2022-114 Audit Scope and Objectives
California Department of Technology—Oversight of Information Technology Projects
The audit by the California State Auditor will provide independently developed and verified information related to the California Department of Technology's (Technology Department) oversight of state information technology projects and the State's safeguards against cybersecurity threats. The audit's scope will include, but not be limited to, the following activities:
- Review and evaluate the laws, rules, and regulations significant to the audit objectives.
- Review and evaluate the processes used by the Technology Department for reviewing and approving information technology procurements and determine the degree to which the Technology Department is responsible for statewide oversight, coordination, planning, and leadership as well as effective uses of information technology, including new systems that would allow for interdepartmental communication and information sharing.
- Review and evaluate the level of oversight the Technology Department provides on statewide information technology and security, including but not limited to determining the following:
  - Whether the Technology Department has conducted an inventory of all the information technology systems used by departments throughout the State, including the age of the systems and the adequacy of their security controls.
  - Whether the Technology Department has identified all the legacy systems in need of modernization, including those that have unsupported hardware and software, are using outdated languages, or are operating with known security vulnerabilities.
  - Whether the Technology Department is involved in making key decisions, including the development of modernization plans, and ensuring that the systems meet the needs of departments, agencies, and entities.
  - The extent to which the Technology Department has assessed and measured the information security status across the State.
  - The extent to which the Technology Department has monitored potential or actual security threats across the State.
- Review the Technology Department's role in managing a selection of procurements of information technology and whether it routinely followed laws, rules, regulations, policies, and best practices when selecting vendors for the system, including, to the extent possible, those prohibiting a conflict of interest during the selection process.
- Review a selection of information technology projects at state departments, agencies, and entities for which the Technology Department provides services, including recent projects at the Employment Development Department and FI$Cal, and determine whether the Technology Department fulfilled its roles and responsibilities. Specifically, perform the following:
  - Identify the estimated and actual implementation costs and timelines for the system as well as the number of and reasons for change orders and contract amendments.
  - Determine whether the original project requirements, as defined by the scopes of work, were timely delivered during implementation of the system projects.
  - Evaluate the steps the Technology Department took when project variances were identified within the Technology Department's scope of responsibility. To the extent possible, determine whether the Technology Department could have identified problems with the systems earlier.
  - If applicable, determine whether the departments, agencies, and entities, and/or the Technology Department have documented lessons learned for use in future phases of system implementations.
- Determine whether the Technology Department is the right size to appropriately perform its statutory responsibility to oversee IT project development and IT security, including whether additional qualified staff would meaningfully improve its services with respect to information security and IT projects.
- Conduct a survey of all state departments, agencies, and entities within the Technology Department's scope of responsibility to assess the extent to which they are aware of, using, and satisfied with the services that the Technology Department offers, including project approvals and oversight, technology procurement, IT consulting, and information security.
- Determine statewide the number of legacy systems in need of modernization and determine those that are most critical. Furthermore, for the departments, agencies, and entities with legacy systems needing modernization, determine whether they have documented modernization plans.
- Identify any recommendations that could improve or assist the Technology Department's efforts to deliver digital services, develop innovative and responsive solutions for business needs, and provide assistance with IT projects and services.
- Review and assess any other issues that are significant to the audit.
California State Auditor's Office