DAS, State Treasury outline enterprise internal controls, audits and cyber safeguards
Summary
The Department of Administrative Services and the Oregon State Treasury presented an informational briefing on internal controls to the General Government Subcommittee on May 7, outlining how the state balances risk, oversight and operational efficiency.
Kate Nass, chief financial officer at the Department of Administrative Services, told Chair Gorsek and committee members that internal controls “is really a pretty broad topic” that must be embedded across policies, systems and physical and electronic access. She said the department would keep the briefing high level and take requests for more sensitive detail offline to avoid increasing security risk.
Nass said statewide policies include guidance from the chief human resources office and the Oregon Accounting Manual, and that controls are enforced through multiple financial systems and through physical and electronic access controls. Rob Hamilton, state controller in the Chief Financial Office, said the Oregon Accounting Manual includes a chapter on internal control and that RSTARS, the state accounting system, uses more than 50 user classes to separate transaction authorization, recording, custody and reconciliation.
Hamilton described segregation of duties as “a key component for the prevention and detection of fraud or errors,” and said the accounting system and a centralized system security office work with agency security officers to review access every six months. He said the Secretary of State Audits Division reviews the state’s internal control environment as part of the annual financial statement audit.
George Knott, deputy treasurer, framed internal controls around risk management and the Treasury’s role as the state’s banker and investor. “Risk is not necessarily a bad thing,” Knott said, and explained that Treasury distinguishes between opportunity risks on the investment side and threat risks that controls seek to mitigate. He described investment controls for large wire transfers and custodial processes used when funds are called by external managers, noting multiple approvals and custodian verification on transfers.
Knott said Treasury uses a combination of preventative, detective and corrective controls and highlighted specific practices: a fraud, waste and abuse hotline administered by the Secretary of State for confidential tips; an internal audit function (he said Treasury currently employs three internal auditors and augments work with external firms such as Gartner for IT vulnerability reviews); role‑based access and background checks for staff; quarterly financial disclosures and a legal and compliance unit to manage conflicts; and ongoing investments in cybersecurity, including multi‑factor authentication and a move toward zero‑trust architecture.
On unclaimed property, Knott said claims are never initiated by Treasury staff, that the documentation required from claimants is the principal control, that two approvals are required before checks are issued, and that Treasury contacts claimants before issuing large checks. He cited an example in which an attempted fraudulent unclaimed‑property check in recent work was caught during those processes (the presentation referenced a significant check of roughly three quarters of a million dollars that was intercepted).
Committee members asked clarifying questions. Representative Chi Chi asked whether hotline reports are public records; Knott and other presenters said the Secretary of State manages the hotline and that questions about public‑records exclusions should be directed to that office. Multiple committee members asked about small agencies’ ability to maintain segregation of duties; presenters said small boards often contract DAS for accounting services or rely on commission chairs and agency heads to maintain controls.
Presenters emphasized there were no formal decisions or votes during the hearing. They repeatedly cautioned that more granular control details are sensitive and would need to be handled outside an open public meeting. Chair Gorsek closed the informational hearing and noted the Department of Revenue will present a related briefing the next day.
Discussion versus action: the session was informational; staff were asked to provide more detailed information offline where appropriate, but no formal motions, directives or policy changes were adopted.
