Secretary of State

Oregon Audits Division

2020-21
AUDIT PLAN
Bev Clarno, Secretary of State
Kip Memmott, Audits Director
TABLE OF CONTENTS

Letter from the Secretary of State

3 Welcome to the Annual Audit Plan

Letter from the Audits Director

4 What to expect for this year’s audit listing

Overview of the Annual Audit Plan

5 How our risk assessment works

About the Audits Division

6 How we are uniquely structured as an audit function

Audit Functions and Strategies

7 Our strengths, skills, and goals

Performance Audits
10 Assessing the efficiency of agency operations

Information Technology Audits

14 Cybersecurity and information systems

Financial Audits
15 Accounting for public monies
LETTER FROM THE
SECRETARY OF STATE
February 2020
I am pleased to present the 2020-21 Annual Audit Plan for the Secretary of State
Audits Division.

This is the third annual audit plan and the first released since I have been Secretary.
Many things about the plan have remained constant:

• A focus on government transparency and accountability.

• A robust listing of performance, financial, and information technology audits.
• A citizen-centric focus that keeps us accountable to Oregonians.

At the same time, we are always striving for improvement. This year’s plan demonstrates my ongoing
commitment to ensure we are spending tax dollars effectively and efficiently and for the benefit of all
Oregonians, urban and rural alike.

I also believe strongly that the best audit function is one that works collaboratively with state agencies for
the betterment of government as a whole. The risk assessment process that informs this audit plan works in
partnership with state agencies to identify topics that will benefit and improve operations.

This year’s audit plan includes audits about inmate substance use disorders and mental health treatment,
disease prevention and response, civil rights, how we provide funding to ensure the success of our students,
and climate change.

One of the great pleasures of serving as Secretary of State has been seeing up close the important work the
Audits Division does to improve Oregon government. I am proud of our division staff for their competence,
professionalism, and commitment to keep government accountable to the Legislature and, especially, the
public. Those values are reflected in the diverse array of audits included in this year’s plan.

Respectfully,

Bev Clarno
Secretary of State

Oregon Secretary of State Audit Plan | February 2020 | page 3

LETTER FROM THE
AUDITS DIRECTOR
February 2020

In alignment with our citizen-centric reporting approach, the Oregon Secretary of State
has developed the 2020-21 audit plan.

The purpose of the audit plan is to identify agencies, programs, entities receiving state
monies, and state operational areas to be examined by the Audits Division during 2020-
21. The audit plan reflects both Secretary Clarno’s and the division’s strategic focus on
public safety, public health, vulnerable populations, education, infrastructure, environment,
information technology governance, cybersecurity, fiscal responsibility, and transparency.

The plan highlights the division’s use of innovative auditing techniques designed to maximize audit impact
and value. These techniques include: real-time and assurance auditing, expert utilization of data analytics,
cybersecurity audits, integrated auditing, equity auditing, and a robust audit follow-up program. The plan
also identifies mandated annual financial audits that the division’s team of financial auditors expertly execute.
These audits are critical for ensuring the state receives federal funding and for providing a transparent view
into the state’s financial condition.

The plan includes the first-ever joint audit to be executed in a collaborative manner between the Audits
Division and the internal audit group at another state agency: in this case, the Oregon Department of
Transportation. The plan also includes the state’s first audit examining climate change risks and strategies.

The Audits Division’s risk assessment approach utilized to develop the 2020-21 audit plan is described
herein. A key risk assessment methodology is focused on obtaining audit plan input and suggestions from key
stakeholders, including the Governor’s Office, legislators, agency directors, state employees, and citizens.

The input we garner from these stakeholders is instrumental in ensuring maximum audit impact and value and
I want to thank the Governor’s Office, agency leadership, and legislators — especially members of the Joint
Legislative Audit Committee — for their support of the State Auditor function.

I want to sincerely thank Secretary Clarno for her strong leadership and outstanding support of the Audits
Division. Oregonians continue to receive the benefit of her amazing legacy of public service and strong
values. I also want to thank the Audits Division team for their commitment to public service and for their
outstanding efforts to ensure the division fulfills its responsibilities and adds real value to the citizens and
residents of our great state.

