CA Audit Seal.jpg

August 24, 2023

The California State Auditor's Updated Assessment of Issues and Agencies That Pose a High Risk to the State.

http://bsa.ca.gov/reports/2023-601/index.html

State High-Risk Audit Program​

The California State Auditor’s Updated Assessment of Issues and Agencies That Pose a High Risk to the State

August 24, 2023
2023-601

The Governor of California
President pro Tempore of the Senate
Speaker of the Assembly
State Capitol
Sacramento, California 95814

Dear Governor and Legislative Leaders:

As required by Government Code section 8546.5, my office presents this report about statewide issues and state agencies that represent a high risk to the State or its residents. Our work to identify and address such high-risk statewide issues and agencies aims to enhance efficiency and effectiveness by focusing the State’s resources on improving the delivery of services related to important programs or functions.

We describe in this report four high-risk statewide issues that include aspects of state management of COVID-19 federal funds, state management of financial reporting and accountability, information security, and water infrastructure. We also conclude that three state agencies meet our criteria to be designated as high-risk: the Employment Development Department, the California Department of Technology, and the Department of Health Care Services. Finally, we have removed from our state high-risk list higher education, the California State Teachers’ Retirement System, other postemployment benefits, the California Department of Public Health, transportation infrastructure, and the California Department of Corrections and Rehabilitation. We have based these decisions on factors including changes in circumstances and the significant progress that the State has made toward mitigating various risk factors.

We will continue to monitor the risks we have identified in this report and the actions the State takes to address them. When the State’s actions result in significant progress toward resolving or mitigating such risks, we will remove the high-risk designation based on our professional judgment.

Respectfully submitted,

GRANT PARKS
California State Auditor






Selected Abbreviations Used in This Report​

ACFRAnnual Comprehensive Financial Report
CalPERSCalifornia Public Employees’ Retirement System
CalSTRSCalifornia State Teachers’ Retirement System
CCCCalifornia Community Colleges
CDCRCalifornia Department of Corrections and Rehabilitation
CDTCalifornia Department of Technology
CSUCalifornia State University
DHCSDepartment of Health Care Services
DOLDepartment of Labor
EDDEmployment Development Department
ITinformation technology
MHSAMental Health Services Act
OIGOffice of the Inspector General
OPEBother postemployment benefits
PALProject Approval Lifecycle
UCUniversity of California
UIUnemployment insurance

State High-Risk Audit Program The California State Auditor’s Updated Assessment of Issues and Agencies That Pose a High Risk to the State

View attachment 7

CONTENTS​

HIGH-RISK ISSUE OR AGENCYRESPONSIBLE AGENCYREPORT SECTIONON LIST SINCE
Introduction
New High-Risk Agency
Employment Development DepartmentEmployment Development DepartmentEDD Is High-Risk Because of Inadequate Fraud Prevention and Claimant Service, as Well as a High Rate of Overturned Eligibility Decisions in Its Unemployment Insurance Program2023
Retained on High-Risk List
State Management of COVID‑19 Federal FundsVarious AgenciesThe State’s Management of COVID‑19 Federal Funds Continues to Be a High-Risk Issue2020
State Financial Reporting and AccountabilityDepartment of FI$Cal and Various AgenciesLate Financial Reporting Continues to Increase Risk to the State2020
Information SecurityCalifornia Department of Technology and Various AgenciesThe State’s Information Security Remains a High-Risk Issue2013
Information Technology OversightCalifornia Department of TechnologyCDT Has Not Made Sufficient Progress in Its Oversight of State Information Technology Projects2007
Water Infrastructure and AvailabilityDepartment of Water Resources and the Governor’s Office of Emergency ServicesClimate Change and Aging Water Infrastructure Threaten California’s Water Supply and Public Safety2018
Department of Health Care ServicesDepartment of Health Care ServicesHealth Care Services Has Not Adequately Addressed Issues With Medi-Cal Eligibility, But It Has Made Improvements to Its MHSA Oversight2007
Removed From High-Risk List
Higher EducationCalifornia State University and University of CaliforniaCSU and UC Have Made Efforts to Control Tuition and Fees in the Past Decade2013
California State Teacher’s Retirement SystemCalifornia State Teacher’s Retirement SystemCalSTRS Has Implemented Corrective Action to Decrease the Risk Posed by Its Unfunded Liability2011
Other Postemployment BenefitsDepartment of Finance, California Department of Human Resources, and California Public Employees’ Retirement SystemThe State Is Addressing Its OPEB Liabilities2007
California Department of Public HealthCalifornia Department of Public HealthPublic Health Has Made Sufficient Progress in Implementing Outstanding Recommendations2007
Transportation InfrastructureCalifornia Department of Transportation and California Transportation CommissionThe State Has Made Sufficient Progress in Improving Its Transportation Infrastructure2007
California Department of Corrections and RehabilitationCalifornia Department of Corrections and RehabilitationCDCR Is Making Progress in Improving Its Health Care Delivery2007
Responses to the Audit
California Governor’s Office of Emergency Services (CalOES)
California State Auditor’s Comment on the Response From CalOES
California State Transportation Agency (CalSTA)
California Department of Public Health (Public Health)
California Department of Technology (CDT)
California State Auditor’s Comments on the Response From CDT
Department of Health Care Services (DHCS)
California Natural Resources Agency
The California State University Office of the Chancellor
California Employment Development Department (EDD)
California State Auditor’s Comments on the Response From EDD
Financial Information System for California (FI$Cal)
California State Auditor’s Comment on the Response From FI$Cal
Department of Finance (Finance)
California State Auditor’s Comments on the Response From Finance

Intro

INTRODUCTION:​

Background​

State law authorizes the California State Auditor (State Auditor) to develop a state high-risk government agency audit program (high‑risk program). Our office implemented this program to improve the operation of state government by identifying, auditing, and recommending improvements to state agencies and statewide issues at high risk for waste, fraud, abuse, or mismanagement or for having major challenges associated with their economy, efficiency, or effectiveness. In accordance with this statutory authority, the State Auditor adopted regulations in 2016 that further define the high-risk program. These regulations provide the criteria we used in determining the list of state high-risk agencies and statewide issues we present in this report.

Criteria for Determining Whether a State Agency or Statewide Issue Merits a High‑Risk Designation​

State regulations outline the conditions under which an agency or issue may be added to the State Auditor’s high-risk list. All four of the following conditions must be present for us to assign the high‑risk designation:
  • Potential waste, fraud, abuse, or mismanagement or impaired economy, efficiency, or effectiveness that may result in serious detriment to the State or its residents.
  • The likelihood of waste, fraud, abuse, or mismanagement or the likelihood of impaired economy, efficiency, or effectiveness causing harm is so great that this likelihood constitutes a substantial risk of detriment to the State or its residents. 1
  • The state agencies that are affected by or responsible for resolving the waste, fraud, abuse, or mismanagement or the impaired economy, efficiency, or effectiveness are not taking adequate corrective actions to prevent the risk or its effects.
  • An audit and the agencies’ implementation of the resulting recommendations may significantly reduce the substantial risk of serious detriment to the State or its residents.
When assessing both state agencies and statewide issues, we consider a number of factors to determine whether there is substantial risk to the State or its residents. We consider whether the risks are already causing detriment, whether those risks are increasing, and whether changes in circumstances are likely to cause detriment. We also consider various factors to determine whether the risks may have serious effects, such as loss of life, injury, or a reduction in residents’ overall health or safety; impairment of the delivery of government services; significant reduction in the overall effectiveness or efficiency of state government programs; and infringement on citizens’ rights. Finally, in evaluating whether agencies have taken adequate measures to correct previously identified deficiencies, or whether the State has taken measures to reduce the risks posed by the issues, we consider factors such as whether the agencies have demonstrated a strong commitment to controlling or eliminating the risk and whether they have made significant progress through action already taken to control or eliminate the risk to the State. In all cases, our professional staff make the final determination of risk level according to their independent and objective judgment.

Removal of High-Risk Designation​

We remove the high-risk designation under any of the following circumstances:
  • A change in circumstances has resulted in the risk no longer presenting the potential for serious detriment to the State or its residents.
  • The agency has taken sufficient corrective action to prevent or mitigate the risk of harm.
  • The risk presented by the agency or issue is not likely to be reduced by performing additional audit work.
State regulations require us to use our professional judgment to determine whether to remove a high-risk designation. When we remove the high-risk designation for one of the reasons described above, we continue to monitor the issue or agency and, if the risk reoccurs, we will consider reinstating the high-risk designation according to the factors described earlier.

State High-Risk Reports​

Government Code section 8546.5 authorizes the State Auditor to audit and to publish audit reports on any state agency that it identifies as high-risk. In May 2007, we issued Report 2006‑601, which provided an initial list of high-risk state agencies and statewide issues. We have since issued several reports updating the list of those agencies and issues that are high-risk. Further, we include on our website a list of all audits that we are performing, including those of high-risk state agencies and statewide issues.
To update our assessment of high-risk state agencies and statewide issues, we interviewed knowledgeable staff at the responsible state agencies to gain perspective on the extent of the risks the State faces. We also reviewed the efforts that staff at the agencies said were underway and were intended to mitigate the identified risks. In addition, we reviewed reports and other documentation relevant to the issues. Finally, we conferred with agencies and interested parties, such as the Department of Finance, the Legislative Analyst’s office, and the Public Policy Institute of California. Each of the entities we conferred with provided its perspective on high-risk areas facing the State.



NEW HIGH RISK AGENCY:

EDD IS HIGH-RISK BECAUSE OF INADEQUATE FRAUD PREVENTION AND CLAIMANT SERVICE, AS WELL AS A HIGH RATE OF OVERTURNED ELIGIBILITY DECISIONS IN ITS UNEMPLOYMENT INSURANCE PROGRAM​

Background​

The Employment Development Department (EDD) provides billions of dollars in partial wage replacement benefits each year to Californians who need and seek such benefits (claimants). One of EDD’s primary responsibilities is its administration of the unemployment insurance (UI) program. Funded by taxes on employers, the UI program provides temporary financial assistance to unemployed workers who meet specific eligibility requirements, including those workers who were affected by the COVID-19 pandemic.
Beginning in March 2020, a surge in pandemic-related unemployment claims increased EDD’s UI workloads and resulted in changes to federal UI benefit programs, both of which created a greater risk of fraud. In Report 2020-628.2, January 2021, we explained that EDD’s fraud prevention approach during the pandemic was marked by significant missteps and inaction that led to billions of dollars in unemployment benefit payments that EDD later determined may have been fraudulent. Further, we also reported that EDD has been unable to accurately quantify its inappropriate UI payments, contributing to the delayed publication of California’s financial statements for the two most recently published fiscal years and to modified audit opinions on those statements. 2
Moreover, as we described in Report 2020‑128/628.1, January 2021, EDD did not prepare for an economic downturn despite multiple warnings, a key example of which is EDD’s slow efforts to improve its UI call center and overall claimant experience. Because the department did not address longstanding problems with the efficiency of its UI customer service, including its call center, EDD was unable to answer claimant questions and process claims in a timely and accurate manner during the pandemic.

Assessment​

EDD is a high-risk agency because of its mismanagement of the UI program. Specifically, EDD is unable to reliably estimate improper payments under the UI program, thus adversly affecting the State’s financial statements as well as impairing efforts to independently evaluate the efficacy of EDD’s own fraud prevention activities. Further, EDD needs to improve customer service to unemployment insurance claimants, while also taking steps to ensure its eligibility decisions are not frequently overturned on appeal. EDD’s mismanagement of the UI program has resulted in a substantial risk of serious detriment to the State and its residents. A high-risk audit may result in recommendations that could substantially reduce the risks we have identified.

Substantial Fraud Risk Exists in EDD’s UI Program​

EDD’s administration of the UI program has resulted in the substantial risk of serious detriment 3 to the State and its residents. In addition to providing temporary wage replacement to unemployed workers, the UI program helps maintain the stability of the state economy during economic downturns. Despite the program’s critical importance, EDD’s management of the UI program has been characterized by significant internal control weaknesses. For example, the program did not block addresses used to file unusually high numbers of claims, and it removed a safeguard preventing payment to individuals who had unconfirmed identities. These inadequate internal controls did not prevent potential fraud during fiscal years 2019–20 and 2020–21 and allowed the payments of potentially fraudulent claims, estimated at tens of billions of dollars, most of which have yet to be recovered.
Contributing to this serious detriment, EDD’s inadequate identification of potentially fraudulent UI benefit payments was also a significant factor leading to modified audit opinions and the delayed publication of California’s Annual Comprehensive Financial Report (ACFR) for fiscal years 2019–20 and 2020–21, which the State Controller published in February 2022 and March 2023, respectively. Further, our contractor responsible for conducting the federal compliance component of the Single Audit found areas of material weakness and noncompliance in EDD’s administration of the UI program during the pandemic, which led the contractor to issue an adverse opinion in the State’s fiscal year 2020–21 Federal Compliance Audit, published in April 2023, indicating that the State did not comply in all material respects with specific program requirements that could have a direct and material effect on the program. The delayed publication of the ACFRs and related audit opinions substantially delayed the public’s ability to gain an understanding of California’s financial position. The impacts on the State’s financial reporting could also be a contributing factor toward any potential decision to lower the State’s credit rating. We discuss our additional concerns about late financial reporting that may adversely affect the State’s credit rating.
EDD has not taken adequate corrective action to prevent the substantial risk of serious detriment to the State and its residents. Corrective action is adequate when it prevents a risk—such as the risk of fraud—from presenting a substantial risk of serious detriment. Because the potentially fraudulent payments have already occurred, have not been fully identified, and have largely not been recovered, EDD’s corrective action is not adequate. Nevertheless, EDD deserves credit for taking some steps to strengthen its internal controls, such as partnering with vendors and data scientists to identify potentially fraudulent claims and to refer those cases to law enforcement agencies for further investigation and potential criminal prosecution, but significant work remains. For example, EDD cannot effectively measure its progress at addressing potentially fraudulent payments because it is unable to accurately determine how many improper payments it has made. We noted this issue in Report 2021-001.1, March 2023, the report that reviewed internal controls and compliance. In fact, we found that EDD’s estimate of potentially fraudulent payments omitted certain payments to claimants who made false statements to obtain benefits and also incorrectly included valid claims for benefits. EDD has established a process to pursue recovery of ineligible payments, but until it identifies all inappropriate transactions, it cannot effectively manage that process or allocate appropriate resources to pursuing recovery. Thus EDD’s current corrective action remains insufficient and is a contributing element to our designation of the agency as high‑risk.

EDD Has Not Provided California Residents With Sufficient Customer Service, Resulting in Significant Challenges to Obtaining UI Benefits​

Like the fraud risk noted above, EDD’s handling of other components of the UI program also presents a substantial risk of significant detriment to Californians. EDD has faced longstanding efficiency problems in providing customer service to UI claimants. During the pandemic, millions of Californians were required to wait long periods to receive UI benefits or get answers to questions about their UI claims, and EDD continues to struggle to pay claimants in a timely manner. EDD’s customer service for the UI program has resulted in the impaired delivery of an important government service.
EDD has taken action to begin addressing customer service deficiencies in its UI program; however, those actions are not yet adequate. For example, as of April 2023, EDD had implemented many of our January 2021 recommendations and has since improved performance, but claimants still experience difficulties contacting EDD and being paid on time. Between January and May 2023 individuals called EDD on average between three and eight times a week trying to get help on their claims. In another example, according to statistics published by the U.S. Department of Labor (DOL), although EDD’s timeliness of first payment on a UI claim has improved since the worst of the COVID-19 pandemic, it does not yet meet DOL’s acceptable level of performance. Specifically, in the first six months of 2023, EDD paid between a high of 86 percent of claims and a low of 81 percent of claims within the time frame established by DOL, and it has not yet met DOL’s 87 percent acceptable level of performance. Consequently, these improvements are not sufficient to prevent the impaired efficiency and effectiveness of EDD’s UI program from presenting a substantial risk to California residents.

Many of EDD’s UI Eligibility Decisions Are Not Upheld on Appeal​

Apart from the potentially fraudulent UI payments that EDD made during the pandemic, which it has estimated to be in the tens of billions of dollars and which continue to affect the State’s financial reporting, EDD’s eligibility decisions are frequently overturned during appeal and have resulted in the substantial risk of serious detriment to California residents. Specifically, EDD’s improper decisions regarding UI benefits have required some UI claimants to face even longer delays than are typical. From 2017 through 2022, about half of the issues in UI claims that claimants appealed were ultimately overturned in favor of the claimant. This rate of overturned decisions is consistent with the high rate of overturned decisions we noted in Report 2014-101, August 2014. Although EDD wants to reduce the percentage of overturned appeals, it asserts that one of the reasons for the high rate of overturned decisions is that claimants can provide new information during their appeal that was not furnished to EDD during the claim filing process, leading many appeals to be decided in the claimants’ favor. Nevertheless, as of March 2023, California had the third highest reversal rate in the nation. These improper eligibility decisions can serve as unnecessary obstacles to claimants’ right to benefits and can result in a significant reduction in the overall effectiveness of the UI program. Thus they present a substantial risk of serious detriment to the State and its residents.
EDD has not taken adequate steps to prevent improper denials of UI benefits. Although EDD says that it is evaluating the UI appeals process in hopes of reducing the high rate of issues overturned on appeal, it has not taken sufficient action to address this problem, as evidenced by the fact that approximately half of the issues that claimants appealed between 2017 and 2022 were overturned, as was the case when we previously reported on this issue in August 2014. Thus, these actions are not sufficient to prevent the impaired efficiency and effectiveness of EDD’s UI program from presenting a substantial risk to California residents.

