.
According to an auditor’s office preview of the audit’s scope and objectives, the report will assess CDT’s role in managing a selection of IT procurements and “whether it routinely followed laws, rules, regulations, policies, and best practices when selecting vendors for the system, including, to the extent possible, those prohibiting a conflict of interest during the selection process.”
In addition, the report will evaluate the level of oversight CDT provides on statewide IT and security, including:
- Whether CDT has conducted an inventory of all the IT systems used by departments of state government, including the age of the systems and the adequacy of their security controls.
- Whether CDT has identified all the legacy systems that need modernization, including those that have unsupported hardware and software, are using outdated languages, or are operating with known security vulnerabilities.
- Whether CDT is involved in making key decisions, including the development of modernization plans, and ensuring that the systems meet departments’ needs.
- The extent to which CDT has assessed and measured state departments’ information security status and the extent to which CDT has monitored potential or actual security threats across the state.
Auditors also reviewed CDT’s management of state IT procurements and whether it followed laws, rules, regulations, policies and best practices in selecting vendors. This will include regulations prohibiting a conflict of interest during the vendor selection process.
The report will address how many of the state’s legacy technology systems need modernization and will determine those that are most critical, and whether those departments have documented modernization plans.
The audit will also address whether CDT fulfilled “its roles and responsibilities” with regard to projects for which it provided services, including recent projects at the Employment Development Department and the Financial Information System for California (FI$Cal). Specifically, it will:
- Identify the estimated and actual implementation costs and timelines for the system as well as the number of and reasons for change orders and contract amendments.
- Determine whether the original project requirements, as defined by the scopes of work, were timely and delivered during implementation of the system projects.
- Evaluate the steps CDT took when project variances were identified within its scope of responsibility. To the extent possible, determine whether CDT could have identified problems with the systems earlier.
- If applicable, determine whether the departments and/or CDT have documented lessons learned for use in future phases of system implementations.
Other issues that the report will address include:
- Determining whether CDT “is the right size to appropriately perform its statutory responsibility to oversee IT project development and IT security, including whether additional qualified staff would meaningfully improve its services with respect to information security and IT projects.”
- Surveying all state departments within CDT’s scope of responsibility to assess whether and how much they are aware of CDT’s services, and whether they’re satisfied with those services, which include project approvals and oversight, technology procurement, IT consulting and information security.
Industry Insider — California will report more on the details and findings after the report’s publication, along with any reaction from CDT.
