State of OregonThe Oregon Department of Transportation (ODOT) uses fuels taxes along with other...

Secretary of State Dennis Richardson Audits Division, Director Kip Memmott

Report 2017 – 18

StateofOregonOregonDepartmentofTransportation:TheOregonFuelsTaxSystemAccuratelyAssessesandCollectsFuelsTaxesforStateandLocalJurisdictionsSeptember2017

Thispageintentionallyleftblank.

SecretaryofStateAuditHighlightsSeptember2017

ODOT: The Oregon Fuels Tax System Accurately Assesses and Collects Fuels Taxes for Oregon and Local Jurisdictions

Key Findings

1. OFTS accurately calculates, assesses, and collects fuels tax for the state of Oregon and local jurisdictions, but manual processes governing refund payments should be improved to ensure accurate refund payments.

2. Application design flaws result in a small number of refund overpayments and minor reporting inaccuracies.

3. Changes to OFTS computer code are appropriately managed to reasonably ensure that the system and its data will not be compromised as the result of a code change.

4. System back‐up processes have never been tested to ensure system data can be restored in the event of a disruption.

5. Security weaknesses exist in processes for granting and reviewing system access, monitoring activities of internal and third‐party users with significant system access, and identifying and remediating system security vulnerabilities. In addition, password parameters should be more robust, and safeguards protecting some Personally Identifiable Information (PII) need improving.

Recommendations

The report includes nine recommendations to the Oregon Department of Transportation focused on addressing weaknesses in the refund review processes, fixing system design flaws, testing backups, and correcting security weaknesses.

The Department of Transportation agreed with our findings and recommendations. The agency’s response can be found at the end of the report.

Report Highlights

The Secretary of State’s Audits Division found that the Oregon Fuels Tax System (OFTS) accurately assesses and collects fuels taxes for Oregon and local jurisdictions, collecting over $564 million in 2016. However, processes for issuing fuels tax refunds and system design flaws result in minor overpayments and reporting inaccuracies. Additionally, ODOT should enhance processes for testing system backup files, granting and monitoring user access, setting user password parameters, implementing safeguards over personally identifiable information, and identifying security weaknesses.

Background

In 2013, ODOT contracted with Avalara to implement a new fuels tax system for $2.8 million, replacing an outdated paper based system previously used to handle Oregon Fuels Tax returns.

Purpose

The purpose of our audit was to review and evaluate the effectiveness of key general and application controls that protect and ensure the integrity of the Oregon Fuels Tax System and its data.

SecretaryofState,DennisRichardsonOregonAuditsDivision,KipMemmott,Director

About the Secretary of State Audits Division

The Oregon Constitution provides that the Secretary of State shall be, by virtue of his office, Auditor of Public Accounts. The Audits Division exists to carry out this duty. The division reports to the elected Secretary of State and is independent of other agencies within the Executive, Legislative, and Judicial branches of Oregon government. The division is authorized to audit all state officers, agencies, boards, and commissions and oversees audits and financial reporting for local governments.

Audit Team Will Garber, CGFM, MPA, Deputy Director

Teresa Furnish, CISA, Audit Manager

Matthew Owens, CISA, MBA, Principal Auditor

Luis Sandoval, MPA, Staff Auditor

This report, a public record, is intended to promote the best possible management of public resources. Copies may be obtained from:

website: sos.oregon.gov/audits

phone: 503‐986‐2255

mail: Oregon Audits Division 255 Capitol Street NE, Suite 500 Salem, Oregon 97310

The courtesies and cooperation extended by officials and employees of the Oregon Department of Transportation during the course of this audit were commendable and sincerely appreciated.

Number 2017‐18 September 2017 Oregon Fuels Tax System Page 1

Secretary of State Audit Report

ODOT: The Oregon Fuels Tax System Accurately Assesses and Collects Fuels Taxes for Oregon and Local Jurisdictions

Introduction

Photo courtesy of the Oregon Department of Transportation.