An Audit May Lead to Policy Changes That Significantly Reduce These Risks​

Additional audit work by the State Auditor may assist EDD in mitigating the risk presented by its handling of the UI program. In particular, a high-risk audit would provide independently developed and verified information regarding EDD’s management of the UI program and its challenges. A high-risk audit would also include analyses that serve as the basis for recommendations to assist EDD in resolving the risks presented by its management of the UI program. For example, an audit could evaluate EDD’s efforts to identify potentially fraudulent or improper UI claims, which would lead to recommendations on how to effectively address the associated payments and properly account for them in a timelier manner. A deeper examination of EDD’s UI claimant service and its high rate of denied UI claims overturned on appeal could result in recommendations on how to improve the UI claims process and how to reduce the high rate of denied UI claims overturned on appeal.
EDD's response, and State Auditor’s comments

RETAINED HIGH-RISK AGENCIES AND ISSUES: (Pg 1 of 2)

THE STATE’S MANAGEMENT OF COVID-19 FEDERAL FUNDS CONTINUES TO BE A HIGH-RISK ISSUE​

Background​

As part of its response to the COVID-19 pandemic, the federal government provided the State with nearly $290 billion in relief funds, portions of which must be obligated or spent by December 2024. The effective use of these funds required the State to allocate them to departments quickly and to expedite program changes, including eligibility updates. The State used COVID-19 funds to support programs related to vaccinations, unemployment benefits, housing assistance, and fiscal recovery. State departments received COVID-19 funds to operate more than 35 existing federal programs and to create new state programs, such as the HomeKey program, which provided temporary shelter to people experiencing homelessness or at risk of homelessness during the pandemic. One of the largest recipients of COVID-19 funds was EDD, which used a significant portion of the funds to provide unemployment benefits.

We initially designated the State’s management of federal funds related to COVID-19 as a high-risk statewide issue in August 2020. We based our initial assessment on the confluence of fiscal and programmatic changes that were critical to the State’s response to the pandemic. The State used COVID-19 funds in large part to support significant expansions of critical benefits for people experiencing unemployment, homelessness, and limited income. The rapid growth of programs providing these benefits posed a significant risk to the State and its residents. Specifically, inadequate outreach to people who needed the programs or the flawed execution of expansion efforts would create a risk that Californians would be left without medical care or money to pay for food and housing. Likewise, the swift creation of new programs by state departments posed risks because of the limited time available to implement sufficient internal controls and processes.

To assist in addressing these risks, we performed 11 state high-risk audits related to the management of COVID-19 funds. We found that state departments faced significant hurdles in using this influx of funding to meet the corresponding increase in responsibilities, such as the massive increase in the number of unemployment insurance claims requiring eligibility determinations and the rapid expansion of vendor oversight necessary for programs that provided pandemic-specific goods and services, like personal protective equipment. The scale and expeditious nature of the funding and its uses to provide services led to the high risk of inefficiencies and fraud occurring in programs supported by COVID-19 funds.

In total, our 11 prior state high-risk audits of COVID-19 fund management resulted in 85 recommendations to departments, of which 37 remain unimplemented. For example, our audit of the Board of State and Community Corrections (Board of Corrections) found that the Board of Corrections allocated funds to the California Department of Corrections and Rehabilitation without justification and that its allocation methodology did not consider important elements, such as the impact of the pandemic. The Board of Corrections also failed to make funding available to cities and tribes, even though it had originally committed to do so. We made 10 recommendations to the Board of Corrections in Report 2021-616, October 2021, but as of July 2023, it had only fully implemented three of our recommendations. We will continue to monitor the steps departments take to minimize the remaining risks related to their handling of COVID-19 funds.

Assessment​

The management of COVID-19 funds continues to represent a significant risk to the State and its residents and will therefore remain a high-risk issue. In the previous section, we described our concerns with EDD, one of the largest recipients of COVID-19 funds, which used a significant portion of the funds to provide unemployment benefits. Since our last high-risk assessment in August 2021, at least 14 state agencies have received $76 billion in additional federal COVID-19 funding. State agencies will continue to spend some of these funds through December 31, 2024. This influx of resources represents both a significant benefit and risk to the State, as represented by the extent of our previous findings on the management of federal COVID-19 funding and the status of unimplemented recommendations.

The State continues to spend federal COVID-19 funds, meaning circumstances have not significantly changed. Further, a number of recommendations from our previous reports have not yet been implemented. For instance, we recommended that various university campuses review the expenses they incurred in response to the pandemic and submit eligible expenses to the federal government for reimbursement. We also recommended that the Department of Housing and Community Development develop a strategy it can use in emergency situations to more efficiently complete or amend contracts, and make funding available to recipients. These recommendations have not been fully implemented. Moreover, additional audit work by the State Auditor could assist in mitigating the risks associated with the management of federal COVID-19 funds. As with our 11 previous state high-risk audits on COVID-19 fund management, additional audits of this issue could generate recommendations to ensure that such funds are spent prudently, within acceptable time frames, and in accordance with federal and state requirements. Consequently, we will retain this issue on the high-risk list.

Status: Retained on high-risk list​

EDD's response, Finance's response


LATE FINANCIAL REPORTING CONTINUES TO INCREASE RISK TO THE STATE​

Background​

The accuracy and timeliness of the State’s financial reporting is of vital importance to the State and its residents. A key method the State uses to provide fiscal oversight and transparency is the mandatory Annual Comprehensive Financial Report (ACFR) that the State Controller’s Office (State Controller) prepares. The ACFR is composed of financial statements from the State’s many departments and agencies, which collectively represent the financial position of the State. The report, which includes the State Auditor’s annual opinion of its accuracy, provides an important resource for stakeholders, such as the State’s creditors, to use when making decisions about the State’s ability to borrow money affordably. Further, billions of dollars in federal grants are contingent on the State’s timely filing of the ACFR for federal review.

To support its financial reporting needs, the State has focused significant effort on modernizing its financial management infrastructure through the implementation of a project known as the Financial Information System for California (FI$Cal). The scope, schedule, and budget of this nearly $1 billion information technology (IT) project has undergone numerous revisions since it began in 2005. However, despite nearly two decades of continued effort, many state entities have historically struggled to use the system to submit timely data for the ACFR.

In Report 2019-601, January 2020, the State Auditor added to the state high-risk list the State’s inability to produce timely financial reports during the transition to FI$Cal. At the time, we noted that since fiscal year 2017–18, the State had issued financial statements late, which could affect the State’s credit rating. The COVID-19 pandemic also created new financial complexities that affected the State’s financial reporting, such as the increased pandemic-related spending by the Employment Development Department (EDD) and its Unemployment Insurance fund. In Report 2021-601, August 2021, our assessment of high-risk issues to the State, we noted that the State Controller continued to issue the ACFR late.

Assessment​

The State has not made sufficient progress in addressing late financial reporting; therefore, this issue will remain on the state high-risk list. The State Controller issued the State’s financial statements for fiscal year 2020–21 later than in previous years—twelve months after its traditional deadline and six months after a general extension on financial reporting that the federal government provided because of the pandemic. Further, the State’s financial reporting for fiscal year 2021–22 is already past due. This continued trend of late reporting reduces the efficiency and effectiveness of the State’s financial oversight. The State’s late financial reporting could also negatively affect its credit rating, which could increase the cost associated with borrowing. According to the State Treasurer, the State borrowed $5.6 billion in general obligation bonds in fiscal years 2021–22. Thus, even a small increase in the interest rate, as might happen with a downgraded bond rating, could cost the State millions annually in increased borrowing costs.

In addition to late financial reporting, the State is experiencing a decline in expected revenue. Although its financial reports in fiscal years 2017–18 through 2020–21 reported general fund surpluses, the Governor’s fiscal year 2023–24 budget had to address a budget shortfall of approximately $31.7 billion. Combining late financial reporting with a diminished financial outlook increases the risk that credit agencies will downgrade the State’s credit rating.

The State has made some limited progress in addressing underlying issues that have contributed to its late financial reporting but not enough progress to warrant removing the issue from the high-risk list. As we noted when we designated the State’s financial reporting as high-risk in January 2020, the transition to FI$Cal has been a key component in financial reporting delays. As of 2023, 152 of 162 state departments are now using the FI$Cal system for their financial reporting, with an additional two departments—the California Department of Technology and the Department of Rehabilitation—currently undergoing a two-year transition. Some departments are doing a better job of submitting their financial statements to the State Controller in a timely manner. For fiscal year 2021–22, departments filed year‑end financial statements within 30 days of the deadline for 1,400 funds, or about 80 percent of all the State’s funds. 4

However, as we noted in our internal control and compliance audit Report 2021‑001.1, March 2023, six large departments of material importance to the State’s overall financial reporting did not perform monthly reconciliations of their accounts to the records of the State Controller in a timely manner during fiscal year 2020–21. Moreover, similar to the previous two fiscal years, the Department of Health Care Services (DHCS) did not fully reconcile its banking activity using FI$Cal before submitting its fiscal year 2020–21 financial reports to the State Controller. In fact, DHCS reported encountering significant challenges during its financial reporting, including that its procedures for completing bank reconciliations to FI$Cal were still under development.

The State Controller echoed these concerns in the fiscal year 2020–21 ACFR, published in March 2023, which noted that the transition to FI$Cal has affected financial reporting for several years but also included steps that the Controller is taking to improve financial reporting. The State Controller reported that it is collaborating with other state agencies to understand the root causes of delays and to develop mitigation strategies. The State Controller also explained that its own transition to the FI$Cal system remains underway and that its completion will lead to measurable advancements in financial reporting. Even so, an approved budget change proposal the State Controller submitted in January 2023 indicates that it anticipates only minimal annual improvements to its reporting timeline of between one and two months earlier each fiscal year. However, as of June 2023, the State Controller has indicated that it will seek to move the issuance date of the ACFR closer to its traditional deadline by three months for its reporting on fiscal year 2021–22.

The State has not made sufficient progress in resolving the problem of its late financial reporting to justify our removing this issue from the high-risk list. Financial reporting remains late, meaning there is no change in circumstances, and the State’s planned corrective actions are still in process. Moreover, state law requires the State Auditor to evaluate both the State Controller’s and the Department of FI$Cal’s efforts to implement the system. The result of this statutory audit work will likely further inform our future designations of this issue as an area of high risk.

Status: Retained on high-risk list​

FI$Cal's response, Finance's response, State Auditor's comments to FI$Cal, and State Auditor's comments to Finance


THE STATE’S INFORMATION SECURITY REMAINS A HIGH-RISK ISSUE​

Background​

Information security is the protection of the confidentiality, integrity, and availability of the State’s information assets, including data, processing capabilities, and information technology (IT) infrastructure. State law generally requires state entities that are under the Governor’s direct authority (reporting entities) to comply with the information security practices that the California Department of Technology (CDT) prescribes and to report annually to CDT on compliance with these practices. However, state law exempts entities that fall outside of the Governor’s direct authority (nonreporting entities), such as constitutional offices and those in the judicial branch, from following CDT policies and procedures.

We first identified information security as a high-risk issue in Report 2013-601, September 2013, when we concluded that CDT was performing limited reviews of the security controls that reporting entities had implemented. In a subsequent high-risk audit, Report 2015-611, August 2015, we noted that many reporting entities had poor controls over their information systems. In our state high-risk assessment, Report 2017-601, January 2018, we reported that CDT had made improvements to its oversight but that reporting entities still showed significant room for improvement. Finally, in Report 2021-601, August 2021, we reported that a federally‑sponsored nationwide security review noted that state entities in California self-reported ratings below the federally recommended minimum level.

Report 2022-114, April 2023, reiterated many of our previous concerns with the State’s information security. Our audit found weaknesses in CDT’s strategic planning, oversight of information security and IT projects, and that CDT has not ensured that the State’s IT systems are adequately protected from cyberattacks. This inadequate protection has the potential to compromise individuals’ identities, shut down critical government functions, and cost the State millions of dollars to remedy.

Assessment​

CDT has not sufficiently improved its oversight of information security to mitigate the risks we have identified; therefore, this issue will remain on the state high-risk list. CDT is responsible for providing direction for the State’s information security efforts and for reviewing the security of reporting entities. However, CDT has yet to determine the effectiveness of cybersecurity programs for all of the entities for which it has oversight responsibility. To determine the effectiveness of information security for reporting entities at higher risk, CDT relies on a four-year oversight lifecycle. This process generally includes a compliance audit, a follow-up review, and two technical assessments. However, as we said in Report 2022-114, April 2023, CDT has the capacity to complete only 13 compliance audits each year, which equates to only 52 reviews of reporting entities during a four-year cycle, or not quite half of the 107 reporting entities for which it is responsible.

To prioritize its compliance audits, CDT uses a risk-based methodology to determine the 52 entities it has the capacity to audit. However, we are concerned about CDT’s limited capacity. Our previous audits have recommended that CDT increase its capacity to conduct its IT audits by hiring more staff or contracting for additional audit support. In March 2023, the Legislative Analyst’s Office raised a similar concern about limited capacity, noting that resolving staffing-related issues in information security is important if state entities are to improve their information security compliance and maturity. However, CDT explained that it does not have any immediate plans to hire additional staff or contractors. Instead, CDT reports that it hopes to find increased efficiencies through a new IT system, which does not currently exist, that would allow CDT to more efficiently conduct its audits.

In addition, most nonreporting entities are also lagging behind in information security. We evaluated nonreporting entities’ compliance with their selected security standards in 2021. As Figure 1 illustrates, we surveyed 32 nonreporting entities for Report 2021-601, August 2021, and found that although 29 had adopted information security frameworks or standards, only four reported achieving full compliance.

Legislation that went into effect in January 2023 implemented our recommendation to improve the security of nonreporting entities. Nonreporting entities are now required to perform a comprehensive, independent security assessment every two years and to certify their compliance with certain security requirements annually. We will continue to monitor reporting and nonreporting entities’ efforts to improve their security; however, information security continues to present a significant risk to the State.

Figure 1​

In 2021 Most Nonreporting Entities Stated That They Were Only Partially Compliant With Their Selected Security Standards​


A pie chart shows 32 nonreporting entities by their compliance status. Most entities reported they are partially compliant.


Source: Analysis of survey responses, Report 2021-601, August 2021.

Figure 1 description:​

A pie chart shows 32 nonreporting entities by their compliance status with their selected security standards. The chart shows that three entities reported having not adopted framework or standards, 19 entities reported partially complying, and four entities reported having fully complied with all of their selected security standards.
Vulnerabilities in the State’s information security practices can have costly effects on the efficiency and effectiveness of State programs and can affect the privacy of Californians’ data. For example, in December 2022, the Department of Finance fell victim to a cyberattack that was widely reported in the media. In 2021 an employee at the State Controller’s Office unknowingly interacted with a malicious link that appeared to come from a trusted source, thereby providing a hacker with such confidential information as the names, Social Security numbers, and birth dates of state employees. Further, in 2023 data maintained by a CalPERS and CalSTRS contractor was breached, resulting in unauthorized access to confidential information related to retirees and their family members. It is likely that attempts against governmental information assets will only increase in the future. CDT has reported that in the wake of the pandemic, the cybersecurity threat nearly quadrupled in the sophistication of attacks by nation-state adversaries and criminal organizations.

Because cybersecurity threats are significant and oversight of state departments and agencies remains inadequate, we will retain this issue on the high-risk list. The State continues to need improvements in its cybersecurity practices, and although state entities are giving increasing attention to cybersecurity, they have not substantially mitigated the ongoing risk from inadequate information security technology practices. Finally, additional audit work by the State Auditor could assist in mitigating the risk presented by this issue area. For example, the State Auditor could continue to audit CDT and other entities as necessary to determine their compliance with state law and best practices related to cybersecurity.

Status: Retained on the high-risk list​

INTRODUCTION:

Background​

State law authorizes the California State Auditor (State Auditor) to develop a state high-risk government agency audit program (high‑risk program). Our office implemented this program to improve the operation of state government by identifying, auditing, and recommending improvements to state agencies and statewide issues at high risk for waste, fraud, abuse, or mismanagement or for having major challenges associated with their economy, efficiency, or effectiveness. In accordance with this statutory authority, the State Auditor adopted regulations in 2016 that further define the high-risk program. These regulations provide the criteria we used in determining the list of state high-risk agencies and statewide issues we present in this report.

