Marijuana and the Oregon Liquor Control Commission's Technology Audit


 Secretary of State


The State of Oregon

900 Court Street NE, Salem, Oregon 97310  -

Secretary Richardson

Oregon's Recreational Marijuana Program was legalized by the voters in 2015. Responsibility for issuing permits, inspecting "grows," ensuring compliance, and all other aspects of the administration of the marijuana industry from "seed to sale" was placed on the Oregon Liquor Control Commission. The size and complexity of regulating the Oregon marijuana industry was grossly underestimated. Although the initial estimate for tax revenue was $10.8 million, the marijuana tax revenue actually generated since January 2016 was $115 million. Below is the information on the results of the Secretary of State audit, which focused on the OLCC's technology and computer systems being used to track production and sales. Since there has been substantial state and federal concerns about broader aspects of administering, managing, and regulating marijuana in Oregon, a second audit with a much broader scope of Oregon's marijuana industry will begin soon.


Salem, OR – Today, Secretary of State Dennis Richardson released an audit of The Oregon Liquor Control Commission (OLCC). The audit titled: Cannabis Information Systems Properly Functioning but Monitoring and Security Enhancements are Needed found that OLCC has taken positive steps to establish information systems for recreational marijuana regulation. However, auditors also found several weaknesses associated with the agency’s new IT systems used for marijuana licensing and tracking.

The audit also found that OLCC has not implemented an appropriate agency-wide IT security management program.

In 2014, voters approved Measure 91, which legalized the production, sale, and use of recreational marijuana in Oregon. State law requires applicants for recreational marijuana business licenses and renewals to submit their application to OLCC. The law also requires the agency to implement a system to track recreational marijuana from seed to sale. In response, OLCC contracted with external vendors to develop, host, and support the Marijuana Licensing System and Cannabis Tracking System (CTS).  We found that these systems are functioning properly to facilitate licensing of marijuana businesses and to track marijuana products within the state.

OLCC requires Marijuana businesses to track a number of items in the CTS, including daily sales activity, inventory transfers, lab test results, inventory adjustments, and marijuana waste. OLCC has developed initial processes to use this data to identify potential instances of noncompliance in the marijuana industry. 

However, auditors determined that immature regulatory processes and poor data quality increase the risk that compliance violations in the recreational marijuana program will go undetected. Specifically, auditors found the following issues increased the risk that OLCC may not detect potential violations or illegal activity:

  • Reliance on self-reported data from marijuana businesses;
  • Inconsistent weight measurement systems;
  • Allowing untracked marijuana inventory in the first 90 days of licensure;
  • Poor or insufficient data quality in the Cannabis Tracking System; and
  • An insufficient number of trained inspectors needed for on-site investigations.

Additionally, auditors concluded that better practices are needed to manage marijuana applications and application vendors. They identified the following specific weaknesses:

  • OLCC lacks processes to monitor some third-party service providers;
  • OLCC does not have a process for reconciling data transmitted by the licensing system to the tracking system;
  • Test data exists in the Marijuana Licensing System production environment, increasing the risk that program decisions may be based on unreliable data; and
  • User account management processes are lacking, which increases the risk of inappropriate access to marijuana systems.

Although the marijuana licensing and tracking systems are hosted and supported by external vendors, OLCC’s information technology (IT) division is responsible for the agency’s network security, web application design and development, database administration, and software development.

Auditors determined OLCC lacks an appropriate IT security management program based on the following identified weaknesses:

  • OLCC lacks an up-to-date security plan;
  • IT assets are not sufficiently tracked;
  • OLCC has not set server or network device baselines and does not have a process to monitor for unauthorized changes or devices;
  • Management has not developed processes to identify IT security vulnerabilities;
  • Antivirus solutions are not effectively managed;
  • Servers and workstations are running on unsupported operating systems;
  • Physical access controls should be improved; and
  • Long-standing information security issues remain unresolved, including insufficient and outdated policies and procedures necessary to safeguard information assets.

Auditors also found OLCC should develop a disaster recovery plan and improve backup media testing processes.

The audit includes 17 recommendations to address the risk of undetected compliance violations, weaknesses related to marijuana vendor and application management, IT security management weaknesses, and weaknesses related to disaster recovery and backup media testing.

Read the full audit on the Secretary of State website