F0109 Custom Software Flw-up PUBLISHED 3-11-25
To request this information in an alternate format, please call (541) 330-4674
or send email to internal.audit@Deschutes.org
Custom Developed Software Follow-up Report: New
policy implemented; additional improvements
planned.
March 2025
Our 2024 audit of custom developed software found increasing
reliance on decentralized information technology without robust
governance, documentation, and oversight to mitigate custom
software development risks. Nine months later, the Information
Technology Department created a new policy to guide software
development across departments, but additional procedures to
increase security, efficiency, and performance were still in the
planning stages.
Deschutes County Office of the Internal Auditor Page 1 of 7
Audit Follow-up Report: March 2025
Custom Developed Software
Recommendation Status Key:
Resolved (2): Management addressed risk. Auditors will no longer monitor.
In Process (11): Recommendations are in progress. Auditors will continue to monitor.
Accept Risk (0): Management accepted the risk of not implementing the recommendation.

New custom-developed software policy nearly complete.
Outdated technology policies, some nearly 20 years old, did not
address system architecture documentation for custom software,
raising the risk of incomplete security practices. We recommended
that Information Technology develop and implement a policy for
custom-software development identifying security and privacy
requirements for all projects throughout the County. The
Department prioritized developing a policy for custom developed
software, stating, “We cannot afford to underestimate the
consequences of security incidents, as any self-inflicted incident
could have severe financial and reputational repercussions for
the County as a whole.” As of March 2025, a policy was
substantially complete with expected final approval by the Board
of County Commissioners in the Spring.

Uniform coding standards to be adopted.
Department software developers did not have a consistent
approach to coding and County technology policies did not
include unified coding standards. Without a documented process,
software implementation faced inefficiencies, inconsistencies,
delays, errors, and increased costs. We recommended that
Information Technology develop and implement a policy for
custom-software development, defining unified coding standards
for all County developers. The Department stated that unified
coding standards would “ensure that all developers operate from
the same playbook, promoting coherence and efficiency in our
coding practices,” promoting efficiency, collaboration,
transparency, and accountability. A proposed policy included
coding standards and was substantially complete as of March
2025, with final approval expected by the Board of County
Commissioners in the Spring.

Software advisory body planned.
Staff in various departments made decisions about software
without documenting risks or countywide considerations about
performance and security. We recommended that Information
Technology lead the way in developing a central advisory body to
drive a project-centric investment process to support executive
decision making. The Department agreed that establishing an
advisory body would be a great step towards enhancing the
technology investment process, but also noted that it would take
a significant amount of effort, as many as 240 hours of work. Staff
estimated a completion date of December 2026. At the time of
the March 2025 update, the Department had not reported any
specific steps taken to establish the committee.

Cost framework delayed for input from advisory body.
Departmental staff did not have countywide information about
the full cost of custom software and in some cases considered
custom software to be "free" despite potentially higher costs than
commercial products. We recommended that Information
Technology develop and implement a policy for custom-software
development, outlining a standardized methodology for
determining costs associated with projects throughout the
County. The Department agreed a framework would improve
transparency and accountability, but felt a countywide
advisory committee would add a business perspective to
technical decision making. Staff anticipated forming the
committee would be significant work, with completion expected
by June 2027. As of March 2025, the Department had not
reported any steps toward establishing the committee or creating
a cost methodology.

For the time being, reliance on other departments to identify software.
Central Information Technology staff inherited custom software
when department developers left, sometimes unaware of these
projects, leading to unexpected maintenance costs. We
recommended that Information Technology develop and
implement a policy requiring annual reporting of all software
applications used by each department and elected office to
ensure an updated inventory is maintained. The Department
agreed that identifying assets supports lifecycle management but
emphasized the need for cooperation from other departments.
They anticipated creating a policy for mandatory reporting by
June 2027. At the time of the March 2025 update, the Department
had not reported any specific steps taken to create a policy.

County continued to depend on employees for institutional knowledge about software.
Developers inconsistently recorded software architecture,
resulting in gaps in understanding and documentation of security
and privacy requirements. We recommended Central Information
Technology develop and implement a policy for custom-software
development incorporating formal documentation of system
architecture for all projects throughout the County. The
Department committed to implementation and noted risks
associated with siloed software development, stating “in today's
dynamic technological landscape, relying solely on individual
employees to hold institutional knowledge is a risk and no longer
a sustainable practice.” The Department anticipated completing
the recommendation by June 2027, and did not report any
progress for the March 2025 update.