Most importantly, I want to thank Oregonians. This plan is crafted specifically with their interests in mind and
I am confident that, when the plan is executed, the citizens will be better informed about and served by their
state government.

Respectfully,

Kip Memmott
Audits Division Director

Oregon Secretary of State Audit Plan | February 2020 | page 4

OVERVIEW OF THE
ANNUAL AUDIT PLAN
The mission of the Oregon Audits Division is to protect the public interest while helping improve Oregon
government. A key component of this mission is the division’s annual audit plan, which lists the agencies,
programs, and topics that are prioritized for audits in the coming year. The annual audit plan demonstrates
two key philosophies of the Audits Division: our commitment to transparency and our emphasis on being agile
and responsive to current and critical issues facing the state.

To that end, while we are committed to completing the audits listed in the plan, our risk assessment process
is continuous. As such, the plan is a flexible document and we will redirect audit resources as necessary. We
follow professional standards and guidelines at all times in both developing and executing this audit plan.
Should we choose to terminate an audit, standards require we document the rationale for doing so.

PREPARING THE AUDIT PLAN

We select and prioritize audits using a risk-assessment approach. Our risk assessment is based on specific risk
factors related to the quality of internal controls and the liability and level of exposure to the state of various
agencies, programs, or activities.
We consider the following factors when determining audits to include in the annual plan:

• Industry-standard risk assessment criteria;

• Previous audits of agency operations and internal controls; RISK ASSESSMENT CRITERIA
• Trend analyses to identify recurring audit findings and control
deficiencies; The Audits Division considers the
following risk factors when developing
• Audit follow-up and recommendation tracking; a risk-based audit plan. These factors
• The state’s Comprehensive Annual Financial Reports (CAFRs), are based on their relevance to the
Single Audit Reports, and audit management letters; objectives of our audit approach and the
• Input from elected officials, including members of the Joint environment in which we operate:
Legislative Audit Committee (JLAC);
• Input from agency management, other public sector audit • Size of audited agency or program
organizations, and members of the public; • Compliance and regulations
• Priorities and work products of other leading government audit • Pending or recent legislation
functions; • Complexity of transactions
• Topics informed and suggested by research conducted by • Fiscal sustainability
Audits Division staff; and • Management accountability
• Quality of internal control system
• Current events and trends, financial conditions, and public • Age of program or operation
policy issues, including emerging policy. • Audit history
• Public health and safety
This risk assessment process allows for an efficient allocation of • Critical infrastructure
limited resources based on risk; provides a flexible mechanism • Short- and long-term strategic risks
for managing competing needs; limits the potential for duplicate • Related litigation
and overlapping work with other audit functions; and provides a • Emerging risk areas
foundation for obtaining sufficient resources required to execute
our mission.

The annual audit plan includes a list of the performance, financial, and information technology (IT) audits we
plan to conduct in the coming year. The plan also describes ongoing initiatives that improve upon our audit
work, including our data analytics portfolio and recommendation follow-up program.

The following pages include a description of our audit philosophy, approach, and capabilities, as well as a
description of our continuous improvement initiatives.

Oregon Secretary of State Audit Plan | February 2020 | page 5

ABOUT THE
AUDITS DIVISION
The strategy of the Audits Division is to focus on impact, transparency, and citizen-centric reporting. Key to our
audit philosophy are the concepts of flexibility, responsiveness, and innovation.

Per the Oregon Constitution, the Secretary of State serves as the State Auditor. While state agencies are key
stakeholders, it is ultimately the citizens — and their elected representatives — who are our primary audience.
The audit plan reflects this citizen-centric focus.

Our staff comprises approximately 70 auditors with a broad range of professional and educational
backgrounds. Many of our auditors have attained advanced graduate degrees as well as professional
certifications and credentials, including: Certified Fraud Examiner, Certified Public Accountant, Certified
Internal Auditor, Certified Government Auditing Professional, and Certified Information Systems Auditor.

Our audit philosophy is focused on providing diverse and widespread audit coverage of state agencies,
programs, and services. While all state functions provide important services, our philosophy is particularly
focused on matters involving public safety, public health, vulnerable populations, education, infrastructure,
environment, information technology governance, cybersecurity, fiscal responsibility, and transparency.