TheOregonDepartmentofTransportation(ODOT)usesfuelstaxesalongwithotherfundsfromstate,federal,county,andcitysources,topreserve,improveandoperateOregon’sroadsystem.Thesetaxesaredeterminedinaccordancewiththreeprinciples:

1. Thosewhousetheroadspayforthem.2. Roaduserspayinproportiontotheroadcostsforwhichtheyare

responsible.3. Taxesareusedforconstructing,improving,andmaintaining

roads.

TaxesonfuelareappliedtoallfueltypesusedtooperatemotorvehiclesonOregon’sroadsandhighways.OregonRevisedStatutes(ORS)Chapter319givesODOTtheauthoritytocollectmotorvehicletaxes,aircraftfueltaxes,andusefueltaxes.Motorvehiclefuelismostlylimitedtogasolineand

ODOT Uses Fuels Taxes for Building and Maintaining Roads and Highways in Oregon

Inacampaignto“getOregonoutofthemud,”in1919,OregonbecamethefirstU.S.statetoimposeataxonfueltofundroadbuilding.At1¢pergallon,itraised$342,000initsfirstyear.


ethanolblends.Oregonusefuelisdefinedasdiesel,biodiesel,propane,compressednaturalgas,andanyfuelotherthangasolineusedinamotorvehicle.

Thecurrenttaxratesarelistedinthetablebelow;however,the2017OregonTransportationPackage,passedbytheOregonStateLegislatureinJuly2017,increasestheMotorVehicleFuelto40¢pergallonoverthenextsevenyears.Thefirstincreaseof4¢isscheduledtotakeeffectin2018.

Table 1: 2016 Oregon Fuels Tax Rates

Fuel Type Tax Rate per Gallon

Motor Vehicle Fuel 30¢

Aviation Gasoline 11¢

Jet Fuel 3¢

Use Fuel 30¢

Collecting fuels taxes

InOregon,motorvehiclefuelstaxesarepaidbylicensedfueldealersatthepointof“firstsale,”orwithdrawal.Whendriversfilltheirvehiclesatthepump,thepurchasepriceincludesthetaxespaidbythedealer.Thelicensedfueldealer,throughfilingmonthly1fuelstaxreturns,thenremitstaxesbacktothestate.Monthlyfuelstaxreturnsareduebythe25thofeachmonth.

LicenseeshavetheoptiontosubmitfuelstaxreturnsonpaperoronlinethroughtheOregonFuelsTaxSystemwebportal.Alllicenseeswith1,000ormoretransactionsarerequiredtosubmittheirfuelstaxreturnselectronically.Anyamountowedisalsopaidatthetimeofsubmission.Currently,approximately80%offuelstaxreturnsaresubmittedonline.Theremaining20%ofreturnsareeithermailedtothedepartmentalongwithpayment,ordroppedoffatlockboxlocationsatU.S.Bank.AllfuelstaxpaperreturnsmustbeenteredintothesystembyODOTstaff.

WithintheFinancialServicesBranchofODOT,theFuelsTaxGroup(FTG)isresponsibleforadministeringfuelstaxlicensing,fuelstaxreportprocessing,andcollectingfuelstaxfromMotorVehicleFueldealersandUseFuellicensees.Fuelstaxrefundprocessing,taxcomplianceauditservices,andcollectingdelinquentaccountsarepartoftheseresponsibilities.Additionally,thedepartmentcollectsfuelstaxesonbehalfofsomelocaljurisdictionsthathaveimposedfuelstaxordinancesanddistributesthemoniesonamonthlybasis.TheFTGcurrentlyconsistsof21employees,includingmanagersandfrontlinestaff.

1ORS319.020(a):Notlaterthanthe25thdayofeachcalendarmonth,renderastatementtotheDepartmentofTransportationofallmotorvehiclefueloraircraftfuelsold,used,distributedorsowithdrawnbythedealerintheStateofOregonaswellasallsuchfuelsold,usedordistributedinthisstatebyapurchaserthereofuponwhichsale,useordistributionthedealerhasassumedliabilityfortheapplicablelicensetaxduringtheprecedingcalendarmonth.Thedealershallrenderthestatementtothedepartmentinthemannerprovidedbythedepartmentbyrule.

