The URL can be used to link to this page

Home My WebLink About2425-4 2024 Global Follow-up report (Final 12-10-24)2024 Global Follow-up #24/25-4 December 2024 Audit Report 2024 Global Follow-up and Annual Report To request this information in an alternate format, please call (541) 330-4674 or send email to internal.audit@Deschutes.org 2024 Global Follow-up #24/25-4 December 2024 Table of Contents 2024 Global Follow-up Executive Summary ........................................... 3 1. Introduction .................................................................................................... 1 Office Mission and Goals ........................................................................................... 1 2. Annual Report ................................................................................................. 2 Performance Metrics .................................................................................................. 2 Informational Metrics ................................................................................................. 6 3. Global Follow-Up ............................................................................................ 7 Auditor Highlights ....................................................................................................... 7 Progress towards resolution ..................................................................................... 9 4. Appendix A: Updated workplan (status as of December 2024) ................ 14 5. Appendix B: Authority, Objective, Scope, and Methodology ................... 30 Audit Authority .......................................................................................................... 30 Objective and Scope ................................................................................................. 30 Methodology ............................................................................................................. 30 6. Appendix C: Audit Reports Issued ............................................................... 31 2024 Global Follow-up #24/25-4 December 2024 2024 Global Follow-up Executive Summary Since December 2020, the Office of County Internal Audit has released 31 audit reports comprising a total of 209 recommendations, with subsequent follow-ups. This report emphasizes the County’s achievements made thus far and identifies areas requiring further attention. The table below summarizes the status of those audit reports: Resolved Underway Planned Fully completed. Auditor will no longer monitor In Progress. Auditor will continue to monitor. Agreed to without progress. Auditor will continue to monitor. Link to Audit Report Key Follow-up Findings Status of Recommendations Resolved Underway Planned Munis Security and Workflows Implemented enhanced financial controls. 18 0 0 Munis Vendor Master Increased efficiency and compliance in financial processes. 12 0 0 Munis P-Cards Anticipating new vendor updates and policy changes. 3 2 2 County Clerk Transition Improved Office security measures. 7 0 2 2021 County Fair Ticketing Implemented improved fiscal procedures. 17 0 0 Munis Analyses Guidance and training strengthened the financial system. 9 0 1 Management of Pandemic Case Investigation and Contact Tracing Need further improvement in managing temporary labor. 0 3 2 Adult Parole and Probation – Cash Handling Streamlining fiscal controls for infrequent client payments. 1 0 0 Administration and Risk – Cash Handling Optimizing County infrastructure for OLCC permit payments and reviews. 3 0 0 Assessor’s Office – Cash Handling Strengthened fiscal controls and processes. 10 0 0 2024 Global Follow-up #24/25-4 December 2024 Link to Audit Report Key Follow-up Findings Status of Recommendations Resolved Underway Planned Initial Cybersecurity Assessment Prioritized cybersecurity efforts. 3 0 0 Justice Court – Cash Handling Improved reconciliation process for external payments. 2 0 0 Sheriff’s Office - Cash handling Making progress toward a stronger control environment. 0 3 0 Vacation and Sick Leave Improved system data; policy revisions still needed. 5 5 0 Elected District Attorney Transition Expanded fiscal controls. 5 0 0 Personal Information Data Privacy Implemented physical and electronic privacy safeguards. 4 0 0 Treasurer Transition 2022 Collaborating to define the newly elected County Treasurer position. 7 0 0 Finance/Tax – Controls over receipts Developed oversight in key areas. 4 0 0 Continuity of Operations Plans Resumed planning to strengthen resiliency. 5 0 1 Behavioral Health – Practices Improvement Developing productivity measures. 5 4 0 Office of the District Attorney – Cash Handling Documented processes to reduce fraud risk. 1 0 0 Facilities and Property Management – Cash Handling Need clarification of conflict- of-interest procedures. 3 0 1 Overtime and Compensatory Time Revising policies. 4 4 0 Fair and Expo - Cash Handling Need fraud risk assessment to implement procedures. 3 2 0 Wage Equity Anticipating salary study and market review results. 2 2 1 Custom Developed Software Create policies and advisory group for software lifecycle and selection. 0 2 11 2024 Global Follow-up #24/25-4 December 2024 Link to Audit Report Key Follow-up Findings Status of Recommendations Resolved Underway Planned Clerk’s Office Integrated Control settings mitigate risks by safeguarding system integrity. 9 2 2 County Legal Integrated Documented fiscal procedures. 2 1 0 Recreational Vehicle Park Integrated Planning to improve fiscal control and information security. 0 0 5 Courthouse Pre- Construction Management Planning safeguards for future capital investments. 0 0 3 Health Benefits Program Need improvement in third- party reporting. 2 0 2 2024 Global Follow-up #24/25-4 December 2024 Deschutes County Office of the Internal Auditor Page 1 of 33 1. Introduction This is the sixteenth annual global follow-up looking back at recommendations included in prior follow-ups. This year also marks the first time the Office is presenting performance metrics comprehensively in this format, aligning them closely with our mission and goals. In previous years, these data were shared through various platforms, including the County’s online dashboard, reports to the audit committee, and the Global Follow-Up Report. The Office tracks performance using key data points, such as: • Reader survey satisfaction rate • Audit duration • Audit work schedule adherence • Recommendation resolution rates Additionally, other metrics, used primarily for annual risk assessments, are included in this report for informational purposes. Office Mission and Goals The mission of the Office of Internal Audit is to improve the performance of Deschutes County government and to provide accountability to residents. We examine and evaluate the effectiveness, efficiency, and equity of operations through an objective, disciplined, and systematic approach. Our goals are to: 1. Increase public trust in Deschutes County government. 2. Be a trusted advisor to Elected officials and County management. 3. Create positive change in County government. 4. Strengthen team knowledge, skills, and fulfillment. 