Criteria for Determining Whether a State Agency or Statewide Issue Merits a High‑Risk Designation​

State regulations outline the conditions under which an agency or issue may be added to the State Auditor’s high-risk list. All four of the following conditions must be present for us to assign the high‑risk designation:
  • Potential waste, fraud, abuse, or mismanagement or impaired economy, efficiency, or effectiveness that may result in serious detriment to the State or its residents.
  • The likelihood of waste, fraud, abuse, or mismanagement or the likelihood of impaired economy, efficiency, or effectiveness causing harm is so great that this likelihood constitutes a substantial risk of detriment to the State or its residents. 1
  • The state agencies that are affected by or responsible for resolving the waste, fraud, abuse, or mismanagement or the impaired economy, efficiency, or effectiveness are not taking adequate corrective actions to prevent the risk or its effects.
  • An audit and the agencies’ implementation of the resulting recommendations may significantly reduce the substantial risk of serious detriment to the State or its residents.
When assessing both state agencies and statewide issues, we consider a number of factors to determine whether there is substantial risk to the State or its residents. We consider whether the risks are already causing detriment, whether those risks are increasing, and whether changes in circumstances are likely to cause detriment. We also consider various factors to determine whether the risks may have serious effects, such as loss of life, injury, or a reduction in residents’ overall health or safety; impairment of the delivery of government services; significant reduction in the overall effectiveness or efficiency of state government programs; and infringement on citizens’ rights. Finally, in evaluating whether agencies have taken adequate measures to correct previously identified deficiencies, or whether the State has taken measures to reduce the risks posed by the issues, we consider factors such as whether the agencies have demonstrated a strong commitment to controlling or eliminating the risk and whether they have made significant progress through action already taken to control or eliminate the risk to the State. In all cases, our professional staff make the final determination of risk level according to their independent and objective judgment.

Removal of High-Risk Designation​

We remove the high-risk designation under any of the following circumstances:
  • A change in circumstances has resulted in the risk no longer presenting the potential for serious detriment to the State or its residents.
  • The agency has taken sufficient corrective action to prevent or mitigate the risk of harm.
  • The risk presented by the agency or issue is not likely to be reduced by performing additional audit work.
State regulations require us to use our professional judgment to determine whether to remove a high-risk designation. When we remove the high-risk designation for one of the reasons described above, we continue to monitor the issue or agency and, if the risk reoccurs, we will consider reinstating the high-risk designation according to the factors described earlier.

State High-Risk Reports​

Government Code section 8546.5 authorizes the State Auditor to audit and to publish audit reports on any state agency that it identifies as high-risk. In May 2007, we issued Report 2006‑601, which provided an initial list of high-risk state agencies and statewide issues. We have since issued several reports updating the list of those agencies and issues that are high-risk. Further, we include on our website a list of all audits that we are performing, including those of high-risk state agencies and statewide issues.
To update our assessment of high-risk state agencies and statewide issues, we interviewed knowledgeable staff at the responsible state agencies to gain perspective on the extent of the risks the State faces. We also reviewed the efforts that staff at the agencies said were underway and were intended to mitigate the identified risks. In addition, we reviewed reports and other documentation relevant to the issues. Finally, we conferred with agencies and interested parties, such as the Department of Finance, the Legislative Analyst’s office, and the Public Policy Institute of California. Each of the entities we conferred with provided its perspective on high-risk areas facing the State.

NEW HIGH-RISK AGENCY:

EDD IS HIGH-RISK BECAUSE OF INADEQUATE FRAUD PREVENTION AND CLAIMANT SERVICE, AS WELL AS A HIGH RATE OF OVERTURNED ELIGIBILITY DECISIONS IN ITS UNEMPLOYMENT INSURANCE PROGRAM​

Background​

The Employment Development Department (EDD) provides billions of dollars in partial wage replacement benefits each year to Californians who need and seek such benefits (claimants). One of EDD’s primary responsibilities is its administration of the unemployment insurance (UI) program. Funded by taxes on employers, the UI program provides temporary financial assistance to unemployed workers who meet specific eligibility requirements, including those workers who were affected by the COVID-19 pandemic.
Beginning in March 2020, a surge in pandemic-related unemployment claims increased EDD’s UI workloads and resulted in changes to federal UI benefit programs, both of which created a greater risk of fraud. In Report 2020-628.2, January 2021, we explained that EDD’s fraud prevention approach during the pandemic was marked by significant missteps and inaction that led to billions of dollars in unemployment benefit payments that EDD later determined may have been fraudulent. Further, we also reported that EDD has been unable to accurately quantify its inappropriate UI payments, contributing to the delayed publication of California’s financial statements for the two most recently published fiscal years and to modified audit opinions on those statements. 2
Moreover, as we described in Report 2020‑128/628.1, January 2021, EDD did not prepare for an economic downturn despite multiple warnings, a key example of which is EDD’s slow efforts to improve its UI call center and overall claimant experience. Because the department did not address longstanding problems with the efficiency of its UI customer service, including its call center, EDD was unable to answer claimant questions and process claims in a timely and accurate manner during the pandemic.

Assessment​

EDD is a high-risk agency because of its mismanagement of the UI program. Specifically, EDD is unable to reliably estimate improper payments under the UI program, thus adversly affecting the State’s financial statements as well as impairing efforts to independently evaluate the efficacy of EDD’s own fraud prevention activities. Further, EDD needs to improve customer service to unemployment insurance claimants, while also taking steps to ensure its eligibility decisions are not frequently overturned on appeal. EDD’s mismanagement of the UI program has resulted in a substantial risk of serious detriment to the State and its residents. A high-risk audit may result in recommendations that could substantially reduce the risks we have identified.

Substantial Fraud Risk Exists in EDD’s UI Program​

EDD’s administration of the UI program has resulted in the substantial risk of serious detriment 3 to the State and its residents. In addition to providing temporary wage replacement to unemployed workers, the UI program helps maintain the stability of the state economy during economic downturns. Despite the program’s critical importance, EDD’s management of the UI program has been characterized by significant internal control weaknesses. For example, the program did not block addresses used to file unusually high numbers of claims, and it removed a safeguard preventing payment to individuals who had unconfirmed identities. These inadequate internal controls did not prevent potential fraud during fiscal years 2019–20 and 2020–21 and allowed the payments of potentially fraudulent claims, estimated at tens of billions of dollars, most of which have yet to be recovered.
Contributing to this serious detriment, EDD’s inadequate identification of potentially fraudulent UI benefit payments was also a significant factor leading to modified audit opinions and the delayed publication of California’s Annual Comprehensive Financial Report (ACFR) for fiscal years 2019–20 and 2020–21, which the State Controller published in February 2022 and March 2023, respectively. Further, our contractor responsible for conducting the federal compliance component of the Single Audit found areas of material weakness and noncompliance in EDD’s administration of the UI program during the pandemic, which led the contractor to issue an adverse opinion in the State’s fiscal year 2020–21 Federal Compliance Audit, published in April 2023, indicating that the State did not comply in all material respects with specific program requirements that could have a direct and material effect on the program. The delayed publication of the ACFRs and related audit opinions substantially delayed the public’s ability to gain an understanding of California’s financial position. The impacts on the State’s financial reporting could also be a contributing factor toward any potential decision to lower the State’s credit rating. We discuss our additional concerns about late financial reporting that may adversely affect the State’s credit rating.
EDD has not taken adequate corrective action to prevent the substantial risk of serious detriment to the State and its residents. Corrective action is adequate when it prevents a risk—such as the risk of fraud—from presenting a substantial risk of serious detriment. Because the potentially fraudulent payments have already occurred, have not been fully identified, and have largely not been recovered, EDD’s corrective action is not adequate. Nevertheless, EDD deserves credit for taking some steps to strengthen its internal controls, such as partnering with vendors and data scientists to identify potentially fraudulent claims and to refer those cases to law enforcement agencies for further investigation and potential criminal prosecution, but significant work remains. For example, EDD cannot effectively measure its progress at addressing potentially fraudulent payments because it is unable to accurately determine how many improper payments it has made. We noted this issue in Report 2021-001.1, March 2023, the report that reviewed internal controls and compliance. In fact, we found that EDD’s estimate of potentially fraudulent payments omitted certain payments to claimants who made false statements to obtain benefits and also incorrectly included valid claims for benefits. EDD has established a process to pursue recovery of ineligible payments, but until it identifies all inappropriate transactions, it cannot effectively manage that process or allocate appropriate resources to pursuing recovery. Thus EDD’s current corrective action remains insufficient and is a contributing element to our designation of the agency as high‑risk.

EDD Has Not Provided California Residents With Sufficient Customer Service, Resulting in Significant Challenges to Obtaining UI Benefits​

Like the fraud risk noted above, EDD’s handling of other components of the UI program also presents a substantial risk of significant detriment to Californians. EDD has faced longstanding efficiency problems in providing customer service to UI claimants. During the pandemic, millions of Californians were required to wait long periods to receive UI benefits or get answers to questions about their UI claims, and EDD continues to struggle to pay claimants in a timely manner. EDD’s customer service for the UI program has resulted in the impaired delivery of an important government service.
EDD has taken action to begin addressing customer service deficiencies in its UI program; however, those actions are not yet adequate. For example, as of April 2023, EDD had implemented many of our January 2021 recommendations and has since improved performance, but claimants still experience difficulties contacting EDD and being paid on time. Between January and May 2023 individuals called EDD on average between three and eight times a week trying to get help on their claims. In another example, according to statistics published by the U.S. Department of Labor (DOL), although EDD’s timeliness of first payment on a UI claim has improved since the worst of the COVID-19 pandemic, it does not yet meet DOL’s acceptable level of performance. Specifically, in the first six months of 2023, EDD paid between a high of 86 percent of claims and a low of 81 percent of claims within the time frame established by DOL, and it has not yet met DOL’s 87 percent acceptable level of performance. Consequently, these improvements are not sufficient to prevent the impaired efficiency and effectiveness of EDD’s UI program from presenting a substantial risk to California residents.

Many of EDD’s UI Eligibility Decisions Are Not Upheld on Appeal​

Apart from the potentially fraudulent UI payments that EDD made during the pandemic, which it has estimated to be in the tens of billions of dollars and which continue to affect the State’s financial reporting, EDD’s eligibility decisions are frequently overturned during appeal and have resulted in the substantial risk of serious detriment to California residents. Specifically, EDD’s improper decisions regarding UI benefits have required some UI claimants to face even longer delays than are typical. From 2017 through 2022, about half of the issues in UI claims that claimants appealed were ultimately overturned in favor of the claimant. This rate of overturned decisions is consistent with the high rate of overturned decisions we noted in Report 2014-101, August 2014. Although EDD wants to reduce the percentage of overturned appeals, it asserts that one of the reasons for the high rate of overturned decisions is that claimants can provide new information during their appeal that was not furnished to EDD during the claim filing process, leading many appeals to be decided in the claimants’ favor. Nevertheless, as of March 2023, California had the third highest reversal rate in the nation. These improper eligibility decisions can serve as unnecessary obstacles to claimants’ right to benefits and can result in a significant reduction in the overall effectiveness of the UI program. Thus they present a substantial risk of serious detriment to the State and its residents.
EDD has not taken adequate steps to prevent improper denials of UI benefits. Although EDD says that it is evaluating the UI appeals process in hopes of reducing the high rate of issues overturned on appeal, it has not taken sufficient action to address this problem, as evidenced by the fact that approximately half of the issues that claimants appealed between 2017 and 2022 were overturned, as was the case when we previously reported on this issue in August 2014. Thus, these actions are not sufficient to prevent the impaired efficiency and effectiveness of EDD’s UI program from presenting a substantial risk to California residents.

An Audit May Lead to Policy Changes That Significantly Reduce These Risks​

Additional audit work by the State Auditor may assist EDD in mitigating the risk presented by its handling of the UI program. In particular, a high-risk audit would provide independently developed and verified information regarding EDD’s management of the UI program and its challenges. A high-risk audit would also include analyses that serve as the basis for recommendations to assist EDD in resolving the risks presented by its management of the UI program. For example, an audit could evaluate EDD’s efforts to identify potentially fraudulent or improper UI claims, which would lead to recommendations on how to effectively address the associated payments and properly account for them in a timelier manner. A deeper examination of EDD’s UI claimant service and its high rate of denied UI claims overturned on appeal could result in recommendations on how to improve the UI claims process and how to reduce the high rate of denied UI claims overturned on appeal.
EDD's response, and State Auditor’s comments



RETAINED HIGH-RISK AGENCIES AND ISSUES: (1 of 2)

THE STATE’S MANAGEMENT OF COVID-19 FEDERAL FUNDS CONTINUES TO BE A HIGH-RISK ISSUE​

Background​

As part of its response to the COVID-19 pandemic, the federal government provided the State with nearly $290 billion in relief funds, portions of which must be obligated or spent by December 2024. The effective use of these funds required the State to allocate them to departments quickly and to expedite program changes, including eligibility updates. The State used COVID-19 funds to support programs related to vaccinations, unemployment benefits, housing assistance, and fiscal recovery. State departments received COVID-19 funds to operate more than 35 existing federal programs and to create new state programs, such as the HomeKey program, which provided temporary shelter to people experiencing homelessness or at risk of homelessness during the pandemic. One of the largest recipients of COVID-19 funds was EDD, which used a significant portion of the funds to provide unemployment benefits.

We initially designated the State’s management of federal funds related to COVID-19 as a high-risk statewide issue in August 2020. We based our initial assessment on the confluence of fiscal and programmatic changes that were critical to the State’s response to the pandemic. The State used COVID-19 funds in large part to support significant expansions of critical benefits for people experiencing unemployment, homelessness, and limited income. The rapid growth of programs providing these benefits posed a significant risk to the State and its residents. Specifically, inadequate outreach to people who needed the programs or the flawed execution of expansion efforts would create a risk that Californians would be left without medical care or money to pay for food and housing. Likewise, the swift creation of new programs by state departments posed risks because of the limited time available to implement sufficient internal controls and processes.

To assist in addressing these risks, we performed 11 state high-risk audits related to the management of COVID-19 funds. We found that state departments faced significant hurdles in using this influx of funding to meet the corresponding increase in responsibilities, such as the massive increase in the number of unemployment insurance claims requiring eligibility determinations and the rapid expansion of vendor oversight necessary for programs that provided pandemic-specific goods and services, like personal protective equipment. The scale and expeditious nature of the funding and its uses to provide services led to the high risk of inefficiencies and fraud occurring in programs supported by COVID-19 funds.

In total, our 11 prior state high-risk audits of COVID-19 fund management resulted in 85 recommendations to departments, of which 37 remain unimplemented. For example, our audit of the Board of State and Community Corrections (Board of Corrections) found that the Board of Corrections allocated funds to the California Department of Corrections and Rehabilitation without justification and that its allocation methodology did not consider important elements, such as the impact of the pandemic. The Board of Corrections also failed to make funding available to cities and tribes, even though it had originally committed to do so. We made 10 recommendations to the Board of Corrections in Report 2021-616, October 2021, but as of July 2023, it had only fully implemented three of our recommendations. We will continue to monitor the steps departments take to minimize the remaining risks related to their handling of COVID-19 funds.

Assessment​

The management of COVID-19 funds continues to represent a significant risk to the State and its residents and will therefore remain a high-risk issue. In the previous section, we described our concerns with EDD, one of the largest recipients of COVID-19 funds, which used a significant portion of the funds to provide unemployment benefits. Since our last high-risk assessment in August 2021, at least 14 state agencies have received $76 billion in additional federal COVID-19 funding. State agencies will continue to spend some of these funds through December 31, 2024. This influx of resources represents both a significant benefit and risk to the State, as represented by the extent of our previous findings on the management of federal COVID-19 funding and the status of unimplemented recommendations.

The State continues to spend federal COVID-19 funds, meaning circumstances have not significantly changed. Further, a number of recommendations from our previous reports have not yet been implemented. For instance, we recommended that various university campuses review the expenses they incurred in response to the pandemic and submit eligible expenses to the federal government for reimbursement. We also recommended that the Department of Housing and Community Development develop a strategy it can use in emergency situations to more efficiently complete or amend contracts, and make funding available to recipients. These recommendations have not been fully implemented. Moreover, additional audit work by the State Auditor could assist in mitigating the risks associated with the management of federal COVID-19 funds. As with our 11 previous state high-risk audits on COVID-19 fund management, additional audits of this issue could generate recommendations to ensure that such funds are spent prudently, within acceptable time frames, and in accordance with federal and state requirements. Consequently, we will retain this issue on the high-risk list.

Status: Retained on high-risk list​

EDD's response, Finance's response


LATE FINANCIAL REPORTING CONTINUES TO INCREASE RISK TO THE STATE​

Background​

The accuracy and timeliness of the State’s financial reporting is of vital importance to the State and its residents. A key method the State uses to provide fiscal oversight and transparency is the mandatory Annual Comprehensive Financial Report (ACFR) that the State Controller’s Office (State Controller) prepares. The ACFR is composed of financial statements from the State’s many departments and agencies, which collectively represent the financial position of the State. The report, which includes the State Auditor’s annual opinion of its accuracy, provides an important resource for stakeholders, such as the State’s creditors, to use when making decisions about the State’s ability to borrow money affordably. Further, billions of dollars in federal grants are contingent on the State’s timely filing of the ACFR for federal review.