LEGAL AUDIT MODEL FRAMEWORK

Both statute and the State Constitution authorize the Secretary of State’s Office to conduct audits of state
government and other specified public entities. Several key components serve as the cornerstone for the Secretary
of State audit model.

The statutory requirement for the Secretary of State’s Office to comply with standards, combined with other key
components making up the model’s framework, ensure that Oregon has one of the most structurally independent
government audit functions in the country.

ELECTED SECRETARY
The Secretary of State is an elected official who leads the office independently from other elected
officials and state operational management.

COMPREHENSIVE ACCESS
The State Constitution authorizes the Secretary of State to have access to all officers, employees, records,
and property maintained by the State and to all external entities, records, and personnel related to their
business interactions with the State.

ADHERENCE TO PROFESSIONAL AUDIT STANDARDS

The Audits Division conducts all audits in accordance with Generally Accepted Government Auditing
Standards (GAGAS) promulgated by the United States Comptroller General.

JOINT LEGISLATIVE AUDIT COMMITTEE

The Secretary of State works closely with the Joint Legislative Audit Committee (JLAC) to communicate
audit results and to ensure optimal audit impact. ORS 171.585 establishes JLAC as a core legislative
committee whose responsibility is to “select audit reports for review and make recommendations for
change.”

Oregon Secretary of State Audit Plan | February 2020 | page 6

AUDIT FUNCTIONS AND
STRATEGIES
With each year, the Audits Division continues to improve and enhance our existing capabilities and functions.
We continue to maintain robust performance, IT, and financial auditing functions. Simultaneously, we are
exploring innovative strategies and methods by which we can optimize our impact and value to Oregon
government and citizens, including our data analytics portfolio and real-time audits.

PERFORMANCE AUDITING
The plan reflects a strong emphasis on performance auditing, particularly in the areas of program
effectiveness and assessing the economy and efficiency of various state agencies and programs.

Many of the performance audits included in this year’s plan build upon audit work conducted in previous
years. One such planned audit would assess the contract administration of Coordinated Care Organizations,
or CCOs, by the Oregon Health Authority. This audit will build upon several audits that examined the risks
around Medicaid and detecting and preventing improper payments. Similarly, a planned audit of inmate
substance use disorders and mental health treatment services at the Department of Corrections will build upon
prior audit work examining the opioid crisis in Oregon and how well the state delivers mental health services.
Just as many planned audits also break new ground, including the first Secretary of State audit that will focus
explicitly on climate change and an audit examining the state’s response to the homelessness crisis.

FINANCIAL AUDITING
The audit plan leverages the long-standing professionalism and institutional knowledge of our staff with audit
work covering the accounting and financial reporting activities of the state.

A primary responsibility of the Audits Division is to conduct financial audits. Financial audits provide
assurance as to whether a state agency has followed generally accepted accounting principles in preparing
its financial records and compiling its financial statements, and whether the amounts presented in those
financial statements are materially complete and accurate.

The division annually audits the state’s financial statements and federal programs at state agencies to ensure
agencies are complying with financial reporting and federal program requirements. The largest financial audit
we conduct is the annual Statewide Single Audit, which includes an audit of the state’s financial statements
included in the Comprehensive Annual Financial Report and an audit of the state’s internal controls and
compliance with federal program requirements.

We perform the single audit to satisfy the Legislature, the Governor, and citizens that the state’s financial
statements are presented fairly and that significant deficiencies in its fiscal systems are identified and
corrected. We also conduct this audit to fulfill the federal government’s mandate to audit the administration
and use of more than $11 billion in federal monies provided to Oregon each year.

The Audits Division also administers Municipal Audit Law, which requires Oregon’s local governments to
submit annual financial reports to the Secretary of State. In the interest of transparency and accountability, we
assist with understanding and complying with the law and prepare an annual summary report of municipal
corporations’ fiscal reporting.

IT AND CYBERSECURITY AUDITING

The audit plan also addresses the ongoing risks associated with IT and cybersecurity with a strong emphasis
on IT audits, a specialized type of performance audit.

One of these IT audits will examine a common theme that emerged among several IT audits in recent years:
the role, reorganization, and governance structure of the Office of the State Chief Information Officer.