2024 Global Follow-up #24/25-4 December 2024 Deschutes County Office of the Internal Auditor Page 2 of 33 2. Annual Report Performance Metrics Reader Survey Satisfaction Rate Each audit report includes a survey inviting the public and staff to provide feedback. In addition to evaluating the report, the public can also share comments or suggest topics for future audits. This valuable communication channel enables the Office to continuously assess and enhance the quality of its reports and services. Figure 1: Reader satisfaction exceeds target value but is lower than historical levels. Audit Duration The duration of an audit is a key indicator of the Office’s operational efficiency. Audit timelines vary significantly depending on the scope, complexity, and risk level of the subject being audited. The target timeline is less than historic average. While 2024 Global Follow-up #24/25-4 December 2024 Deschutes County Office of the Internal Auditor Page 3 of 33 streamlining processes and implementing improvements can help reduce audit times, the primary focus will remain on the thoroughness and accuracy of findings. Figure 2: Audits in 2024 took nearly two months less to complete than historical averages. Audit Work Schedule Adherence The Office Audit Work Schedule is developed every two years following a comprehensive risk assessment process designed to identify the most significant risks facing the County. This risk- based approach ensures that the allocation of audit resources is strategic, prioritizing areas that pose the greatest financial, operational, or compliance risks. The schedule is aligned with the County’s Fiscal Year, which begins each July 1st, and provides a clear roadmap for planned audits during the two-year cycle. The ability to follow the Work Schedule closely reflects the accuracy and reliability of the initial risk assessment process. A well-executed schedule indicates that the risk assessment was thorough and that planned audits adequately addressed the most critical areas. Unplanned audits are an inevitable and necessary part of the audit process, often triggered by new risks or developments that were not foreseeable during the initial 2024 Global Follow-up #24/25-4 December 2024 Deschutes County Office of the Internal Auditor Page 4 of 33 planning phase, such as legislative changes, fraud investigations, or issues raised by external stakeholders, regulatory bodies, or the public. Figure 3: All the audits started in Fiscal Year 2024 were planned. Recommendation Resolution Rate The percentage of audit recommendations that are agreed upon and fully resolved serves as a key indicator of the effectiveness and impact of audits on County operations. The Office aims to have 75% of recommendations resolved within four years of the original report. Out of 209 recommendations made, 197 had sufficient time to allow for progress1. During the initial follow-up process, 103 of these recommendations were successfully resolved. Of the 94 recommendations that remained open, 41 have since been resolved. This brings the overall four-year resolution rate to 73.10%. This resolution rate reflects the 1 Audit reports on Health Benefits Program, Courthouse Pre-Construction Management, and Recreational Vehicle Park Integrated Audit were released this fall. 2024 Global Follow-up #24/25-4 December 2024 Deschutes County Office of the Internal Auditor Page 5 of 33 County’s commitment to implementing audit findings and improving its processes over time. Appendix C provides a comprehensive breakdown of the 28 audit reports issued and followed over the past four years, along with the percentage of recommendations resolved in each. This appendix allows for greater transparency and detailed insight into the effectiveness of individual audit reports. When assessing the status of recommendations, the Office of Internal Audit may adjust the resolution status initially provided by departments. These adjustments are based on additional communications or follow-up actions that clarify the extent to which the recommendations have been implemented. This process ensures that the status reported is both accurate and reflects the true level of progress made by the departments. Figure 4: The four-year resolution rate in 2024 slipped below the 75% target. 2024 Global Follow-up #24/25-4 December 2024 Deschutes County Office of the Internal Auditor Page 6 of 33 Informational Metrics County Elected Offices and Departments Audit Coverage Distributing audit activities throughout the County ensures that risks are systematically identified, accountability is reinforced, and opportunities for improvement are maximized. This balanced allocation of resources ultimately strengthens the County's control environment and enhances its long-term resilience. The Office hopes to engage each elected office or department at least every eight years. Figure 5: The Office has not audited Adult Parole and Probation within the eight-year timeframe. Office Staffing Ratio An audit office’s ability to perform thorough, timely reviews is directly tied to its staffing levels relative to the size of the organization. An optimal ratio ensures the department has the capacity to manage its workload effectively and identify risks in a 2024 Global Follow-up #24/25-4 December 2024 Deschutes County Office of the Internal Auditor Page 7 of 33 timely manner. The large change in 2022 was due to the addition of audit staff and not a reduction in County full-time equivalents. Figure 6: Audit staff ratios are lower than when the Office was established in 2002. 3. Global Follow-Up The Office of County Internal Audit follows up on all recommendations until resolution. The details of this follow-up and the associated commentary are included at the end of the report in Appendix A. Auditor Highlights Certain recommendations deserve special recognition for their successful resolution, while others, particularly those that remain unresolved and pose significant risks, should be highlighted for immediate attention. Successful Resolution Implemented recommendations are a chance to highlight improved County practices and areas of decreased risk. These are areas where the County deserves recognition for making operations more effective and efficient. 2024 Global Follow-up #24/25-4 December 2024 Deschutes County Office of the Internal Auditor Page 8 of 33 The Information Technology Department resolved recommendations related to cybersecurity that were rated the among the highest risk areas for the County in the 2023 Global Follow-up. In today’s landscape of escalating cyber threats, organizations face significant risks, including data breaches, financial losses, and reputational harm. A strong cybersecurity program is essential to protect sensitive information, ensure operational continuity, and counter evolving threats. Recognizing these risks, the department developed a cybersecurity program, approved by the Board of County Commissioners, emphasizing strategic planning, continuous monitoring, and enhanced security measures for the county’s information. To further strengthen these efforts, the department created a dedicated position to manage the program, raise awareness, and formalize procedures. This demonstrates the department's commitment to addressing critical operational vulnerabilities identified through audit recommendations. High risk recommendations Some recommendations are related to exceptionally high areas of risk. They are areas that deserve increased attention from management. The highest risk among open recommendations is related to reporting the results of the wage equity study. Oregon law requires employers to pay equal wages for equal work and courts can impose financial judgements if they find disproportionate wages. However, the law also protects employers that perform a wage equity study. Deschutes County has not performed a study since the law was passed in 2017. By not conducting a study, the County exposes itself to financial, compliance, employee satisfaction, and reputational risks. The County is in the process of conducting a study and has agreed to report results at its conclusion. More detailed comments can be found in Appendix A. 2024 Global Follow-up #24/25-4 December 2024 Deschutes County Office of the Internal Auditor Page 9 of 33 Long Outstanding Recommendations Some recommendations are complicated and take longer to implement. This is why the Office tracks recommendation status for four years. But in some cases, management does not prioritize risk identified by auditors and recommendations languish without attention. Unresolved recommendations often involve weaknesses in internal controls, processes, or systems. Failure to address these gaps