The2017OregonTransportationPackagewillincreasetheMotorVehicleFueltaxrateby10¢overthenext7yearsto40¢pergallon.


New Oregon Fuels Tax System

TheOregonFuelsTaxSystem(OFTS)wentliveinJuly2015.Duringcalendaryear2016,OFTSprocessedapproximately14,000taxreturnsandcollectedover$564millioninfuelstaxrevenueforthestateandlocaljurisdictions.(SeeTable2)

Table 2: 2016 Collection of Fuels Taxes by Jurisdiction

Jurisdiction Amount Oregon $ 547,863,939

Astoria $ 208,401

Canby $ 347,158

Coburg $ 72,523

Coquille $ 91,676

Cottage Grove $ 440,181

Eugene $ 3,104,372

Hood River $ 325,425

Milwaukie $ 177,467

Newport $ 172,720

Springfield $ 1,140,909

Tigard $ 788,950

Veneta $ 119,249

Warrenton $ 325,585

Woodburn $ 128,783

Multnomah County $ 7,005,247

Washington County $ 2,128,607

Total $ 564,441,191

Thedepartment’sprevioussystemreliedheavilyonpaper‐drivenprocesses.FuelstaxlicenseesconductingbusinessinOregonpreviouslyhadtosubmitmanualapplications,wereissuedpaperlicenses,andwererequiredtosubmitmanualreportsandsupportingdocumentationtoODOT’scentraloffice.FTGpersonnelmanuallyenteredthisinformationintothesystemandthereportsandsupportingscheduleshadtobemanuallyfiledforreviewbyfuelstaxauditorsduringanaudit.

Todecreasetheirrelianceonmanualprocesses,ODOTcontractedwithAvalaratoimplementanewfuelstaxsystemfor$2.8million.Thisnewsystemwasdesignedto:

provideelectronicfilingcapabilityforexternaluserswhoconductbusinesswithODOT; enableimprovedbusinessprocessesandauditcapabilitiesandincreasestaffproductivitythroughautomatedworkflows;and enhancereportingandanalyticfunctionality.


Objectives, Scope and Methodology

ThepurposeofourauditwastoreviewandevaluatetheeffectivenessofkeygeneralandapplicationcontrolsgoverningtheOregonFuelsTaxSystem(OFTS)atODOT.Ourspecificobjectivesweretodeterminewhether:

informationsystemcontrolsprovidereasonableassurancethatOFTStransactionsremaincomplete,accurateandvalidduringinput,processingandoutput; changestoOFTScomputercodeareappropriatelycontrolledtoensuretheintegrityofinformationsystemsanddata; OFTSfilesanddataareappropriatelybackedupandcanbetimelyrestoredwhenneeded;and OFTSanditsdataareprotectedagainstunauthorizeduse,disclosure,ormodification.

ThescopeofourauditincludedprocessesforcollectingandrecordingfuelstaxandrelatedITcontrolsthatwereineffectduringcalendaryear2016.Weconductedinterviewswithdepartmentpersonnel,observeddepartmentoperations,andexaminedavailablesystemdocumentation.Tofulfillourauditobjectives,weevaluatedortested:

FuelsTaxreturnsanddatafromcalendaryear2016; processesusedtoupdatecomputercodeandsupportingdocumentationforselectedchangestotheOregonFuelsTaxSystem; processesandschedulesforbackingupthesystemanditsdata;and processesusedtoprovideaccesstothesystem,accessprivilegesgrantedtoselectedusers,anddocumentationrelatingtosecuritysystems.

Toidentifygenerallyacceptedcontrolobjectivesandpracticesforinformationsystems,weusedtheITGovernanceInstitute’spublication“ControlObjectivesforInformationandRelatedTechnologies,”theUnitedStatesGovernmentAccountabilityOffice’spublication“FederalInformationSystemControlsAuditManual,”andOregonStatewideInformationSecurityStandards.