Oregon Secretary of State Audit Plan | February 2020 | page 7

Additionally, the audit plan continues our cybersecurity audits, wherein we focus narrowly on a set of IT
controls related to cybersecurity — an area that continues to pose a high threat not only to the state of
Oregon, but nationwide.

LEADING AUDIT METHODOLOGIES AND DATA ANALYTICS PORTFOLIO

We are proud to report the Audits Division continues to serve as a leader in pioneering innovative audit
methodologies to further improve upon our audit work.

Data analytics is the process of inspecting, cleansing, transforming, and modeling data with the goal of
discovering useful information, informing conclusions, and supporting decision-making.

Our work in this area has already drawn national attention — auditors in our office have used data analytics
in partnership with the Department of Health and Human Services and the FBI to identify fraud within the
Supplemental Nutrition Assistance Program, otherwise known as SNAP.

We are also the first audit shop to engage with the U.S. Treasury’s Do Not Pay program to conduct data
matching and reduce improper payments in Oregon’s Medicaid program. Our data analytics focus and
capacity will continue to expand in 2020-21, as we have established an internal audit team specifically
focused on maximizing data analytics audit methodologies.

REAL-TIME AUDITING
In alignment with our strategic focus on being timely and responsive, the division will continue conducting
“real-time” audits. “Real-time” auditing focuses on evaluating front-end strategic planning, service delivery
processes, controls, and performance measurement frameworks before or at the onset of program or policy
implementations by state agencies.

A common critique is that audits do not provide timely information. In this paradigm, auditors can be
perceived as providing information on issues that have already been identified and as providing information
too late to prevent negative and costly outcomes. This is especially the case for large-scale state projects and
expenditures. Real-time auditing mitigates this risk.

This year’s plan includes an innovative real-time audit focusing on the implementation of the recently passed
Student Success Act. We will work closely with the Deputy Superintendent of Public Instruction and the
Department of Education to ensure this real-time audit offers maximum value.

ASSURANCE-BASED AUDITING
In alignment with our citizen-centric strategy based upon transparency, accountability, and public education,
we will include assurance-based findings in our audit reports, when possible.

In addition to identifying issues and problems with government operations, the division believes we have a
responsibility to report on government effectiveness and successes, based on audit evidence. This approach
places audit work within context and helps to enhance collaborative relationships with audited entities and
build public trust in government.

Assurance-based auditing is commonplace in the private sector as executive management and stockholders
want to know what is working, as well as what is not working, within their organizations. This allows them to
execute effective strategic planning and better prioritize and allocate resources. We intend to have the same
effect with our approach, which we will continue to refine and enhance.

INTEGRATED AUDITING
Previous audit plans have pioneered an auditing approach that blends attributes of financial, performance,
and IT auditing, as well as contract review activities, to expand our aggregate impact.

This approach was successful in expanding and enhancing our audit coverage while leveraging the
expertise of our staff and providing them with growth opportunities. We plan to continue building upon and
further improving this approach with audits reviewing processes and activities including, but not limited to,

Oregon Secretary of State Audit Plan | February 2020 | page 8

procurement, contract review, and state regulatory boards.

EQUITY AUDITING
The plan includes audits with equity objectives. In this context, equity refers to the fair and impartial treatment
of all people, regardless of differences in sex, gender, race, ethnicity, income, or other classification.

Government entities are constitutionally required to treat all citizens equally. The provision of government
services, and the quality of such services, should be consistent regardless of ethnicity, income, or other
differences — that is, it should be free from bias or favoritism. This also applies to government regulatory and
enforcement actions. To audit equity is to assess the ability of government agencies, services, or programs to
rise to this standard.

Auditing equity has been a challenging and somewhat nebulous area in the past, but the emergence of new
audit methodologies such as data analytics and Geographic Information System databases has empowered
auditors to pursue equity objectives. For example, the Portland City Auditor conducted an audit in 2017 of the
city’s economic development agency, Prosper Portland. Auditors found that, without income goals or equity
plans, the agency had limited ability to overcome a legacy of gentrification and displacement within the city
of Portland.

The Oregon Audits Division is committed to ensuring state government is equitable in how it addresses the
diverse needs of Oregon citizens. To that end, this year’s plan includes a performance audit of the Office of
Public Defense Services, which will include an equity objective.

