Secretary of State lays out data-driven FY2027 audit plan, limits scope to 10 audits
Loading...
Summary
The Oregon Secretary of State presented a new two-phase, data-driven methodology for selecting FY2027 performance audits and said the office will conduct 10 audits chosen by a risk-scoring process; officials said capacity, not policy, limited the plan's size.
The Joint Committee on Legislative Audits heard Tuesday that the Oregon Secretary of State's office used a new, data-driven risk model to choose 10 performance audits for fiscal year 2027.
Steve Bergman, the audits director, told the committee the office implemented a new risk methodology in 2025 "to develop the fiscal year 2027 performance audit plan." He said the approach works in two phases: Phase 1 applies 11 risk indicators to rank agencies, and Phase 2 analyzes a risk register to identify specific focus areas within the highest-scoring agencies.
The methodology draws on statewide HR and accounting data, hotline complaints, internal-audit submissions, Legislative Fiscal Office budget analysis and audit staff observations, Bergman said. He listed priority topics for FY2027 that include parole and probation services at the Oregon Youth Authority, offender registration work at Oregon State Police, pass-through funding and contract administration at the Oregon Health Authority, intellectual and developmental disabilities at the Department of Human Services and a capital-accessibility review for Legislative Administration. The division aims to complete the audits by the end of the fiscal year on June 30, 2027.
Senator Starman asked why the office limited the plan to 10 audits. Bergman said the cap reflects available staffing and budgeted hours: "It's capacity," he said, and offered to follow up with committee members on what additional items would have ranked next on the list.
Committee members raised a separate concern about smaller agencies that may never score high enough on the matrix to trigger audits. Michael Kaplan, deputy secretary of state, acknowledged that the model prioritizes larger or higher-risk agencies and said the division will continue conversations with the Legislature about additional capacity to fill gaps.
Bergman described safeguards in the audit process: the office conducts data-reliability work, triangulates evidence, holds internal and external findings meetings with audited agencies and subjects each report sentence to quality-control review. He also said JLAC feedback is a statutory input to the audit plan under Oregon law.
The presentation did not propose new audits beyond the 10-item list; committee members signaled interest in seeing follow-up on capacity and how the register will incorporate fieldwork discoveries. The committee voted not to take formal action at the hearing; Bergman said the office will provide additional information and follow up with JLAC members.