Weconductedthisperformanceauditinaccordancewithgenerallyacceptedgovernmentauditingstandards.Thosestandardsrequirethatweplanandperformtheaudittoobtainsufficient,appropriateevidencetoprovideareasonablebasisforourfindingsandconclusionsbasedonourauditobjective.Webelievethattheevidenceobtainedandreportedprovidesareasonablebasistoachieveourauditobjective.

Report Number 2017‐18 September 2017 Oregon Fuels Tax System Page 5

Audit Results

WefoundtheOregonFuelsTaxSystem(OFTS)accuratelycalculates,assesses,andcollectsfuelstaxforthestateofOregonandlocaljurisdictionsandappropriatelytransfersinformationtoODOT’saccountingsystems.However,manualprocessesgoverningrefundpaymentsshouldbeimprovedtoensurethatallrefundpaymentsissuedareappropriate.Additionally,applicationdesignflawsresultinasmallnumberofover‐refundsandinaccuratereporting.

Fuels Tax Return Calculated Assessments are Accurate

Duringcalendaryear2016,OFTSprocessedapproximately14,000fuelstaxreturnsandcollectedover$564millioninfuelstaxrevenueforthestateandlocaljurisdictions.Wedeterminedthesystem’scalculationstobecorrectfor99.5%ofallreturns.Theremaining0.5%ofrecordsweredifferentfromtheexpectedamountduetoroundingerrorsormanualoverridesbydepartmentstaffofsystem‐calculatedinterestandpenaltyamounts.

Thedepartmentreceivesmostfuelstaxdatafromelectronicreturnsuploadedfromexternalsystemsofthelicensee.Additionally,departmentstaffmanuallyentersfuelstaxreturndataandrefundrequestsreceivedthroughthemailintothesystem.

Transactionsenteredandprocessedthroughcomputersystemsshouldgothroughavarietyofmanualandautomatedprocedurestoensuretheyareappropriate.Inparticular,proceduresshouldensureonlycomplete,accurateandvalidinformationisenteredintoasystem,dataintegrityismaintainedduringprocessing,andsystemoutputsmeetexpectedresults.

Toachievethis,OFTSusesExtensibleMarkupLanguage(XML)toensurethatuploadedormanuallyentereddataisformattedappropriatelyandthatalloftherequiredinformationisincludedintheupload.Additionally,OFTSincludesmultipletolerancecalculations2tohelpensurethatreturnsareaccurateandconsistentwithpreviousreturns.Forexample,ifanewreturnhasabeginninginventoryoffuelthatdoesnotmatchtheendingbalanceofthepreviousreturn,OFTSwillissueanerrormessagetothelicenseethatsubmittedthenewreturn.

2 Tolerancecalculationsaresystemchecksthatdeterminewhethersubmitteddataiswithincertainparameters.Dataoutsideallowabletolerancegenerateanerrornotification.

The Oregon Fuels Tax System Accurately Assesses and Collects Fuels Taxes but Review Processes and System Design Flaws Need Attention

Duringcalendaryear2016,OFTSprocessedapproximately14,000fuelstaxreturnsandcollectedover$564millioninfuelstaxrevenueforthestateandlocaljurisdictions.


OFTS Accurately Transfers Information to ODOT’s Accounting System

OFTSaccuratelyandreliablytransfersfuelstaxpaymentandrefundtransactiondataintoODOT’smainaccountingsystem,theTransportationEnvironmentAccountingandManagementSystem(TEAMS),throughanelectronicinterfaceonadailybasis.

Controlssurroundinginterfaceprocessingshouldreasonablyensurethatdataistransferredfromthesourcesystemtothetargetsystemcompletely,accurately,andtimely.Withoutthesecontrols,thedepartmentwouldnotbeabletoaccuratelyrecordfuelstaxrevenue,orissuefuelstaxrefundstolicenseesfromTEAMS.

TodeterminewhetherrecordstransferredsuccessfullyintoTEAMSwithalltheappropriatetransactioninformation,wereviewedallpaymentandrefundrecordsinOFTSwithatransferdatebetweenJanuary1andDecember31,2016.Intotal,wetested11,530transactionsandfoundthat11,513(or99.9%)ofthesetransactionstransferredsuccessfullyandappropriatelyfromOFTStoTEAMS.

