STATE OF OREGON RISK MANAGEMENT CONTRACT - ATA # 10700030-03
The State of Oregon requires that state agencies, commissions and others conduct 1. Performance, 2. Risk, and/or 3. Information Technology assessments. Quality Plus Engineering (Q+E) has been preapproved by the State of Oregon to conduct: 1. Performance audits; 2. Risk assessments; and 3. Information Technology audits. The risk management and management advisory services are described in this section.
The State of Oregon defines performance audit as:
“A performance audit is an objective and systematic examination of evidence to provide an independent assessment of the performance and management of a program against objective criteria or an assessment of best practices and other information. Performance audits provide information to improve program operations and facilitate decision-making by parties with responsibility to oversee or initiate corrective action, and improve public accountability. Performance audits encompass a wide variety of objectives including related objectives to assess program effectiveness and results; economy and efficiency; internal control; and compliance with legal or other requirements; and objectives related to providing prospective analyses, guidance, or summary information. Types of performance audits include:
Program effectiveness and results audits. These audits address the effectiveness of a program and typically measure the extent to which a program is achieving its goals and objectives.
Economy and efficiency audits. These audits address whether an entity is acquiring, protecting, and using its resources in the most productive manner to achieve program objectives. The objectives of the program effectiveness and results audits and the economy and efficiency audits are often interrelated and may be concurrently addressed in a performance audit.
Internal control reviews. These reviews address management’s plans, methods, and procedures used to meet its missions, goals, and objectives. Internal controls include processes and procedures for planning, organizing, directing, and controlling program operations, and the systems put in place for measuring, reporting, and monitoring program performance. The internal control environment includes controls to help ensure the following:
o The organization’s missions, goals, and objectives are achieved effectively and efficiently.
o Resources are used in compliance with laws, regulations, or other requirements.
o Resources are safeguarded against unauthorized acquisition, use or disposition.
o Management information and public reports that are produced are complete, accurate, and consistent to document performance and support decision making.
o Information technology resources are adequately managed and controlled, and security over computerized information systems will help ensure confidentiality, integrity, and availability of the State’s information resources; and
o Business continuity planning and procedures will enable mission-critical operations to continue in the event of a significant disruption. Review and validation of contract performance between state agencies and vendors.”
STATE OF OREGON RISK ASSESSMENTS
The State of Oregon defines risk assessment as:
“A risk assessment is an evaluation and identification of an entity’s risks and a prioritization of management action necessary to address or mitigate risks. It is used to provide management with a measure of an agency’s success in 1. Compliance with applicable rules, regulations, laws, and policies; 2. Safeguarding assets against waste, loss, unauthorized use and misappropriation; 3. Ensuring that agencies’ revenues and expenditures are properly recorded and accounted for to permit the preparation of accounts and reliable financial and statistical reports, and to maintain accountability over the assets; 4. Ensuring that programs and administrative and operating functions are efficiently and effectively carried out in accordance with applicable laws and management policies; and 5. Ensuring that the control process emphasizes prevention of waste, fraud, and mismanagement, and timely correction of control weaknesses.”
STATE OF OREGON INFORMATION TECHNOLOGY AUDITS
The State of Oregon defines Information Technology audits as:
“The State of Oregon has adopted the COBIT framework to help ensure effective management of information technology resources. COBIT stands for Control Objectives for Information and related Technology and is an open standard for control over information technology, developed and promoted by the IT Governance Institute. The Information Systems Audit and Control Association and Foundation publish Control Objectives for Information and related Technology. Generally, information technology audits should be based on the COBIT framework. Information Technology audits may include any or all of the following:
Evaluating the effectiveness of the Information Technology unit (IT policies, strategic planning, roles and responsibilities, monitoring and oversight, etc.).
Change control.
Systems development.
Information technology security.
Computer operations/general controls. Access controls, systems operator policies and procedures, adequate protection of the production systems from intruders and the environment, and network monitoring, which involves properly configuring the audit logs, ensuring the continuity and integrity of the logs, and tracking who accesses the network and what they do within it. Monitoring also includes recognizing changes that have occurred to key programs, why, and who changed them.
Business continuity.
Application controls.
Specialized audits/computer assisted audits.
Fraud detection, identifying duplicate payments or other errors, verifying compliance with established criteria using computer assisted audit techniques.”