Information Technology (IT)

What We Do

The Internal Audit Department provides a variety of information technology services to County departments and agencies including audits and reviews of:

  • General computer controls – security planning and management, access controls, application software development and change control, operating system software, segregation of duties, and service continuity.
  • Application controls – data input, processing, and output.
  • Application development – request, requirements, planning, design, development, and testing.

Additionally, we perform continuous auditing using CAATs (Computer Assisted Audit Techniques). We use a proprietary, state-of-the-art, industry-recognized software product to help us analyze patterns and exceptions in the County's financial data.

IT Standards & Criteria

Criteria used in evaluating information technology applications and procedures are derived from:

  • County Accounting Manual No. S-1
  • COBIT (Control Objectives for Information and Related Technology) by the AICPA
  • SysTrust by the AICPA
  • FISCAM (Federal Information Systems Controls Audit Manual) by the GAO
  • Industry best practices

IT Self-Assessment

The Internal Audit Department has prepared an IT self-assessment form. We encourage County Departments' use of the form to help ensure an adequate control system exists in their IT environment. If you are with a County Department and would like to request a copy, please contact us at 714.834.5475.

Security & Compliance

As an employee of the County of Orange, you can help keep our technology infrastructure secure and compliant.

  • Activate the operating system screen saver password feature and lock your workstation when leaving it unattended.
  • Do not open e-mails and attachments from senders you do not recognize.
  • Comply with software licensing for all applications and do not violate copyright laws (e.g., for software, music, video).
  • Use strong passwords for your user accounts and do not share passwords with anyone or write passwords down.
    • Do not include all or part of your user ID in your password.
    • Use at least seven characters in your password.
    • Use at least three of the following four groups: uppercase characters, lowercase characters, numbers, and special characters (!, @, #, etc.).
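
The three password rules above expressed as a check, as an added example that is not part of the original page or any County tooling. The page does not define what counts as "part" of a user ID, so the three-character threshold is an assumption, as are all function and constant names and the use of ASCII punctuation as the "special" group.

```python
import string

MIN_LENGTH = 7        # "at least seven characters" (from the page)
MIN_GROUPS = 3        # "at least three of the following four groups" (from the page)
MIN_ID_FRAGMENT = 3   # ASSUMPTION: the page does not define "part" of a user ID


def character_groups(password):
    """Return the set of character groups present in the password."""
    groups = set()
    for ch in password:
        if ch.isupper():
            groups.add("upper")
        elif ch.islower():
            groups.add("lower")
        elif ch.isdigit():
            groups.add("number")
        elif ch in string.punctuation:  # ASSUMPTION: "special" means ASCII punctuation
            groups.add("special")
    return groups


def contains_id_fragment(user_id, password, min_len=MIN_ID_FRAGMENT):
    """True if any run of min_len consecutive user-ID characters is in the password."""
    uid, pwd = user_id.casefold(), password.casefold()
    if len(uid) < min_len:  # very short IDs are only matched whole
        return bool(uid) and uid in pwd
    return any(uid[i:i + min_len] in pwd for i in range(len(uid) - min_len + 1))


def check_password(user_id, password):
    """Return the list of violated rules; an empty list means the password passes."""
    violations = []
    if contains_id_fragment(user_id, password):
        violations.append("contains_user_id")
    if len(password) < MIN_LENGTH:
        violations.append("too_short")
    if len(character_groups(password)) < MIN_GROUPS:
        violations.append("too_few_groups")
    return violations


# Constructed sample (user ID, password) pairs, for illustration only.
SAMPLES = [("jsmith", "Jsmith2024!"), ("jsmith", "Ab1!xy"),
           ("jsmith", "correcthorse"), ("jsmith", "Tr33-house")]

if __name__ == "__main__":
    for uid, pwd in SAMPLES:
        print(uid, check_password(uid, pwd) or "ok")
```
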

IT managers and administrators should facilitate sound IT practices:

  • Enable virus scanning software on all workstations and servers and ensure software patches and virus updates are installed on a regular basis.
  • Assign access using the least privilege principle and only grant access on a need-to-know and right-to-know basis.
  • Ensure key applications have end-user and IT support documentation.
  • Perform a risk analysis of IT operations and be familiar with data sensitivity and the impact of a security breach.
  • Update business continuity plans and ensure staff are familiar with disaster work-around procedures.
  • Document development, testing, and approval of all application changes.
  • Set operating and application security settings based upon the risks associated with the data you control.
    • Enforce password history, maximum & minimum password age, and minimum password length.
    • Set an appropriate account lockout duration & threshold and reset period.
    • Enable system event auditing and frequently review system logs.