can lead to inefficiencies, errors, or breakdowns in operations, resulting in service delivery delays, higher costs, or operational disruptions. They can also be an indication of a lack of accountability within the County. This can diminish the overall effectiveness of the audit function, reduce motivation for elected offices and departments to implement changes, and undermine the County’s culture of accountability. Figure 9 on page 12, highlights revisions to policies concerning mobile device access to County information and purchasing cards which have been pending for over four years and should be prioritized by the County. The Policy Advisory Committee, tasked with ensuring policies are relevant, efficient, and aligned with County objectives, currently has numerous pending policy revisions awaiting review. Human Resources has not addressed a recommendation related to Munis implementation. The recommendation will increase efficiency and control of receipted transactions but has remained unresolved for over four years. Updated comments from Human Resources Interim Director, Jason Bavuso, indicate that the department pilot program was successful, but implementation across all receivables is ongoing. These comments can be found in Appendix A. Progress towards resolution Status Updates Any unresolved recommendations are included in the Global follow-up. Status updates and commentary were requested from 2024 Global Follow-up #24/25-4 December 2024 Deschutes County Office of the Internal Auditor Page 10 of 33 elected offices and departments that were primarily responsible for implementing the action plans described in their management response. The Office tracks these recommendations for four years or until they are resolved. Reports issued prior to 2024 have undergone at least one follow-up report providing ample time for elected offices and departments to address the recommendations. In 2024, the Office issued nine audit reports, including a total of 61 recommendations. Most recommendations from those audits have not yet been subject to the nine-month follow-up review. Status updates were requested, though not required, for all audits issued prior to August 2024. Accordingly, Appendix A provides updates on the status and commentary for these audits. Progress on any open recommendations will be monitored and reported through the regular follow-up process. Figure 7: Percent of resolved recommendation progress between the last follow-up and the 2024 Global Follow-up. Some audit reports saw no progress in the percentage of recommendations resolved. Figure 7 illustrates the progress made in implementing the recommendations since the last information request; however, a 2024 Global Follow-up #24/25-4 December 2024 Deschutes County Office of the Internal Auditor Page 11 of 33 lack of visible movement does not imply no work has been performed but rather indicates that the matter is not yet be fully resolved. Not all reports included in this follow-up are displayed. Duration to resolution Certain recommendations can be implemented or resolved more swiftly than others. Typically, those pertaining to organizational governance tend to require a more extended timeframe for completion. Internal Audit is monitoring the time it takes offices/departments to address the recommendations. It is noteworthy that, at times, the audited department may not be the primary entity responsible for resolving a given recommendation. A notable example is found in the 2023 Facilities and Property Management Cash Handling audit, where we recommended reviewing the County’s conflict-of-interest disclosure policy. Although the audit focused on Facilities and Property Management, Human Resources became responsible for addressing the recommendation. This is because the conflict- of-interest policy is part of the Personnel Rules, making Human Resources the process owner. This highlights the nuanced nature of recommendation resolution, where the responsible party may not always align with the subject of the audit. 2024 Global Follow-up #24/25-4 December 2024 Deschutes County Office of the Internal Auditor Page 12 of 33 Figure 8 – Recommendations to develop and implement a cybersecurity program took more than two years for Information Technology resolve. The average time to resolution has increased from the 2023 Global average of 9 months to 14 months, indicating a slower pace due to the higher complexity in resolving current recommendations. However, the average duration of unresolved recommendations has dropped significantly from 26 months last year to 18 months. Possibly reflecting a prioritization shift towards closing older recommendations, which may reduce the backlog and improve timeliness in the longer term. 2024 Global Follow-up #24/25-4 December 2024 Deschutes County Office of the Internal Auditor Page 13 of 33 Figure 9 – Recommendations relating to purchasing cards have been outstanding for more than three years. The unresolved items marked with an asterisk (*) in Figure 9 include recommendations related to contract or policy revision. As previously mentioned, these take longer to complete. Policy revisions in progress include County Administration collaborating with Information Technology to draft a new policy for mobile device access to County information and Human Resources updating labor agreement language to reflect current leave practices as those agreements are negotiated. The Finance Department indicated their purchasing card policy revisions will coincide with a new purchasing card vendor. Refer to Appendix A for detailed comments. 2024 Global Follow-up #24/25-4 December 2024 Deschutes County Office of the Internal Auditor Page 14 of 33 4. Appendix A: Updated workplan (status as of December 2024) Audit Recommendation Updated Status Updated Comment HR – Cash Handling It is recommended for Human Resources to consider using Munis to enter and provide receipts and bill and manage receivables. Underway HR previously implemented a process to use Munis to enter and provide receipts for receivables. HR successfully piloted in Spring 2024 utilizing Munis for billing of receivables. Work to implement Munis billing for all HR receivables is ongoing. Cellular Costs - Verizon It is recommended for the County to consider updating the Cell Phone Policy to address management and expectations around utilization. This would include monitoring and routine assessment as to whether an employee truly needs the device/phone, what services, and what plan best fits their intended usage. Underway Admin- The County has competed consideration of these updates. Proposed policy updates are currently with unions and then will return to the Board. Cellular Costs - Verizon It is recommended for the County to consider updating policies regarding cellular devices to improve adherence to policy, reduce costs, and reduce risks. The policy improvements should consider addressing: • relationship of stipend levels to the cost of cellular phone services to the County; • developing plan selection criteria for business needs aligned with anticipated usage to right size costs; • developing legal and information technology framework to assure that technologies, data, and security are aligned and appropriate given the rise in new technologies and software; • criteria for selecting between employee phone (stipend) and County owned phone; • monitoring and modification of plan levels (including elimination of devices) for actual usage below anticipated; • utilizing free devices and Underway Admin- The County has competed consideration of these updates. Proposed policy updates are currently with unions. 