Theremaining17recordssuccessfullytransferredintoTEAMSbuthadaslightlydifferenttransferdatethanwhatwasstatedinOFTS.Thiswasprimarilyduetoatimingdifferenceinhowcertainmanualpaymentsareprocessedbythesystem.

Controls Over Refund Payments Need Improvement

AlthoughmosttaxpaymentsareaccuratelyreceivedandaccountedforbyOFTS,wefoundthatthedepartmentdoesnothaveasufficientreviewprocessinplacetoensurethatrefundsareappropriateandhaveadequatesupportingdocumentationtojustifytheamountspaidforalltransactions.

Duringcalendaryear2016,OFTSprocessedapproximately$5.5millioninrefunds.Therearefoursituationsinwhicharefundpaymentcanbeissuedtoafuelstaxlicensee:

1. Thelicenseefilesanamendedreturnwhichresultsinarefund.

2. Thelicenseepaidmorethanwhatwasowedonagiventaxreturnresultinginarefund.

3. Thelicenseeusedfuelfornon‐roadusepurposes,suchasinfarmequipment,andhasrequestedarefundfortaxesalreadypaid.

4. Contractualagreementswithlocaltribalentities.

Transactionsthatresultinrefundsbeingissuedtoalicenseeshouldbesubjecttoavarietyofcontrolstocheckforaccuracyandvalidity.Thesecontrolsoftenconsistofacombinationofmanualandautomatedprocesses.

However,wefoundthedepartment’sreviewprocessforapprovingrefundclaimsisbasedlargelyonthe“honorsystem”withoutrequiringpropersupportingdocumentation.Additionally,weidentifiedseveralrefundswith

ODOThascontractsinplacewiththreeFederallyRecognizedTribesthatallowfor100%offueltaxespaidtoberefundedwhentheyareusedforthepurposeofprovidingessentialgovernmentalfunctions,and80%offueltaxpaidbytribalmemberstoberefunded.During2016,$2.5millioninfuelstaxrefundswereissuedtotribes.

Auditorstested11,530transactionsandfoundthat99.9%transferredsuccessfullyandappropriatelytoODOT’smainaccountingsystem.


supportingdocumentationthatdidnotmatchtherefundamountandrequiredsignificantresearchtodeterminetheappropriaterefundamount.Whilethesystemallowsforcommentsandsupportingdocumentationtobeaddedforeachrefund,wefoundthatthesefeatureswerenotutilizedconsistentlytoallowforacompleteaudittrailforalltransactions.

Wetested150refundtransactionsinthesystem,totalingapproximately$1.12million,toensuretherefundswereappropriate.Ofthose,weidentified5transactionstotaling$8,454thatwerepaidinerrorand4transactionstotaling$47,007thatlackedsufficientsupportingdocumentation.However,ourfollowupreviewdeterminedthattheserefundswereappropriate.

System Design Flaw Allows for Overpayments

Asystemdesignflawconcerninghowamendedreturnsareprocessedresultedinoverpaymentstolicenseestotaling$3,850during2016.

Whenalicenseefilesanamendedreturnafterthemonthlyorquarterlyduedatethatresultsinadditionaltaxesowed,thesystemappropriatelyassessesa10%penaltyontheadditionalamountowed,aswellasinterestof.0329%perdaylate.However,whenalicenseefilesanamendedreturnthatresultsinarefund,OFTSisinappropriatelyassessinganegativelatefeeof10%andinteresttotherefund,resultinginanoverpaymenttothelicensee.Thelatefeeandinterestshouldnotbeappliedtotherefund.

Forexample,ifthelicenseefilesanamendedreturn60daysaftertheoriginalduedatethatresultsina$1,000refund,OFTSissuesarefundoftheoriginalpaymentplusa$100negativepenaltyand$19.74ininterest.Thiswouldresultinanoverallrefundof$1,119.74tothelicensee.

Whilethetotaldollaramountwasrelativelysmall,wefoundthatthesysteminappropriatelyassessednegativeinterestorpenalties105timesforatotalof$3,850thatwaspaidtothelicenseesinerror.