COLLABORATIVE AUDITING
The plan includes the first-ever joint audit to be executed in a collaborative manner between the Audits
Division and a state agency internal audit group: the Oregon Department of Transportation.

There are several strategic goals for this project, including leveraging state audit resources to maximize
audit value and impact and demonstrating the teamwork and collaboration opportunities between the State
Auditor and state agencies.

The division released a comprehensive performance audit examining the state’s internal audit functions in
2018. This collaborative audit is well aligned with our strategy of assisting and enhancing these important
functions.

AUDIT FOLLOW-UP PROGRAM

Our improved recommendation follow-up program includes more in-depth audit work to determine whether
prior audit findings have been appropriately addressed by audited entities to mitigate risks. This work
culminates in the issuance of formal recommendation follow-up reports.

We will continue to refine our follow-up procedures as we implement new methods of follow-up work with
our auditees. In 2019, the division released nine recommendation follow-up reports assessing the progress of
several agencies toward implementing audit recommendations. These follow-ups focused on audits previously
conducted of foster care, sexual assault evidence kits, graduation rates, and emergency management, among
others.

HOTLINE ADMINISTRATION AND ANTI-FRAUD FOCUS

The division administers the State’s Fraud, Waste and Abuse Hotline. The Government Waste Hotline was
established in 1995 for public employees and members of the public to report waste, inefficiency, or abuse
by state agencies, state employees, or persons under contract with state agencies. Anyone can contact the
hotline by calling (800) 336-8218 or going online to [Link].

In addition to assessing fraud risk, audits in the plan will include procedures for assessing the effectiveness
of internal controls established by management to detect and prevent fraud. By highlighting potential gaps
within internal control systems, the opportunity for fraud can be reduced.

Oregon Secretary of State Audit Plan | February 2020 | page 9

2020-21 AUDIT PLAN
PERFORMANCE AUDITS
Audit Topic Entity(ies) Potential Scope and Objectives

Medicaid is inherently high risk and expensive. We have already

executed several high-impact audits in this area, but there are
Coordinated Care many remaining risks. Oregon’s Coordinated Care Organization
Organization Oregon Health (CCO) model has some specific risks. This audit will assess whether
2.0 Contract Authority OHA is effectively overseeing state monies allocated to CCOs.
Administration The audit will leverage other audit work the division has performed
examining Medicaid.

With the rise of new infectious diseases, significant outbreaks

of influenza, and the threat of bioterrorism, this audit will assess
the state’s readiness to address epidemics and other potentially
catastrophic biological events, as well as programs and controls
to manage more common epidemiological risks to the community.
The audit will leverage recent evaluations and legislation related
Oregon Health to modernizing Oregon’s public health system, including House
Disease Prevention Authority, Bill 3100 and a 2016 external assessment. The audit will assess
and Response selected county progress made to meet legislative intent and the issues identified
governments by the 2016 assessment and may include an objective reviewing,
on a sample basis, county public health modernization efforts.
The audit may include an objective assessing disease prevention
and response in long-term care facilities receiving Medicaid
monies. The audit may revisit themes from the Office of Emergency
Management audit our office released in 2017 related to the
state’s level of readiness with a focus on epidemiological risks.

The audit will examine the division’s staffing strategy and personnel
costs (including overtime) to determine if staffing is aligned with
leading practices and optimal for ensuring both public and police
safety. The audit will also identify any requirements, processes,
Oregon State
Highway Patrol or practices that reduce troopers’ ability to perform their primary
Police public safety function. Leading practices for ensuring officer safety
will also be identified and cited. The audit will seek to identify
opportunities for efficiencies, cost savings, and possible alternative
strategies for addressing any staffing shortages identified.

