Deschutes County commissioners spent the latter portion of their Dec. 1 meeting in a work session examining the role, scope and governance of the county's internal audit program after recent audits touched on sensitive matters including body-camera management and election-system IT controls.

The board heard from the county's internal auditor (identified in the transcript as Elizabeth Paper) and audit committee chair Daryl Parish. The auditor said the audit committee requested reviews of body-camera management and election-related IT controls, that the audits evaluated internal controls and program-level risks rather than conducting criminal investigations, and that her office follows procedures for handling sensitive information, including training, background checks and secure storage when required.

"I take access to data very seriously," the auditor said, describing steps her office takes to secure and limit exposure of sensitive information and noting options for confidential reporting when technology vulnerabilities are found.

Commissioners and audit-committee members debated whether the internal auditor or a peer-review process (for example, review by other sheriff's offices or other county clerks) would be preferable for particularly politically charged or legally constrained topics. Commissioner (speaker 8) suggested peer reviews as a way to obtain independent technical assurance while avoiding legal or public-sensitivity conflicts when, for example, body-camera footage or CJIS-protected materials are involved. Auditor Paper replied that code currently gives the auditor access to CJIS information and that she can follow confidentiality procedures, but acknowledged legal and operational complexities when data-providers make errors in what they share.

The conversation also covered how the audit program frames findings and how management responses and resource limitations influence remediation choices; the auditor said management can accept identified risks and provide rationale. Several commissioners asked for clearer code language defining the audit committee's governance role and suggested clarifying when audits should be handled as peer reviews, confidential technical assessments, or public audit reports.

Board members agreed to consider proposed code revisions that would clarify governance, committee responsibilities and expectations around politically sensitive audits and to continue the discussion in subsequent meetings. No formal code change was adopted at this session.