To support its financial reporting needs, the State has focused significant effort on modernizing its financial management infrastructure through the implementation of a project known as the Financial Information System for California (FI$Cal). The scope, schedule, and budget of this nearly $1 billion information technology (IT) project has undergone numerous revisions since it began in 2005. However, despite nearly two decades of continued effort, many state entities have historically struggled to use the system to submit timely data for the ACFR.

In Report 2019-601, January 2020, the State Auditor added to the state high-risk list the State’s inability to produce timely financial reports during the transition to FI$Cal. At the time, we noted that since fiscal year 2017–18, the State had issued financial statements late, which could affect the State’s credit rating. The COVID-19 pandemic also created new financial complexities that affected the State’s financial reporting, such as the increased pandemic-related spending by the Employment Development Department (EDD) and its Unemployment Insurance fund. In Report 2021-601, August 2021, our assessment of high-risk issues to the State, we noted that the State Controller continued to issue the ACFR late.

Assessment​

The State has not made sufficient progress in addressing late financial reporting; therefore, this issue will remain on the state high-risk list. The State Controller issued the State’s financial statements for fiscal year 2020–21 later than in previous years—twelve months after its traditional deadline and six months after a general extension on financial reporting that the federal government provided because of the pandemic. Further, the State’s financial reporting for fiscal year 2021–22 is already past due. This continued trend of late reporting reduces the efficiency and effectiveness of the State’s financial oversight. The State’s late financial reporting could also negatively affect its credit rating, which could increase the cost associated with borrowing. According to the State Treasurer, the State borrowed $5.6 billion in general obligation bonds in fiscal years 2021–22. Thus, even a small increase in the interest rate, as might happen with a downgraded bond rating, could cost the State millions annually in increased borrowing costs.

In addition to late financial reporting, the State is experiencing a decline in expected revenue. Although its financial reports in fiscal years 2017–18 through 2020–21 reported general fund surpluses, the Governor’s fiscal year 2023–24 budget had to address a budget shortfall of approximately $31.7 billion. Combining late financial reporting with a diminished financial outlook increases the risk that credit agencies will downgrade the State’s credit rating.

The State has made some limited progress in addressing underlying issues that have contributed to its late financial reporting but not enough progress to warrant removing the issue from the high-risk list. As we noted when we designated the State’s financial reporting as high-risk in January 2020, the transition to FI$Cal has been a key component in financial reporting delays. As of 2023, 152 of 162 state departments are now using the FI$Cal system for their financial reporting, with an additional two departments—the California Department of Technology and the Department of Rehabilitation—currently undergoing a two-year transition. Some departments are doing a better job of submitting their financial statements to the State Controller in a timely manner. For fiscal year 2021–22, departments filed year‑end financial statements within 30 days of the deadline for 1,400 funds, or about 80 percent of all the State’s funds. 4

However, as we noted in our internal control and compliance audit Report 2021‑001.1, March 2023, six large departments of material importance to the State’s overall financial reporting did not perform monthly reconciliations of their accounts to the records of the State Controller in a timely manner during fiscal year 2020–21. Moreover, similar to the previous two fiscal years, the Department of Health Care Services (DHCS) did not fully reconcile its banking activity using FI$Cal before submitting its fiscal year 2020–21 financial reports to the State Controller. In fact, DHCS reported encountering significant challenges during its financial reporting, including that its procedures for completing bank reconciliations to FI$Cal were still under development.

The State Controller echoed these concerns in the fiscal year 2020–21 ACFR, published in March 2023, which noted that the transition to FI$Cal has affected financial reporting for several years but also included steps that the Controller is taking to improve financial reporting. The State Controller reported that it is collaborating with other state agencies to understand the root causes of delays and to develop mitigation strategies. The State Controller also explained that its own transition to the FI$Cal system remains underway and that its completion will lead to measurable advancements in financial reporting. Even so, an approved budget change proposal the State Controller submitted in January 2023 indicates that it anticipates only minimal annual improvements to its reporting timeline of between one and two months earlier each fiscal year. However, as of June 2023, the State Controller has indicated that it will seek to move the issuance date of the ACFR closer to its traditional deadline by three months for its reporting on fiscal year 2021–22.

The State has not made sufficient progress in resolving the problem of its late financial reporting to justify our removing this issue from the high-risk list. Financial reporting remains late, meaning there is no change in circumstances, and the State’s planned corrective actions are still in process. Moreover, state law requires the State Auditor to evaluate both the State Controller’s and the Department of FI$Cal’s efforts to implement the system. The result of this statutory audit work will likely further inform our future designations of this issue as an area of high risk.

Status: Retained on high-risk list​

FI$Cal's response, Finance's response, State Auditor's comments to FI$Cal, and State Auditor's comments to Finance


THE STATE’S INFORMATION SECURITY REMAINS A HIGH-RISK ISSUE​

Background​

Information security is the protection of the confidentiality, integrity, and availability of the State’s information assets, including data, processing capabilities, and information technology (IT) infrastructure. State law generally requires state entities that are under the Governor’s direct authority (reporting entities) to comply with the information security practices that the California Department of Technology (CDT) prescribes and to report annually to CDT on compliance with these practices. However, state law exempts entities that fall outside of the Governor’s direct authority (nonreporting entities), such as constitutional offices and those in the judicial branch, from following CDT policies and procedures.

We first identified information security as a high-risk issue in Report 2013-601, September 2013, when we concluded that CDT was performing limited reviews of the security controls that reporting entities had implemented. In a subsequent high-risk audit, Report 2015-611, August 2015, we noted that many reporting entities had poor controls over their information systems. In our state high-risk assessment, Report 2017-601, January 2018, we reported that CDT had made improvements to its oversight but that reporting entities still showed significant room for improvement. Finally, in Report 2021-601, August 2021, we reported that a federally‑sponsored nationwide security review noted that state entities in California self-reported ratings below the federally recommended minimum level.

Report 2022-114, April 2023, reiterated many of our previous concerns with the State’s information security. Our audit found weaknesses in CDT’s strategic planning, oversight of information security and IT projects, and that CDT has not ensured that the State’s IT systems are adequately protected from cyberattacks. This inadequate protection has the potential to compromise individuals’ identities, shut down critical government functions, and cost the State millions of dollars to remedy.

Assessment​

CDT has not sufficiently improved its oversight of information security to mitigate the risks we have identified; therefore, this issue will remain on the state high-risk list. CDT is responsible for providing direction for the State’s information security efforts and for reviewing the security of reporting entities. However, CDT has yet to determine the effectiveness of cybersecurity programs for all of the entities for which it has oversight responsibility. To determine the effectiveness of information security for reporting entities at higher risk, CDT relies on a four-year oversight lifecycle. This process generally includes a compliance audit, a follow-up review, and two technical assessments. However, as we said in Report 2022-114, April 2023, CDT has the capacity to complete only 13 compliance audits each year, which equates to only 52 reviews of reporting entities during a four-year cycle, or not quite half of the 107 reporting entities for which it is responsible.

To prioritize its compliance audits, CDT uses a risk-based methodology to determine the 52 entities it has the capacity to audit. However, we are concerned about CDT’s limited capacity. Our previous audits have recommended that CDT increase its capacity to conduct its IT audits by hiring more staff or contracting for additional audit support. In March 2023, the Legislative Analyst’s Office raised a similar concern about limited capacity, noting that resolving staffing-related issues in information security is important if state entities are to improve their information security compliance and maturity. However, CDT explained that it does not have any immediate plans to hire additional staff or contractors. Instead, CDT reports that it hopes to find increased efficiencies through a new IT system, which does not currently exist, that would allow CDT to more efficiently conduct its audits.

In addition, most nonreporting entities are also lagging behind in information security. We evaluated nonreporting entities’ compliance with their selected security standards in 2021. As Figure 1 illustrates, we surveyed 32 nonreporting entities for Report 2021-601, August 2021, and found that although 29 had adopted information security frameworks or standards, only four reported achieving full compliance.

Legislation that went into effect in January 2023 implemented our recommendation to improve the security of nonreporting entities. Nonreporting entities are now required to perform a comprehensive, independent security assessment every two years and to certify their compliance with certain security requirements annually. We will continue to monitor reporting and nonreporting entities’ efforts to improve their security; however, information security continues to present a significant risk to the State.

Figure 1​

In 2021 Most Nonreporting Entities Stated That They Were Only Partially Compliant With Their Selected Security Standards​


A pie chart shows 32 nonreporting entities by their compliance status. Most entities reported they are partially compliant.


Source: Analysis of survey responses, Report 2021-601, August 2021.

Figure 1 description:​

A pie chart shows 32 nonreporting entities by their compliance status with their selected security standards. The chart shows that three entities reported having not adopted framework or standards, 19 entities reported partially complying, and four entities reported having fully complied with all of their selected security standards.
Vulnerabilities in the State’s information security practices can have costly effects on the efficiency and effectiveness of State programs and can affect the privacy of Californians’ data. For example, in December 2022, the Department of Finance fell victim to a cyberattack that was widely reported in the media. In 2021 an employee at the State Controller’s Office unknowingly interacted with a malicious link that appeared to come from a trusted source, thereby providing a hacker with such confidential information as the names, Social Security numbers, and birth dates of state employees. Further, in 2023 data maintained by a CalPERS and CalSTRS contractor was breached, resulting in unauthorized access to confidential information related to retirees and their family members. It is likely that attempts against governmental information assets will only increase in the future. CDT has reported that in the wake of the pandemic, the cybersecurity threat nearly quadrupled in the sophistication of attacks by nation-state adversaries and criminal organizations.

Because cybersecurity threats are significant and oversight of state departments and agencies remains inadequate, we will retain this issue on the high-risk list. The State continues to need improvements in its cybersecurity practices, and although state entities are giving increasing attention to cybersecurity, they have not substantially mitigated the ongoing risk from inadequate information security technology practices. Finally, additional audit work by the State Auditor could assist in mitigating the risk presented by this issue area. For example, the State Auditor could continue to audit CDT and other entities as necessary to determine their compliance with state law and best practices related to cybersecurity.

Status: Retained on the high-risk list​

CDT's response and State Auditor's comments

RETAINED HIGH-RISK AGENCIES AND ISSUES: (Pg 2 of 2)

CDT HAS NOT MADE SUFFICIENT PROGRESS IN ITS OVERSIGHT OF STATE INFORMATION TECHNOLOGY PROJECTS​

Background​

The California Department of Technology (CDT) is responsible for approving, overseeing, and monitoring the State’s IT projects. As a component of this effort, CDT regularly reports on the progress of various projects as measured against their objectives, scope, schedule, and cost. Historically, the State has faced challenges in completing IT projects on time and within budget. Currently, CDT uses a four-stage process known as Project Approval Lifecycle (PAL), that is intended to ensure that larger projects—those anticipated to cost more than $5 million—include a strong business case, clear objectives, accurate costs, and realistic schedules. CDT’s goal in using PAL is to improve the quality, value, and likelihood of success for IT projects in California government.
We designated CDT’s oversight of IT projects as high-risk in our initial high‑risk assessment Report 2006-601, May 2007, because of the number of costly and complex projects that were underway and the State’s history of failed IT projects. In part to address these concerns, CDT implemented PAL in 2016. However, our state high-risk assessment, Report 2021-601, August 2021, found PAL’s effectiveness to be unclear since a sufficient number of projects—especially highly complex, and critical projects—had not been completed using PAL. We further noted in our Report 2022‑114, April 2023, that CDT will require new metrics to better track its effectiveness as it uses PAL to support more complex and critical projects.

Assessment​

CDT’s oversight of IT projects has yet to demonstrate significant improvement and will therefore remain on the state high-risk list. In Report 2022-114, April 2023, we noted that CDT’s oversight of IT projects has been ineffective at addressing risks on complex projects. During that audit, we reviewed CDT’s oversight of four IT projects and found that although CDT identified deficiencies in three which required immediate corrective action, it had not used its authority to ensure that the problems were resolved.
Moreover, CDT’s use of costly and lengthy approval processes can have negative consequences for agencies. As part of Report 2022-114, April 2023, we surveyed 143 agencies on their experience using the PAL process. Among the many agencies that had used CDT’s project approval processes—63 of those we surveyed—23 percent of those agencies were unsatisfied or very unsatisfied with the project approval process. Several agencies noted that the PAL process is too lengthy and that it delays the approval of projects. Timelines that stretch into multiple years can be costly to agencies and can delay updates to critical IT systems. PAL remains a lengthy process for agencies in 2023, and CDT has not clearly demonstrated its effectiveness.
CDT has not made sufficient progress in resolving issues with its oversight of IT projects to justify its removal from the high-risk list. CDT’s oversight process has been ineffective in addressing previously identified problems and CDT’s process is lengthy, leading to delays; thus, circumstances have not changed substantially. Further, CDT needs to better measure its process to assess its effectiveness; thus, adequate corrective action has not occurred. Finally, additional audit work by the State Auditor could follow up on Report 2022-114, April 2023, to assess CDT’s progress in implementing our recommendations, and generate new recommendations.

Status: Retained on the high-risk list​

CDT's response and State Auditor's comments

CLIMATE CHANGE AND AGING WATER INFRASTRUCTURE THREATEN CALIFORNIA’S WATER SUPPLY AND PUBLIC SAFETY​

Background​

We added the State’s water infrastructure as a high-risk issue in Report 2013-601, September 2013, noting that the State’s investment in water infrastructure had not kept pace with its needs and was aging. After the near-failure of the Oroville Dam spillway in 2017, we expanded this issue area in Report 2017-601, January 2018, to include dam safety. In our most recent high-risk assessment in Report 2021-601, August 2021, we noted that the State had not made appreciable progress toward addressing deficiencies in its water infrastructure and that safety planning for dams throughout the State remained incomplete.
Much of the State’s water storage is held in surface water, specifically in lakes behind dams. State law vests authority over dams in the State’s jurisdiction with the Department of Water Resources (Water Resources), a department in the California Natural Resources Agency (Natural Resources). Water Resources oversees these dams through its Division of Safety of Dams (Dam Safety Division), which inspects more than 1,200 dams, rates each dam’s condition as Satisfactory, Fair, Poor, or Unsatisfactory, and identifies the downstream hazard that the dam poses, which can range from Low to Extremely High. Condition rating assesses a dam’s physical condition; the downstream hazard rating assesses the impact if the dam fails.
After the Oroville Dam spillway incident in 2017, the Legislature amended state law to require that owners of state-regulated dams with certain levels of downstream hazard develop emergency action plans (emergency plans) to address the potential loss of life and potential property damage of a dam failure. Each emergency plan must include one or more inundation maps, which illustrate the potential flooding that may result from a dam’s failure. The California Governor’s Office of Emergency Services (Emergency Services) is responsible for approving emergency plans, and the Dam Safety Division is responsible for approving inundation maps, which are a component of every plan.
In our high-risk assessment Report 2021-601, August 2021, we focused our review of the sufficiency of California’s water supply by reviewing the progress of a project known as WaterFix, which is no longer proceeding. Our current review focuses in part on a new effort known as the Delta Conveyance Project which would develop new water infrastructure facilities in the Sacramento–San Joaquin Delta (Delta). The Delta Conveyance Project is intended to protect and preserve California’s water supply threatened by sea level rise, climate change, and seismic activity. The Delta Conveyance Project remains a component of Natural Resources’ greater water supply strategy. However, given California’s changing climate and the strategic planning that Water Resources and other agencies completed since our last review, we have expanded our current high-risk assessment to include a review of the State’s water strategies to ensure water availability and a review of certain levees under water infrastructure safety.