Oregon Secretary of State Audit Plan | February 2020 | page 10

2020-21 AUDIT PLAN
PERFORMANCE AUDITS
Audit Topic Entity(ies) Potential Scope and Objectives

The homeless population in Oregon is increasing; related public

health and safety risks are as well. The Oregon Department of
Housing and Community Services (DHCS) recently released the
Oregon Statewide Housing Plan and is spearheading state efforts
to address homelessness. This audit will be a collaborative effort
working closely with DHCS management. The Audits Division will
work with the DHCS team and other key stakeholders to execute a
risk assessment to establish the audit scope and objectives. The risk
Homeless Services Statewide assessment will likely include a review of the state’s “architecture”
for addressing homelessness. A possible audit objective may
include a review of efforts by the Department of Veterans’ Affairs to
identify, address, and reduce instances of veterans being homeless.
The audit may include an objective examining, on a sample
basis, counties, third-party contractors, or grantees receiving state
monies to address homelessness and assessing the efficiency and
effectiveness of these monies. The audit will assess actions taken to
address homelessness during the 2020 legislative session.

This audit will address correctional institutions’ treatment of

substance use disorders and mental health services provided
to inmates. Audit objectives may include an assessment of the
Inmate Substance Use agency’s mental health intake assessment processes, treatment
Disorders and Mental Department of plan development and execution, transition practices, prevention
Health Treatment Corrections services and funding, and records management. The audit will
Services include a review of recent legislative activity related to this issue,
including an assessment of implementation progress related to
legislative mandates.

The audit will examine the overall governance structure and

staffing resources for these boards and will likely include one or
Oregon Dentistry both of the following two objectives: (1) a review of the board’s
Licensing and and Mortuary and licensing practices and (2) a review of board investigative
Investigation Processes Cemetery Boards practices. The assessment of the Dental Board will leverage other
audit work examining Oregon’s Prescription Drug Monitoring
Program and public health risks related to the opioid crisis.

Measure 76 (2010) requires the Secretary of State to "regularly"

audit any state agency that receives money from the Parks and
Measure 76 - State Natural Resources Fund. Audit objectives may include, on a
Lottery Monies Selected state sample basis, financial integrity, compliance with applicable laws,
Distribution and agencies and efficiency and effectiveness of the use of the monies by various
Utilization state agencies and sub-recipients. In addition, audit objectives may
include a review of biennial performance reports from agencies
that receive monies from the fund.

Oregon Secretary of State Audit Plan | February 2020 | page 11

2020-21 AUDIT PLAN
PERFORMANCE AUDITS
Audit Topic Entity(ies) Potential Scope and Objectives

This audit will assess programs and services for people

experiencing developmental and intellectual disabilities. Audit
objectives may include a review of activities to increase service
Office of access and quality, ensure the equitable delivery of services,
Department of
Developmental comply with federal and state guidelines, measure outcomes, and
Human Services
Disabilities Services solicit customer feedback. This audit may include a review of how
the agency’s current efforts to adopt an integrated social service
delivery model, and data-driven decision making, impacts this
program.

There have been consistent reports of significant issues related to

public defense in Oregon, including a highly critical assessment
report issued in early 2019. The audit will leverage this analysis
to assess progress being made on these issues and risks and will
Public Defense generally assess whether the Office of Public Defense Services
Office of Public Services is providing timely, effective, and efficient legal services. Audit
Defense Services Commission objectives will also assess costs and seek to identify possible cost
savings and efficiency opportunities. The audit will likely include an
equity objective to assess whether there are disparities in access
and quality of public defense services provided to minority and
non-minority populations.

Climate change is cited on the Government Accountability Office’s

(GAO) 2019 High Risk List and the GAO has performed several
audits on the subject. The audit will assess whether the state has
a cohesive climate change strategy that is outcome-driven and
measurable. The audit fits our strategy of addressing emerging
Climate Change Risk and complex challenges facing the state in a timely and proactive
Statewide
Management Strategy manner. The audit could possibly involve several state functions
and would entail a detailed risk assessment to determine the audit
scope and objectives. Possible entities within the scope of the audit
include the Governor’s Carbon Policy Office and the Oregon
Global Warming Commission. The audit will assess climate
change-related actions resulting from the 2020 legislative session.

Procurement The audit will focus on Treasury’s procurement and contract

and Contract Oregon State administration practices. Audit objectives will include reviewing
Administration Treasury Treasury policies, procedures, systems, data, and personnel
Practices responsibilities related to contract procurement and administration.

