Oregon Department of Revenue details internal controls for $45 billion in collections

SALEM, Ore. — At an informational hearing May 8, 2025, the General Government Subcommittee of the Ways and Means Committee heard how the Oregon Department of Revenue (DOR) protects taxpayer information and the roughly $45 billion it collected in the last biennium.

DOR Director Betsy Eimholt told the committee the agency relies on policies, employee screening, training, technical safeguards and regular audits to reduce the risk that confidential return data or funds could be improperly accessed or diverted. “If we lose that trust, our very mission is at risk,” Eimholt said.

The presentation described a layered control framework the agency follows. Jay Messenger, DOR’s internal controls officer, said the department follows the Oregon Accounting Manual and draws on federal and industry standards for information security, including Internal Revenue Service guidance and the Center for Internet Security’s critical security controls. “No matter the environment — physical, digital, financial — internal controls have similar attributes,” Messenger said.

DOR described specific personnel and technical safeguards. The agency said all employees undergo a tax compliance check before hire and annually thereafter, and that employees are fingerprinted and receive a federal background check before hire and every five years. Access controls in the department’s tax administration software, Gentax, require manager approval for accounts and role-based permissions; managers verify user roles every three months, the agency said. Messenger described separation of duties, dual custody for payments, rotation of staff for sensitive reconciliation tasks, logging, cameras and security guards as parts of its monitoring suite.

Stefan Hamlin, DOR chief financial officer, explained financial reconciliations: the department reconciles records in Gentax, the monthly bank statement from the State Treasury and the statewide accounting system RSTARS each month. “We reconcile our GenTax information with the monthly bank statement from Treasury,” Hamlin said. He also described layered review on vendor payments and delegation-of-authority thresholds that require higher-level sign-off when limits are exceeded.

Committee members pressed officials on past incidents and the effectiveness of controls. Messenger and Eimholt said there have been instances where staff were disciplined or terminated after accessing data they were not authorized to view; the agency said those incidents did not result in a public breach. “There are times where we have terminated an employee pretty much immediately because they were accessing something they shouldn’t have accessed,” Eimholt said. DOR said suspected criminal activity is referred to law enforcement and that investigations, discipline and termination follow state human resources rules, Department of Administrative Services policies and the SEIU collective bargaining agreement where applicable.

Officials also described how the agency responds to evolving fraud schemes. Eimholt said the trend state tax agencies see is that attempts “get more prolific, more sophisticated, more attempts, lower dollar amount,” and that states share information to adjust detection and thresholds in near real time. DOR officials said they use technology to block improper data transmission, produce automated reports for suspicious activity, and perform ongoing reviews of system access.

The department said it is subject to multiple audits: the Oregon Secretary of State performs an annual comprehensive financial audit; Enterprise Information Services conducts cybersecurity assessments; and the Internal Revenue Service audits the agency’s handling of federal taxpayer information on a roughly three‑year cycle (most recently last August). DOR also has an internal audit team and an internal controls office that conduct periodic reviews.

Officials gave timing details for recent control activities: mandatory employee annual training closed May 4 and the department’s annual risk assessment opened the following Tuesday. Committee members asked about tools and resources; CFO Hamlin said DOR uses spreadsheets and Microsoft products for some risk work and is seeking an appropriate software solution for enterprise risk and compliance tracking.

The subcommittee closed the informational hearing and the chair noted the committee would not meet on May 12 and will hold a work session May 13 on Senate Bill 5540, the appropriation bill for the Board of Tax Practitioners.

The hearing record shows agency officials described existing controls, monitoring and audit processes but did not propose new statutory requirements or request specific additional funding during this presentation. Committee members offered to help the agency secure resources if needed.