• General computer controls – security planning and management, access controls, application software development and change control, operating system software, segregation of duties, and service continuity.
• Application controls – data input, processing, and output.
• Application development – request, requirements, planning, design, development, and testing.

Additionally, we perform continuous auditing using CAATs (Computer Assisted Audit Techniques).  We utilize a proprietary, state-of-the-art and industry recognized software product to help us analyze patterns and exceptions in the County's financial data.

• County Accounting Manual No. S-1
• COBIT (Control Objectives for Information and Related Technology) by the AICPA
• SysTrust by the AICPA
• FISCAM (Federal Information Systems Controls Audit Manual) by the GAO
• Industry best practices

The Internal Audit Department has prepared an IT self-assessment form.  We encourage County Departments' use of the form to help ensure an adequate control system exists in their IT environment.  If you are with a County Department and would like to request a copy, please contact us at 714.834.5475.

• Activate the operating system screen saver password feature and lockout your workstation when leaving it unattended.
• Do not open e-mails and attachments from senders you do not recognize.
• Comply with software licensing for all applications and do not violate copyright laws (e.g., for software, music, video).
• Use strong passwords for your user accounts and do not share passwords with anyone or write passwords down.
  
  
  • Do not include all or part of your user ID in your password.
  • Use at least seven characters in your password.
  • Use at least three of the following four groups: upper and lower case characters, numbers, and special characters (!,@,#,etc.).

• Enable virus scanning software on all workstations and servers and ensure software patches and virus updates are installed on a regular basis.
• Assign access using the least privilege principle and only grant access on a need to know and right to know basis.
• Ensure key applications have end-user and I/T support documentation.
• Perform a risk analysis of I/T operations and be familiar with data sensitivity and impact of a security breach.
• Update business continuity plans and ensure staff are familiar with disaster work-around procedures.
• Document development, testing, and approval of all application changes.
• Set operating and application security settings based upon the risks associated with the data you control.
  
  
  • Enforce password history, maximum & minimum password age, and minimum password length.
  • Set an appropriate account lockout duration & threshold and reset period.
  • Enable system event auditing and frequently review system logs.