System Design Flaw Results in Reporting Inaccuracies

Thedepartmentusestwosystem‐generatedreports(theRevenueJournalSummaryandTaxableDistributionReport)toidentifyfundsthatareowedtolocaljurisdictionsthatwerecollectedontheirbehalf.Duetoadesignflawinvolvinghowthesereportspullinformationfromthesystembasedontheaccountingperiodinsteadofthetransactiondate,wefoundthereportmaynotaccuratelyreflectwhatwas,orshouldbe,distributedtolocaljurisdictions.

Whilethisflawdoesnotcauseerrorsinthesereportswhenlicenseesfiletimely,taxpaymentsfromlatereturnsoramendedreturnsmaynotbeaccuratelyreflectedinthereportsfortheperiodinwhichtheywereactuallypaid.Forexample,theoriginalmonthlyTaxableDistributionSummaryforMay2016wasgeneratedbythesystemonMay31,2016.Thereportshowsthat$41,363,586inmotorvehiclefueltaxeswasdistributedtostateandlocaljurisdictionsfortheperiod.However,whenwere‐ranthis


reportforthesameperioditshowedthat$41,412,677wasdistributedduringthistime,adifferenceof$49,091.

Whiletheoveralleffectofthisissuewasminimalduringthisperiodreviewed,itindicatesthatthedepartmentmaynotbeabletoaccuratelyreconcileandverifyrevenuefromfuelstaxes,resultinginpotentialoverorunder‐paymentstolocaljurisdictions.

Processesforimplementingsystemcodechangesandbackingupsystemfileswereeffective.However,becausesystembackupfileshavenotbeentestedtoensureusability,thedepartmentcannotbesurethattheycanberestoredtimelywhenneeded.Furthermore,wenotedthatbecausethesystemisrelativelynewtoODOT,ithasnotyetbeenincorporatedintothedepartment’soverallDisasterRecoveryPlan.

Effective Controls Established for System Changes

OFTScomputercodemodificationsareappropriatelycontrolledtoensuretheintegrityofthesystemdataismaintained.

Changestocomputerapplicationsshouldbemanagedtoensureonlytestedandapprovedmodificationsareplacedintoproduction.Thesystemvendor,Avalara,controlsandmaintainstheOFTSsourcecode.AvalarasendsoutupdatesintheformofpatchesforthesystemonamonthlyandquarterlybasisthatmustbeinstalledbyODOTtechnicalstaff.

WereviewedtheprocessforimplementingOFTSupdatestoensure:properauthorizationexistsforsystempatching,systemupdatesaretestedpriortoimplementinginproduction,andthatappropriatechangemanagementreviewprocessesarefollowed.WefoundthatchangestoOFTScomputercodeareappropriatelycontrolledandimplemented.

Backup Files Have Not Been Tested to Ensure Usability

Thedepartmenthasprocessesinplacetoensurethatthesystemdataarebackedup.However,becausebackupfileshaveneverbeentested,thedepartmentdoesnothaveassurancethatthesystemanditsdatacouldberestoredintheeventofamajordisruptionoroutage.

Weevaluatedthedepartment’sprocessforbackingupOFTSincludingbackupfrequency,notificationsofbackupsuccessorfailure,andwhetherornotbackupsaretestedonaperiodicbasis.Weconcludedthatthedepartment,incooperationwiththestatedatacenter,isbackingupthesystemanditsdatausingspecializedbackupsoftware.However,withouttesting,managementhasnoassurancethatthesystemanditsdatacouldbetimelyrestoredintheeventofadisruption.

OFTS Change Management and Backup Processes are Effective but Further Enhancement Warranted


Wealsonotedthatthedepartmenthasnotyetincorporatedthissystemintotheirentitywidedisasterrecoveryplans.Intheeventofadisasterormajordisruption,thedepartmentmaynotbeabletotimelyrestoreoperations,puttingfuelstaxrevenueatrisk.