2024 Global Follow-up #24/25-4 December 2024 Deschutes County Office of the Internal Auditor Page 15 of 33 Audit Recommendation Updated Status Updated Comment upgrades to maintain the level of technology as well as getting credits for devices sold back. • establishing when devices require mandatory applications and restrictions from modification for protecting data; and • addressing applicability of policy to non-employee users. Cellular Costs - Verizon It is recommended the County consider how to address the risks that come with allowing mobile device access or external computer access to internal County information and who and how the risks will be mitigated. Underway Admin- The County has competed consideration of these updates. Proposed policy updates are currently with unions and then will return to the Board. Cellular Costs - Verizon It is recommended the County provided forms for cell phone allowance be updated to reflect any updated policy language. Underway Admin- The County's Policy Advisory Committee will be reviewing an updated version of the cell phone allowance form at their January meeting. Munis Security and Workflows It is recommended for vendors who are to be setup for payment through purchase card be setup from the beginning by the department. Resolved Purchase cards do not require a vendor to be set up to make a purchase. That is the benefit of a P-Card program. Not all P-card purchases require a separate vendor. Munis Security and Workflows It is recommended for the County to consider some of the workflows they have not been using. Resolved Completed the last annual review on 01/04/2024. Next review scheduled for January 2025. Munis Vendor Master It is recommended that Finance and County departments investigate if they are receiving all of the discounts they can get by paying in a timely manner. Resolved Finance determined departments are entering the invoice net of the discount. The County does not delay payment to vendors. Munis Vendor Master It is recommended for Finance to work with departments to utilize the discounts field when discounts are available. Resolved Discount fields are available in Requisition Entry and Vendor Entry. Vendor Entry is used for early payments purposes. 2024 Global Follow-up #24/25-4 December 2024 Deschutes County Office of the Internal Auditor Page 16 of 33 Audit Recommendation Updated Status Updated Comment Munis Vendor Master It is suggested that vendors be evaluated as to whether a better type could be assigned that better reflects the service or product they provide. Resolved This is highly utilized for Fair, Employee Reimbursement, Weed Cost Share, and Nitrogen Reducing Rebates. It is already in the handout instructions provided on Tyler ERP. There is a tendency to default to OTHER. Additional information is provided to departments to address this. Munis P-Cards It is recommended for cardholders to enter in invoice/receipt numbers to help prevent duplicate payments. Underway At the moment there is too much of a delay for when P-Cards statements are uploaded for this to be much of a help. Procurement is looking into a new PCARD vendor that will be able to offer uploads more often to allow for reconciliation as transactions post, instead of waiting for the statement to close. Munis P-Cards It is recommended the policy clarify whether an employee can have more than one P-Card assigned to them; whether other employees can use the P-Card; and whether non-employees can be provided a P-Card. Underway PCARD policy update will fall in line with new PCARD vendor. Planned for first quarter 2025 for potential transfer over. Munis P-Cards It is recommended for the policy to address deployment of these high- dollar P-Cards and procedures and controls over their usage. Planned PCARD policy update will fall in line with new PCARD vendor. Planned for first quarter 2025 for potential transfer over. In addition to the policy update new end user agreements and a user manual will be provided to card holders. Munis P-Cards It is recommended for the County to consider the suggested policy improvements (1-8) in an updated policy and any associated changes to procedures. Planned PCARD policy update will fall in line with new PCARD vendor. Planned for first quarter 2025 for potential transfer over. In addition to the policy update new end user agreements and a user manual will be provided to card holders. 2024 Global Follow-up #24/25-4 December 2024 Deschutes County Office of the Internal Auditor Page 17 of 33 Audit Recommendation Updated Status Updated Comment County Clerk Transition It is recommended for the Clerk's Office identify and proceed with developing contracts and contract renewals with significant vendors. Planned Discussions have taken place with the county's Procurement Manager, who has expressed a willingness to collaborate and provide support. Their assistance will help ensure that our department adheres to and is in compliance with relevant county procurement rules. We have a planning meeting set for next week to move toward developing these contracts. County Clerk Transition It is recommended the Clerk's Office enter any contracts into the County financial system as contracts so that effective approvals and contract management can occur. Planned Discussions have taken place with the county's Procurement Manager, who has expressed a willingness to collaborate and provide support. Their assistance will help ensure that our department adheres to and is in compliance with relevant county procurement rules. We have a planning meeting set for next week to move toward developing these contracts. County Clerk Transition It is recommended for the County to consider addressing the remaining recommendations from the Office of Homeland Security. Resolved The Clerk’s Office has resolved all outstanding Homeland Security recommendations. County Clerk Transition It is recommended for the Clerk's Office to see if the recording software provider can further improve the audit trail. Resolved The recording software provider will not address this recommendation. County Clerk Transition It is recommended for the County to amend code section 8.35.070(D) to direct the notification responsibilities to a more appropriate party than the County Clerk. Resolved The code was amended through BOCC order in June 2024. 2021 County Fair Ticketing It is recommended for fair management to split out convenience fee revenue and associated ticketing costs to improve transparency of the ticketing technology net cost. Resolved The fee breakdown is split out in reporting from our ticketing company. To maintain historical continuity in Munis, the revenue input did not change. 2024 Global Follow-up #24/25-4 December 2024 Deschutes County Office of the Internal Auditor Page 18 of 33 Audit Recommendation Updated Status Updated Comment 2021 County Fair Ticketing It is recommended for the County to use an expanded contract form for a contractor used for handling monies and include a background check, Legal Counsel review, Risk Management review, and appropriate bonding. Resolved Fair & Expo now utilizes a specialized contract for any/all contractors who handle cash as part of the admissions process; with input from Legal, and Risk management departments. Fair & Expo has, and will continue to require bonding by the admissions coordinator; which began in 2022. Munis Analyses It is recommended for Finance to assess, periodically, the usage of bulk approving and the impacts on the purchasing workflow. Planned After initial research was completed, a new query and reporting system would need to be developed. Due to staffing constraints, this item is postponed until June 2025. Munis Analyses It is recommended, with the incidence of some invoices not being entered against a purchase order or contract, that Finance consider whether it would be beneficial to provide departments a tool to reference their purchase orders. Resolved There is a tool for this purpose through the Tyler ERP system. There are many search features that can be used in the Tyler ERP system including Purchase Order Central, Contract Central, and Vendor Central. Munis Analyses It is recommended for Finance to work with departments to identify and consider setting up routine payments with a purchase order or contract. Resolved The newly hired Procurement Manager has made strides towards getting contracts entered into Tyler ERP. They provided some training to get them up to speed on the process and why it’s important. Munis Analyses It is recommended the County limit usage of its accountable plan payments to employees/volunteers and that other departmental payments should not to be paid through the County’s accountable plan. Resolved Quarterly review of accountable plan payments through vendor 999992 implemented. Management of Pandemic Case Investigation and Contact Tracing It is recommended for the County to develop a new invitation to bid to cover the newer needs of the County for temporary labor and address the handling of margin and concerns noted above. Planned HR- RFP for temporary and agency staffing pushed out for one additional year due to HR staffing. 