Assessment—Water Availability​

The State has not yet made sufficient progress in addressing the water availability issue area; therefore, it will remain a high-risk issue. Natural Resources estimates that hotter, drier weather could diminish the State’s existing water supply by up to 10 percent by 2040. With the State consuming between 60 and 90 million acre feet per year, this estimated 10 percent loss due to hotter, drier weather would mean 6 to 9 million acre-feet of water less per year in 2040. However, our limited water supply is already affecting many Californians. For example, although more than a million Californians rely on domestic well water, nearly 2,000 wells were reported dry as of May 2022.
California has recently experienced cycles of drought and water overabundance. For example, California’s $50 billion annual agriculture industry, which employs more than 420,000 people, has felt the effects of repeated droughts. In 2022 the Public Policy Institute of California estimated the economic impact of the 2021 drought at $1.7 billion and 14,600 jobs lost. By contrast, the State experienced record rainfall in 2023, which resulted in the State Water Project’s allocating 100 percent of the planned delivery to water contractors in 2023, whereas in 2021 and 2022, it was able to allocate just 5 percent of the water requested.
This drought-and-flood cycle also affects other elements of the State’s water infrastructure, such as its levees. Specifically, according to California’s Delta Stewardship Council, flooding in the Delta could result in loss of life and property losses in the billions of dollars. Moreover, the probability of a levee failure caused by high water levels is substantial based on historical performance. In the last century, there have been more than 140 levee failures and island inundations in the Delta. Ensuring reliable and safe water supplies is critical for the well-being of people, businesses, and communities throughout California.
The State is working to address these needs; however, progress remains slow. For example, Water Resources is in the process of completing an environmental review for the Delta Conveyance Project. The purpose of the Delta Conveyance Project is to modernize and protect the reliability of State Water Project water deliveries south of the Delta to help mitigate the effects of sea level rise, climate change, and seismic risk. The State Water Project provides clean, affordable drinking water to 27 million Californians and irrigation supplies to 750,000 acres of farmland. However, the Delta Conveyance Project is in a planning phase, and may face future challenges related to funding and the timeline for its completion. Water Resources states that it is on schedule to complete an environmental impact review by the end of 2023. It also states that permitting activities are underway or slated to begin soon. The Delta Conveyance Project is estimated to cost about $16 billion in total and, according to Water Resources, construction will likely begin in 2028 or 2029. While the Governor has recently signed legislation that would streamline various processes related to the environmental impact of specified infrastructure projects, the Delta Conveyance Project was explicitly exempted from these changes.
In addition to its work on the Delta Conveyance Project, the State has taken another important step in addressing its water needs since our last review. In August 2022, a variety of state agencies working cooperatively created a strategic water supply plan to help California adapt to its hotter, drier future. 5 This strategic plan calls for the creation of additional storage space for up to 4 million acre-feet of water to assist California in capitalizing on large storms when they occur. The plan also calls for increased water recycling, more efficient water use and conservation, and other methods that diversify the State’s response to climate change. The plan also specifies a variety of steps to meet these goals, such as expanding both desalination production and existing reservoirs. Although the strategic water supply plan is too recent to assess its effects, the plan notes that the State has supported related projects with budgetary increases of more than $8 billion earmarked for water infrastructure modernization and management. We will monitor the strategic water supply plan’s application and the use of related funding to determine its effects on California’s water resources over time.
Given the current risks and limited progress, the availability of water resources will remain a high-risk issue. The State’s cycle of ongoing drought and flood, as well as the still-pending Delta Conveyance Project and newly created strategic water supply plan for additional water storage, show that circumstances have not changed substantially and that water availability continues to be a high-risk issue. Finally, additional audit work by the State Auditor could assist in mitigating the risk presented by this issue area by proposing methods to streamline project management at the responsible agencies, as we did in Report 2016-132, October 2017, our audit of the WaterFix project. Such additional audit work could examine the State’s progress and barriers toward enhancing water storage, increasing recycling, and expanding desalination.

Status: Retained on high-risk list​

California Natural Resources Agency’s response

Assessment—Water Infrastructure Safety​

The condition of some of the State’s potentially most hazardous dams and related emergency planning remains a high-risk issue. Failures or incidents at dams could result in significant harm to the State and its residents, through loss of life and flooding of economically important areas. Nevertheless as of June 2023, 88 dams throughout the State have both a condition rating lower than Satisfactory and a downstream hazard rating of Significant or higher. Dams that fall within these classifications have a combined reservoir capacity of more than 7 million acre‑feet of water. Of particular concern, 37 of the 88 dams with condition ratings below Satisfactory are also rated as Extremely High Hazard, meaning that a dam failure would cause considerable loss of human life and significant economic loss. Water Resources indicates that since 2021, 11 dams have received some repairs and that the department has also identified numerous additional deficiencies. The State’s new strategic water supply plan indicates that Water Resources will administer $100 million in new funding for local dam safety projects and flood management, such as improving dam condition ratings. We look forward to assessing the impact this funding has on the issue area.
Since our August 2021 high-risk assessment, Water Resources has made significant progress in approving inundation maps, having approved maps for 805 dams, or 93 percent of the required inundation maps, an increase of more than 13 percentage points. However, Emergency Services’ approval of emergency plans lags behind. Emergency Services has only approved emergency plans—which outline action to be taken during an emergency to minimize or eliminate the potential for loss of life and property damage—for 419 of the nearly 900 dams required to submit such plans, or about 48 percent. Although this number represents progress—an increase from the 107 approved plans in 2021—it will take several years at the current rate of approval for the State to have clear emergency plans in place for all dams that require them. Further, there are 121 dams without approved emergency plans that Water Resources has assessed as having Extremely High downstream hazard ratings, indicating a risk of considerable loss of human life.
In addition to dams, other elements of water infrastructure, such as levees, are also of concern. Levees face serious threats—from storm surges, sea level rise, and earthquakes—that could cause their failure. Water Resources inspects and reports on observable conditions on certain levees and reviews the status of maintenance practices to ensure that local entities are meeting their legal obligations. 6 Results from Water Resources’ 2022 levee maintenance inspections indicated that local agencies’ maintenance of levees had worsened slightly from the previous year. Water Resources reported that 38 of 106 geographical areas received Unacceptable maintenance ratings, and 33 areas received Minimally Acceptable maintenance ratings. A rating of Unacceptable means that one or more deficient conditions exist that may prevent the project from functioning as designed, intended, or required. A Minimally Acceptable rating means that one or more conditions exist in the flood protection project that needs to be improved or corrected.
Maintenance for levees and flood control is generally conducted by levee districts, reclamation districts, or other public agencies. 7 However, Water Resources inspects levee maintenance for certain levees, and a potential failure of California’s flood control system poses a risk to the State. For example, in 2017 and 2019, many levees sustained storm damage. The State responded by developing a rehabilitation program that, in combination with United State Army Corps of Engineers’ efforts, expedited repair on 105 damaged sites, with 21 remaining to be completed.
Because of the current high risks presented and the inadequate progress to mitigate those risks, the State’s water infrastructure will remain a high-risk issue. The significant number of high-hazard dams with condition ratings below Satisfactory shows that circumstances have not changed substantially enough to meet the requirements of our regulations. Further, the high number of emergency plans yet to be approved by Emergency Services shows that significant corrective action has not yet occurred. Finally, audit work by the State Auditor could assist efforts in mitigating the risk presented by this issue area by examining the State’s process for inspecting dams and approving emergency plans.

Status: Retained on high-risk list​

CalOES' response, California Natural Resources Agency's response, and State Auditor's comments

HEALTH CARE SERVICES HAS NOT ADEQUATELY ADDRESSED ISSUES WITH MEDI-CAL ELIGIBILITY, BUT IT HAS MADE IMPROVEMENTS TO ITS MHSA OVERSIGHT​

Background​

The Department of Health Care Services (Health Care Services) is responsible for overseeing the State’s implementation of the federal Medicaid program, known in California as Medi-Cal. Medi-Cal provides comprehensive health services—including preventive, routine, and emergency care—for eligible residents such as low‑income children, pregnant women, and families, and elderly or disabled individuals. As part of this responsibility, Health Care Services is responsible for ensuring that counties’ determinations of eligibility for applicants are appropriate and completed in a timely manner. Health Care Services’ role is pivotal because erroneous determinations of eligibility result in inappropriate expenditures or in residents’ inability to access needed services.
Our office previously issued Report 2018-603, October 2018, and Report 2019‑002, October 2020, which both identified discrepancies between state and county Medi‑Cal eligibility systems resulting in at least $4 billion in questionable payments. We also found that Health Care Services had not implemented the controls or processes necessary to ensure that problems with Medi‑Cal eligibility are corrected, a process for monitoring county welfare agencies’ progress in addressing eligibility discrepancy alerts. In Report 2020-613, July 2021, we reported that despite the COVID-19 public health emergency, Health Care Services could still do more to address chronic Medi-Cal eligibility problems. In our most recent state high-risk assessment, Report 2021-601, August 2021, we reported that Health Care Services remained a high-risk agency, because it had not corrected discrepancies in its Medi‑Cal eligibility system that had resulted from suspended efforts during the COVID-19 public health emergency and that the problem had continued to grow.
Additionally, since 2012 Health Care Services has been responsible for overseeing various aspects of the Mental Health Services Act (MHSA). In 2004 voters enacted the MHSA, which expanded services and treatment for those who suffer from or are at risk of serious mental illness, and is funded by a 1 percent income tax on personal income in excess of $1 million per year. We have included Health Care Services’ oversight of the MHSA on our state high-risk list since 2007 and have performed two audits related to the MHSA. In Report 2012-122, August 2013, we identified deficiencies in state oversight of the implementation of MHSA funding, including county programs’ inadequate collection of the data necessary to determine the effectiveness of MHSA funds. In Report 2017-117, February 2018, we noted that, despite having had responsibility for the MHSA since 2012, Health Care Services had not developed a process to recover unspent MHSA funds from local mental health agencies. As a result, local agencies had amassed hundreds of millions of dollars in unspent MHSA funds that should otherwise have been reallocated to other local mental health agencies, a process called reversion. We recommended that Health Care Services develop guidance for counties on administering their MHSA programs.

Assessment—Medi-Cal Eligibility​

Although it has made some progress, Health Care Services has not adequately resolved issues involving Medi‑Cal eligibility. In Report 2020-613, July 2021, we found that the number of eligibility discrepancies between state and county eligibility systems increased during the COVID‑19 pandemic and that Health Care Services was not doing enough to resolve eligibility questions about Medi‑Cal beneficiaries. Health Care Services began taking steps in June 2022 to address eligibility discrepancies by issuing guidance to counties on case processing actions after the May 11, 2023, termination of the public health emergency. Health Care Services is developing additional guidance on the prioritization of resolving high-risk eligibility issues and will be monitoring counties’ efforts through its oversight program, which it plans to launch statewide in May 2024. However, to allow counties to complete public health emergency wind-down activities, Health Care Services does not expect to fully implement our July 2021 recommendations regarding eligibility discrepancies until June 2024.
Although Health Care Services is positioning itself to make progress on this issue, we lack assurance that it has resolved issues related to Medi-Cal beneficiary eligibility. Because of the current risks presented and the lack of demonstrated progress, Health Care Services’ management of Medi-Cal benefits will remain a high-risk issue. Finally, audit work by the State Auditor could assist in mitigating the risk presented by this issue area by following up on recommendations from our prior audits, assessing Health Care Services’ progress in addressing ineligible Medi-Cal recipients, and potentially providing further recommendations.

Status: Retained on high-risk list​

Health Care Services response

Assessment—MHSA​

In 2017 the State enacted Assembly Bill 114 to provide counties with a second opportunity to use certain MHSA funds. The amended state law provided that funds subject to reversion as of July 1, 2017, were deemed reverted to the State and reallocated to the county of origin for their originally designated purposes. This effectively provided counties with additional time to spend previously allocated funds. The Legislature also gave small counties—those with fewer than 200,000 residents—two extra years to spend their MHSA funds.
We retained this issue on our high-risk list in August 2021 because Health Care Services had not implemented a sufficient number of our recommendations surrounding this issue to mitigate its risk. However, since that last assessment, Health Care Services has made progress in this area. The department had previously created regulations to improve reporting related to unspent MHSA funds that were subject to reversion. The department reports that it now makes these determinations according to amounts reported by counties in their Annual MHSA Revenue and Expenditure Reports. Health Care Services communicated this process to counties, letting them know that they must generally spend funds allocated to Community Services and Supports, Prevention and Early Intervention, and Innovation components within three fiscal years. In addition, Health Care Services informed counties that they must spend funds allocated to Capital Facilities, Technological Needs, and Workforce Education and Training components within 10 fiscal years.
Our review of submitted MHSA Revenue and Expenditure Reports shows that counties are now using the majority of their MHSA funds within the required timelines. In fiscal year 2021–22, about $5.4 billion was deposited into the MHSA Fund according to the 2023–24 Governor’s budget, and MHSA expenditures amounted to $6.5 billion in that fiscal year. In addition, Health Care Services estimated that $3.5 and $3.4 billion would be deposited into the Mental Health Services fund in fiscal years 2022–23 and 2023–24 respectively and $3.6 and $3.4 billion would be spent in those years. Counties therefore now appear to be spending MHSA funds promptly.
Health Care Services has now fully or partially implemented ten of 11 recommendations from Report 2012-122, August 2013, and six of seven recommendations from Report 2017-117, February 2018. For example, Health Care Services retained a contractor who has provided training and technical assistance to counties.
Although the risk to the State and its residents is serious if Health Care Services mismanages the MHSA, recent legislative changes, combined with the department’s progress in implementing outstanding recommendations, demonstrate that the agency has made sufficient progress toward eliminating the basis upon which we determined that oversight of MHSA funds was high-risk. Therefore, additional audits conducted by the State Auditor would be unlikely to assist in mitigating risks associated with MHSA funds. Accordingly, we are removing Health Care Services’ oversight of the MHSA as a high-risk issue.

Status: Removed from the high-risk list​

Health Care Services response

REMOVED HIGH-RISK AGENCIES AND ISSUES:

CSU AND UC HAVE MADE EFFORTS TO CONTROL TUITION AND FEES IN THE PAST DECADE​

Background​

We first identified the affordability of higher education as a state high-risk issue in Report 2013-604, December 2013, noting challenges associated with the funding of higher education and the extent of access it provided. In 1960 the State published A Master Plan for Higher Education in California, which provided a roadmap for the future of higher education in the State. Reviews of the plan have reaffirmed its principles and emphasized the need for improved access to affordable higher education. As components of the State’s public higher education system, the University of California (UC), the California State University (CSU), and the California Community Colleges (CCC) each have a responsibility to align its services with the State’s goal of making higher education accessible and affordable to every Californian. However, in 2010 the Legislature identified the ability of the State’s public system of higher education to carry out the master plan as being at risk because of unprecedented population growth and extraordinary social and economic changes.

Although we originally included the CCC as part of this high-risk issue, we removed it in Report 2017-601, January 2018, because it had improved its ability to provide courses and services to students. In Report 2019-601, January 2020, we reported that from 1992 to 2017, undergraduate tuition had increased by about 340 percent at the CSU and 440 percent at UC. In our state high-risk assessment Report 2021‑601, August 2021, we noted that issues related to the affordability of higher education persisted.

Assessment​

By taking steps to control tuition and fee increases, the CSU and UC have made sufficient progress toward eliminating the basis on which the State Auditor designated this issue high-risk. For example, both university systems have held their tuition relatively flat since 2013. The CSU did not increase tuition during that time, and UC increased its tuition only two times, once by 3 percent in academic year 2017–18 and once by 4 percent in academic year 2022–23. As of academic year 2022–23, the CSU’s annual tuition is $5,742 and UC’s is $11,982. Similarly, both universities raised their fees moderately. Since 2018 the CSU increased its systemwide fees by $222 and UC increased its systemwide fees by $184.

With support from the State, the CSU and UC were able to avoid significant tuition and fee increases, even as inflation increased by 1.2 percent to 8 percent annually over a five year period. If the two institutions’ tuition had kept pace with inflation during these years, the CSU’s academic year 2022–23 tuition would have been $6,850 and UC’s would have been $13,649. A recent report recommended that the CSU increase its tuition in predictable amounts because of growing costs and insufficient funding from the State to cover its expenditures. In July 2023, the interim chancellor recommended a multiyear tuition proposal that would raise tuition rates by 6 percent beginning in academic year 2024–25, with one-third of the increase dedicated to financial aid. However, the CSU has not yet adopted this initial proposal. UC approved a tuition stability plan that took effect in 2022. The plan allows for the adjustment of tuition for each incoming undergraduate class at a rate slightly above inflation but subsequently holds the tuition rate flat for that class for up to six years.

Financial aid programs also increase access to higher education and have remained a viable option for the majority of resident students in both systems. For the most recent reporting period—academic year 2021–22—a variety of financial aid programs allowed nearly 60 percent of undergraduate students to pay reduced tuition at the CSU. Likewise, student aid allowed 55 percent of UC undergraduate students to pay no tuition. The university systems reported that in 2021–22, nearly 82 percent of CSU undergraduate students received some form of financial assistance, and 70 percent of UC undergraduate students received grants and scholarships.

The CSU and UC have attempted to address other expenses related to attending college that have increased in the past decade. The costs of housing, food, transportation, books, child care, health care, and supplies contribute to the overall cost of higher education. The CSU reports that the average cost of food and housing for its undergraduate students increased between about 3 percent to 6 percent annually from academic years 2018–19 to 2023–24. The average cost of living, which includes food and housing, increased by a total of 12 percent for UC’s undergraduate students during the same period.

Although expenses other than tuition and fees account for about 66 percent of the total cost of attending the CSU and 60 percent of the cost of attending UC, they are often beyond the university systems’ control. However, to help alleviate food and housing insecurity for students, the Legislature appropriated $15 million per year from 2019 through 2022 for UC and between $6.5 million to $31.5 million per year during the same period for CSU. Both university systems have used these funds to offer a wide range of services. For example, both the CSU and UC offer food pantry and food distribution programs, meal voucher programs, CalFresh application assistance, and multiple emergency housing programs.

