SUBJECT: DEVELOPMENT OF FINANCIAL COMPUTER SYSTEMS
DEPARTMENTS & DISTRICTS AFFECTED: ALL AGENCIES, DEPARTMENTS, AND DISTRICTS GOVERNED BY THE BOARD OF SUPERVISORS
At the beginning of a financial information system development, the owner of the system (County department) is required to (1) notify the Auditor-Controller and Internal Audit Department and (2) ensure adequate internal controls are present in the system.
Notifications - To prescribe the appropriate notifications when implementing a financial information system.
Internal Controls - To designate the responsibility for ensuring financial information systems include appropriate internal controls.
Board of Supervisors' Resolutions No. 82-162, dated February 2, 1982, and 85-337, dated March 12, 1985.
Development - Creation of, purchase of, implementation of, substantial modification or changes to, or upgrade of a computer system.
Financial Information System - Any computer system which includes but is not necessarily limited to the recording and processing of fines, fees, invoices, collections, receivables, cost applications and other revenue or expenses.
Internal Controls - A process, effected by the management and other personnel of a department, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
Safeguarding of assets.
Effectiveness and efficiency of operations.
Reliability of financial reporting.
Compliance with applicable laws, regulations, and contracts.
Internal controls should assist in ensuring that accurate data is produced, sensitive information is protected, the system is available and maintainable, and all operations are performed as directed by management.
Notification - A formal memo as prescribed, signed by the department head.
Required Memo for Notification of Financial System Development Projects. See Exhibit I.
Departments are required to notify the Auditor-Controller and the Internal Audit Department during the planning phase (at the beginning of the system development lifecycle) for a new or upgraded financial information system. First, the department will determine with the Auditor-Controller whether the new system or upgrade will interface with any of the Auditor-Controller's systems. Then, the department will send written notification as follows:
Financial Systems that DO Interface with any Auditor-Controller System - The department must: (1) contact the Auditor-Controller's Information Technology Division to help coordinate system requirements, design specifications and testing, and (2) notify the Internal Audit Department in writing, providing a brief description of the system to be implemented or upgraded including the project's scope and objectives, preliminary cost estimates, projected timelines, and internal control responsibility.
Financial Systems that DO NOT Interface with any Auditor-Controller System - The department must notify the Internal Audit Department in writing, providing a brief description of the system to be implemented or upgraded including the project's scope and objectives, preliminary cost estimates, projected timelines, and internal control responsibility.
Internal Audit Department Review - Upon notification from the department, the Internal Audit Department will determine whether or not to review the new system or upgrade. Available audit resources and technical expertise will be considered. The Internal Audit Department will notify the department in writing whether or not a review will be performed. The review could include an on-site review of the system or a desk review of pertinent documents. After the Internal Audit Department's review is completed, it will issue a letter to the department describing the results of its review.
Departmental Responsibility for System Controls - Neither the Internal Audit Department nor the Auditor-Controller has the resources or charter to provide project management or ensure all necessary controls are designed and embedded in the new system or upgrade.
The responsibility for designing and ensuring a financial information system has appropriate internal controls and that such controls are properly maintained, rests solely with the management of the department responsible for the financial information system. Internal controls for a financial information system should address, at a minimum, the following areas:
Information Security - The financial information system should ensure the logical use of I/T resources is restricted by adequate identification, authentication, and access controls that link users and resources with access rules.
Audit Trails - The financial information system should be designed so that documentation exists to follow a transaction from its initiation to its conclusion (and vice versa), as well as identify what changes have been made, when, and by whom.
Segregation of Duties - The financial information system should have system controls that prevent the same user from authorizing, processing, recording/inputting, or reviewing/verifying/reconciling a transaction.
Documentation - The financial information system should include user procedure manuals, operations manuals, and training materials.
Internal Control Information Sources - Management should consider consulting professional/authoritative internal control sources for guidance, including: