AUDIT OF INFORMATION TECHNOLOGY PROJECTS - 4943

All information technology (IT) projects are subject to audit, with project reporting and evaluation documents an essential aspect of the audit trail. Documentation supporting project decisions must be kept by the Agency/state entity for a minimum of two years following approval of the post-implementation assessment.

Some projects may be subject to ongoing review by the Department of Finance’s Office of State Audits and Evaluations (OSAE). OSAE may review the Project Approval Lifecycle Stage/Gate deliverables of projects approved by the California Department of Technology (Department of Technology) and the Reporting Exemption Requests of projects delegated to agencies by the Department of Technology. OSAE will select projects for ongoing review based on their risk, cost, and materiality.

For projects selected for ongoing review, OSAE will develop and submit to Agency/state entity management periodic status reports and the project Post-Implementation Evaluation Report (PIER) required under SAM Section 4947. Agencies/state entities are required to submit final versions of the periodic status reports and the project PIER to the Department of Technology within five working days after they are received from OSAE.

If OSAE determines that the project should be audited, the Agency/state entity must enter into an interagency agreement with OSAE for that purpose. Since the cost that the Agency/state entity otherwise would have incurred in monitoring the project and producing progress reports and the PIER will no longer be borne by the Agency/state entity, these costs should not be included in the project budget. However, the Agency/state entity should ensure that the project budget includes an amount sufficient to cover the costs of the interagency agreement with OSAE.