Although the affordability of higher education continues to be a concern for many Californians, the CSU and UC have slowed the rate of tuition and fee increases in the past decade relative to inflation. Both university systems have also made attempts to mitigate other barriers to higher education—such as costs associated with food and housing—that are often beyond their direct control. Given these ongoing efforts, it is unlikely that a high-risk audit of higher education expenses would result in recommendations leading to a significant reduction in tuition, fees, or other costs such as food and housing.

Status: Removed from the high-risk list​

California State University Office of the Chancellor response. The UC did not provide a response.


CALSTRS HAS IMPLEMENTED CORRECTIVE ACTION TO DECREASE THE RISK POSED BY ITS UNFUNDED LIABILITY​

Background​

The California State Teachers’ Retirement System (CalSTRS) provides retirement, disability, and survivor benefits to the State’s more than 1 million public school educators and their families, primarily through a defined benefit pension plan (benefit plan). CalSTRS uses the funding it receives from its members, their employers, and the State to generate investment income, which it uses to help pay retirement benefits. Pension funds operate on a long-term horizon, working to guarantee benefit payments for existing and future retirees. According to CalSTRS, the most financially prudent way to provide such benefits is to fund the benefit plan fully by maintaining sufficient assets to cover all payments the program is obligated to make.

Despite this goal, CalSTRS has historically not had sufficient assets to fully fund the benefit plan. In essence, the funds it has received, along with the investment income they have generated, have not been sufficient to cover projected costs. The gap between CalSTRS’ assets and its liabilities is its unfunded liability. According to CalSTRS, its unfunded liability was partly a result of poor investment returns during the financial crisis from fiscal years 2007 through 2009 and partly a result of its inability to adjust the amount that plan participants and employers were required to contribute.

We identified CalSTRS as a high-risk agency in Report 2011-601, August 2011, because of the extent of its unfunded liability. In 2014 the Legislature enacted a CalSTRS funding plan that provided CalSTRS with certain limited authority to increase contribution rates for employers and the State in order to eliminate its existing unfunded liability by June 2046. We have monitored CalSTRS’ implementation of the funding plan as part of our high-risk assessments to determine the progress it has achieved.

Assessment​

CalSTRS has made significant progress in eliminating the basis on which we identified it as high-risk. Its continued financial progress indicates that the agency is on track to eliminate its unfunded liability by 2046. According to CalSTRS’ actuarial valuation reports, its implementation of the funding plan decreased its unfunded liability from $107 billion in 2018 to $89 billion in 2022. Despite investment losses in fiscal year 2021–22, CalSTRS reported that it remains slightly ahead of schedule in its goal of fully funding the benefit plan by 2046.

CalSTRS has also taken steps to better mitigate the risks it faces in its financial planning, thereby making its achievement of the funding plan’s goals more likely. For example, CalSTRS lowered its investment return assumptions from 7.5 percent to 7 percent. It also updated its mortality assumptions to account for the increased life expectancy of its members, thereby adding an expected additional two-to-three years of beneficiary payments to its planning.

We based our decision to remove CalSTRS from our high-risk list on several factors. First, the creation of the funding plan in 2014 and CalSTRS’ subsequent implementation of it represent a change in circumstance that reduces the risk of serious detriment. Further, by implementing the funding plan for several years, CalSTRS has demonstrated a strong commitment to mitigating the risk created by its unfunded liability and to meeting its goal of full funding by 2046. Finally, it is unlikely that a high-risk audit would result in recommendations leading to significant additional reduction in CalSTRS’ unfunded liability.

Status: Removed from the high-risk list​

The agency did not provide a response.


THE STATE IS ADDRESSING ITS OPEB LIABILITIES​

Background​

The State provides health and dental benefits as part of the retirement package it offers to many state employees. The State generally pays the majority of health insurance premiums and at least a portion of dental premiums for retirees, depending on their years of service and dates of hire. The State refers to these benefits as other postemployment benefits (OPEB). Paying OPEB for retired employees is a large cost for the State in any given year. For example, in fiscal year 2020–21, the State paid nearly $2.6 billion in OPEB for retired employees. The State tracks and reports its calculated future OPEB payments as a liability, which totaled about $99 billion as of the end of fiscal year 2020–21.

In Report 2008-601, June 2009, we explained that the State’s OPEB liability could grow so rapidly that it could affect the State’s credit rating. The State has since implemented a plan to eliminate its unfunded OPEB liability by 2046 (prefunding plan). Under the prefunding plan, the State negotiates with employee bargaining units to determine the percentage of employee compensation that employees and the State will make to a trust. California Public Employees’ Retirement System (CalPERS) invests the contributions to create investment income, which state law authorizes for OPEB expenditures either when a specific bargaining unit’s subaccounts reach 100 percent funding or after July 2046, whichever comes first.

Assessment​

The State has made significant progress to eliminate the basis upon which we identified its OPEB liabilities as a high-risk issue. The State’s prefunding plan is now in its eighth year, with $5.1 billion in assets as of June 30, 2022. The State Controller’s Office annually publishes a report on the status of contributions and the progress toward meeting the State’s liability. This report stated that as of June 30, 2022, the State Controller’s Office expected five of the State’s 23 employee bargaining units to be fully funded by 2046, with the remaining to be fully funded by 2050. According to the Department of Finance, if a bargaining unit does not meet the 2046 goal, the State will continue to pay for OPEB for retirees covered under that unit.

Several factors contributed to our decision to remove the State’s OPEB liabilities from our high-risk list. First, the creation of the prefunding plan and its subsequent implementation represent a change in circumstances that reduces the risk of serious detriment such that it is no longer substantial. When we added the State’s OPEB liabilities to the high-risk list in Report 2006-601, May 2007, no prefunding plan existed and the State relied on funding necessary contributions annually. Further, the State has taken sufficient corrective action by implementing the prefunding plan for several years, thereby demonstrating a strong commitment to controlling the risk created by its unfunded liability. Finally, the State’s progress makes it unlikely that a high-risk audit would result in recommendations leading to a significant reduction in the State’s OPEB liabilities. We are therefore removing this issue area from the state high-risk list; however, we will continue to monitor it as part of our existing Annual Comprehensive Financial Report (ACFR) audit.

Status: Removed from high-risk list​

The responsible agencies did not provide a response.


PUBLIC HEALTH HAS MADE SUFFICIENT PROGRESS IN IMPLEMENTING OUTSTANDING RECOMMENDATIONS​

Background​

The California Department of Public Health’s (Public Health) mission is to advance the health and well-being of California’s diverse people and communities. Among other things, Public Health is responsible for protecting people from environmental health issues such as lead poisoning, ensuring that patients in hospitals and skilled nursing facilities receive adequate care, and reducing health and mental health disparities among vulnerable and underserved communities.

We designated Public Health as a high-risk agency in Report 2006-601, May 2007. Since that time, we have maintained its designation as a high-risk agency because of a variety of concerns, including the large number of public safety-based recommendations that it had not implemented.

Assessment​

Public Health has made sufficient progress to eliminate the basis for the concerns on which the State Auditor identified it as high-risk. In Report 2017-601, January 2018, we reported that Public Health had not implemented 22 recommendations from various previous reports; we further noted that the conditions that occasioned those recommendations could still pose a substantial risk of the loss of life, significant injury, or a broad reduction in Californians’ overall health or safety. In Report 2019-601, January 2020, we reported that Public Health had made progress in this area: as of November 2019, it had only 11 unimplemented recommendations older than one year, three of which it indicated it would not implement. Currently, the department has only a limited number of outstanding recommendations, which we discuss below:

  • Skilled Nursing Facilities: Absent Effective Oversight, Substandard Quality of Care Has Continued, Report 2017-109, May 2018: In this audit of skilled nursing facilities, we concluded that Public Health had not fulfilled many of its oversight responsibilities meant to ensure that nursing facilities meet quality‑of‑care standards. For example, we found that Public Health had made inconsistent licensing decisions and had not issued citations for facilities’ noncompliance with federal and state requirements in a timely manner. As a result, we made three recommendations to Public Health. As of September 2022, Public Health had partially implemented two of three recommendations and had one recommendation we rated as pending implementation.
    As part of our current high-risk assessment, we reviewed the status of these three recommendations. Our assessment determined that the department has fully implemented one recommendation, which required an upload of inspection findings to a database called Cal Health Find. This upload increased public transparency related to deficiencies at skilled nursing facilities and thereby improved oversight. We also noted that Public Health has generally continued to improve in its issuance of timely citations resulting from inspections of nursing homes, thereby making substantial progress in its implementation of a second recommendation. Finally, Public Health has partially implemented the third recommendation, which involves defining a process for facility application review to ensure that an applicant has demonstrated compliance with state and federal recommendations.
  • Childhood Lead Levels: Millions of Children in Medi-Cal Have Not Received Required Testing for Lead Poisoning, Report 2019-105, January 2020: In this audit, we reported that millions of children in California had not received required lead poisoning testing and made seven recommendations to address the problems we had identified. Public Health subsequently implemented six of these recommendations. However, in our update on outstanding recommendations, Report 2022-041, January 2023, we reported that Public Health had not finished developing its lead evaluation regulations, the remaining recommendation from the January 2020 report. 8 We intended this recommendation to better ensure that children with lead poisoning are identified and treated.
    As part of our current high-risk assessment, we reviewed Public Health’s status on the implementation of this recommendation. As of July 2023, Public Health had finalized one package of draft regulations that focus on risk factors for lead poisoning. It expects to obtain external approval of these regulations by October 2023 from the California Health and Human Services Agency and by December 2023 from the Department of Finance. Public Health is still working to incorporate a new federal blood lead reference value into its regulatory package.
  • Youth Suicide Prevention: Local Educational Agencies Lack the Resources and Policies Necessary to Effectively Address Rising Rates of Youth Suicide and Self Harm, Report 2019-125, September 2020: In this audit, we issued 23 recommendations to 10 entities, and one of our recommendations was to Public Health. Our report found that it had not established a program to support the development of school-based health centers to increase student access to health and mental health professionals as required by a 2007 law. In October of 2022, Public Health provided our office with an update on its efforts to implement our related recommendation and reported that it had worked with the School‑Based Health Alliance to obtain additional information and evaluate the resources needed to develop a public school health center support program. However, Public Health has been unable to identify funding opportunities to establish the program. The review we conducted as a part of this high-risk assessment found that Public Health has still not been able to secure the necessary funding to establish the program.
  • Hospice Licensure and Oversight: The State’s Weak Oversight of Hospice Agencies Has Created Opportunities for Large-Scale Fraud and Abuse, Report 2021-123, March 2022: In this audit, we identified numerous indicators that hospice agencies were engaged in fraud, particularly in Los Angeles County. We also identified a likely large-scale effort to defraud Medicare and Medi-Cal hospice programs. We issued 28 recommendations, one of which was to Public Health. Specifically, we recommended that until the Legislature authorizes Public Health to issue emergency regulations to combat fraud, Public Health should use its existing regulatory authority to increase oversight of hospice agencies. In March 2023, Public Health reported that it was developing emergency hospice regulations to incorporate recommendations from our report and to address stakeholder feedback; it expects to complete this recommendation by the end of 2023.
We based our decision to remove Public Health from our state high-risk list on the significant progress it has made in implementing our recommendations. In doing so, Public Health has demonstrated a strong commitment to controlling the individual risks that we created the recommendations to address. Further, it has implemented corrective actions to mitigate risk to the public.

Status: Removed from the high-risk list​

Public Health’s response


THE STATE HAS MADE SUFFICIENT PROGRESS IN IMPROVING ITS TRANSPORTATION INFRASTRUCTURE​

Background​

The California Department of Transportation (Caltrans) and the California Transportation Commission (Transportation Commission) are generally responsible for ensuring that the State’s highway systems are in good condition. The Transportation Commission is responsible for allocating funds for the construction of highway, transit, and active transportation improvements, such as biking and walking paths, throughout California. Caltrans plans, develops, maintains, and operates the statutorily designated California State Highway System (state system). The state system includes 50,000 lane miles of pavement, 13,200 bridges, 213,000 culverts and drainage facilities, and nearly 21,000 transportation management system assets.

We first designated California’s deteriorating transportation infrastructure as a high‑risk issue in Report 2006-601, May 2007. At that time, we expressed concern about the lack of funding for transportation system upkeep and repairs as well as about the related decline in the condition of the state system because of deferred maintenance. Keeping the State’s transportation infrastructure in good repair is important, because it enhances safety and maintains the useable life of critical state assets. Further, Caltrans has reported that addressing deferred maintenance is more expensive to the State than providing preventive maintenance.

In 2017 the Legislature passed the Road Repair and Accountability Act of 2017 (Road Repair Act) to invest $54 billion over the next decade to fix roads, freeways, and bridges. The Road Repair Act set goals for Caltrans, as Table 1 describes. For example, Caltrans was to fix 500 additional bridges by 2027. The Road Repair Act also increased oversight of Caltrans and of Road Repair Act funds by establishing an inspector general for that agency and by expanding the Transportation Commission’s supervisory role. In our most recent high-risk assessment, Report 2021-601, August 2021, we maintained transportation infrastructure as a high-risk issue area in order to continue monitoring Caltrans’ progress in improving the state system.

Table 1​

Caltrans Is on Track to Meet the Goals of the Road Repair Act​

2027 GOAL2018 REPORT2019 REPORT2020 REPORT2021 REPORT2022 REPORT
Pavement98 percent of pavement in good or fair condition98.96%98.98%98.71%98.69%99.25%*
Culverts90 percent of culverts in good or fair condition90.290.2909090.4
Traffic management systems90 percent of traffic management systems in good condition67.474.67978.877
BridgesFix an additional 500 bridges‡214248496545828
Source: Caltrans annual reports.
Note: The Legislature set a fifth goal related to correcting potholes and cracks in pavement. Caltrans factors the completion of this goal into its pavement metric.
* Pavement conditions for 2022 are projections.
† Information on bridges is presented by fiscal year.
‡ Caltrans and the Transportation Commission have interpreted the goal of fixing 500 additional bridges as meaning 500 more than their average annual repair rate of 114. The numbers indicated are cumulative totals that do not include the prior annual average of 114 each year.

Assessment​

Caltrans and the Transportation Commission have made significant progress toward eliminating the basis on which we identified transportation infrastructure as a high-risk issue. As Table 1 shows, as of 2022 Caltrans had exceeded the goals that the Legislature set for three of four categories and was making progress on the fourth. Caltrans reported that 99.25 percent of the pavement in the state system and 90.4 percent of culverts were in good or fair condition as of 2022. It further reported that it had exceeded the goal to repair an additional 500 bridges. Finally, it was also on track with the fourth goal, ensuring that 90 percent of traffic management systems are in good condition by 2027: 77 percent of these systems were in good repair in 2022.

Caltrans uses a website focused on providing transparency and accountability for the Road Repair Act to publicly report its progress in implementing the goals that the Legislature set. On this website, Caltrans has reported that the number of pavement lane miles it has repaired annually since the passage of the Road Repair Act has increased by 80 percent. It has further reported that its annual repair of linear feet of culverts in the same time period increased by about 700 percent. Caltrans has also reported on the Road Repair Act funds it has invested in projects to date, on the status of such projects, on the number of jobs the act has created—more than 225,000—and on the other effects that the additional funding has had for Californians.

According to Caltrans, the funding provided by the Road Repair Act will be sufficient to meet the act’s goals. In addition, the Road Repair Act requires Caltrans to implement efficiency measures with the goal of generating at least $100 million per year in savings, which Caltrans reported it has exceeded. Since fiscal year 2017–18, Caltrans has reported savings of between $133 million and $340 million annually through cost avoidance, new construction management practices, and other efficiencies. For example, Caltrans transitioned from painted stripes to new materials that last six times longer, resulting in $34 million in ongoing savings. Caltrans invests these savings in the maintenance and rehabilitation of the state system. Further, Caltrans has reported that many of the efficiencies it has created will prevent future construction delays, have positive environmental effects, or increase safety.

We based our decision to remove transportation infrastructure from our high-risk list on several factors. First, the additional funds provided by the Road Repair Act represent a change in circumstances that, due to their extensive and ongoing nature, reduce the risk of serious detriment such that it is no longer substantial. When we added transportation infrastructure to the high-risk list in Report 2006-601, May 2007, such a funding plan did not exist and the State’s infrastructure was slowly deteriorating. Further, as we have demonstrated above, Caltrans and the California Transportation Commission have taken sufficient corrective action by improving the state of transportation infrastructure, thereby demonstrating a strong commitment to mitigate the risk. Moreover, the Road Repair Act created an inspector general—who conducts a variety of compliance audits on the use of Road Repair Act funds each fiscal year—to provide increased oversight to Caltrans.