Oregon Secretary of State Audit Plan | February 2020 | page 12

2020-21 AUDIT PLAN
PERFORMANCE AUDITS
Audit Topic Entity(ies) Potential Scope and Objectives

In alignment with the Audits Division’s strategy of enhancing audit

impact, strengthening agency-to-agency relations, and leveraging
audit capabilities and efficiencies, this project would entail a joint
Oregon
Special Joint Audit audit to be performed collaboratively between the Secretary
Department of
Project of State Audits Division and ODOT internal audit function. In
Transportation consultation with the ODOT director and Chief Auditor, the Audits
Division will jointly execute an audit supporting a topic listed on
ODOT’s internal audit plan.

This will be a real-time audit of enhancement of education

funds passed by the 2019 Legislature through the SSA. The
Oregon audit will focus on ODE and selected districts’ initial strategies
Student Success Act Department of for implementing elements of the SSA and accounting for SSA
(SSA) Implementation Education, spending. The audit will assess the department’s implementation
Strategy and Controls selected districts strategy for the SSA, including staffing, communication,
performance data collection, and improvement efforts for districts,
contractors, and grantees.

Oregon Secretary of State Audit Plan | February 2020 | page 13

2020-21 AUDIT PLAN
INFORMATION TECHNOLOGY AUDITS
Audit Topic Entity(ies) Potential Scope and Objectives

Previous audits have identified significant ongoing IT risks across

Office of the State the state. In response to numerous risks and failures, IT functions,
Chief Information roles, and responsibilities have been shifted and reorganized
Oregon Department of Officer, several times in recent years. The audit will examine the state’s
Administrative Services Enterprise current IT governance and operational structure and activities
Information of Enterprise Information Services to identify opportunities for
Services enhancing IT controls, services, and tools.

Oregon State
Lottery, These IT security audits focus on a set of IT controls related to
Department of
IT Security Controls cybersecurity. The Audits Division chooses agencies for inclusion
Corrections,
Assessment Program through a risk assessment process and plans to perform four
Veteran's Affairs, reviews at the agencies listed.
and Oregon State
Treasury

The state has been moving to more web-based services in recent

years. This audit would focus on how agencies are hosting their
Web Application Selected agencies web applications and how they ensure that servers are configured
Hosting Security appropriately. A risk-based assessment will be utilized to
determine which agencies will be included in the audit sample.

Oregon Secretary of State Audit Plan | February 2020 | page 14

2020-21 AUDIT PLAN
FINANCIAL AUDITS
Audit Topic Entity(ies) Potential Scope and Objectives

A single audit is required by the federal government to receive

federal financial assistance and has two main components, the first
being an audit of the State’s financial statements and reporting on
the schedule of expenditures of federal awards (SEFA) in relation
to those financial statements. Based on prior year audits, the FY20
audit will most likely include audit procedures at the following
agencies:

Department of Administrative Services

Department of Consumer and Business Services
Oregon Business Development Department
Department of Corrections
Department of Education
Oregon Employment Department
Department of Environmental Quality
Oregon Department of Fish and Wildlife
Oregon Department of Forestry
Oregon Health Authority
Higher Education Coordinating Commission
Statewide Single Department of Human Services
Audit: Part One, Statewide Oregon Judicial Department
Financial Department of Justice
Oregon Liquor Control Commission
Oregon Military Department
Oregon Parks and Recreation Department
Public Defense Services Commission
Department of Revenue
Oregon Department of Transportation

The FY20 audit will also include financial statement audits at the
following agencies.

Oregon Housing and Community Services

Oregon State Lottery
Oregon Department of Veterans’ Affairs
Public Employees Retirement System*
State Accident Insurance Fund*
Common School Fund at the Department of State Lands*

*Indicates audits that we contract with CPA firms to conduct.

Statewide Single The second component is a compliance audit of major federal

Audit: Part Two, Statewide awards expended during the fiscal year. During the planning phase
Federal of the FY20 audit, we will determine the federal programs to audit.

Oregon Secretary of State Audit Plan | February 2020 | page 15

2020-21 AUDIT PLAN
FINANCIAL AUDITS
Audit Topic Entity(ies) Potential Scope and Objectives

FY20 Oregon Short-Term

FY20 Oregon Local Government Investment Fund
FY20 Oregon Intermediate Term Pool
Oregon State
Financial Statement Treasury To review internal accounting and compliance control procedures
and to obtain reasonable assurance about whether the amounts
reported in the financial statements are materially correct and
adequately supported.

