Secretary of State Dennis Richardson
Audits Division, Director Kip Memmott
Report 2018-08
State of Oregon
Oregon Department of Revenue: GenTax Accurately Processes Tax Returns and Payments, but Logical Access and Disaster Recovery Procedures Need Improvement
February 2018
Source: sos.oregon.gov/audits/documents/2018-08.pdf

Upload: lamliem

Post on 05-Apr-2018

218 views

Category:

Documents


3 download

TRANSCRIPT

SecretaryofStateDennisRichardsonAuditsDivision,DirectorKipMemmott

Report2018–08

StateofOregon

OregonDepartmentofRevenue:GenTaxAccuratelyProcessesTaxReturnsandPayments,butLogicalAccessandDisasterRecoveryProceduresNeedImprovementFebruary2018

Thispageintentionallyleftblank.

Secretary of State Audit Highlights, February 2018

Oregon Department of Revenue: GenTax Accurately Processes Tax Returns and Payments, but Logical Access and Disaster Recovery Procedures Need Improvement

  

Purpose

The purpose of our audit was to review and evaluate key application and general computer controls governing DOR’s GenTax system. We focused on personal income, withholding, and corporate income and excise tax programs. 

Key Findings

1. GenTax controls ensure accurate input of tax return and payment information for personal income, withholding, and corporate income and excise tax programs. Additional processing and output controls provide further assurance that GenTax issues appropriate refunds and bills to taxpayers for taxes due. 

2. Logical access controls are generally sufficient, but DOR needs to make improvements to ensure managers have enough information to request appropriate access. DOR should also ensure that access remains appropriate for users who change jobs and is removed for users who are terminated.  

3. DOR monitors and tracks changes to GenTax to ensure system developers implement only approved program modifications, but better guidance is needed for testing procedures to ensure program modifications meet business needs. 

4. DOR does not have sufficient assurance that it could timely restore GenTax in the event of a disaster or major disruption. 

5. DOR has not obtained independent verification that the GenTax vendor has implemented appropriate controls over servers at an external data center to provide additional assurance that Oregon data is secure. 

Background

The Oregon Department of Revenue replaced its legacy tax systems with GenTax, an integrated tax processing software package. This system processed about $10.3 billion in payments and $1.2 billion in refunds for tax periods ending in 2016.

Report Highlights

The Oregon Department of Revenue (DOR) designed and implemented controls in their GenTax system to provide reasonable assurance that tax return and payment information remains complete, accurate, and valid from input through processing and output. Logical access controls and change management controls are generally sufficient, but some areas need improvement. In addition, existing controls ensure the creation of appropriate backup of GenTax system files, though DOR does not have assurance they could timely restore the system in the event of a disaster or major disruption. 

Recommendations

The report includes 11 recommendations to DOR regarding needed improvements to logical access procedures, disaster recovery plans and tests, and independent assurance of controls over servers at an external data center. 


DOR generally agreed with our recommendations. DOR’s response can be found at the end of the report. 

About the Secretary of State Audits Division

The Oregon Constitution provides that the Secretary of State shall be, by virtue of his office, Auditor of Public Accounts. The Audits Division performs this duty. The division reports to the elected Secretary of State and is independent of other agencies within the Executive, Legislative, and Judicial branches of Oregon government. The division has constitutional authority to audit all state officers, agencies, boards, and commissions and oversees audits and financial reporting for local governments. 

 

Audit Team 

Will Garber, CGFM, MPA, Deputy Director 

Teresa Furnish, CISA, Audit Manager 

Erika Ungern, CISSP, CISA, Principal Auditor 

Sherry Kurk, CISA, Staff Auditor 

Sheila Faulkner, Staff Auditor 

 

This report is intended to promote the best possible management of public resources. Copies may be obtained from: 

website:  sos.oregon.gov/audits 

phone:  503‐986‐2255 

mail:  Oregon Audits Division 255 Capitol Street NE, Suite 500 Salem, Oregon  97310 

We sincerely appreciate the courtesies and cooperation extended by officials and employees of the Oregon Department of Revenue during the course of this audit.

Report Number 2018‐08  February 2018 DOR GenTax IT Controls  Page 1

Secretary of State Audit Report

Oregon Department of Revenue: GenTax Accurately Processes Tax Returns and Payments, but Logical Access and Disaster Recovery Procedures Need Improvement

Introduction

The Oregon Department of Revenue (DOR) designed and implemented controls in their GenTax system to provide reasonable assurance that tax return and payment information remains complete, accurate, and valid from input through processing and output. Logical access controls and change management controls are generally sufficient, but some areas need improvement. In addition, existing controls ensure the creation of appropriate backup of GenTax system files, though DOR does not have assurance that they could timely restore the system in the event of a disaster or major disruption.

The Oregon Department of Revenue administers multiple tax programs

DOR administers over 30 tax programs, including the state's personal income, withholding, and corporate income and excise tax programs.

[Figure: 2015-2017 Revenues by Tax Program. Source: Oregon Department of Revenue 2015-2017 budget]

DOR projected $18.5 billion total tax revenue for the 2015-17 biennium. DOR transfers 91.4% of this revenue to the General Fund, 3.8% to counties, and 3.1% to other state agencies. The remaining revenue supports DOR operations. The tax revenue DOR collects is comprised of 83.8% personal income tax, 5.6% corporate taxes, 3.7% other employer and employee taxes, 2.0% cigarette taxes, and 4.9% from small programs such as inheritance taxes.

The GenTax system processes tax returns and payments 

In 2013, DOR received initial project funding and approval for its Core System Replacement (CSR) project to implement GenTax, an integrated tax processing software package. GenTax replaced most of DOR's legacy core systems, which were built on aging and obsolete software applications and databases from the 1980s. The total cost of the CSR project as reported in the 2017-2019 Governor's Budget was $78 million, including debt funding and preliminary planning phases.

GenTax, a web-based, commercial, off-the-shelf product developed by FAST Enterprises, is used by 26 state revenue agencies nationwide, including Oregon. GenTax uses standardized core coding with configuration to meet individual state requirements.

DOR implemented GenTax in four major rollouts, with the fourth rollout completed in November 2017.

[Figure omitted. Source: Oregon Department of Revenue]

DOR personnel continue to work closely with contractors from FAST Enterprises to develop and configure the system to meet Oregon's specific needs, as well as for production support. FAST Enterprises personnel will continue to provide on-site operational support through November 2021, based on the current contract.

Other agencies are also involved with GenTax operation and use. The Department of Administrative Services' (DAS) state data center houses the servers on which GenTax operates, and DAS employees perform activities such as batch monitoring, server administration, and execution of backup routines. Some employees from the Oregon Employment Department and the Department of Consumer and Business Services also have limited access to GenTax, as DOR receives Oregon Combined Payroll payments then transfers the monies to tax programs at these other agencies.

Objective, Scope and Methodology

Our audit objectives were to determine whether information system controls at DOR governing the GenTax system provide reasonable assurance that:

- Selected tax program transaction data remain complete, accurate, and valid during input, processing, and output;
- System information is protected against unauthorized use, disclosure, modification, damage, or loss;
- Changes to computer code and configurations are managed to ensure integrity of the system and that only approved program modifications are implemented; and
- System files are appropriately backed up and can be timely restored in the event of a disaster or major disruption.

Our review of the GenTax application focused on the personal income, withholding, and corporate income and excise tax programs for tax periods ending in 2016. We reviewed input associated with tax returns and payments, and the processing and output activities associated with this data entry. Some tests of corporate taxes included tax periods during state fiscal year 2017, which ended on June 30, 2017. DOR implemented the withholding tax program in GenTax in November 2016, so most of our tests associated with withholding payments used converted data. Tests of refunds covered multiple tax periods. Together, the areas covered in this audit represented approximately 90% of the $10.3 billion in allocated payments and 98% of the $1.2 billion in refunds processed for tax periods ending in 2016.

We also reviewed logical access over the GenTax application and privileged access[1] to GenTax servers. For change management, we focused on maintenance changes to GenTax, as opposed to processes used for major project rollouts. Our review of backup and disaster recovery focused on procedures at DOR, not those of the DAS state data center, which executes backup routines for GenTax servers.

We assessed the reliability of GenTax data by reviewing documentation, evaluating high-level controls over processes to update database tables, and interviewing agency and contractor officials about the data and system. We obtained access to a backup database containing relevant data tables and performed queries to extract data for testing. We evaluated information in specific tables against information in other tables to assess data completeness and accuracy. In addition, throughout our testing procedures, we compared the data against source documentation and GenTax data from the production environment, as applicable. We determined that the data were sufficiently reliable for the purposes of this audit report.

[1] DOR defines privileged access as any rights "elevated" beyond what the typical user receives, including administrative rights to servers.

We also conducted interviews with knowledgeable DOR staff and managers, observed processes and control procedures, and reviewed relevant policies and procedures. We also evaluated or tested:

- 1.9 million personal income tax returns for the 2016 tax year;
- 3.2 million W-2 records submitted by employers for tax periods ending in 2016;
- 0.8 million 1099R records for tax periods ending in 2016;
- 3.3 million refund records for all tax periods in GenTax;
- 3.6 million payment records for tax periods ending in 2016;
- 60 corporate tax returns and associated payment and withholding records out of a population of 83,297 corporate tax accounts for tax periods ending between July 1, 2016 and June 30, 2017; and
- groups, functions and account information associated with 1,479 GenTax user accounts.

We used the ISACA publication "Control Objectives for Information and Related Technology" (COBIT), and the United States Government Accountability Office's publication "Federal Information System Controls Audit Manual" (FISCAM) to identify generally accepted control objectives and practices for information systems.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained and reported provides a reasonable basis to achieve our audit objectives.

Audit Results: GenTax accurately processes tax returns and payments, but improvements are needed to strengthen logical access and disaster recovery procedures

DOR designed and implemented controls to provide reasonable assurance that tax return and payment information remains complete, accurate, and valid during input, processing, and output for the personal income, withholding, and corporate income and excise tax programs.

Logical access controls are generally sufficient to restrict GenTax access to appropriate users. However, we noted controls need strengthening to ensure managers have enough information to request appropriate access. Better controls are also needed to ensure ongoing access remains appropriate for users who change jobs and to ensure users who have left employment with DOR or with other entities have their access terminated timely.

Change management controls provide sufficient assurance that all program modifications receive approval prior to implementation. However, DOR needs to develop better guidance for testing procedures to ensure program modifications meet business needs and do not adversely affect other portions of the application.

Existing controls also ensure the creation of appropriate backups of GenTax system files. However, DOR does not have sufficient assurance that the system could be restored in a timely manner in the event of a disaster or major disruption.

Further, GenTax sends some taxpayer information to servers hosted at an external data center for fraud analysis. However, DOR has not obtained independent verification that the GenTax vendor has implemented appropriate controls over these servers to provide additional assurance that Oregon data is secure.

GenTax application controls ensure proper processing of tax returns and payments

Effective application controls include both manual and automated processes that ensure:

- Only complete, accurate, and valid information is entered into a computer system;
- Data integrity is maintained during processing; and
- System outputs conform to anticipated results.

We found the design and implementation of GenTax application controls provides reasonable assurance that tax return and payment information remains complete, accurate, and valid during input, processing, and output. We focused on the personal income, withholding, and corporate income and excise tax programs.

Input and interface routines provide reasonable assurance that information is complete and accurate 

Input controls should be in place to provide reasonable assurance that all authorized source documents and input files are complete and accurate, properly accounted for, and transmitted in a timely manner for input into the computer system. For GenTax, such controls help ensure that tax returns and payments received are completely and accurately entered, and associated accounts are credited appropriately.

DOR receives tax returns and payments by mail or through electronic methods, with the majority sent electronically. DOR implemented controls to ensure the accurate entry for both types.

The mail processing center receives paper tax returns and sends them to other business units for manual data entry or scanning. Data entry primarily takes place through several intake systems, which then send the information to GenTax via interface files. To ensure the appropriate entry of return data, DOR employees double enter the data and perform batch balancing to ensure they entered all returns received. GenTax production control processes monitor interface files from intake systems to ensure appropriate receipt of all expected files.

For payments received by mail, taxpayers identify where to apply their payment through payment vouchers. DOR employees batch, image, and balance paper checks and cash through an intake system, which interfaces the information to the bank and to GenTax. DOR's banking unit balances each batch to ensure accurate input occurred and reconciles bank deposits to GenTax. If taxpayers do not send payment vouchers with their paper payments, DOR's miscellaneous cash unit performs research and creates manual vouchers to apply the payments to the appropriate accounts.

Electronic tax returns are primarily processed through the Modernized e-File system that runs through a gateway with the Internal Revenue Service (IRS). Taxpayers submit returns electronically through commercial tax software, which sends the information to the IRS gateway. The IRS packages this information and sends it to a location where GenTax web services retrieve, open, and validate the tax returns. GenTax sends an acknowledgment back to the IRS to indicate whether the return was accepted or rejected. The IRS then provides this information to the software vendor, which should notify taxpayers, who are responsible for correcting and resubmitting their return if it was rejected.

DOR mainly receives electronic payments through Automated Clearing House (ACH) payment processes. Taxpayers initiate ACH payments, which must include specific instructions on how to apply the payment. DOR controls these ACH payments primarily through interface monitoring and by requiring payment headers to meet accepted formats. GenTax rejects incorrectly formatted data. In addition, DOR performs monthly reconciliations between GenTax and Oregon State Treasury data to ensure that ACH and other payments match.

Automated processing routines accurately verify and edit returns and payments 

DOR designed and implemented controls that provide reasonable assurance that GenTax corrects or identifies return and payment errors and routes them to employees to review and take action before further processing occurs.

Best practices indicate procedures should be established for data processing to help assure that data are processed completely and accurately, that data retains validity, and that appropriate data confidentiality is maintained during processing. Expected controls include applying edit and validation checks of data, suspending transactions with errors from further processing until corrected, and monitoring automated routines to ensure information is completely processed.

After receiving submitted returns and payments, GenTax validates the input, applies processing edits to ensure they meet expected formats and tax rules, and posts them to taxpayer accounts as needed. If GenTax identifies an error, different actions occur depending on the type of error encountered. For returns processing, GenTax automatically fixes some errors, such as math mistakes, and then continues processing the return. Other errors cause the return or payment to be suspended for review by DOR employees. GenTax places suspended items into work queues, which DOR managers use to set priorities and review whether suspended items are being resolved.

In addition, GenTax uses a series of risk rules to identify potentially fraudulent personal income tax returns. This process prevents a return from further processing until GenTax receives additional information that allows the return to pass the rules, or DOR employees manually release the return. This may delay the processing of refunds, but allows DOR to take actions such as verifying withholding or verifying the taxpayer's identity.

Our tests of data showed GenTax appropriately processed tax returns. For example, we concluded GenTax:

- Appropriately calculated taxes due based on the taxable amount identified on the return or as adjusted from other return processing routines;
- Verified that deductions, credits, and exemptions for personal income tax returns were appropriately applied and for the correct amounts, including those for the standard deduction, personal exemptions, federal tax liability amount, earned income credits, and the correct use of standard or itemized deductions;
- Checked that dependent totals for personal income tax returns were appropriate and that those who were claimed as dependents did not in turn claim dependents on their tax return; and
- Applied math edits to ensure totals used to calculate taxes, refunds, and tax-to-pay were appropriate.

GenTax and DOR employees verify that withholding reported by taxpayers matches external records 

We concluded that GenTax and DOR employees reasonably ensure income tax withholding claimed by personal income taxpayers on their tax returns matches withholding records submitted by employers.

Employers submit W-2s and 1099s to DOR to report taxes withheld from their employees' paychecks. When filing tax returns, personal income taxpayers report the amount of withholding and submit W-2s and 1099s as support. GenTax performs matching routines to evaluate whether the claimed withholding matches what was reported by the employer. If GenTax cannot match the records according to business rules, the return is held until DOR receives additional information or a DOR employee manually releases it.

We confirmed the effectiveness of GenTax's matching routines and DOR procedures to verify withholding manually by comparing W-2s and 1099s submitted by employers to the withholding claimed by personal income taxpayers on their tax returns. Based on our review, we concluded that over 99.7% of personal income tax returns reported withholding that was adequately supported by W-2s and 1099s.

During our testing, we identified 3,427 Form 40 returns, or 0.2% of these returns, representing only 0.04% of withholdings for these returns, where the taxpayer claimed no withholding, but W-2 and 1099 records submitted by employers showed withholding for the taxpayer. DOR managers noted that GenTax was not configured to review withholding when the taxpayer does not claim it. As a result, these taxpayers did not receive credit for their withholding payments. According to DOR, taxpayers have the responsibility to file accurate tax returns. In these cases, the taxpayer made an error, and could amend their returns if made aware of the error. However, DOR does not issue any correspondence to taxpayers informing them that withholding existed that they did not report on their tax return.
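The matching routine and the unconfigured case described above, as an added example that is not GenTax or DOR code: it reconciles claimed withholding against employer W-2/1099 records and separately flags returns that claim nothing while employer records show withholding. The record layouts, the $1 rounding tolerance and the sample records are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


# Constructed record layouts (assumption, not GenTax's schema).
@dataclass(frozen=True)
class TaxReturn:
    taxpayer_id: str            # constructed identifier, not a real SSN
    withholding_claimed: float


@dataclass(frozen=True)
class EmployerRecord:
    taxpayer_id: str
    form: str                   # "W-2" or "1099"
    withholding: float


# Rounding difference tolerated before a claim counts as unsupported (assumption).
TOLERANCE = 1.00


def reconcile_withholding(returns, employer_records):
    """Map each return's taxpayer_id to one of:
    'matched'     claim is supported by employer records (release the return)
    'unsupported' claim exceeds employer records (hold for manual review, as
                  GenTax does when business rules cannot match the records)
    'unclaimed'   return claims no withholding but employer records show some:
                  the gap the audit found GenTax was not configured to review;
                  the taxpayer should be told so they can amend the return
    """
    reported = defaultdict(float)
    for rec in employer_records:
        reported[rec.taxpayer_id] += rec.withholding

    statuses = {}
    for ret in returns:
        supported = reported.get(ret.taxpayer_id, 0.0)
        if ret.withholding_claimed == 0 and supported > 0:
            statuses[ret.taxpayer_id] = "unclaimed"
        elif ret.withholding_claimed > supported + TOLERANCE:
            statuses[ret.taxpayer_id] = "unsupported"
        else:
            statuses[ret.taxpayer_id] = "matched"
    return statuses


def support_rate(statuses):
    """Share of returns whose claimed withholding was adequately supported
    (the audit reported over 99.7% for 2016 Form 40 returns)."""
    if not statuses:
        return 0.0
    ok = sum(1 for s in statuses.values() if s != "unsupported")
    return ok / len(statuses)


# Constructed sample data.
SAMPLE_RETURNS = [
    TaxReturn("T-001", 1200.00),   # fully supported by one W-2
    TaxReturn("T-002", 900.50),    # W-2 plus 1099, within rounding tolerance
    TaxReturn("T-003", 2500.00),   # claims more than employers reported
    TaxReturn("T-004", 0.00),      # claims nothing, but a W-2 shows withholding
    TaxReturn("T-005", 0.00),      # claims nothing and nothing was reported
]
SAMPLE_EMPLOYER_RECORDS = [
    EmployerRecord("T-001", "W-2", 1200.00),
    EmployerRecord("T-002", "W-2", 700.00),
    EmployerRecord("T-002", "1099", 200.00),
    EmployerRecord("T-003", "W-2", 1500.00),
    EmployerRecord("T-004", "W-2", 350.00),
]

if __name__ == "__main__":
    result = reconcile_withholding(SAMPLE_RETURNS, SAMPLE_EMPLOYER_RECORDS)
    for tid, status in sorted(result.items()):
        print(f"{tid}: {status}")
    print(f"adequately supported: {support_rate(result):.1%}")
```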

Batch and interface monitoring ensure complete processing 

GenTax processes nightly batches and interface files automatically and generates reports or alerts to identify errors. DOR has implemented controls to monitor and resolve batch and interface errors. These controls help ensure that errors are detected and resolved so that tax returns and payments are processed timely and accurately. While DOR has not been tracking resolution of all interface errors to ensure resolution and to identify repetitive errors, it has developed plans to begin this type of tracking.

During data processing, transactions may fail to process completely or accurately due to errors or inconsistencies in the data or system interruptions. To identify these instances, organizations should monitor batch processing and interfaces with other systems to ensure the receipt and processing of all transactions.

GenTax performs most processing during nightly batch processing[2] jobs. DOR established parameters for these batch processes, and production control at the DAS state data center executes and monitors them. If a batch process fails, GenTax generates an event record known as an intervention to log the process in error, the server on which it occurred, and when the error occurred. Depending on the business rules established for a particular error, the intervention may cause the entire processing cycle to stop, requiring manual action to resolve the error and restart processing. However, GenTax usually allows processing to continue without halting the processing cycle. DOR monitors interventions daily and assigns them to developers for investigation.

DOR also monitors interfaces into GenTax. GenTax produces a daily report that identifies each interface processed that day and identifies errors encountered, including personnel assigned to resolve the error. We concluded most interface failures occur because GenTax did not process a file, which can be appropriate if there were no records for the specific interface for that day. Interfaces that process but experience other errors generate interventions, which personnel track separately.

Most interventions are resolved quickly, but some require additional manual actions, and may require resolution of an underlying issue to prevent future reoccurrences. Our review found 97.5% of all interventions logged in GenTax were resolved within three days. At the time of our review, all the interventions still open were tracked on a spreadsheet, with most tied to open service tickets.

Our review of a selection of daily interface reports showed that management had assigned a developer or an analyst to review all identified missing files and errors. DOR has not been documenting resolution of missing interface files to ensure they were all resolved, but began planning to develop a process for this tracking at the end of our audit. Better documentation of interface errors could help identify possible patterns and ensure appropriate resolution for all missing files.

GenTax issued accurate refunds and bills for taxes due 

GenTax controls provided sufficient assurance that taxpayers received accurate refunds. In addition, GenTax issued accurate bills for tax owed according to DOR's business rules.

[2] Batch processing is the execution of a series of jobs in a computer system without manual intervention.

Based on the processing of payments and tax returns, GenTax automatically produces multiple outputs, including refunds and correspondence to taxpayers, such as notices to taxpayers who did not pay the full tax due. As part of this process, GenTax automatically calculates the amounts and any associated interest or penalties related to the refund or the billing.

We tested the billing process and concluded:

- Correspondence to taxpayers included accurate tax due and interest and penalty calculations;
- Correspondence to taxpayers was sent according to the expected schedule; and
- Bill stages for collections actions were started according to the expected schedule.

If the combination of returns and payments indicates a refund is due, GenTax automatically generates a refund record and applies a series of risk rules that determine the level of approval required for the refund to be processed. Most refunds are automatically approved, but higher-risk refunds need approval by DOR employees through up to three levels of review.

Our testing of refunds showed:

- Refund amounts were appropriately calculated;
- All issued refunds were approved; and
- High-risk refunds were approved at appropriate levels, per risk rules, and by different individuals at each level.

GenTax logical access controls are generally sufficient but could be improved

GenTax logical access controls are generally sufficient, but DOR should make improvements to ensure the enforcement of segregation of duties, that managers have sufficient information to request appropriate access, and that ongoing access remains appropriate for users who change jobs or is removed for terminated employees. In addition, DOR needs to monitor the actions of users with privileged access to GenTax servers.

Access to computer systems should be restricted to each user's individual job requirements for viewing, adding, or altering information. Management should periodically review and confirm users' access rights to ensure they remain appropriate. Users who no longer need access should have their access rights terminated timely. In addition, organizations should specifically monitor the actions of users with elevated access, such as security administrators, to provide additional accountability.

Logical access controls are generally sufficient for most access 

GenTax logical access controls are generally sufficient to ensure users are uniquely identifiable and appropriately authenticated, and that most access is appropriate.

DOR's procedures generally ensure that access is appropriately restricted and that actions taken tie back to a unique individual who performed that action. For example:

- Managers request access for their employees, which is then granted by a separate group of individuals;
- Unique usernames are used to allow users and their actions to be identified;
- GenTax access to the production environment is automatically disabled after 120 days of non-use;
- GenTax maintains logs of user activities that may be reviewed if there are potential problems identified, such as a potential violation of privacy policies;
- GenTax automatically ends user sessions after a period of inactivity; and
- Users are locked out of GenTax after a specified number of failed login attempts.

Access and segregation of duties documentation needs improvement 

As part of granting appropriate access, system owners should identify and prevent granting access to incompatible transactions. For example, the same user should not be able to create and approve a payment. In addition, those requesting access should have instructions to ensure they fully understand which access rights they are requesting.

GenTax uses role-based logical access with 153 groups attached to one or more of 415 defined functions. Managers should request access for their users based on the groups as documented within GenTax.

We found the documentation for most groups provided general information about the types of actions available for use by someone in the group. Some generic groups allowed access to multiple view-only functions that we concluded represented an appropriate description. However, the descriptions of a small number of groups did not identify the functions included in that group.

In addition, DOR managers indicated that they discussed segregation of duties considerations when developing the roles and groups to prevent the combination of incompatible duties. However, DOR did not develop documentation identifying incompatible roles.

We also noted managers varied in how they requested access. Some requested groups, while others specified functions or a general type of access without specifying group or function. While most functions allowing the ability to add or modify data were associated with only one group, some had multiple possible groups.

Without sufficient definition, documentation, and guidance to managers and access administrators, managers may inadvertently request access for users that exceeds what is required to perform job duties. In addition, without documentation of incompatible roles, managers may inadvertently request access to incompatible duties, resulting in improper segregation of duties.
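The three documentation gaps in this section (undocumented groups, no list of incompatible roles, add/modify functions reachable through more than one group) expressed as checks over a group-to-function catalogue, as an added example that is not GenTax or DOR code. The group catalogue, function names, incompatible pairs and sample users are constructed assumptions; GenTax's real 153 groups and 415 functions are not reproduced here.

```python
# Constructed group catalogue (assumption): group -> (description, functions).
GROUPS = {
    "PAY-ENTRY":   ("Enter and edit payment records", {"payment.create", "payment.modify"}),
    "PAY-APPROVE": ("Approve payments",               {"payment.approve"}),
    "REFUND-L1":   ("Level 1 refund approval",        {"refund.approve.l1", "account.view"}),
    "REFUND-L2":   ("Level 2 refund approval",        {"refund.approve.l2", "account.view"}),
    "ACCT-VIEW":   ("View taxpayer accounts",         {"account.view", "return.view"}),
    "LEGACY-OPS":  ("",                               {"payment.modify", "refund.release"}),
}

# Constructed incompatible-function pairs: the documentation the audit found
# missing. The first pair is the example the report gives (create vs. approve
# a payment); the second keeps refund review levels in different hands.
INCOMPATIBLE = {
    frozenset({"payment.create", "payment.approve"}),
    frozenset({"refund.approve.l1", "refund.approve.l2"}),
}


def is_modifying(function):
    """Assumption: the verb segment of a function name says whether it adds
    or modifies data (anything that is not a read-only verb)."""
    return function.split(".")[1] not in {"view", "search", "print"}


def effective_functions(user_groups):
    """Union of the functions reachable through a user's groups."""
    funcs = set()
    for g in user_groups:
        funcs |= GROUPS[g][1]
    return funcs


def sod_violations(users):
    """users: dict user -> set of groups. Returns user -> sorted list of
    incompatible function pairs that the user's combined groups grant."""
    out = {}
    for user, groups in users.items():
        funcs = effective_functions(groups)
        hits = sorted(tuple(sorted(pair)) for pair in INCOMPATIBLE if pair <= funcs)
        if hits:
            out[user] = hits
    return out


def undocumented_groups():
    """Groups whose description does not tell a requesting manager anything."""
    return sorted(g for g, (desc, _) in GROUPS.items() if not desc.strip())


def ambiguous_modifying_functions():
    """Add/modify functions that more than one group grants, so a manager
    asking for 'the ability to modify payments' could be given either."""
    owners = {}
    for g, (_, funcs) in GROUPS.items():
        for f in funcs:
            if is_modifying(f):
                owners.setdefault(f, set()).add(g)
    return {f: sorted(gs) for f, gs in owners.items() if len(gs) > 1}


# Constructed sample user-to-group assignments.
USERS = {
    "u.clerk":    {"PAY-ENTRY", "ACCT-VIEW"},
    "u.lead":     {"PAY-ENTRY", "PAY-APPROVE"},     # creates and approves payments
    "u.reviewer": {"REFUND-L1", "REFUND-L2"},       # both refund review levels
    "u.ops":      {"LEGACY-OPS"},
}

if __name__ == "__main__":
    print("SoD violations:", sod_violations(USERS))
    print("undocumented groups:", undocumented_groups())
    print("functions with multiple groups:", ambiguous_modifying_functions())
```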

Termination of access was not always timely 

DOR has not adequately ensured that GenTax access ends promptly after employees leave DOR. Managers should request removal of access when employees leave, but DOR's review process does not ensure that timely access termination occurs.

Organizations should remove the access rights of all employees, contractors, and third-party users to system information upon termination of their employment, contract, or agreement. Failure to remove access timely increases the risk that inappropriate activity may occur.

When employees leave DOR, managers should request removal of GenTax access. Program coordinators review reports of terminated employees against a list of access requests to evaluate whether managers had requested access to be terminated. However, this process takes place approximately once per month, with no set schedule for the review. In addition, the review only evaluates requests, without verifying that access was removed.

In addition to access for DOR employees, DOR grants limited GenTax access to some employees from the Department of Consumer and Business Services (DCBS) and the Oregon Employment Department (OED). A DOR employee contacts these agencies monthly to ask whether users still require access. However, other external partners, such as DAS or FAST employees, also have access to GenTax, but DOR managers have no formal regular review process to ensure the access is still required.

We reviewed the logical access accounts of 162 users whose employment with DOR, DCBS, or OED had ended and evaluated whether their access was timely removed. We found 11 users retained their access for more than 31 days after termination, indicating managers did not always request timely removal of access, and the manual review processes were not effective.

We also found three DOR employees, two OED employees and one external vendor who no longer required access to GenTax retained active GenTax group access even though their accounts were disabled. While these users could no longer log in, not ending the group access could result in inappropriate access if the user were to regain GenTax access. For example, users may leave DOR and later return in a different role where their access should be more restricted. If employees responsible for setting up the renewed access do not notice that previous groups remain active, they may inadvertently grant excessive access.

Manager review of access is not formally required  

DOR policy does not require managers to perform periodic reviews of access provided to users, and DOR does not have processes in place for managers to perform or document ad hoc reviews.

Best practices indicate that system owners should periodically review and confirm users' access rights to ensure they remain appropriate.

Although DOR officials indicated that managers who request logical access to GenTax should periodically review the access provided, they have not developed written procedures for this review, and there is no requirement defined in the logical access policy. These weaknesses increase the risk that users will have more access to the system than they need to perform their duties, which could result in the compromise of the system or its data.

We evaluated access granted to users in eight groups that provided specialized abilities, such as the ability to approve refunds at different levels. There were 206 users with access to at least one of these groups. Of these, we found 19 users with inappropriate access for the user's current role. Most of these were due to the user having changed positions without appropriate updates to their access. For others, the user had access to perform functions in GenTax that they did not routinely perform, and, when questioned, managers indicated the access was inappropriate and should be removed.

In addition, we specifically reviewed access to five GenTax groups provided to 10 business users assigned to the GenTax project team. Three of these users had the ability to add, delete, and modify, which was not required for their current role on the project team. This access appeared to be an artifact of the access they would have had in their business units prior to joining the project team. In addition, six members of the project team had virtually unlimited access to GenTax production functions, with the ability to perform actions such as approving high-risk refunds. DOR management removed this ability when we identified this issue.

DOR does not monitor the activities of privileged users 

DOR does not have a process to monitor the activity of GenTax privileged users. Privileged access enables an individual to take actions that may affect computing systems, network communication, system and user files, application data, and user accounts, including the creation and deletion of accounts.

Statewide information security standards indicate that agencies shall require servers to log security events.[3] In addition, controls should exist to monitor the use of sensitive or privileged accounts to ensure only approved actions occur.

[3] Security events include actions that could alter the security of a system, such as policy changes or the creation of an access group with elevated privileges.

DOR follows procedures established by DAS to request privileged access to GenTax servers. This access has been granted to multiple personnel at DAS, as well as to individuals at DOR. Security personnel periodically monitor access assignments to the groups allowing privileged access to ensure they remain appropriate. Additionally, DOR managers reported they maintain logs of administrator activities.

However, there is no current process in place to monitor those logs. Failure to monitor the activities of privileged users increases the risk that unauthorized action may compromise GenTax and its data.
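Monitoring administrator logs for the security events described above (policy changes, creation of elevated groups, account changes) and checking each against an approved change record is one way to meet the "only approved actions occur" requirement. This is an added example, not DOR's, DAS's or the vendor's tooling; the log line format, account names, ticket identifiers and host names are all constructed for illustration.

```python
"""Privileged-activity log review (added example, not from the audit report).
Constructed log lines, a constructed privileged-account list and a constructed
approved-ticket list stand in for the administrator logs the report mentions."""
import re

# Constructed line format: <timestamp> <account> <action> <target> [ticket=<id>]
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<account>\S+) (?P<action>\S+) (?P<target>\S+)"
                    r"(?: ticket=(?P<ticket>\S+))?\s*$")

# Actions that can alter the security of a system (cf. the report's footnote 3):
# policy changes, creating groups or granting elevated privileges, account changes.
SECURITY_EVENTS = {"policy_change", "group_create", "group_grant",
                   "account_create", "account_delete"}

def review_privileged_activity(log_lines, privileged_accounts, approved_tickets):
    """Return (account, action, target, reason) for every security event that is
    not covered by an approved change ticket or comes from an unexpected account."""
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:  # a line you cannot parse is a monitoring gap, so surface it
            alerts.append(("?", "?", "?", f"unparseable line: {line!r}"))
            continue
        if m["action"] not in SECURITY_EVENTS:
            continue  # routine activity; only security events are reconciled here
        if m["account"] not in privileged_accounts:
            alerts.append((m["account"], m["action"], m["target"],
                           "security event from account outside the privileged set"))
        elif m["ticket"] not in approved_tickets:
            alerts.append((m["account"], m["action"], m["target"],
                           "no approved change ticket"))
    return alerts

# Constructed sample data; host, group and ticket names are placeholders.
SAMPLE_LOG = [
    "2018-02-01T09:00:00Z svc_admin1 login app-server-01",
    "2018-02-01T09:05:12Z svc_admin1 group_create ELEVATED_REFUND_APPROVERS ticket=CHG-0001",
    "2018-02-01T10:41:03Z svc_admin2 policy_change password_policy",
    "2018-02-01T11:02:44Z jdoe account_create svc_temp ticket=CHG-0001",
]
PRIVILEGED = {"svc_admin1", "svc_admin2"}
APPROVED = {"CHG-0001"}

if __name__ == "__main__":
    for account, action, target, reason in review_privileged_activity(SAMPLE_LOG, PRIVILEGED, APPROVED):
        print(f"{account} {action} {target}: {reason}")
```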

Change management controls are generally strong, but better guidance is needed for testing

Controls are generally sufficient to ensure that developers implement only approved program modifications. However, DOR needs to provide additional guidance on testing procedures to ensure program modifications meet business needs and do not adversely affect other portions of the application.

DOR staff tracks changes and sufficiently controls software versions

DOR employees adequately track changes to GenTax computer code and use software to ensure different versions of computer code are controlled. This software ensures the same user who made the change cannot promote the software code to the production environment.

Organizations should have formal change management processes and procedures to handle all requests for changes to applications. These procedures should ensure that organizations evaluate, approve, and track requests prior to implementation, and then review them against planned outcomes following implementation. This mitigates the risk of instability or damage to data in the production environment by providing assurance that developers promote only approved changes to production.

DOR has implemented and documented controls to assess, track, and evaluate change requests, and how DOR will make corrections, changes, and enhancements to GenTax computer code. For example, DOR:

• Formally defined responsibilities for the GenTax business and support teams;
• Implemented a tracking tool to log and track all GenTax changes;
• Developed processes to document, review, prioritize and authorize new solution requests (SQRs) for impact and effort;
• Developed processes to evaluate and approve completed changes, including requirements to compare modified code to existing code;
• Developed processes to roll back and rework an SQR if there is a failure during any stage of change;
• Implemented automated controls which require at least two levels of approval prior to promoting the modified code to production; and
• Implemented automated controls to prevent the employee who developed the code from promoting it to production.

Documentation of test expectations needs improvement 

DOR personnel responsible for ensuring code or system changes meet users’ needs have minimal guidance on tests to perform and documentation requirements. As a result, it is sometimes unclear what tests DOR performed and whether they were sufficient to ensure the solution meets business needs.

Best practices indicate organizations should establish test plans that define roles, responsibilities, and success criteria. Such plans should consider the risk of system failure and implementation errors, and should include requirements for performance, stress, usability, pilot, and security testing.

DOR provides some guidance regarding testing of SQR changes. It includes general descriptions of the type of testing developers and business analysts should perform. The business analysts are responsible and accountable for reviewing each request, verifying the problem or enhancement, gathering business requirements, proposing or confirming a solution, developing and performing functional and user acceptance tests, maintaining and providing training, and coordinating legislative fiscal impact requests.

However, business analysts have little guidance or criteria to meet these responsibilities and ensure adequate testing and documentation occur. In particular, DOR has not developed standard test plan formats for routine changes, or specified the required level of documentation of tests performed and their results. We also noted inconsistencies in the level of documentation for change requests. We concluded this was partly due to the absence of documented guidance and standard plans, and partly due to changes to the requirements associated with SQRs as DOR shifted focus from the project to operations.

Lack of guidance or criteria documenting the types of test plans required for different changes may result in changes not meeting the needs of the business users.

GenTax may not be timely or completely recovered in the event of a disaster

Controls are sufficient to ensure that DOR appropriately backs up GenTax system files. However, DOR does not have assurance that it could timely restore GenTax in the event of a disaster or major disruption.

Restoring computer applications after a disaster or serious disruption requires significant advance planning, coordination, and testing. This strategy should ensure the copying of all critical computer files to an off‐site location as frequently as needed to meet business requirements. Organizations should also document disaster recovery procedures in a disaster recovery plan and periodically test the plan to ensure effectiveness.

DOR’s GenTax servers reside at the DAS state data center. DAS and DOR share responsibility for recovering these systems in the event of a serious disruption.

We evaluated DOR’s process for backing up GenTax, including backup frequency, notification for backup success or failure, recovery priority of business critical tasks, and whether or not backups are tested on a periodic basis. We found DOR has a process in place to ensure that GenTax system files are backed up locally and is verifying that required files are being backed up to off‐site storage. However, DOR has not tested the process to restore the GenTax application and data files using the off‐site backups.

In addition, we noted that DOR has not developed a disaster recovery plan for GenTax for incorporation into its agencywide business continuity plan. Because of this, DOR does not have assurance that it could restore the system and its data in the event of a major disruption or outage.

The lack of a disaster recovery plan is partially due to the status of GenTax as a new computer system for DOR. DOR was also in the process of updating its agencywide business continuity plan during the audit, as the existing version was created before GenTax was implemented. DOR indicated it was working on updating the plan to include GenTax.

DOR has not obtained independent assurance of FAST Data Services controls

DOR has not gained independent assurance that FAST Data Services has implemented appropriate controls over servers at an external data center housing Oregon personal income tax data.

Best practices indicate that when information is processed by external information systems, organizations should verify that required security controls on those external systems are appropriate. This verification can be achieved by third‐party, independent assessments of those controls. Entities providing such assurance should be independent of the organizations whose controls are being assessed. We have noted this to be an emerging issue in many organizations using external entities to host or process their data. Currently, there are no DOR policies developed to address security requirements for this type of service.

As part of personal income tax return processing, DOR utilizes services provided by FAST Data Services, which, along with FAST Enterprises, is a subsidiary of FAST LP. GenTax sends encrypted Oregon personal income tax return data to servers at an external data center, where FAST Data Services analyzes them and assigns a risk score. FAST Data Services owns and maintains the servers. DOR did not obtain independent verification that the controls governing these servers are in place and functioning as designed.

DOR security professionals stated they discussed the security measures in place with FAST Data Services security personnel and were satisfied with the stated controls. DOR also obtained a memo from FAST Data Services that outlines what they reference as well‐defined methods and best practices to ensure data is secure. Our review of this document did not reveal any weaknesses, and we saw no indication that the vendor has not implemented the stated controls. However, DOR did not request an independent security review to provide independent assurance that the internal controls and practices identified by the vendor function as intended. An independent review of the organization would provide additional assurance to DOR that Oregon data is secure.


Recommendations:

To improve application controls, we recommend DOR management:

1. Consider notifying taxpayers claiming no withholding if withholding records are found; and

2. Implement controls to track and analyze how interface file failures are resolved.

To strengthen logical access controls, we recommend DOR management:

3. Identify and document which GenTax roles should not be combined with others;

4. Fully document GenTax groups and functions and ensure managers have received instructions on how to request access;

5. Improve procedures to ensure user access is removed timely and completely when no longer needed;

6. Update policy to require periodic manager review of logical access granted to GenTax and develop a mechanism to enforce and document the review; and

7. Implement monitoring of logs to identify inappropriate activity taken by server administrators.

To strengthen change management procedures, we recommend management:

8. Develop more specific guidance for individuals testing system changes to ensure that all elements are appropriately considered.

To strengthen disaster recovery procedures, we recommend management:

9. Develop and maintain a written disaster recovery plan for GenTax; and

10. Periodically test backups stored off‐site to ensure they can be used to restore GenTax fully in the event of a major disruption or outage.

To provide additional assurance that personal income tax data is protected, we recommend management:

11. Request an independent security review of controls over servers operated by FAST Data Services.