Status: Removed from the high-risk list​

CalSTA’s response


CDCR IS MAKING PROGRESS IN IMPROVING ITS HEALTH CARE DELIVERY​

Background​

The California Department of Corrections and Rehabilitation (CDCR) operates all state adult prisons, oversees a variety of community correctional facilities, and supervises incarcerated adults and adults released to parole supervision. CDCR operates 33 institutions and, as of June 2023, housed about 96,000 incarcerated people. The department has a constitutional duty to provide its incarcerated population with health care.

In 2005 a federal court found that CDCR’s health care system violated the U.S. Constitution’s prohibition against cruel and unusual punishment. The court found that this resulted in significant harm to the State’s prison-incarcerated population. To remedy the inadequate health care CDCR was providing, the court appointed a federal receiver (receiver) to take control of CDCR’s health care system until it was constitutionally adequate. In Report 2006-601, May 2007, we added CDCR’s provision of health care to incarcerated people as a high-risk issue to the State. Since that time, we have tracked the progress CDCR has made in providing constitutionally adequate care in part by reviewing the number of institutions the receiver has delegated back to CDCR’s oversight.

Assessment​

Since our last assessment, Report 2021‑601, August 2021, the receiver delegated health care at an additional institution—Wasco State Prison—back to CDCR’s oversight. This brings the number of institutions for which the receiver has returned control of health care to CDCR to 20, or 59 percent of its facilities. Figure 2 shows a timeline of the receiver’s delegation of health care at institutions back to CDCR. The receiver is currently considering whether to delegate another institution back to CDCR in 2023.

Figure 2​

The Federal Receiver Has Recently Returned to CDCR’s Care Control of More Institutions​


A timeline bar chart shows all CDCR’s institutions transferred to the receiver’s care in 2005, and some of them returning to CDCR’s care beginning in 2015.


Source: CDCR reports and documentation.

Figure 2 description:​

A bar chart shows two columns per year beginning in 2004, one column shows the institutions under CDCR’s care and the second one institutions under the receiver’s care. CDCR transferred care of all institutions to the receiver in 2005. The receiver returned one institution to CDCR’s care in 2015, a total of nine by 2016, and 20 by 2022. The chart also shows an increase in the total number of CDCR institutions from 32 in 2004 to 35 in 2015, and a reduction to 33 in 2022.

OIG Medical Inspection Cycles​

OIG performs medical inspections in cycles. During each cycle, OIG inspects the medical care delivered at every CDCR adult institution. Afterward, OIG publishes a report of its results for each institution. Once all institutions have been reviewed, OIG begins a new cycle. It is currently performing Cycle 7 reviews.
Source: OIG website.
In addition to the receiver’s returning an additional institution to CDCR’s care, the Office of the Inspector General (OIG) whose functions are described in the text box, has improved the rate at which it performs medical inspections and produces reports. Because the receiver must consider OIG’s reports on the adequacy of the health care an institution provides when determining whether to delegate responsibility for that institution back to CDCR, delays in the completion of OIG’s reports could impede the receiver’s ability to return institutions to CDCR’s care.

Our last high‑risk assessment reported that OIG had not finished performing its Cycle 6 reviews, which it began in 2019, and that it had issued reports for only nine of 35 institutions (26 percent) as of June 2021. However, as Figure 3 shows, OIG had issued medical inspection reports for 30 of 34 institutions (88 percent) and commenced its Cycle 7 inspections as of June 2023. In its 30 Cycle 6 inspection reports, OIG concluded that the health care provided at 21 institutions (70 percent) was adequate during the inspection period. This presents an improvement over the prior cycle, when OIG found 57 percent of the institutions provided adequate health care.

Figure 3​

OIG Has Made Significant Progress in Completing Its Cycle 6 Inspection Reports​


Two pie charts showing that OIG issued 26 percent of reports by June 2021 and 88 percent by June 2023


Source: OIG reports.
* We include the California Correctional Center inspection report in this tally since OIG completed that report. The California Correctional Center permanently closed in June 2023.

Figure 3 description:​

The figure consists of two pie charts. The first pie chart show the OIG issues nine reports by June 2021, 26 percent of the total. A second pie chart shows the OIG issues 30 reports by June 2023, 88 percent of the total.
CDCR has made significant cumulative progress to eliminate the basis upon which we identified it as high risk. We based our decision to remove CDCR from the high-risk list primarily on two factors. First, CDCR has made significant progress in providing constitutionally adequate care, with the receiver having delegated 20 of CDCR’s facilities back to its control. Further, OIG is now providing increased oversight, so it is unlikely that a high-risk audit of CDCR’s health care delivery would result in recommendations leading to additional significant changes in the department’s provision of constitutionally adequate care.

Status: Removed from the high-risk list​

The agency did not provide a response.





We prepared this report under the authority vested in the California State Auditor by Section 8546.5 of the Government Code.

Respectfully submitted,

GRANT PARKS
California State Auditor

August 24, 2023


Staff:
John Lewis, MPA, CIA, Audit Principal
Nick Phelps, JD, Senior Auditor
Cecilia White, MPPA

Data Analytics:
R. Wade Fry, MPA
Grant Volk, MA, CFE

Legal Counsel:
Natalie Moore

RESPONSES TO THE AUDIT:

The California Governor's Office of Emergency Services (CalOES)​

August 4, 2023

Grant Parks
California State Auditor
621 Capitol Mall, Suite 1200
Sacramento, CA 95814

Dear Mr. Parks,

The California Governor’s Office of Emergency Services (Cal OES) received the California State Auditor’s (CSA) High Risk Assessment 2023-601 redacted Draft Report on July 31, 2023, via encrypted email. Cal OES appreciates the opportunity to review and comment on the 2023 High Risk Assessment. Cal OES’s comments are solely on the section titled, “[Redacted] Aging Water Infrastructure Threaten California’s Water Supply and Public Safety.”

The CSA’s Report states: “Since our last assessment in 2021, [Redacted] However, Emergency Services’ approval of emergency action plans lags behind. Emergency Services has only approved emergency action plans–which outline action to be taken during an emergency to minimize or eliminate the potential for loss of life and property damage-for 419 of the nearly 900 dams required to submit such plans, or about 48 percent.”

Cal OES has consistently met the deadlines in statute for reviewing submitted emergency action plans (EAPs) and will continue to work closely with dam owners on their EAPs so they are not only complete, but also effective for dam owners and affected public safety agencies downstream. In addition, Cal OES has created tools to assist dam owners in completing their EAPs including a template, review tool, and example of an acceptable plan.

The CSA’s Report states: “Although this number represents progress–an increase from the 107 approved plans in 2021–it will take several years at the current rate of approval for the State to have clear emergency plans in place for all dams that require them. Further, there are 121 dams without approved emergency plans [Redacted] having Extremely High downstream hazard ratings, indicating a risk of considerable loss of human life.”

Cal OES approved 312 EAPs for the two-year period of 2021 to 2023. That’s an increase of 292% from the 107 EAPs approved since CSA’s last assessment in 2021. Furthermore, of the mentioned 121 Extreme High Hazard (EH) EAPs, 72 are either currently under review or have been reviewed at least once, returned, and Cal OES is awaiting resubmission. Additionally, another 41 EAPs belong to dam owners that have more than one EAP to submit. Experience dictates that once these owners have completed a satisfactory EAP, their subsequent submittals will be better quality and in relatively rapid succession.

Existing law does not establish a deadline for the dam owner to resubmit an EAP returned for correction. Cal OES’s historical practice has been to reach out to the dam owners after six months of no contact. Cal OES will reduce the time of follow-up to one month, and each month thereafter until the corrected EAP is resubmitted.

Lastly, the CSA’s Report states “…the large number of emergency action plans yet to be approved by Emergency Services shows that sufficient corrective action has not yet occurred.”

Cal OES has taken significant corrective actions and continues to work on EAP approvals. Cal OES anticipates the tools we’ve developed, current approval processes, and administrative changes in the timing and frequency of outreach will reduce the number of outstanding EAPs.

Cal OES appreciates the assistance and guidance offered during CSA’s assessment. If you have additional questions or concerns, please contact Ralph Zavala, Cal OES Internal Audits Office Chief, at (916) 845-8437.

Sincerely,

Original PDF copy signed

NANCY WARD
Director

c: Ralph Zavala, Chief, Internal Audits Office



CALIFORNIA STATE AUDITOR’S COMMENT ON THE RESPONSE FROM THE CALIFORNIA GOVERNOR’S OFFICE OF EMERGENCY SERVICES​

To provide clarity and perspective, we are commenting on the response to our assessment from CalOES. The number below corresponds with the number we have placed in the margin of the response.

Although we indicate that CalOES has made some progress in approving emergency plans on page 21, 121 dams with extremely high downstream hazard ratings—indicating a risk of considerable loss of human life—still lack approved plans.






The California State Transportation Agency​

Date: August 4, 2023

To: Grant Parks
California State Auditor

From: Carlos Quant
Deputy Secretary, Budget and Administration
California State Transportation Agency

Subject: California State Transportation Agency Response to 2023-601—State High-Risk Assessment

To Whom it May Concern:

CalSTA concurs with the Auditor’s findings. This decision is a testament to the substantial progress Caltrans, the California Transportation Commission and our partners have made as we work together to improve our state’s critical transportation infrastructure. This progress has been especially noteworthy since the passage of Senate Bill (SB) 1, the Road Repair and Accountability Act of 2017 – landmark legislation that ushered in a new era of infrastructure investment to rebuild California. Our elected officials and the people of California entrusted us with their hard-earned tax dollars to upgrade the state’s aging infrastructure, and we have delivered and will continue to make good on that trust. Coupled with Governor Newsom’s infrastructure streamlining package and a $15 billion investment in clean transportation infrastructure, along with recent increased federal infrastructure funding, our state is in an incredible and unique position to keep making progress and accelerate our transition to a cleaner, safer, more equitable and more connected transportation system that benefits all Californians.

Please contact Carlos Quant with any questions at Carlos.Quant@calsta.ca.gov.

Thank you,

Carlos Quant
Deputy Secretary, Budget and Administration






The California Department of Public Health​

August 4, 2023

Grant Parks
California State Auditor
621 Capitol Mall, Suite 1200
Sacramento, CA 95814

Dear Mr. Parks:

The California Department of Public Health (Public Health) thanks the California State Auditor for the opportunity to comment on its draft report of the updated assessment of high-risk issues faced by the State and select State agencies.

Public Health appreciates that CSA acknowledges the signficant progress we have made to eliminate the concerns that initially identified us as a high-risk department. Removal from this list represents great efforts made by numerous Public Health programs and employees to adopt previous audit recommendations and implement corrective action to control risk to the public.

We take seriously our charge to advance and protect the health and well-being of California’s diverse peoples and communities and have worked to quickly address recommendations that could pose a risk to residents’ overall health or safety.

Public Health understands we still have a limited number of outstanding recommendations and commit to continuing to fully implement these. We will report our progress to the State Auditor at the designated time intervals.

Thank you for the opportunity to respond to the assessment. If you have any questions, please contact Rob Hughes, Deputy Director, Office of Compliance, at (916) 306-2277.

Sincerely,

Tomás J. Aragón, M.D., Dr.P.H.
Director and State Public Health Officer






The California Department of Technology​

August 3, 2023

Grant Parks (via GovOps Agency Secretary Amy Tong)
California State Auditor
621 Capitol Mall, Suite 1200
Sacramento, CA 95814

SUBJECT: 2023-601 – STATE HIGH-RISK UPDATE – INFORMATION SECURITY AND STATE IT PROJECTS

Dear Mr. Parks:

The State’s Information Security Remains a High-Risk Issue:

The California Department of Technology (CDT) acknowledges that statewide information security faces significant risks, given the increasingly complex and sophisticated cyber threat landscape. This year has witnessed a remarkable increase in the frequency and sophistication of cyber-attacks globally – greater than those that occurred in the last five years combined. In response to these heightened threats, we coordinated with State and Federal partners to significantly enhance State cybersecurity resiliency measures. As a result, annually the enhanced measures have successfully deterred more than 300 confirmed attacks and mitigation of vulnerabilities. The CDT oversight program is fully modernized to focus on supporting reporting Agencies with operational resiliency to respond to modern cyber-attacks.

The California State Auditor’s (CSA) high-risk audit focused on a subset of the CDT efforts and failed to acknowledge how CDT baselines risk and actions performed to enhance statewide maturity and resiliency. The CSA referenced 52 reviews underway. These reviews are the CDT Information Security Program Audits (ISPA) that audit the highest-risk departments against policy compliance measures. In addition, we provide tailored help to entities and remediate gaps for the remaining lower-risk departments.

The CDT employs a thorough approach to assess and strengthen the security of all State entities. This comprehensive approach involves the Information Security Program Audits (ISPA), Independent Security Assessments (ISA), attack surface analysis, and the National Cybersecurity Review (NCSR). In addition to these compliance baseline measures; the CDT has evolved its oversight program to support departments addressing any identified issues. This program provides remediation assistance through consultative advisory services to help departments manage internal risks. The CDT has expanded its services 24 by including seven continuous threat detection and response services for the internal networks of the least resilient departments identified through this oversight approach. Through this program, the CDT can ensure a higher level of statewide protection.

The CSA references 52 of 107 entities reviewed in a four-year period. These audits are solely focused on high-risk entities as determined by CDT. The remaining entities which are in the low-risk pool are scored using ISAs, the external attack surface baselines, NCSR, and a comprehensive review of their risk remediation plans. Both entity types receive remediation services through programs within our advisory, with tailored hands-on guidance, continuous monitoring of their internal networks, and other operational services provided within our California Cybersecurity Integration Center (Cal-CSIC).

The objective is to provide a clear outline of the oversight program designed to measure risk within the CDT framework. The program specifically covers eight state agencies under the Executive Branch, and several un-affiliated and independent state agencies, totaling 139 unique entities:

  • The program conducted policy audits for 61 unique departments.
    • More than 85 audits were conducted, considering re-audits and departments that received progress check-ins.
  • A total of 250 technical vulnerability assessments were performed, with 121 unique departments receiving technical vulnerability assessments. A subset of these departments receives an audit due to their high-risk nature.
  • The program generated 115 unique NCSR scores.
  • Additionally, 139 baseline attack surface scores were calculated.
cdt_response_graphic.png

As CDT baselines entities through oversight measures by aligning operational efforts to build in resiliency to help them with protective measures.

  • Over 30 resource-constrained departments are receiving continuous internal and wide area network (WAN) monitoring utilized by all departments.
  • Implemented a Vulnerability Disclosure Process and remediated over 50 external risks.
  • The advisory services team conducted over 240 tailored workshops providing internal and hands-on assistance to remediate risk for departments.
  • Delivered 18 policies and standards and 70 example templates for departmental internal use.
  • Established the Technology Stabilization Fund to help departments with stabilizing critical services.
  • Expanded staffing within advisory services by seven to help with independent organizations such as the referenced California Public Employees’ Retirement System (CalPERS), California State Teachers’ Retirement System (CalSTRS), and the State Controller’s Office (SCO).
  • Established incident response teams with CDT and Cal-CSIC to minimize the impact of cyber incidents and provide rapid recovery for affected departments such as the referenced Department of Finance (DOF) incident.
As we continue to evolve our protective measures, as exemplified above, we observe an approximate four percent increase in maturity of the 107 departments under our authority using audits, assessments, or a combination thereof.

The frequency and sophistication will continue to increase, and new technology will continue to expand the threat landscape. As the threat landscape continues to evolve, CDT will adapt its oversight program to encompass standards, advisory, and operational measures. We appreciate input from CSA on any aspect of our measures. The CDT takes a holistic, risk-based approach to oversight and remediation, as focusing on policy reviews and audits alone is not sufficient.

CDT Has Not Made Sufficient Progress in its Oversight of State Information Technology Projects:

CDT’s Project Approval Lifecycle (PAL) process is a robust and rigorous planning process designed to mitigate the risk of failed IT projects and protect the State’s technology investment. CDT asserts that the PAL process and subsequent project oversight functions have significantly improved project outcomes. CDT provided data to the CSA in response to the CSA’s 2022-114 audit indicating the current project outcomes are at or positively above industry benchmarks for IT projects as follows: The Department of Technology conducted an analysis in 2018 in response to a Legislative Analyst Office (LOA) request.

We compared the State of California project outcomes of 178 I projects to the Standish annual CHAOS report of 2014 as follows:

2007 - 2017California StateIndustry Average
Successful Projects28%16.2%
Challenged Projects63%52.7%
Failed Projects9%31.1%

CDT has since updated our analysis: Comparison to the 2020 Standish Group Report shows the following:

FY 2018 – FY 2022California StateIndustry Average
Successful Projects67%31%
Challenged Projects33%50%
Failed Projects0%19%

CDT attributes this improving trend to a higher quality planning, improvements to the oversight process since 2017, and early escalation of issues to state entity leadership when required.

The PAL planning process is scalable based on the IT project's business and/or technical complexity. This means that the more complex a project is, the more planning is needed. The CSA did not include information provided by CDT about all factors that contribute to the time duration of the PAL process, some of which are outside the CDT control, including the annual budget process, changes in state entity business priorities, funding availability, skills and experience of the department staff, and the quality of the state entities planning documents. The CDT has experienced PAL durations as short as 36 days.