To review internal accounting and compliance control procedures

Department of and to obtain reasonable assurance about whether the amounts
Consumer and reported in the financial statements are materially correct and
FY20 Financial Business Services, adequately supported. In addition, to verify compliance with
Statement and Oregon Health programmatic requirements set forth by 45 CFR part 155; report on
Compliance Insurance compliance as directed by the Centers for Medicare & Medicaid
Marketplace Services (CMS); and meet requirements of a performance audit as
directed in ORS 741.220.

Oregon Business
Development To review internal accounting and compliance control procedures
FY19 Financial Department, and to obtain reasonable assurance about whether the amounts
Statement Special Public Works reported in the financial statements are materially correct and
Fund and Water adequately supported.
Fund

Oregon Department To review internal accounting and compliance control procedures

FY19 Financial of Energy, and to obtain reasonable assurance about whether the amounts
Statement Small Scale Energy reported in the financial statements are materially correct and
Loan Program (SELP) adequately supported.

In accordance with the Interstate Cooperative Agreement between

the Washington State Auditor’s office and the Oregon Secretary
Columbia River
FY20 Financial of State Audits Division, we perform procedures to verify Oregon’s
Gorge
Statement share of the Columbia River Gorge Commission’s joint expenditures
Commission and commissioners’ compensation are in compliance with laws and
regulations of the State of Oregon.

Oregon Secretary of State Audit Plan | February 2020 | page 16

2020-21 AUDIT PLAN
FINANCIAL AUDITS
Audit Topic Entity(ies) Potential Scope and Objectives

Department of To review internal accounting and compliance control procedures

Environmental
FY19 Financial and to obtain reasonable assurance about whether the amounts
Quality,
Statement reported in the financial statements are materially correct and
Clean Water adequately supported.
Revolving Fund

Oregon Health As required by the U.S. Environmental Protection Agency, the State
Authority,
FY19 Agreed Upon of Oregon submits financial statements for the Safe Drinking Water
Safe Drinking Water
Procedures Revolving Loan Fund. We perform procedures that are agreed to
Agreed Upon by the Oregon Health Authority.
Procedures

Oregon Department
of Education, To review internal accounting and compliance control procedures
FY19 Financial High School and to obtain reasonable assurance about whether the amounts
Statement Graduation and reported in the financial statements are materially correct and
College and Career adequately supported.
Readiness Fund

Department of
Human Services,
Federal Cost Allocation This interim audit work supports the FY20 Statewide Single Audit.
Compliance Plan Childcare
Development Fund
Cluster

Department of
Administrative
Services,
Oregon State Payroll
Financial This interim audit work supports the FY20 Statewide Single Audit.
Application and
Statewide Financial
Management
Application

Keeping the State of Oregon Accountable: To summarize and issue

Statewide Summary Various a summary report on the results of the FY19 Statewide Single Audit
Single Audit financial and federal audits.

Oregon Secretary of State Audit Plan | February 2020 | page 17

2020-21 AUDIT PLAN
FINANCIAL AUDITS
Audit Topic Entity(ies) Potential Scope and Objectives

ORS 297.405 to 297.740 and 297.990 (Municipal Audit Law)

require local governments, including counties, cities, school districts,
Municipal Audit Local governments and special districts, to prepare and submit annual reports. Our
annual report summarizes the financial reporting activities of
Oregon’s municipal corporations for the prior fiscal year.

Risk Assessments To review agency records and programs to identify fiscal and
and Fiscal Resource Various program risks.
Reviews

Oregon Secretary of State Audit Plan | February 2020 | page 18

 Secretary of State
Oregon Audits Division

This Annual Audit Plan was prepared and designed by:

Bev Clarno, Secretary of State
Kip Memmott, Audits Director
Mary Wenger, Deputy Audits Director
Will Garber, Deputy Audits Director
Laura Fosmire, Communications Specialist
Julie Sparks, Office Manager

Photograph of the Oregon State Capitol courtesy of Gary Halvorson, Oregon Archives Division
All rights reserved