Departmentmanagementhasimplementedimportantprotectionmeasuresforsystemsecurity,suchasfirewallsandsystemactivitylogs,butimprovementsareneededtobettersecurethesystemanditsdata.Weaknessesrelatetothedepartment’sprocessesforgrantingandreviewingsystemaccess,monitoringactivitiesofinternalandthird‐partyuserswithsignificantsystemaccess,andprotectingtheconfidentialityofsomePersonallyIdentifiableInformation(PII).Additionally,wenotedsystempasswordparametersshouldbemorerobust,andsystemsecurityvulnerabilitiesneedaddressing.

User Account Management Needs Improvement

UserAccountManagementprocessesgoverningaccesstoOFTSarenotsufficienttoensurethatusersonlyhaveaccesstosystemfunctionalityneededtoperformtheirduties.

Logicalaccesstocomputerapplicationsshouldberestrictedaccordingtoeachuser’sindividualneedtoview,add,oralterinformation.Inordertomaintainthisprincipleof“leastprivilege,”organizationsshouldhaveformalprocessesfortimelygranting,suspending,andclosinguseraccounts.Managementshouldalsoperiodicallyreviewandconfirmusers’accessrightstoensuretheyremainappropriate.

OFTSutilizesrole‐basedaccessgroupstosimplifyuseraccountmanagement.Thesystemcurrentlyhas19vendor‐createdusergroupprofilesbasedondutiestheFuelsTaxGroup(FTG)staffperformandtoenforcetheseparationofincompatibleduties,suchasenteringandapprovingcertaintransactions.

WereviewedprocessesFTGstaffusetograntandmaintainusers’logicalaccesstothesystemandidentifiedseveralproceduresthatneedimprovement.Specifically,wefoundthat:

proceduresforrequesting,documenting,andgrantingsystemuseraccessarenotclearlydefinedorconsistentlyfollowed; processesarenotinplacetoreviewsystemaccessonaperiodicbasistoensureaccessremainsappropriate;and processesarenotinplacetoremoveaccesswhenemployeesleaveortransferpositions.

Wenotedoneuserretainedsystemaccesssixmonthsafterleavingthedepartment;accesswasterminatedasaresultofourreview.These

System Security Should Be Improved to Better Protect the System and its Data


weaknessesincreasethelikelihoodthatuserswillhavemoreaccesstothesystemthantheyneedtoperformtheirdutiesandincreasestheriskthatthesystemoritsdatacouldbecompromised.

Department Staff Do Not Routinely Monitor Privileged User Logs

Thedepartmentdoesnotregularlymonitortheactionsofuserswhohaveprivilegedaccess,includingactionstakenbythevendor,intheOFTSproductionenvironment.

Securityleadingpracticesindicatethatauditlogsshouldcontainappropriateinformationtofacilitateeffectivereview,includingsufficientinformationtoestablishwhateventsoccurred,whentheytranspired,andtheirsourcesandoutcomes.Theactionsofusershavingprivilegedaccess,suchassystemadministrators,shouldbespecificallymonitoredtodetectanyunauthorizedactivity.Additionally,appropriatepoliciesandproceduresshouldexistformonitoringexternalthirdpartyactivitieswithinthesystem,suchasthesystemvendorAvalara.

Wefoundthedepartmentdoesnothaveaprocessinplacetomonitortheactivityofinternalprivilegedusersandexternalthird‐partieswithsignificantaccess.Furthermore,whilethesystemlogsallactivity,securityalertshavebeenturnedoffwithinthesystemsettings,andsystemlogsarenotreviewedonaregularbasis.Thisincreasestheriskthatunauthorizedactionswillgoundetected,andthatthesystemanditsdatamaybecompromised.

Better Protection Needed for Personally Identifiable Information

ThedepartmentdoesnothavesufficientcontrolsinplacetosafeguardPIIonfuelstaxreturnsthathavebeenmailedtothedepartmentandscannedintothesystem.

InOregon,somelicensees,suchasfarmers,fileUseFuelreportsshowinghowmuchfuelwasfornon‐roaduse(tractors,generators,etc.).InsteadofusingFederalEmployerIdentificationNumbersforreturns,afewfilersusetheirSocialSecurityNumber(SSN)andsubmittheirFuelsTaxreturnsthroughthemail.Thefiler’snameandaddressarealsoincludedonthesereturns.Inreviewing2016fuelstaxreturns,weidentifiedthreereturnsthatcontainedSSNs.

