Custom Developed Software
Published May 13, 2024
The 2022 cybersecurity audit provided a high-level assessment of software security but didn't specifically assess custom-developed software. Because the County alone is responsible for the security, maintenance, and accuracy of custom-developed software, the risk is higher than with commercially available alternatives. This audit was conducted to assess the effectiveness of Deschutes County's custom-developed software processes and governance structures. The audit aimed to identify areas of improvement and provide recommendations for enhancing software development, maintenance, and management practices.
What was found:
Deschutes County operates under a decentralized information technology structure that has expanded significantly over the past decade. As a result, more information technology staff are now in other departments and elected offices rather than the County Central Information Technology Department. Some of these non-Central information technology personnel possess software development expertise and have contributed to the creation of important applications.
However, the County's governance structure has not evolved to adequately address the growing diversification of development efforts. As a result, there is limited documentation and oversight of custom-developed software projects.
To address these challenges, Deschutes County must strengthen governance, documentation, and oversight processes for custom-developed software. By doing so, the County can mitigate risks, improve efficiency, and align with industry best practices and standards.
What was recommended:
We recommended that the Central Information Technology Department:
- Develop and implement policies encompassing the entire software development life cycle.
- Establish an advisory body to develop a software selection process.
- Continue efforts to provide data to decision makers on cost, benefits, and risks.
By aligning with industry standards and best practices, Deschutes County can enhance the quality of its software, mitigate risks, and better serve its communities. This involves focusing on practical steps to improve the current environment and ensure that custom-developed software continues to meet the needs of both users and the organization as a whole.
Audit Report
Follow-Up Reports
Scheduled for 2025.
Recommendation Status
Of the 13 recommendations:
RESOLVED: 0
Recommendations have been fully implemented. Auditor will no longer monitor.
IN PROCESS: 13
Recommendations are in progress. Auditor will continue to monitor.
ACCEPTED RISK: 0
Management accepted the risk of not implementing the recommendation.