2024 Global Follow-up #24/25-4 December 2024 Deschutes County Office of the Internal Auditor Page 19 of 33 Audit Recommendation Updated Status Updated Comment Management of Pandemic Case Investigation and Contact Tracing It is recommended the current contract with the primary vendor for temporary labor be extended out 12-18 months until an invitation to bid can be developed and issued. Underway HR- Contract evaluated to be in draft status as of the time of this response. Interim staff will be prompted to finalize draft edits and execute contract extension by the end of January 2025. Management of Pandemic Case Investigation and Contact Tracing It is recommended for the County to establish more effective leadership and management of the temporary labor contracts and how they are used by County departments. They may want to consider a policy or procedures to address the variety of human resource (HR) issues that come with using a temporary workforce. This would include whether an in-house labor pool could be developed and when departments should consider contracted labor. Human Resources has indicated they will be taking over efforts to work on the temporary labor RFP/contracts. Planned HR- No updates on resolution from the prior management comment: HR will draft guidelines for oversight of temporary and agency workforce management. Management of Pandemic Case Investigation and Contact Tracing It is recommended for the County (and Health Services) consider what practices should be employed to provide feedback (formal and informal and to what extent) to contracted temporary staff working for the County. Underway HR- HR will include guidance in the upcoming revised employee performance management project. That project is currently on hold due to HR staffing. Management of Pandemic Case Investigation and Contact Tracing It is recommended for Health Services and the County to consider using more metrics as they manage temporary and remote staffing workloads (for case investigation and contact tracing). Underway HR- HR will include guidance in the upcoming revised employee performance management project and the guidelines for oversight of temporary and agency workforce management. That project is currently on hold due to HR staffing. 2024 Global Follow-up #24/25-4 December 2024 Deschutes County Office of the Internal Auditor Page 20 of 33 Audit Recommendation Updated Status Updated Comment Initial Cybersecurity Assessment It is recommended for the County to implement a cybersecurity program that includes establishing a framework and continuous cycle of activity for assessing risk, developing and implementing effective security controls and procedures, and monitoring the effectiveness of those procedures as noted above. Resolved A cybersecurity program has been established that includes a custom framework, continuous proactive activity, and a way to track Deschutes County's cybersecurity posture. Initial Cybersecurity Assessment It is recommended, at least annually, the Board of County Commissioners review and approve the County’s cybersecurity program. Resolved The cybersecurity program was approved by the Board of County Commissioners on Nov. 18, 2024. Initial Cybersecurity Assessment It is recommended for the County, led by the IT Department, continue improvements in addressing cyber defenses. Resolved With the approved cybersecurity program, tracking mechanisms and a strategic plan goal to protect Deschutes County Digital Assets & Information, continuous improvements are imminent. Sheriff’s Office - Cash handling It is recommended the Sheriff’s Office strengthen the internal control system to better oversee all payments they receive and periodically assess their operating environment to assure the system is operating as intended. Underway Recommendation is completed in several guidance areas; Working with County for needed training. Sheriff’s Office - Cash handling It is recommended the Sheriff’s Office develop procedures to make more timely deposits. Underway Recommendation is completed in several guidance areas; Weekly deposits will occur when monies are logged into evidence, at present this is not a regular occurrence due to monies not being logged into evidence on a consistent basis. Sheriff’s Office - Cash handling It is recommended the Sheriff’s Office implement additional control activities through policies and procedures. Underway Recommendation is completed in several guidance areas; A statement will be provided monthly to County to record in Munis. Vacation and Sick Leave It is recommended Human Resources and Payroll establish secondary review processes for employee leave balance limit calculations and adjustments. Underway Finance - The Policy Advisory Committee reviewed the audit recommendations in November 2024 and has recommended policy updates. 2024 Global Follow-up #24/25-4 December 2024 Deschutes County Office of the Internal Auditor Page 21 of 33 Audit Recommendation Updated Status Updated Comment Vacation and Sick Leave It is recommended the County develop a process to support supervisors in monitor employees’ use of vacation leave in compliance with policy. Underway HR- The County has a policy covering expectations for employee’s use of vacation leave. It is a supervisor’s responsibility to hold their employees accountable to all policies, including this one. Human Resources will update the attendance expectations in the employee performance evaluation form to include this review. This will prompt supervisors to review all aspects of an employee’s attendance and use of leave with respect to County policies. The performance evaluation update is on hold due to HR staffing. Vacation and Sick Leave It is recommended the County revise leave policy HR-16 to be in conformance with State law. Underway HR- HR has drafted policy updates to HR- 16 to be in conformance with State law. This policy will be provided to the Policy Advisory Committee in December 2024. Vacation and Sick Leave It is recommended the County update policy and CBA contract language to align with practice. Underway HR- HR has drafted policy updates and currently planning to circulate to the Policy Advisory Committee once vetted internally. HR will engage with AFSCME and DCSEA in early 2025 and propose modifications for the contract renewal to align CBA language with practice. Vacation and Sick Leave It is recommended for the County to consider adjustments to the leave cash out policies to further address constructive receipt. Underway HR- HR and Finance have determined an annual process for vacation sellback which addresses constructive receipt. Implementation is tentatively scheduled to occur in time for 2026 vacation sellback activities. Personal Information Data Privacy It is recommended for the County departments/offices to assign an employee over each department’s/office’s personal information security program who will also be responsible for establishing appropriate training and compliance with County policy. Resolved In March 2024, we contacted departments to initiate the formal process of having each office/department appoint an employee to oversee their data privacy initiatives. This work is now complete, and we are scheduled to convene our inaugural meeting with this cohort of data privacy liaisons next week. This group will be submitting information to IT about where they store different types of data, learning about County policies and receiving required training. 2024 Global Follow-up #24/25-4 December 2024 Deschutes County Office of the Internal Auditor Page 22 of 33 Audit Recommendation Updated Status Updated Comment Personal Information Data Privacy It is recommended for departments/offices to consider the risks and develop and/or deploy technology appropriate to the situation for communicating and sharing personal information. Resolved IT and Admin have created a Data Privacy workgroup with all departments and offices. This focus has been communicated to participants as a focus for the group's work and through training, which will continue. Personal Information Data Privacy It is recommended County departments/offices consider whether they are following policies and could reduce the amount of personal information they collect or retain and make changes to associated processes. Resolved IT and Admin have created a Data Privacy workgroup with all departments and offices. This focus has been communicated to participants as a focus for the group's work and through training, which will continue. Continuity of Operations Plans It is recommended the County determine whether the capabilities of the new COOP software system meet their requirements or explore other viable alternatives. Resolved Staff has determined that the new COOP system does not meet requirements and has selected Smartsheet as the alternative software. Continuity of Operations Plans It is recommended the County direct staff to complete comprehensive COOP planning documentation with the support of DCSO-ESU. Resolved The County Administrator has directed staff to do this work. Continuity of Operations Plans It is recommended the County re- establish regular COOP planning meetings to review and revise COOP plans. Resolved The County has re-established regular COOP meetings. Continuity of Operations Plans It is recommended the County review and update its COOP activation scenarios to include pandemics and other potential crises. Resolved Despite initially accepting the recommendation, we do not plan to include pandemics as an activation scenario. Continuity of Operations Plans It is recommended the County establish a COOP training program for all personnel. Resolved The County has established a County- wide training for all employees. New employees are receiving the training during onboarding. Training will be assigned to all staff during National Preparedness Month September. Continuity of Operations Plans It is recommended the County conduct regular COOP exercises and make necessary improvements identified as weaknesses. Planned As departments update their COOP plans, the County will conduct regular COOP exercises. 2024 Global Follow-up #24/25-4 December 2024 Deschutes County Office of the Internal Auditor Page 23 of 33 Audit Recommendation Updated Status Updated Comment Finance/Tax – Controls over receipts It is recommended the Finance/Tax department resume audits of transient room taxpayers. Resolved Finance has contracted with an external audit firm for the transient room tax audit. Preliminary audit results anticipated December 2024. Behavioral Health – Practices Improvement It is recommended Behavioral Health go through the process to develop appropriate productivity measures as well as clarify expectations for staff. Underway No new updates from July 2024. Behavioral Health has started three workgroups to dive into the root causes of the challenges related to our current productivity standards. Each workgroup has a goal of creating one solution to an identified problem by the end of 2024. Utilization Management - focus on caseload management, intakes and discharges. We are moving towards a contract with third party consultant who specialize in helping organizations reach maximum efficiencies and outcomes. Administrative Burden workgroup - focused on reducing excessive admin burden in our EHR, documentation and processes. Clinical Vision Workgroup - focused on guiding the clinical vision of the department and ensuring our services are of the highest quality as well as identifying gaps in care and solutions to those gaps. Behavioral Health – Practices Improvement It is recommended Behavioral Health review the accuracy of the data contributing to clinician workload measures Underway No new updates from July 2024. The above section also addresses this area and our work with the consultant will review all of our current data and collection methods to identify gaps and solutions for improvement. Behavioral Health – Practices Improvement It is recommended Behavioral Health strengthen the controls for first treatment appointment assignment and client discharge. Underway No new updates from July 2024. While we have strengthened and improved our FTA's and the timelines, there is more comprehensive work to be done. Our work with the consultant will address this more fully. 2024 Global Follow-up #24/25-4 December 2024 Deschutes County Office of the Internal Auditor Page 24 of 33 Audit Recommendation Updated Status Updated Comment Behavioral Health – Practices Improvement It is recommended Behavioral Health create a comprehensive library of division-approved smart tools to improve clinical documentation efficiency and provide training to clinicians on how to use them. Underway No new updates from July 2024. The Administrative Burden workgroup is actively working on this and we expect to have this completed by the deadline. Facilities & Property Management - Cash handling The Human Resources Department should align Section 8.020 with State conflict-of-interest laws and establish a standardized disclosure procedure. This could include a template for written notifications. Planned HR- No updates on resolution from the prior management comment: Human Resources agrees with the auditors’ comments and recommendation and will work on updating HR-Personnel Rules to better establish expectations and procedures. Wage Equity County Administration should continue with the plan to conduct an equal-pay analysis. Underway The project is underway. Phase I of the project is expected to be complete in Spring of 2025. Wage Equity County Administration should report results of the equal-pay analysis in a format accessible to leadership, employees, and community members. Planned At the conclusion of the Salary Study and Market Review project, a report will be generated and presented that will include deliverables that address the requirements listed above. Throughout the process, the selected consultant will assist the County with all appropriate communications. Wage Equity Human Resources should update the Personnel Rules to include the Equity Review process. Underway The County anticipates receiving from the pay equity study project consultant recommended updates to Personnel Rules inclusive of discussion and rules regarding OR Pay Equity compliance. Once received, those updates will be vetted through the County's Policy Advisory Committee and provided to the Board of County Commissioners for consideration. Wage Equity Human Resources should update the Equity Review procedures to include review for employees offered steps one or two. Resolved Human Resources added this content and published to the HR Procedures Reference Teams channel. 