WedeterminedtheprocessofscanningthesereturnsintothesystemdidnotincludetheappropriatesafeguardstoensurethatthisPIIremainsunderODOT’scontrolorisdeletedappropriately.

However,wefoundnoindication,orreasontobelieve,thatanyPIIhasbeencompromised.WhenweinformedODOT,staffimmediatelyalteredtheirproceduresandnowredactsanySSNsfoundinpaperreturnspriortoscanning.


OFTS Password Parameters are Insufficient

OFTSpasswordparametersarenotsufficientandarenotincompliancewithOregonStatewideInformationSecurityStandards.

OregonStatewideInformationSecurityStandardsrequireasystempasswordtobeatleasttencharactersinlengthwithadditionalcomplexityrequirementsformoresensitivedata.WenotedthatOFTSdoesnotcurrentlymeetoneormoreoftheserequirements.Thisincreasestheriskthatthesystemanditsdatamaybecompromised.

Follow up Needed on Application Security Scan Results

AnapplicationsecurityscanofOFTSbythedepartmentidentifiednumeroussecurityvulnerabilitiesthatrequireaswiftresponsebyboththesystemvendorandODOT.

Usingappropriatevulnerabilityscanningtoolsandtechniques,managementshouldscanforvulnerabilitiesinthesystemonaperiodicbasis,orwhensignificantnewvulnerabilitiesaffectingthesystemareidentifiedandreported.However,whenourauditbegan,thedepartmenthadnotyetperformedanapplicationsecurityscantoidentifyanypotentialvulnerabilitiesinOFTS.Whenwebroughtthistomanagement’sattention,theapplicationwasaddedtotheirscheduleforapplicationscans.

ThedepartmentsubsequentlyscannedtheapplicationforthefirsttimeinApril2017,22monthsaftertheapplicationwasimplemented.Thescanidentified240securityissuesfortheapplication,12ofwhichweremediumorhighseverity.Additionally,thescanidentified121OFTSwebsiteURLswithvulnerabilities,46ofwhicharemediumorhighseverity.

Duetothesensitivenatureoftheseresults,wecannotpubliclydisclosethespecificsofthevulnerabilities.However,thedepartmenthasalreadycontactedthevendorandhastakeninitialstepstoremediatetheissuesidentified.

Report Number 2017‐18 September 2017 Oregon Fuels Tax System Page 12

Recommendations

WerecommendthatODOTmanagement:

1. Increasescrutinyanddocumentationofrefundclaimstoensureallrefundpaymentsareappropriate.

2. Workwiththevendortoaddresssystemflawsregardinginappropriatepenaltyandinterestrefunds.

3. Performmanualreconciliationsofkeysystemreportstoensurethatlocaljurisdictionsreceiveallfuelstaxrevenuetowhichtheyareentitled.

4. PeriodicallytestsystemanddatabackupstoensureusabilityandincorporateOFTSintoitsoveralldisasterrecoveryplan.

5. Establishformalprocedurestoauthorize,document,review,andtimelyremoveaccesstothesystemasappropriate.

6. Utilizesystemfunctionalityalreadyavailabletoalertstafftopotentialsecurityviolationsandtomonitorthirdpartyactivity.

7. EstablishprocedurestoprotectPIIonfuelstaxreturnsandreevaluatetheneedforusingSSNsonfuelstaxreturnforms.

8. IncreasepasswordlengthandcomplexityrequirementsforOFTStocomplywithstatewideITstandards.

9. Workwiththevendortoprioritizeandcorrectidentifiedsecurityvulnerabilitiesandscheduleperiodicscansofthesystematregularintervalstoidentifyanynewvulnerabilities.

State of OregonThe Oregon Department of Transportation (ODOT) uses fuels taxes along with other...

Documents

Transcript of State of OregonThe Oregon Department of Transportation (ODOT) uses fuels taxes along with other...