic approach for procuring goods and services more efficiently and at lower costs. However, a lack of detailed purchase data inhibits the agency’s ability to analyze its spending, resulting in missed opportunities for potentially millions of dollars in cost savings. Additionally, although the Office of the State Chief Information Officer (OSCIO) has made some improvements in project oversight processes for major information technology (IT) procurements, those processes remain immature, resulting in inefficiencies and confusion for state agencies.

Background

DAS has the authority and responsibility to oversee procurements for state agencies. The OSCIO, a component of DAS, is responsible for overseeing major IT procurements conducted by the state. The OSCIO also has authority to require agencies to obtain independent quality assurance (QA) for IT projects.

Purpose

The purpose of this audit was to determine whether DAS has implemented effective processes to reduce risk and minimize costs associated with IT procurements. Furthermore, we sought to determine whether costs for QA services for major IT investments align with best practices and are appropriately independent.

Key Findings

  1. Due to reliance on legacy systems and outdated procurement processes, DAS Procurement Services does not adequately analyze state spending data. As a result, during the 2015-17 biennium, the state missed the opportunity to potentially reduce costs between $400 million and $1.6 billion based on DAS Procurement Services’ estimate of $8 billion in procurements during that time.
  2. Although efforts to improve procurement efficiencies and reduce costs through Oregon’s new Basecamp program generally align with best practices, the effectiveness of these efforts is limited due to a lack of detailed purchase data.
  3. The OSCIO has made progress in establishing oversight processes to mitigate significant procurement risks associated with major IT projects. However, some processes remain immature, and a lack of training and guidance has contributed to confusion and frustration for agencies with projects subject to OSCIO oversight.
  4. The cost for QA services is below industry norms, averaging 3.5% of total project costs, with a median of 5.1%. Additionally, controls are appropriate to ensure QA remains independent, but report tracking should be strengthened.

Recommendations

Our report includes one recommendation to DAS to modernize strategic sourcing efforts and four recommendations to the OSCIO to strengthen IT investment oversight processes. DAS and the OSCIO agreed with all of our recommendations. The agency’s response can be found at the end of the report.

Read full report here.


Audit Release: Improving State Computer System Security will take Time, Resources, and Cooperation

Executive Summary


Most state agencies we reviewed do not have adequate security plans, processes, or staffing to carry out fundamental security functions that protect their information systems and data. The Office of the State Chief Information Officer is responsible for ensuring agencies carry out these critical functions, but has not yet provided sufficient standards and oversight to help agencies achieve appropriate information technology security. In September 2016, the Governor signed an executive order to unify cyber security in Oregon, but much work and cooperation remains to fulfill the requirements of the executive order and improve statewide security.

Read full report here.

State agency security efforts fall short

We reviewed 13 state agencies’ information security plans and a selection of security functions to determine if agencies were adequately protecting their systems and data. More than half of the agencies had security weaknesses in six of the seven fundamental security controls reviewed, and all agencies had at least two weaknesses.

These agencies represented a cross section of state government agencies. They process and store different types of information ranging from mostly public documents to highly sensitive tax, court, and medical records that require a higher level of protection to comply with federal law.

Overall, planning efforts were often perfunctory, security staffing was generally insufficient, and critical security functions were not always performed. These weaknesses collectively increase the risk of a security incident at one or more of the agencies.

Office of the State Chief Information Officer not fully prepared to centrally administer the state’s security function

State law gives the state Chief Information Officer responsibility for planning statewide security, setting security standards and policies, and ensuring remedial actions are undertaken to correct known security weaknesses. However, the Office of the State Chief Information Officer (OSCIO) has not yet provided state agencies with sufficient and appropriate information technology security standards and oversight. In addition, the OSCIO does not have processes to ensure that agencies comply with the published statewide standards and the regulations imposed by federal requirements.

Recent executive order shifts security functions from the agencies to the Office of the State Chief Information Officer but much work remains

In September 2016, the Governor signed Executive Order No. 16-13 Unifying Cyber Security in Oregon. This directive outlines a process to unify information technology security, including a process to transfer state agency security functions and staffing into the OSCIO until June 30, 2017. In addition, it directs agencies to work with the OSCIO’s newly formed security group to develop and implement security plans, rules, policies, and standards. The directive also requires agencies to fully cooperate with the OSCIO to implement a statewide agency-by-agency risk-based security assessment and remediation program.

However, the executive order may not fully resolve the state’s information technology security weaknesses. The need to securely operate information systems competes for resources with the needs of the agencies to provide services to Oregonians. The executive order transfers security functions but does not add additional resources or describe how agency security staff will work with the OSCIO while remaining under agency management direction for day-to-day activities. In addition, at the time of this report, the OSCIO has not yet developed plans detailing how the OSCIO and agencies will achieve the requirements of the executive order.

Ultimately, the Governor, the OSCIO, agency directors, and the Legislature must cooperate to create, fund, endorse, and implement a statewide security plan. Without full cooperation of these key stakeholders, it is unlikely that the state’s security posture will significantly improve.

Recommendations

We recommend that the Office of the State Chief Information Officer:

  • Collaborate with state agencies to develop detailed plans in order to fully implement the requirements of Executive Order No. 16-13.
  • Develop sufficient statewide standards and processes for oversight to ensure security of agency computer systems.
  • Collaborate with state agencies to ensure remediation of the specific weaknesses communicated to state agencies in separate management letters.
  • Work with the Governor, Legislature, and agency directors to ensure staffing and resources are available to implement agency security measures.

Agency Response

The Office of the State Chief Information Officer generally agrees with the findings and recommendations in this report. The full agency response can be found at the end of the report.