2024 Global Follow-up #24/25-4 December 2024 Deschutes County Office of the Internal Auditor Page 25 of 33 Audit Recommendation Updated Status Updated Comment Wage Equity Human Resources should add the Equity Review process and procedures to the Supervisor Tool Kit. Resolved Human Resources added the Candidate Qualifications Review section to the Recruitment & Selection Toolkit and announced the addition to all department heads, managers, and supervisors via email. Custom Developed Software Central Information Technology should establish an advisory body comprising diverse County stakeholders to drive a project- centric investment process to support executive decision making. Planned No new updates from May 2024 original audit. Regular audit follow-up will occur in February 2025. Custom Developed Software Central Information Technology should develop and implement a policy for custom software development, outlining a standardized methodology for determining costs associated with projects throughout the County. Planned No new updates from May 2024 original audit. Regular audit follow-up will occur in February 2025. Custom Developed Software Central Information Technology should develop and implement a policy requiring annual reporting of all software applications used by each department and elected office to ensure an updated inventory is maintained. Planned No new updates from May 2024 original audit. Regular audit follow-up will occur in February 2025. Custom Developed Software Central Information Technology should develop and implement a policy for custom software development identifying security and privacy requirements for all projects throughout the County. Underway A policy has been created and undergoing the approval process through the Deschutes County standard approach. Custom Developed Software Central Information Technology should develop and implement a policy for custom software development incorporating formal documentation of system architecture for all projects throughout the County. Planned No new updates from May 2024 original audit. Regular audit follow-up will occur in February 2025. 2024 Global Follow-up #24/25-4 December 2024 Deschutes County Office of the Internal Auditor Page 26 of 33 Audit Recommendation Updated Status Updated Comment Custom Developed Software Central Information Technology should develop and implement a policy for custom software development, defining unified coding standards for all developers throughout the County. Underway A policy has been created and undergoing the approval process through the Deschutes County standard approach. Custom Developed Software Central Information Technology should develop and implement a policy for custom software development, defining standardized testing conditions and criteria for all projects throughout the County. Planned No new updates from May 2024 original audit. Regular audit follow-up will occur in February 2025. Custom Developed Software Central Information Technology should provide access to the secure repository for all County developers. Planned No new updates from May 2024 original audit. Regular audit follow-up will occur in February 2025. Custom Developed Software Central Information Technology should develop and implement a policy for custom software development, requiring comprehensive system and user documentation for software applications throughout the County. Planned No new updates from May 2024 original audit. Regular audit follow-up will occur in February 2025. Custom Developed Software Central Information Technology should establish internal agreements with departments requesting developed software or when inheriting maintenance responsibilities of previously deployed applications. Planned No new updates from May 2024 original audit. Regular audit follow-up will occur in February 2025. Custom Developed Software Central Information Technology should develop and implement a policy for custom software development maintenance protocols throughout the County. Planned No new updates from May 2024 original audit. Regular audit follow-up will occur in February 2025. 2024 Global Follow-up #24/25-4 December 2024 Deschutes County Office of the Internal Auditor Page 27 of 33 Audit Recommendation Updated Status Updated Comment Custom Developed Software Central Information Technology should continue efforts to capture data for maintaining custom- developed software and make those tools available to other information technology personnel. Planned No new updates from May 2024 original audit. Regular audit follow-up will occur in February 2025. Custom Developed Software Central Information Technology should use collected data to create performance measures for custom- developed software. Planned No new updates from May 2024 original audit. Regular audit follow-up will occur in February 2025. Clerk's Office Integrated Audit The Clerk’s Office should conduct a fraud risk assessment, and document outcomes. Planned No update. We agree with the auditors’ comments and will explore conducting a fraud risk assessment. Clerk's Office Integrated Audit The Clerk’s Office should document and implement procedures to address fraud risks identified in the risk assessment. Planned No update. We agree with the auditors’ comments and will explore conducting a fraud risk assessment. Clerk's Office Integrated Audit The Clerk’s Office should consult with the new procurement staffer about procurement requirements. Underway Discussions have taken place with the county's Procurement Manager, who has expressed a willingness to collaborate and provide support. Their assistance will help ensure that our department adheres to and is in compliance with relevant county procurement rules. We have a planning meeting set for next week to move toward developing these contracts. Clerk's Office Integrated Audit The Clerk’s Office should conduct competitive procurements, put contracts in place, and get Administrator sign-off related to services identified in the audit. Underway Discussions have taken place with the county's Procurement Manager, who has expressed a willingness to collaborate and provide support. Their assistance will help ensure that our department adheres to and is in compliance with relevant county procurement rules. We have a planning meeting set for next week to move toward developing these contracts 2024 Global Follow-up #24/25-4 December 2024 Deschutes County Office of the Internal Auditor Page 28 of 33 Audit Recommendation Updated Status Updated Comment Clerk's Office Integrated Audit The Clerk’s Office should analyze how often and when staff need to review a document they record and then decide whether recording and reviewing duties should be segregated. Resolved The Clerk’s Office has adopted the recommendation to enable software controls to segregate recording and reviewing (verification), while maintaining the department’s current level of customer service. These enabled software controls ensure no single person can record and verify their own work. Clerk's Office Integrated Audit If the Clerk’s Office decides record and review duties should be segregated, it should re-enable controls in the information system to enforce segregation. If the Office decides that duties should not be segregated, it should formally accept the risk by allowing role conflicts in a procedure. Resolved The Clerk’s Office has adopted the recommendation to enable software controls to segregate recording and reviewing (verification), while maintaining the department’s current level of customer service. These enabled software controls ensure no single person can record and verify their own work. Clerk's Office Integrated Audit The Clerk’s Office should document workflow impacts of requiring supervisor approval of voided receipts including how often they happen and how long the process takes. After collecting this information, the Office should decide whether voids should require supervisor authorization. Resolved Software controls have been reactivated to enforce a requirement for supervisor approval on any voided receipts. This ensures an additional layer of oversight and accountability, preventing unauthorized voids and helping to maintain accurate financial records. Clerk's Office Integrated Audit If the Office decides that voids should require supervisor authorization, it should use controls in the information system to enforce authorization. If the Office decides that it will not require authorization, it should document compensating controls and formally accept the risks. Resolved Software controls have been reactivated to enforce a requirement for supervisor approval on any voided receipts. This ensures an additional layer of oversight and accountability, preventing unauthorized voids and helping to maintain accurate financial records. Clerk's Office Integrated Audit The Clerk's Office should review how staff use the generic account including how often it is used. Resolved We have discontinued the use of a generic username and password for access to computers in the Clerk’s Office. Clerk's Office Integrated Audit If the Office continues to use the generic account, it should formally accept and document the risks associated with its use. Resolved We have discontinued the use of a generic username and password for access to computers in the Clerk’s Office. 