Secretary of State Dennis Richardson Audits Division, Director Kip Memmott
Report 2017 – 18
State of Oregon, Oregon Department of Transportation: The Oregon Fuels Tax System Accurately Assesses and Collects Fuels Taxes for State and Local Jurisdictions, September 2017
Secretary of State Audit Highlights, September 2017
ODOT: The Oregon Fuels Tax System Accurately Assesses and Collects Fuels Taxes for Oregon and Local Jurisdictions
Key Findings
1. OFTS accurately calculates, assesses, and collects fuels tax for the state of Oregon and local jurisdictions, but manual processes governing refund payments should be improved to ensure accurate refund payments.
2. Application design flaws result in a small number of refund overpayments and minor reporting inaccuracies.
3. Changes to OFTS computer code are appropriately managed to reasonably ensure that the system and its data will not be compromised as the result of a code change.
4. System back‐up processes have never been tested to ensure system data can be restored in the event of a disruption.
5. Security weaknesses exist in processes for granting and reviewing system access, monitoring activities of internal and third‐party users with significant system access, and identifying and remediating system security vulnerabilities. In addition, password parameters should be more robust, and safeguards protecting some Personally Identifiable Information (PII) need improving.
Recommendations
The report includes nine recommendations to the Oregon Department of Transportation focused on addressing weaknesses in the refund review processes, fixing system design flaws, testing backups, and correcting security weaknesses.
The Department of Transportation agreed with our findings and recommendations. The agency’s response can be found at the end of the report.
Report Highlights
The Secretary of State’s Audits Division found that the Oregon Fuels Tax System (OFTS) accurately assesses and collects fuels taxes for Oregon and local jurisdictions, collecting over $564 million in 2016. However, processes for issuing fuels tax refunds and system design flaws result in minor overpayments and reporting inaccuracies. Additionally, ODOT should enhance processes for testing system backup files, granting and monitoring user access, setting user password parameters, implementing safeguards over personally identifiable information, and identifying security weaknesses.
Background
In 2013, ODOT contracted with Avalara to implement a new fuels tax system for $2.8 million, replacing an outdated paper based system previously used to handle Oregon Fuels Tax returns.
Purpose
The purpose of our audit was to review and evaluate the effectiveness of key general and application controls that protect and ensure the integrity of the Oregon Fuels Tax System and its data.
Secretary of State, Dennis Richardson; Oregon Audits Division, Kip Memmott, Director
About the Secretary of State Audits Division
The Oregon Constitution provides that the Secretary of State shall be, by virtue of his office, Auditor of Public Accounts. The Audits Division exists to carry out this duty. The division reports to the elected Secretary of State and is independent of other agencies within the Executive, Legislative, and Judicial branches of Oregon government. The division is authorized to audit all state officers, agencies, boards, and commissions and oversees audits and financial reporting for local governments.
Audit Team
Will Garber, CGFM, MPA, Deputy Director
Teresa Furnish, CISA, Audit Manager
Matthew Owens, CISA, MBA, Principal Auditor
Luis Sandoval, MPA, Staff Auditor
This report, a public record, is intended to promote the best possible management of public resources. Copies may be obtained from:
website: sos.oregon.gov/audits
phone: 503‐986‐2255
mail: Oregon Audits Division 255 Capitol Street NE, Suite 500 Salem, Oregon 97310
The courtesies and cooperation extended by officials and employees of the Oregon Department of Transportation during the course of this audit were commendable and sincerely appreciated.
Number 2017‐18 September 2017 Oregon Fuels Tax System Page 1
Secretary of State Audit Report
ODOT: The Oregon Fuels Tax System Accurately Assesses and Collects Fuels Taxes for Oregon and Local Jurisdictions
Introduction
ODOT Uses Fuels Taxes for Building and Maintaining Roads and Highways in Oregon
Photo courtesy of the Oregon Department of Transportation.
The Oregon Department of Transportation (ODOT) uses fuels taxes, along with other funds from state, federal, county, and city sources, to preserve, improve and operate Oregon’s road system. These taxes are determined in accordance with three principles:
1. Those who use the roads pay for them.
2. Road users pay in proportion to the road costs for which they are responsible.
3. Taxes are used for constructing, improving, and maintaining roads.
Taxes on fuel are applied to all fuel types used to operate motor vehicles on Oregon’s roads and highways. Oregon Revised Statutes (ORS) Chapter 319 gives ODOT the authority to collect motor vehicle taxes, aircraft fuel taxes, and use fuel taxes. Motor vehicle fuel is mostly limited to gasoline and ethanol blends. Oregon use fuel is defined as diesel, biodiesel, propane, compressed natural gas, and any fuel other than gasoline used in a motor vehicle.
In a campaign to “get Oregon out of the mud,” in 1919, Oregon became the first U.S. state to impose a tax on fuel to fund road building. At 1¢ per gallon, it raised $342,000 in its first year.
The current tax rates are listed in the table below; however, the 2017 Oregon Transportation Package, passed by the Oregon State Legislature in July 2017, increases the Motor Vehicle Fuel tax to 40¢ per gallon over the next seven years. The first increase of 4¢ is scheduled to take effect in 2018.
Table 1: 2016 Oregon Fuels Tax Rates
Fuel Type Tax Rate per Gallon
Motor Vehicle Fuel 30¢
Aviation Gasoline 11¢
Jet Fuel 3¢
Use Fuel 30¢
Collecting fuels taxes
In Oregon, motor vehicle fuels taxes are paid by licensed fuel dealers at the point of “first sale,” or withdrawal. When drivers fill their vehicles at the pump, the purchase price includes the taxes paid by the dealer. The licensed fuel dealer, through filing monthly¹ fuels tax returns, then remits taxes back to the state. Monthly fuels tax returns are due by the 25th of each month.
Licensees have the option to submit fuels tax returns on paper or online through the Oregon Fuels Tax System web portal. All licensees with 1,000 or more transactions are required to submit their fuels tax returns electronically. Any amount owed is also paid at the time of submission. Currently, approximately 80% of fuels tax returns are submitted online. The remaining 20% of returns are either mailed to the department along with payment, or dropped off at lockbox locations at U.S. Bank. All fuels tax paper returns must be entered into the system by ODOT staff.
Within the Financial Services Branch of ODOT, the Fuels Tax Group (FTG) is responsible for administering fuels tax licensing, fuels tax report processing, and collecting fuels tax from Motor Vehicle Fuel dealers and Use Fuel licensees. Fuels tax refund processing, tax compliance audit services, and collecting delinquent accounts are part of these responsibilities. Additionally, the department collects fuels taxes on behalf of some local jurisdictions that have imposed fuels tax ordinances and distributes the monies on a monthly basis. The FTG currently consists of 21 employees, including managers and front-line staff.
¹ ORS 319.020(a): Not later than the 25th day of each calendar month, render a statement to the Department of Transportation of all motor vehicle fuel or aircraft fuel sold, used, distributed or so withdrawn by the dealer in the State of Oregon as well as all such fuel sold, used or distributed in this state by a purchaser thereof upon which sale, use or distribution the dealer has assumed liability for the applicable license tax during the preceding calendar month. The dealer shall render the statement to the department in the manner provided by the department by rule.
New Oregon Fuels Tax System
The Oregon Fuels Tax System (OFTS) went live in July 2015. During calendar year 2016, OFTS processed approximately 14,000 tax returns and collected over $564 million in fuels tax revenue for the state and local jurisdictions. (See Table 2)
Table 2: 2016 Collection of Fuels Taxes by Jurisdiction
Jurisdiction Amount
Oregon $ 547,863,939
Astoria $ 208,401
Canby $ 347,158
Coburg $ 72,523
Coquille $ 91,676
Cottage Grove $ 440,181
Eugene $ 3,104,372
Hood River $ 325,425
Milwaukie $ 177,467
Newport $ 172,720
Springfield $ 1,140,909
Tigard $ 788,950
Veneta $ 119,249
Warrenton $ 325,585
Woodburn $ 128,783
Multnomah County $ 7,005,247
Washington County $ 2,128,607
Total $ 564,441,191
The department’s previous system relied heavily on paper-driven processes. Fuels tax licensees conducting business in Oregon previously had to submit manual applications, were issued paper licenses, and were required to submit manual reports and supporting documentation to ODOT’s central office. FTG personnel manually entered this information into the system, and the reports and supporting schedules had to be manually filed for review by fuels tax auditors during an audit.
To decrease their reliance on manual processes, ODOT contracted with Avalara to implement a new fuels tax system for $2.8 million. This new system was designed to:
 provide electronic filing capability for external users who conduct business with ODOT;
 enable improved business processes and audit capabilities and increase staff productivity through automated workflows; and
 enhance reporting and analytic functionality.
Objectives, Scope and Methodology
The purpose of our audit was to review and evaluate the effectiveness of key general and application controls governing the Oregon Fuels Tax System (OFTS) at ODOT. Our specific objectives were to determine whether:
 information system controls provide reasonable assurance that OFTS transactions remain complete, accurate and valid during input, processing and output;
 changes to OFTS computer code are appropriately controlled to ensure the integrity of information systems and data;
 OFTS files and data are appropriately backed up and can be timely restored when needed; and
 OFTS and its data are protected against unauthorized use, disclosure, or modification.
The scope of our audit included processes for collecting and recording fuels tax and related IT controls that were in effect during calendar year 2016. We conducted interviews with department personnel, observed department operations, and examined available system documentation. To fulfill our audit objectives, we evaluated or tested:
 Fuels Tax returns and data from calendar year 2016;
 processes used to update computer code and supporting documentation for selected changes to the Oregon Fuels Tax System;
 processes and schedules for backing up the system and its data; and
 processes used to provide access to the system, access privileges granted to selected users, and documentation relating to security systems.
To identify generally accepted control objectives and practices for information systems, we used the IT Governance Institute’s publication “Control Objectives for Information and Related Technologies,” the United States Government Accountability Office’s publication “Federal Information System Controls Audit Manual,” and Oregon Statewide Information Security Standards.
We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained and reported provides a reasonable basis to achieve our audit objective.
Audit Results
The Oregon Fuels Tax System Accurately Assesses and Collects Fuels Taxes but Review Processes and System Design Flaws Need Attention
We found the Oregon Fuels Tax System (OFTS) accurately calculates, assesses, and collects fuels tax for the state of Oregon and local jurisdictions and appropriately transfers information to ODOT’s accounting systems. However, manual processes governing refund payments should be improved to ensure that all refund payments issued are appropriate. Additionally, application design flaws result in a small number of over-refunds and inaccurate reporting.
Fuels Tax Return Calculated Assessments are Accurate
During calendar year 2016, OFTS processed approximately 14,000 fuels tax returns and collected over $564 million in fuels tax revenue for the state and local jurisdictions. We determined the system’s calculations to be correct for 99.5% of all returns. The remaining 0.5% of records were different from the expected amount due to rounding errors or manual overrides by department staff of system-calculated interest and penalty amounts.
The department receives most fuels tax data from electronic returns uploaded from the external systems of the licensee. Additionally, department staff manually enter fuels tax return data and refund requests received through the mail into the system.
Transactions entered and processed through computer systems should go through a variety of manual and automated procedures to ensure they are appropriate. In particular, procedures should ensure only complete, accurate and valid information is entered into a system, data integrity is maintained during processing, and system outputs meet expected results.
To achieve this, OFTS uses Extensible Markup Language (XML) to ensure that uploaded or manually entered data is formatted appropriately and that all of the required information is included in the upload. Additionally, OFTS includes multiple tolerance calculations² to help ensure that returns are accurate and consistent with previous returns. For example, if a new return has a beginning inventory of fuel that does not match the ending balance of the previous return, OFTS will issue an error message to the licensee that submitted the new return.
² Tolerance calculations are system checks that determine whether submitted data is within certain parameters. Data outside allowable tolerance generate an error notification.
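The input-validation flow described above, as an added Python example that is not part of the audit report and not OFTS or Avalara code: it parses a constructed XML upload, rejects any return missing a required numeric field, and then applies the beginning-inventory continuity check against the licensee's prior return. The element names, the licensee and period attributes, the zero-gallon tolerance, and the roll-forward identity (ending = beginning + receipts - disbursements) are assumptions for illustration; the real OFTS schema and tolerances are not described in the report.

```python
import xml.etree.ElementTree as ET
from decimal import Decimal, InvalidOperation

# Constructed sample upload, not real OFTS data. Element names and attributes
# are assumptions; the actual OFTS XML layout is not on the page.
SAMPLE_UPLOAD = """<returns>
  <return licensee="L-1001" period="2016-04">
    <beginning_inventory>12000</beginning_inventory>
    <receipts>50000</receipts>
    <disbursements>48500</disbursements>
    <ending_inventory>13500</ending_inventory>
  </return>
  <return licensee="L-1001" period="2016-05">
    <beginning_inventory>13000</beginning_inventory>
    <receipts>40000</receipts>
    <disbursements>41000</disbursements>
    <ending_inventory>12000</ending_inventory>
  </return>
  <return licensee="L-1001" period="2016-06">
    <beginning_inventory>12000</beginning_inventory>
    <receipts>30000</receipts>
    <ending_inventory>20000</ending_inventory>
  </return>
</returns>
"""

REQUIRED_FIELDS = ("beginning_inventory", "receipts", "disbursements", "ending_inventory")
# Gallons of drift allowed before a return is rejected. Zero is an assumption;
# the department sets the real tolerance.
TOLERANCE_GALLONS = Decimal("0")


def parse_upload(xml_text):
    """Structural check: every <return> must carry each required numeric field.
    Missing or non-numeric fields are recorded as errors and stored as None so
    the later tolerance checks can skip them instead of crashing."""
    records = []
    for node in ET.fromstring(xml_text).findall("return"):
        rec = {"licensee": node.get("licensee"), "period": node.get("period"), "errors": []}
        for field in REQUIRED_FIELDS:
            child = node.find(field)
            text = (child.text or "").strip() if child is not None else ""
            try:
                rec[field] = Decimal(text) if text else None
            except InvalidOperation:
                rec[field] = None
            if rec[field] is None:
                rec["errors"].append(f"missing or non-numeric <{field}>")
        records.append(rec)
    return records


def tolerance_errors(previous, current):
    """Consistency checks between consecutive returns of one licensee."""
    errors = []
    if (previous is not None and previous["ending_inventory"] is not None
            and current["beginning_inventory"] is not None):
        drift = current["beginning_inventory"] - previous["ending_inventory"]
        if abs(drift) > TOLERANCE_GALLONS:
            errors.append(
                f"beginning inventory {current['beginning_inventory']} does not match "
                f"prior period ending inventory {previous['ending_inventory']} (drift {drift})")
    if all(current[f] is not None for f in REQUIRED_FIELDS):
        # Roll-forward identity (assumed): ending = beginning + receipts - disbursements.
        expected = current["beginning_inventory"] + current["receipts"] - current["disbursements"]
        if abs(current["ending_inventory"] - expected) > TOLERANCE_GALLONS:
            errors.append(
                f"ending inventory {current['ending_inventory']} does not roll forward to {expected}")
    return errors


def validate_upload(xml_text):
    """Returns {(licensee, period): [error messages]}; an empty list means the
    return passed both the structural and the tolerance checks."""
    results = {}
    last_seen = {}
    for rec in sorted(parse_upload(xml_text), key=lambda r: (r["licensee"], r["period"])):
        errs = list(rec["errors"]) + tolerance_errors(last_seen.get(rec["licensee"]), rec)
        results[(rec["licensee"], rec["period"])] = errs
        last_seen[rec["licensee"]] = rec
    return results


if __name__ == "__main__":
    for key, errs in validate_upload(SAMPLE_UPLOAD).items():
        print(key, "OK" if not errs else errs)
```

Run directly, the April return passes, the May return fails only the continuity check (its beginning inventory of 13,000 gallons does not match April's ending 13,500), and the June return fails only the structural check because it omits disbursements. Keeping the structural and tolerance checks separate matters: a return with a missing field should be bounced for that reason, not produce a misleading arithmetic error.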
OFTS Accurately Transfers Information to ODOT’s Accounting System
OFTS accurately and reliably transfers fuels tax payment and refund transaction data into ODOT’s main accounting system, the Transportation Environment Accounting and Management System (TEAMS), through an electronic interface on a daily basis.
Controls surrounding interface processing should reasonably ensure that data is transferred from the source system to the target system completely, accurately, and timely. Without these controls, the department would not be able to accurately record fuels tax revenue, or issue fuels tax refunds to licensees from TEAMS.
To determine whether records transferred successfully into TEAMS with all the appropriate transaction information, we reviewed all payment and refund records in OFTS with a transfer date between January 1 and December 31, 2016. In total, we tested 11,530 transactions and found that 11,513 (or 99.9%) of these transactions transferred successfully and appropriately from OFTS to TEAMS.
The remaining 17 records successfully transferred into TEAMS but had a slightly different transfer date than what was stated in OFTS. This was primarily due to a timing difference in how certain manual payments are processed by the system.
Controls Over Refund Payments Need Improvement
Although most tax payments are accurately received and accounted for by OFTS, we found that the department does not have a sufficient review process in place to ensure that refunds are appropriate and have adequate supporting documentation to justify the amounts paid for all transactions.
During calendar year 2016, OFTS processed approximately $5.5 million in refunds. There are four situations in which a refund payment can be issued to a fuels tax licensee:
1. The licensee files an amended return which results in a refund.
2. The licensee paid more than what was owed on a given tax return, resulting in a refund.
3. The licensee used fuel for non-road use purposes, such as in farm equipment, and has requested a refund for taxes already paid.
4. Contractual agreements with local tribal entities.
ODOT has contracts in place with three Federally Recognized Tribes that allow for 100% of fuel taxes paid to be refunded when they are used for the purpose of providing essential governmental functions, and 80% of fuel tax paid by tribal members to be refunded. During 2016, $2.5 million in fuels tax refunds were issued to tribes.
Transactions that result in refunds being issued to a licensee should be subject to a variety of controls to check for accuracy and validity. These controls often consist of a combination of manual and automated processes.
However, we found the department’s review process for approving refund claims is based largely on the “honor system” without requiring proper supporting documentation. Additionally, we identified several refunds with supporting documentation that did not match the refund amount and required significant research to determine the appropriate refund amount. While the system allows for comments and supporting documentation to be added for each refund, we found that these features were not utilized consistently to allow for a complete audit trail for all transactions.
We tested 150 refund transactions in the system, totaling approximately $1.12 million, to ensure the refunds were appropriate. Of those, we identified 5 transactions totaling $8,454 that were paid in error and 4 transactions totaling $47,007 that lacked sufficient supporting documentation. However, our follow-up review determined that these four refunds were appropriate.
System Design Flaw Allows for Overpayments
A system design flaw concerning how amended returns are processed resulted in overpayments to licensees totaling $3,850 during 2016.
When a licensee files an amended return after the monthly or quarterly due date that results in additional taxes owed, the system appropriately assesses a 10% penalty on the additional amount owed, as well as interest of .0329% per day late. However, when a licensee files an amended return that results in a refund, OFTS is inappropriately assessing a negative late fee of 10% and interest to the refund, resulting in an overpayment to the licensee. The late fee and interest should not be applied to the refund.
For example, if the licensee files an amended return 60 days after the original due date that results in a $1,000 refund, OFTS issues a refund of the $1,000 plus a $100 negative penalty and $19.74 in interest. This would result in an overall refund of $1,119.74 to the licensee.
While the total dollar amount was relatively small, we found that the system inappropriately assessed negative interest or penalties 105 times for a total of $3,850 that was paid to the licensees in error.
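A worked version of the penalty and interest arithmetic above, as an added Python example that is not code from OFTS, Avalara or the report. The flawed settlement applies the 10% penalty and .0329% daily interest to the signed change in tax, so a refund receives a negative penalty and negative interest; the corrected settlement applies them only when additional tax is owed. The retrospective check at the end scans amended-return records for a negative stored penalty or interest, which is the query that locates affected transactions after the fact. The record layout and the records themselves are constructed.

```python
from decimal import Decimal, ROUND_HALF_UP

PENALTY_RATE = Decimal("0.10")        # 10% late penalty, per the report
DAILY_INTEREST = Decimal("0.000329")  # .0329% per day late, per the report
CENT = Decimal("0.01")


def penalty_and_interest(amount, days_late):
    """Penalty and interest on an amount, rounded to cents. The sign of the
    result follows the sign of `amount`, which is exactly the flaw below."""
    penalty = (amount * PENALTY_RATE).quantize(CENT, rounding=ROUND_HALF_UP)
    interest = (amount * DAILY_INTEREST * days_late).quantize(CENT, rounding=ROUND_HALF_UP)
    return penalty, interest


def settle_flawed(tax_delta, days_late):
    """Behaviour the audit describes: penalty and interest are applied to the
    signed change in tax (positive = additional tax owed, negative = refund),
    so a refund also receives a negative penalty and interest, inflating it."""
    penalty, interest = penalty_and_interest(tax_delta, days_late)
    return tax_delta + penalty + interest


def settle_fixed(tax_delta, days_late):
    """Corrected: penalty and interest only when additional tax is owed."""
    if tax_delta <= 0:
        return tax_delta
    penalty, interest = penalty_and_interest(tax_delta, days_late)
    return tax_delta + penalty + interest


def overpayment(tax_delta, days_late):
    """How much the flawed logic pays out beyond the correct settlement."""
    return settle_fixed(tax_delta, days_late) - settle_flawed(tax_delta, days_late)


# Constructed amended-return records (not OFTS data) for a retrospective scan.
AMENDED_RETURNS = [
    {"id": "A-1", "tax_delta": Decimal("2500.00"), "penalty": Decimal("250.00"), "interest": Decimal("24.68")},
    {"id": "A-2", "tax_delta": Decimal("-1000.00"), "penalty": Decimal("-100.00"), "interest": Decimal("-19.74")},
    {"id": "A-3", "tax_delta": Decimal("-300.00"), "penalty": Decimal("0.00"), "interest": Decimal("0.00")},
    {"id": "A-4", "tax_delta": Decimal("-780.00"), "penalty": Decimal("-78.00"), "interest": Decimal("-2.31")},
]


def negative_assessments(records):
    """Amended returns whose stored penalty or interest is negative: each one is
    a refund that was inflated by the flaw."""
    return [r for r in records if r["penalty"] < 0 or r["interest"] < 0]


def total_paid_in_error(records):
    """Sum of the negative penalty and interest amounts, as a positive figure."""
    return -sum(r["penalty"] + r["interest"] for r in negative_assessments(records))


if __name__ == "__main__":
    print("flawed refund on -1000, 60 days late:", settle_flawed(Decimal("-1000"), 60))
    print("fixed refund:", settle_fixed(Decimal("-1000"), 60))
    print("paid in error across sample records:", total_paid_in_error(AMENDED_RETURNS))
```

With a $1,000 refund filed 60 days late the flawed path returns -1119.74 (a refund of $1,119.74, matching the report's example) and the corrected path returns -1000. Decimal arithmetic rather than floats is deliberate: tax and interest figures are legally defined to the cent, and binary floating point would introduce the rounding differences the auditors separately noted in 0.5% of returns.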
System Design Flaw Results in Reporting Inaccuracies
The department uses two system-generated reports (the Revenue Journal Summary and Taxable Distribution Report) to identify funds collected on behalf of local jurisdictions that are owed to them. Due to a design flaw in how these reports pull information from the system, based on the accounting period instead of the transaction date, we found the reports may not accurately reflect what was, or should be, distributed to local jurisdictions.
While this flaw does not cause errors in these reports when licensees file timely, tax payments from late returns or amended returns may not be accurately reflected in the reports for the period in which they were actually paid. For example, the original monthly Taxable Distribution Summary for May 2016 was generated by the system on May 31, 2016. The report shows that $41,363,586 in motor vehicle fuel taxes was distributed to state and local jurisdictions for the period. However, when we re-ran this report for the same period it showed that $41,412,677 was distributed during this time, a difference of $49,091.
While the overall effect of this issue was minimal during the period reviewed, it indicates that the department may not be able to accurately reconcile and verify revenue from fuels taxes, resulting in potential over- or under-payments to local jurisdictions.
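The two report bases above, as an added Python example (not OFTS code and not from the report): the same constructed set of payments is summarised by accounting period, as the flawed reports do, and by the month the payment was actually received. Running the accounting-period version with two different run dates reproduces the re-run discrepancy, and the reconcile helper is the manual comparison of report runs that recommendation 3 asks for. Jurisdiction names are taken from Table 2; the amounts and dates are constructed, with the late amended payment chosen to equal the $49,091 difference in the text.

```python
from collections import defaultdict
from datetime import date
from decimal import Decimal

# Constructed payment records, not OFTS data. Each carries the accounting
# period (the return month) and the date the money was actually received.
PAYMENTS = [
    {"jurisdiction": "Oregon", "accounting_period": "2016-05",
     "paid_on": date(2016, 5, 20), "amount": Decimal("1000000")},
    {"jurisdiction": "Eugene", "accounting_period": "2016-05",
     "paid_on": date(2016, 5, 24), "amount": Decimal("250000")},
    # Late April return, paid in May: May cash, but April accounting period.
    {"jurisdiction": "Eugene", "accounting_period": "2016-04",
     "paid_on": date(2016, 5, 10), "amount": Decimal("30000")},
    # Amended May return paid in July: absent from a May report run on May 31,
    # present when the same report is re-run later in the year.
    {"jurisdiction": "Oregon", "accounting_period": "2016-05",
     "paid_on": date(2016, 7, 2), "amount": Decimal("49091")},
]


def by_accounting_period(payments, period, run_on):
    """The flawed basis: payments selected by accounting period, as seen when
    the report is generated on `run_on`. The output keeps changing as late
    and amended payments for that period arrive."""
    totals = defaultdict(Decimal)
    for p in payments:
        if p["accounting_period"] == period and p["paid_on"] <= run_on:
            totals[p["jurisdiction"]] += p["amount"]
    return dict(totals)


def by_payment_month(payments, month):
    """Cash basis: payments selected by the month they were received. Once the
    month has closed the figure is stable, which is what a monthly
    distribution to local jurisdictions needs."""
    totals = defaultdict(Decimal)
    for p in payments:
        if p["paid_on"].strftime("%Y-%m") == month:
            totals[p["jurisdiction"]] += p["amount"]
    return dict(totals)


def reconcile(original, rerun):
    """Per-jurisdiction difference between two runs of the same report; an
    empty dict means the runs agree and nothing is owed or over-distributed."""
    diffs = {}
    for name in set(original) | set(rerun):
        delta = rerun.get(name, Decimal(0)) - original.get(name, Decimal(0))
        if delta != 0:
            diffs[name] = delta
    return diffs


if __name__ == "__main__":
    first_run = by_accounting_period(PAYMENTS, "2016-05", date(2016, 5, 31))
    later_run = by_accounting_period(PAYMENTS, "2016-05", date(2016, 12, 31))
    print("May 2016 report, run May 31:", first_run)
    print("May 2016 report, re-run Dec 31:", later_run)
    print("difference between runs:", reconcile(first_run, later_run))
    print("May 2016 by payment month:", by_payment_month(PAYMENTS, "2016-05"))
```

The accounting-period report run on May 31 omits the amended payment that arrives in July, so the re-run shows Oregon up by 49,091; the payment-month report instead counts the late April return in May, which is the month the cash can actually be distributed. Either basis can be defended, but only one of them should drive the monthly distribution, and the difference between runs is what the reconciliation has to explain.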
OFTS Change Management and Backup Processes are Effective but Further Enhancement Warranted
Processes for implementing system code changes and backing up system files were effective. However, because system backup files have not been tested to ensure usability, the department cannot be sure that they can be restored timely when needed. Furthermore, we noted that because the system is relatively new to ODOT, it has not yet been incorporated into the department’s overall Disaster Recovery Plan.
Effective Controls Established for System Changes
OFTS computer code modifications are appropriately controlled to ensure the integrity of the system data is maintained.
Changes to computer applications should be managed to ensure only tested and approved modifications are placed into production. The system vendor, Avalara, controls and maintains the OFTS source code. Avalara sends out updates in the form of patches for the system on a monthly and quarterly basis that must be installed by ODOT technical staff.
We reviewed the process for implementing OFTS updates to ensure: proper authorization exists for system patching, system updates are tested prior to implementing in production, and that appropriate change management review processes are followed. We found that changes to OFTS computer code are appropriately controlled and implemented.
Backup Files Have Not Been Tested to Ensure Usability
The department has processes in place to ensure that the system data are backed up. However, because backup files have never been tested, the department does not have assurance that the system and its data could be restored in the event of a major disruption or outage.
We evaluated the department’s process for backing up OFTS including backup frequency, notifications of backup success or failure, and whether or not backups are tested on a periodic basis. We concluded that the department, in cooperation with the state data center, is backing up the system and its data using specialized backup software. However, without testing, management has no assurance that the system and its data could be timely restored in the event of a disruption.
We also noted that the department has not yet incorporated this system into their entity-wide disaster recovery plans. In the event of a disaster or major disruption, the department may not be able to timely restore operations, putting fuels tax revenue at risk.
System Security Should Be Improved to Better Protect the System and its Data
Department management has implemented important protection measures for system security, such as firewalls and system activity logs, but improvements are needed to better secure the system and its data. Weaknesses relate to the department’s processes for granting and reviewing system access, monitoring activities of internal and third-party users with significant system access, and protecting the confidentiality of some Personally Identifiable Information (PII). Additionally, we noted system password parameters should be more robust, and system security vulnerabilities need addressing.
User Account Management Needs Improvement
User Account Management processes governing access to OFTS are not sufficient to ensure that users only have access to system functionality needed to perform their duties.
Logical access to computer applications should be restricted according to each user’s individual need to view, add, or alter information. In order to maintain this principle of “least privilege,” organizations should have formal processes for timely granting, suspending, and closing user accounts. Management should also periodically review and confirm users’ access rights to ensure they remain appropriate.
OFTS utilizes role-based access groups to simplify user account management. The system currently has 19 vendor-created user group profiles based on duties the Fuels Tax Group (FTG) staff perform and to enforce the separation of incompatible duties, such as entering and approving certain transactions.
We reviewed processes FTG staff use to grant and maintain users’ logical access to the system and identified several procedures that need improvement. Specifically, we found that:
 procedures for requesting, documenting, and granting system user access are not clearly defined or consistently followed;
 processes are not in place to review system access on a periodic basis to ensure access remains appropriate; and
 processes are not in place to remove access when employees leave or transfer positions.
We noted one user retained system access six months after leaving the department; access was terminated as a result of our review. These weaknesses increase the likelihood that users will have more access to the system than they need to perform their duties and increase the risk that the system or its data could be compromised.
Department Staff Do Not Routinely Monitor Privileged User Logs
The department does not regularly monitor the actions of users who have privileged access, including actions taken by the vendor, in the OFTS production environment.
Security leading practices indicate that audit logs should contain appropriate information to facilitate effective review, including sufficient information to establish what events occurred, when they transpired, and their sources and outcomes. The actions of users having privileged access, such as system administrators, should be specifically monitored to detect any unauthorized activity. Additionally, appropriate policies and procedures should exist for monitoring external third-party activities within the system, such as those of the system vendor, Avalara.
We found the department does not have a process in place to monitor the activity of internal privileged users and external third parties with significant access. Furthermore, while the system logs all activity, security alerts have been turned off within the system settings, and system logs are not reviewed on a regular basis. This increases the risk that unauthorized actions will go undetected, and that the system and its data may be compromised.
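Detection logic for the access findings in this section and the preceding one (privileged and vendor activity in production going unreviewed, security alerts switched off, and an account still active after its owner left), as an added Python example that is not from OFTS, Avalara or the report. The key=value log layout, the user and role names, and the separation dates are constructed for illustration; the real OFTS log format is not described on the page. The point of the example is that the system already records enough to answer these questions, so the missing control is the recurring review, not the logging.

```python
import re
from datetime import datetime

# Constructed audit log lines in a made-up key=value layout (not real OFTS logs).
LOG_LINES = """\
2016-06-01T08:12:03 user=jdoe role=FTG_CLERK env=PROD action=ENTER_RETURN target=return:44120
2016-06-01T09:40:11 user=avalara_svc role=VENDOR_ADMIN env=PROD action=UPDATE_SETTING target=security_alerts value=off
2016-06-02T22:15:45 user=sysadmin1 role=SYS_ADMIN env=PROD action=DIRECT_DB_UPDATE target=refund:9912
2016-06-03T10:01:00 user=mlee role=FTG_REVIEWER env=PROD action=APPROVE_REFUND target=refund:9912
2016-06-03T10:05:00 user=avalara_svc role=VENDOR_ADMIN env=TEST action=DEPLOY_PATCH target=build:2016.06
2016-12-15T14:22:09 user=rsmith role=FTG_CLERK env=PROD action=LOGIN target=-
""".splitlines()

# Constructed separation dates from HR; anyone absent from this map is still employed.
SEPARATIONS = {"rsmith": datetime(2016, 6, 30)}

# Roles whose production activity should land in front of a reviewer.
PRIVILEGED_ROLES = {"SYS_ADMIN", "VENDOR_ADMIN"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) env=(?P<env>\S+) "
    r"action=(?P<action>\S+) target=(?P<target>\S+)(?: value=(?P<value>\S+))?$")


def parse_log(lines):
    """Parse log lines into dicts with a datetime timestamp; lines that do not
    match the expected layout are skipped rather than guessed at."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def privileged_production_activity(events):
    """Every action a privileged internal or vendor account took in PROD. Test
    and development activity is excluded so the review list stays short enough
    to actually be read on a recurring schedule."""
    return [e for e in events if e["role"] in PRIVILEGED_ROLES and e["env"] == "PROD"]


def alert_setting_changes(events):
    """Changes to the security-alert setting itself. Disabling alerting is the
    one change that must never rely on alerting to be noticed."""
    return [e for e in events
            if e["action"] == "UPDATE_SETTING" and e["target"] == "security_alerts"]


def activity_after_separation(events, separations):
    """Logins or actions by accounts after HR's separation date: direct
    evidence that de-provisioning did not happen."""
    return [e for e in events
            if e["user"] in separations and e["ts"] > separations[e["user"]]]


if __name__ == "__main__":
    events = parse_log(LOG_LINES)
    for e in privileged_production_activity(events):
        print("PRIVILEGED PROD:", e["ts"], e["user"], e["action"], e["target"])
    for e in alert_setting_changes(events):
        print("ALERT SETTING CHANGED:", e["ts"], e["user"], "value =", e["value"])
    for e in activity_after_separation(events, SEPARATIONS):
        print("ACTIVE AFTER SEPARATION:", e["ts"], e["user"], e["action"])
```

Against the sample lines this surfaces the vendor account switching alerts off in production, a system administrator writing directly to a refund record the night before it is approved, and a login by a user whose separation date was six months earlier. The separation check needs an HR feed as a second source; relying on the application's own user list, which is what went unreviewed here, would never flag the stale account.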
Better Protection Needed for Personally Identifiable Information
The department does not have sufficient controls in place to safeguard PII on fuels tax returns that have been mailed to the department and scanned into the system.
In Oregon, some licensees, such as farmers, file Use Fuel reports showing how much fuel was for non-road use (tractors, generators, etc.). Instead of using Federal Employer Identification Numbers for returns, a few filers use their Social Security Number (SSN) and submit their Fuels Tax returns through the mail. The filer’s name and address are also included on these returns. In reviewing 2016 fuels tax returns, we identified three returns that contained SSNs.
We determined the process of scanning these returns into the system did not include the appropriate safeguards to ensure that this PII remains under ODOT’s control or is deleted appropriately.
However, we found no indication, or reason to believe, that any PII has been compromised. When we informed ODOT, staff immediately altered their procedures and now redact any SSNs found in paper returns prior to scanning.
OFTS Password Parameters are Insufficient
OFTS password parameters are not sufficient and are not in compliance with Oregon Statewide Information Security Standards.
Oregon Statewide Information Security Standards require a system password to be at least ten characters in length, with additional complexity requirements for more sensitive data. We noted that OFTS does not currently meet one or more of these requirements. This increases the risk that the system and its data may be compromised.
Follow up Needed on Application Security Scan Results
An application security scan of OFTS by the department identified numerous security vulnerabilities that require a swift response by both the system vendor and ODOT.
Using appropriate vulnerability scanning tools and techniques, management should scan for vulnerabilities in the system on a periodic basis, or when significant new vulnerabilities affecting the system are identified and reported. However, when our audit began, the department had not yet performed an application security scan to identify any potential vulnerabilities in OFTS. When we brought this to management’s attention, the application was added to their schedule for application scans.
The department subsequently scanned the application for the first time in April 2017, 22 months after the application was implemented. The scan identified 240 security issues for the application, 12 of which were medium or high severity. Additionally, the scan identified 121 OFTS website URLs with vulnerabilities, 46 of which are medium or high severity.
Due to the sensitive nature of these results, we cannot publicly disclose the specifics of the vulnerabilities. However, the department has already contacted the vendor and has taken initial steps to remediate the issues identified.
Recommendations
We recommend that ODOT management:
1. Increase scrutiny and documentation of refund claims to ensure all refund payments are appropriate.
2. Work with the vendor to address system flaws regarding inappropriate penalty and interest refunds.
3. Perform manual reconciliations of key system reports to ensure that local jurisdictions receive all fuels tax revenue to which they are entitled.
4. Periodically test system and data backups to ensure usability and incorporate OFTS into its overall disaster recovery plan.
5. Establish formal procedures to authorize, document, review, and timely remove access to the system as appropriate.
6. Utilize system functionality already available to alert staff to potential security violations and to monitor third-party activity.
7. Establish procedures to protect PII on fuels tax returns and reevaluate the need for using SSNs on fuels tax return forms.
8. Increase password length and complexity requirements for OFTS to comply with statewide IT standards.
9. Work with the vendor to prioritize and correct identified security vulnerabilities and schedule periodic scans of the system at regular intervals to identify any new vulnerabilities.