Courtesy Oregon Department of Transportation
SALEM — State auditors have found that Oregon’s new tax processing system works well, but that the Department of Revenue could take extra precautions to protect taxpayers’ personal information.
The findings are something of a bright spot for the state’s beleaguered Department of Revenue, which has been under the Legislature’s microscope of late.
Last year, lawmakers sought a comprehensive review of the department’s operations, including a financial audit and management assessment, and have told the department to report regularly to the Legislature on its progress.
In addition to the processing system audit released Wednesday morning, the Secretary of State’s Office also plans to audit the agency’s “governance and culture” within the next year.
Since 2013, the revenue department has been standing up GenTax, an off-the-shelf, integrated tax processing system developed by FAST Enterprises.
The project was intended to update the state’s decades-old tax software and databases. According to the governor’s 2017-19 recommended budget, the total cost of the new system is $78 million.
Overall, auditors say the new system works well, but there are some weaknesses:
• The agency can do a better job monitoring who has access to GenTax. For instance, the audit recommended that the agency remove access rights for DOR employees, employees of other state agencies or contractors when their employment is terminated. Access lists are reviewed about once a month, but there’s no regular schedule for that review.
• The Department of Revenue hasn’t sought an independent security review of the outside contractor, FAST Data Services, that analyzes Oregonians’ personal income tax return data. The GenTax system sends encrypted data to servers at an external data center to be analyzed by FAST. While DOR discussed security measures with the contractor’s security personnel, auditors recommended getting a third party to confirm that the security controls are sufficient.
• GenTax system files are backed up, but there’s no guarantee that the state could restore the system in the event of a “disaster or major disruption.” Backup files are kept off site, but the agency hasn’t tested the process to restore GenTax and data files.
DOR’s director, Nia Ray, who has been leading the department since October 2016, agreed with auditors’ recommendations and says the agency has begun to implement some of them.
In the 2015-17 budget cycle, the department collected $18.5 billion in tax revenues, about 84 percent of that in income taxes, according to the audit.