New system for independent software testing still in progress.
There was no independent quality review for most custom
applications because most involved only one developer in design.
This not only fostered departmental and developer siloing but
also heightened the risk of software flaws. We recommended that
Central Information Technology develop and implement a policy
for custom-software development, defining standardized testing
conditions and criteria for all projects throughout the County. The
Department accepted the recommendation because testing
conditions and criteria “not only streamline our testing processes
but also create opportunities for mutual support and
collaboration.” The Department anticipated completing the
recommendation by June 2027, and did not report any progress
for the March 2025 update.

Secure repository for software development delayed due to budget issues.
Staff did not keep some applications in a secure repository that
could ensure source code protection and version control. Version
control not only tracks modifications made to the code but also
provides the ability to revert to previous versions if needed,
thereby protecting against accidental or malicious changes during
testing. We recommended that Central Information Technology
provide access to the secure repository for all County developers.
The Department recognized the importance of this
recommendation, and hoped to implement it by September 2025.
However, providing access to the repository required a $1,800
investment which was not included in the Fiscal Year 2026
budget. The Department was still planning to implement the
recommendation.

Policy for comprehensive system and user documentation still in development.
To support the development of software-related service
agreements, we recommended Central Information Technology
develop and implement a policy for custom-software
development, requiring comprehensive system and user
documentation for software applications throughout the County.
The Department stated that it was already documenting aspects
of software applications, but that standardization would increase
documentation efficiency while also making it easier for
end-users to access documentation to navigate, use, and troubleshoot
software. The Department anticipated completing the
recommendation by June 2027, and did not report any progress
for the March 2025 update.

Software services agreements planned but not in place.
Developers and software stakeholders did not formally document
the purpose, scope, roles, responsibilities, management
commitment, or coordination between departments and elected
offices for deployed custom developed software. Without clear
agreements in place, there was a heightened risk of
inconsistencies, misunderstandings, and mismanagement of
software deployment processes. We recommended that Central
Information Technology establish internal agreements with
departments requesting developed software or when inheriting
maintenance responsibilities. The Department committed to
implement agreements to clarify service expectations and
resource requirements, but noted that it would take significant
work to create agreements for the many already built solutions
across the County. The Department anticipated completing the
recommendation by June 2027, and did not report any progress
for the March 2025 update.

Policy for custom software maintenance planned for completion in 2027.
There was not a policy to guide software maintenance including
identifying and fixing bugs or errors, implementing updates or
patches to address vulnerabilities, optimizing performance, and
change management. We recommended that Central Information
Technology develop and implement a policy for custom-software
development maintenance protocols throughout the County. The
Department agreed, stating “Security issues are a significant
concern in today's digital landscape, and regular maintenance is
essential for mitigating these risks.” The Department anticipated
completing the recommendation by June 2027, and did not report
any progress for the March 2025 update.

Staff planning to track maintenance costs but no progress reported.
Staff maintained custom software, but did not track maintenance
costs or time spent. We recommended that Central Information
Technology continue efforts to capture data for maintaining
custom-developed software and make those tools available to
other information technology personnel. The Department had
already identified this need and noted that real-time data would
help optimize resources and mitigate risks. The department
acknowledged that this was a large project that would take
significant labor to roll out, but with a budget of $30,000 a year, it
planned to complete the recommendation by June 2025. It did not
report any progress for the March 2025 update.

Custom software performance measures still in development.
Staff could not access data about software maintenance to assess
software performance to aid decisions about whether to update
or retire software. We recommended that Central Information
Technology use collected data to create performance measures
for custom-developed software. The Department planned to
implement the recommendation and noted several potential
advantages: understanding successes, insights about value and
efficiency, understanding whether solutions continue to meet
evolving needs, and identifying when software should be retired.
The Department anticipated completing the recommendation by
June 2027, and did not report any progress for the March 2025
update.

Next Steps: We will continue to report on the status of audit
recommendations in our Global Follow-up Report at the end of
each calendar year.

Deschutes County Office of the Internal Auditor
Audit Follow-up Report: Custom Developed Software
The mission of the Office of Internal Audit is to improve the performance of Deschutes
County government and to provide accountability to residents. We examine and
evaluate the effectiveness, efficiency, and equity of operations through an objective,
disciplined, and systematic approach.
The Office of Internal Audit:
Elizabeth Pape – County Internal Auditor
Phone: 541-330-4674
Email: internal.audit@deschutes.org
Web: www.deschutes.org/auditor

Audit committee:
Daryl Parrish, Chair – Public member
Phil Anderson – Public member
Jodi Burch – Public member
Joe Healy – Public member
Summer Sears – Public member
Kristin Toney – Public member
Patti Adair, County Commissioner
Charles Fadeley, Justice of the Peace
Lee Randall, Facilities Director
If you would like to receive future reports and information from Internal Audit or
know someone else who might like to receive our updates, sign up at
http://bit.ly/DCInternalAudit.