2024 Global Follow-up #24/25-4 December 2024 Deschutes County Office of the Internal Auditor Page 29 of 33 Audit Recommendation Updated Status Updated Comment Clerk's Office Integrated Audit The Clerks' Office should assign someone to keep the payment card secured while continuing to use the log. Resolved The Purchase Card is now secured under lock and key with the exception of when it is in use. Clerk's Office Integrated Audit The Clerk's Office should improve performance reporting by including data about staff to number of pages recorded, clarifying why staff to voter registration is “In-Progress” or changing status to “True”, and including historical context/goals in the narrative section to cost per ballot tallied. Resolved We have updated the measures to reflect the correct status, ensuring that any "In- Progress" entries are now accurately categorized. Moving forward, the department will continue to assess the provided metrics to ensure they offer meaningful insights and align with county goals. We will also work on integrating historical context and clearer data points, such as FTE to voter registration ratios and cost per ballot tallied, to provide a more comprehensive picture of the work being done by the department. Clerk's Office Integrated Audit The Clerk's Office should request that the Board of County Commissioners amend County Code to give responsibility to distribute copies of the code chapter about weed control to the Road Department. Resolved The code was amended through BOCC order in June 2024. County Legal Integrated Audit County Legal should create new performance measures that are more useful, relevant, and adequate. Consider measures used by benchmark counties including staff workload, timeliness, and satisfaction. Underway These will be reported on or around the FY budget cycle. County Legal Integrated Audit County Legal should document and implement procedures to address fraud risks identified in the risk assessment. Resolved We created and implemented a check handling policy that segregates duties and addresses risks identified in the assessment. 2024 Global Follow-up #24/25-4 December 2024 Deschutes County Office of the Internal Auditor Page 30 of 33 5. Appendix B: Authority, Objective, Scope, and Methodology Audit Authority The Deschutes County Audit Committee has suggested that follow-ups occur within nine months of the reports. The Audit Committee would like to make sure departments satisfactorily address any prior recommendations that have not been completed at the time of the initial or subsequent follow-ups. Objective and Scope Objective: The objective was to follow up on previously unresolved recommendations. Scope and timing: This 2024 Global follow-up included all reports issued with unresolved recommendations. Reports that had a follow-up report completed in approximately nine months were subject to a new request for information. Updates to the recommendations outlined in the audit reports presented in Figure I have been incorporated into this report and are detailed in Appendix A. There are ninety (90) recommendations included in this update over twenty (22) audit reports. Status was determined through information provided by elected offices and departments in December 2024. The original internal reports should be referenced for the full text of recommendations and associated discussion. All internal audit performance reports are published on the County website at https://www.deschutes.org/administration/page/internal-audit- reports. Methodology The follow-up report was developed from information provided by appropriate staff in the associated offices and departments. In cases where recommendations have not been implemented, comments were sought for the reasons why and the timing for “Audit objectives” define the goals of the audit. 2024 Global Follow-up #24/25-4 December 2024 Deschutes County Office of the Internal Auditor Page 31 of 33 addressing these. The follow-ups are, by nature, subjective. In determining the status of recommendations that were followed up, we relied on assertions provided by those involved and did not attempt to independently verify those assertions. Since no substantive audit work was performed, Government Auditing Standards issued by the Comptroller General of the United States were not followed. 6. Appendix C: Audit Reports Issued Audit Title Original Report # Report Issued # of Original Recommend ations # of Recommend ations Outstanding % Resolved Munis purchasing topics Part I - Security and Workflows 19/20-9 Jan-21 18 0 100% Munis purchasing topics Part II - Vendor Master 20/21-6 Mar-21 12 0 100% Munis purchasing topics Part III – P-Cards 20/21-8 May-21 7 4 43% County Clerk Transition 20/21-11 Jul-21 9 2 78% 2021 County Fair - Ticketing and selected areas 21/22-1 Sep-21 17 0 100% Munis purchasing topics Part IV - Analyses 20/21-9 Nov-21 10 1 90% Management of Pandemic Case Investigation and Contact Tracing 21/22-5 Mar-22 5 5 0% Adult Parole and Probation - Cash Handling 21/22-11 May-22 1 0 100% Administrative Services & Risk - Cash handling 21/22-10 May-22 3 0 100% Assessor's Office - Cash Handling 21/22-13 Jun-22 10 0 100% 2024 Global Follow-up #24/25-4 December 2024 Deschutes County Office of the Internal Auditor Page 32 of 33 Audit Title Original Report # Report Issued # of Original Recommend ations # of Recommend ations Outstanding % Resolved Initial Cybersecurity Assessment 21/22-6 Jul-22 3 0 100% Justice Court - Cash handling 21/22-15 Sep-22 2 0 100% Sheriff’s Office - Cash handling 21/22-16 Nov-22 3 3 0% Vacation and Sick Leave 21/22-17 Dec-22 10 5 50% Elected District Attorney Transition 22/23-4 Jan-23 5 0 100% Personal Information Data Privacy 22/23-2 Feb-23 4 0 100% Treasurer Transition 2022 21/22-12 Mar-23 7 0 100% Finance/Tax – Controls over receipts 22/23-8 Apr-23 4 0 100% Continuity of Operations Plans 22/23-6 Jun-23 6 1 83% Behavioral Health – Practices Improvement 22/23-9 Sep-23 9 4 56% District Attorney’s Office – Cash Handling 23/24-4 Sep-23 1 0 100% Facilities and Property Management – Cash Handling 23/24-2 Oct-23 4 1 75% Overtime and Compensatory Time 24/23-6 Jan-24 8 4 50% Fair and Expo – Cash Handling 23/24-8 Feb-24 5 2 60% 2024 Global Follow-up #24/25-4 December 2024 Deschutes County Office of the Internal Auditor Page 33 of 33 Audit Title Original Report # Report Issued # of Original Recommend ations # of Recommend ations Outstanding % Resolved Wage Equity 23/24-5 Mar-24 5 3 40% Custom-Developed Software 23/24-13 May-24 13 13 0% Clerk’s Office Integrated Audit 23/24-14 Jun-24 13 4 69% County Legal Integrated Audit 23/24-19 Jun-24 3 1 67% Total 28 197 53 73.10% If you would like to receive future reports and information from Internal Audit or know someone else who might like to receive our updates, sign up at http://bit.ly/DCInternalAudit.