In March 2023, the CDT made improvements in the PAL process in response to a yearlong improvement effort and evaluation via interviews of various stakeholders, including three Agencies, 12 Departments, the Legislative Analyst Office, the Department of Finance, and external experts from the Project Management Institute and Sacramento State University. The objectives achieved were reducing burdensome pain points, processes that adapt to various project management methodologies, streamlined processing, challenge-based procurements, and ADA compliance.

As part of CSA’s audit, the team reviewed CDT's oversight of four IT projects and found that although three were identified that required immediate corrective action, CDT had not used its authority to ensure the problems were resolved.

  1. CWS-CARES
  2. Caltrans TAMS
  3. DMV DxP
  4. FI$Cal
We consider the CSA’s conclusion flawed as only one of these projects has achieved completion. CDT takes a collaborative approach to oversight, working with Departments to mitigate unplanned project risks and implement formal and informal corrective action plans. CDT may take various actions as detailed in the IT project oversight framework SIMM 45, including escalation of risks and issues identified in the oversight reporting, via meetings and verbal and written communications with project directors, project sponsors, and department executives. We may guide and direct departments to pursue their own corrective actions, corrective action plans, or contractual remedies. These measures are exhausted before we pursue the most severe actions to issue a CDT Corrective Action Plan letter or a suspension or termination letter, which are seen as punitive measures.

The auditor noted that CDT issued no corrective action plan letter related to these four projects. However, it does not mean that department corrective action plans or corrective actions were not initiated because of CDT recommendations or escalations.

The Auditor chose four projects from a set of 240 projects and analyzed the performance data provided to the auditor. However, the auditor did not provide information about the effectiveness of project oversight for the remaining 236 projects of the State project portfolio. The details on the effectiveness of project oversight were given only for the four selected projects.

Three of the four projects examined by the auditor [CWS-CARES, DMV DxP, and Caltrans TAMS] have not been completed and are still in progress. The ability to determine whether the original project requirements, as defined by the scope of work, were delivered on time is premature. The fourth project, FI$Cal, is complete and provides large-scale benefits to the state as planned. The conclusions drawn from the remaining three projects should not be used to infer the effectiveness of the planning and oversight work over the entire State project portfolio. In the case of CWS-CARES, currently beginning implementation, significant CDT intervention took place, resulting in major changes in the development planning. Regarding the DMV DxP project, phase-1 implementation was successful. Phase-2 risks were identified, and CDT escalated these to executive management resulting in additional planning activities to address the risks identified in the oversight reports and escalation. For Caltrans TAMS, CDT provided observations, recommendations, and guidance, resulting in the termination of a vendor contract and a currently underway re-procurement.

We remain committed to the ongoing evaluation of the effectiveness of the planning and oversight activities as we continue to explore methods to effectively correlate project planning and oversight efforts to successful project outcomes.

Thank you for the opportunity to respond to your draft High-Risk Review report regarding CDT. Please contact Kirk Marston at 916-208-6896, if you have questions.

Sincerely,

Liana Bailey-Crimmins
State Chief Information Officer and Director
California Department of Technology

cc: Amy Tong, Secretary, Government Operations Agency
Jared Johnson, Chief Deputy Director, California Department of Technology



RESPONSES TO THE AUDIT: (Pg 2 of 2)

CALIFORNIA STATE AUDITOR’S COMMENTS ON THE RESPONSE FROM THE CALIFORNIA DEPARTMENT OF TECHNOLOGY​

To provide clarity and perspective, we are commenting on the response to our assessment from CDT. The numbers below correspond to the numbers we have placed in the margin of the response.

To provide clarity, the draft report to which CDT is responding is not the result of an audit, but rather an assessment of high risk issues and agencies. Our assessment did include a review of recently completed audits, including an audit of the Department of Technology’s strategic planning, information security, and IT project oversight that we published in April 2023. However, because CDT conflates our high-risk assessment with this recently completed audit of CDT, it misses the primary focus of this section of our report, which is that IT security remains a high risk issue—for which CDT is a responsible agency, but not the only agency impacting our high-risk designation. In focusing solely on its own approach, which it believes is thorough, CDT fails to acknowledge the currently limited IT security readiness of the State and the potential costs and impacts of failures in this area. For example, as we note, there have been several high profile data breaches at government agencies including the Department of Finance, CalPERS, CalSTRS, and the State Controller since our last high-risk assessment.

We stand by our concerns related to CDT’s limited capacity to conduct information security audits. At its current capacity, CDT can audit a maximum of 12 percent of reporting entities annually.

We stand by our recent audit, which found that CDT’s oversight of IT projects has been ineffective at addressing risks on complex projects.

The initial analysis CDT references was conducted five years ago, shortly after PAL’s creation, and compares its outcomes with a report from nine years ago. Moreover, CDT did not provide the IT project metrics it cites in response to us during our April 2023 audit.

Despite CDT’s analysis of its own system, it was unable to demonstrate PAL’s effectiveness during our 2023 audit. In fact, although three of the four projects we reviewed required immediate corrective action CDT failed to use its authority to ensure that the associated problems were resolved. Further, CDT did not provide the IT project metrics it cited in its response to our April 2023 audit. Moreover, its response does not provide any context about the number, size, or complexity of the projects it analyzed. Because many of the IT projects CDT approves under the PAL process cost millions of dollars, the State needs to be certain that the process is effective.

In our 2023 audit 23 percent of the agencies that we surveyed, that had used CDT’s PAL process, indicated that they were unsatisfied, or very unsatisfied with it.

CDT’s response focuses on our Report 2022-114, April 2023. Beginning on page 65 of that report, CTD provided a six-page response in which we rebutted 12 items, beginning on page 69.






California Department of Health Care Services​

August 4, 2023

THIS LETTER SENT VIA EMAIL

Grant Parks
California State Auditor
621 Capitol Mall, Suite 1200
Sacramento, CA 95814

RE: RESPONSE TO DRAFT REPORT 2023-601

Dear Mr. Parks:

The Department of Health Care Services (DHCS) hereby submits the enclosed response to the California State Auditor (CSA) draft report number 2023-601, titled, “The California State Auditor’s Updated Assessment of Issues and Agencies That Pose a High Risk to the State”

DHCS appreciates the work performed by CSA and the opportunity to respond to the draft report. If you have any questions, please contact the DHCS Office of Compliance, Internal Audits at (916) 445 0759.

Sincerely,

Michelle Baass
Director

Enclosure

cc: See Next Page

cc:
Jacey Cooper
State Medicaid Director
Chief Deputy Director
Health Care Programs
Department of Health Care Services
Jacey.Cooper@dhcs.ca.gov

Erika Sperbeck
Chief Deputy Director
Policy and Program Support
Department of Health Care Services
Erika.Sperbeck@dhcs.ca.gov

Rene Mollow
Deputy Director
Health Care Benefits and Eligibility
Department of Health Care Services
Lori.Walker@dhcs.ca.gov

Saralyn Ang-Olson, JD, MPP
Chief Compliance Officer
Office of Compliance
Department of Health Care Services
Saralyn.Ang-Olson@dhcs.ca.gov

Wendy Griffe, MPA
Chief
Internal Audits
Department of Health Care Services
Wendy.Griffe@dhcs.ca.gov


Assessment Item 1 Medi-Cal Eligibility: Although it has made some progress, Department of Health Care Services (DHCS) has not adequately resolved issues involving Medi-Cal Eligibility.

DHCS’ Response:


The Centers for Medicare & Medicaid Services confirmed the continuous enrollment requirement is now delinked from the Public Health Emergency (PHE) in the Consolidation Appropriations Act of 2023, (enacted December 29, 2022), and the PHE ended on March 31, 2023. DHCS began the continuous coverage requirement unwinding activities, including the resumption of annual renewals, on April 1, 2023. DHCS is providing counties with a hold-harmless period for the duration of the unwinding period and expects to resume normal county monitoring and oversight activities, to include resumption of county focused review activities and Medi-Cal Eligibility Data System Alert Monitoring on May 1, 2024. These activities will include assessing corrective action plans as warranted based on monitoring and oversight findings.


Assessment Item 2 Mental Health Services Act (MHSA): Additional Audits by the State Auditor would be unlikely to assist in mitigating risks associated with MHSA funds. Accordingly, we are removing DHCS’ oversight of the MHSA as a high-risk issue.

DHCS’ Response:

No response needed.






California Natural Resources Agency​

August 4, 2023

Grant Parks
California State Auditor
621 Capitol Mall, Suite 1200
Sacramento, CA 95814

Dear Auditor Parks,

The Department of Water Resources (DWR) and the California Natural Resources Agency (CNRA) acknowledge receipt of the California State Auditor’s redacted draft state high-risk report section titled “2023-601 DWR – Climate Change and Aging Water Infrastructure Threaten California’s Water Supply and Public Safety”.

DWR and CNRA appreciate the report’s acknowledgment of the effects of extreme weather on California’s communities, economy, and water infrastructure. We also appreciate the report’s acknowledgement of the August 2022 Water Supply Strategy, Adapting to a Hotter, Drier Future, which DWR and CNRA helped to chart. The actions in this strategy aim to modernize water infrastructure to conserve, capture, and store enough water to replenish what is likely to be lost to hotter, drier weather. DWR also appreciates the report’s acknowledgment of the need for additional funding to create a water-resilient future for all Californians.

Thank you again for the opportunity to comment on the draft, redacted state high-risk report.

Sincerely,

Bryan Cash
Assistant Secretary, Administration and Finance
California Natural Resources Agency







The California State University​

August 1, 2023

Mr. Grant Parks
State Auditor
California State Auditor
621 Capitol Mall, Suite 1200
Sacramento, California 95814

Dear Mr. Parks:

Thank you for the opportunity to review and respond to the draft State High-Risk Assessment report. We acknowledge the State Auditor’s plan to remove the affordability of higher education from the high-risk list. College affordability remains an ongoing priority for the California State University.

Sincerely,

Jolene Koester
Interim Chancellor

JK/lm






The Employment Development Department​

August 3, 2023

Grant Parks
California State Auditor
621 Capitol Mall, Suite 1200
Sacramento, CA 95814

Dear Mr. Parks:

Subject: Responses to 2023-601 – State High-Risk Assessment

Thank you for the opportunity to respond to the upcoming state high-risk report 2023-601 relative to the issues impacting the Employment Development Department (EDD). Below are the responses to each issue:

EDD is High Risk Because of Weak Fraud Prevention, Poor Claimant Service, and High Rate of Overturned Eligibility Decisions in its Unemployment Insurance (UI) Program:

Substantial Fraud Risk Exists in EDD’s UI Program

Every Unemployment Insurance system in the country, including California, was overwhelmed with the number of Pandemic Unemployment Assistance (PUA) claims during the height of the COVID-19 Pandemic, and all were impacted by fraud. Based on that experience and the recommendations of the Governors’ EDD Strike Team, the Legislature, the Legislative Analyst Office (LAO), and the California State Auditor (CSA), EDD has one of the nation’s toughest anti-fraud programs, including robust identity and claimant verification. EDD has complied with all CSA fraud audit recommendations (Report 2020-628.2) and has also fully implemented all recommendations in Report 2020-628.1 and EDD anticipates confirmation of the final recommendation as “fully implemented’ by CSA. The Auditor’s risk scenarios in this high-risk report do not reflect the fraud prevention measures in place today and instead reflect outdated challenges that impacted the department at the height of the pandemic. EDD’s significant advancements and enhancements to its fraud prevention and detection measures have proven highly effective in safeguarding benefit payments from fraudsters.

In October 2020, EDD partnered with ID.me to implement its identity proofing and authentication platform, which is used by numerous government agencies. The ID.me services were added to supplement EDD’s existing Identity Alert Process, to validate the identity of the individual filing the UI claim. In January 2021, Thomson Reuters (TR) Government Division fraud detection tools were incorporated into the new claim filing process. Adding the TR cross-check at the start of the process allows for the earliest possible detection of potential fraud and occurs prior to the issuance of any benefit payments. We also work with our sister agency, the California Department of Corrections and Rehabilitation (CDCR) to crossmatch prisoner identifications that may be used in an attempt to obtain UI benefits.

With the use of these tools, as well as the creation of a Fraud Prevention and Detection Section within the UI Branch and the implementation of additional internal fraud prevention measures, from 2020 through 2022, EDD has successfully identified and mitigated attempted fraud schemes and safeguarded nearly $43.4 billion in fraudulent UI benefit payments from being issued. EDD maintains a close review and continuous assessment of its existing fraud prevention measures adjusting to the continuously evolving fraud landscape. Of note, the vast majority of the fraud that occurred during the pandemic was in the PUA program, which ended in September of 2021. As this department and other UI systems around the country have stated, the PUA program lacked the traditional safeguards of the regular UI program.

Along with all the internal enhancements and controls that have been implemented, EDD continues to collaborate with other state agencies and law enforcement entities through a statewide EDD Fraud Task Force. Leading this work is EDD’s Special Counsel, McGregor Scott, an experienced former federal prosecutor, and United States Attorney who is providing independent counsel and expertise in the areas of fraud prevention, detection, and interdiction. Specifically, EDD’s Investigation Division is involved in hundreds of joint criminal investigations with the Fraud Special Counsel and local, state, and federal law enforcement entities in an ongoing effort to identify and prosecute individuals and criminal organizations participating in complex identity theft and fraud schemes.

As it relates to inadequate identification of potentially fraudulent payments, EDD agrees that this has been a contributing factor which led to not only delayed publications of the Annual Comprehensive Financial Report (ACFR), but also modified audit opinions for the state. As indicated in the Department’s response to the California State Auditor’s (CSA) Internal Control Report 2020-1, EDD agreed with the recommendation from CSA on revisiting its methodology for estimating potentially fraudulent payments. EDD has used the knowledge gained during the fiscal year 2019-20 and 2020-21 audits to identify invalid claims more accurately and will be implementing a validation process to ensure multiple levels of review are incorporated.

EDD has been engaging with CSA since April 2023 to ensure that the Department’s understanding of this dataset is in line with CSA expectations. It should be noted that for financial purposes the Department is now of the understanding that all invalid claims need to be assessed, not just those which are potentially fraudulent. Including all improper payments is a major change from prior audit cycles and reinforces the complex nature of quantifying this dataset and accurately incorporating the data results into EDD’s financial statements.

EDD Has Not Provided California Residents with Sufficient Customer Service, Resulting in Significant Challenges to Obtaining UI Benefits

During the COVID-19 pandemic, the contact center experienced its most significant call volume periods, with call volumes in the millions per week.

We agree customer satisfaction with the Unemployment Insurance claim process fell during the pandemic, however, we disagree it remains low. Sixty-Nine percent of customers surveyed in 2022 were completely or mostly satisfied with the application process, up from 67 percent in 2021. We are continuing to assess customer feedback to implement additional improvements, so this data continues to trend in a positive direction.

EDD has made significant improvements to increase the level of service it provides to the citizens of California. For the months following the April 2023 period cited by CSA, the contact center received an average of 169,763 incoming calls from an average of 59,905 customers and answered an average of 68,978 calls; it is estimated that the average customer attempted to contact EDD approximately 2.8 times before speaking with an agent from June 3, 2023, through July 22, 2023. During this same period, the average customer waited approximately 12 minutes and 28 seconds to speak with an agent, a 64 percent improvement from the pandemic. Based on call analysis, there are various reasons customers may call the contact center that do not directly impact the timely payment of benefits. For example, customers may call to inquire about the status of an active appeal, inquire about California Training Benefits, or update their demographic information.

We take CSA audits and recommendations very seriously. According to the CSA, EDD has “Fully Implemented” all contact center enhancements submitted by EDD, in response to Report 2020-128/628.1, and has identified these on the CSA website. The recommendations made by CSA that address contact center issues were thorough and comprehensive, covering data tracking, staff training, analysis, and specific call features. In addition to what CSA recommended, EDD has implemented thirty (30) operational or technological enhancements in the contact center, with additional plans to improve the customer experience. EDD remains committed to improving the overall experience of Californians who require the critical services EDD provides in their most significant times of need. We are the only department in state government with a branch dedicated to Customer and User Experiences.

With respect to the timeliness of first payments, EDD agrees with the importance of timely benefit payments and agrees with CSA’s statement that EDD’s “timeliness has increased since the worst of the COVID-19 pandemic”. EDDs performance has made significant strides, nearing within one percent of the Department of Labor’s (DOL) 87 percent threshold. EDD has identified measures to continue this upward trend trajectory that include monitoring workloads to prioritize cases to meet timeliness standards and developing written questionnaires to address specific eligibility issues, reducing the need for telephone interviews, and facilitating quicker determinations and payment of benefits.

Many of EDD’s UI Eligibility Decisions Are Not Upheld on Appeal

Regarding the EDD Appeals process, it is important to note that a disqualifying decision made by the department does not inherently constitute an improper decision if the decision is later appealed and reversed. EDD is responsible for administering the program and determining eligibility by applying federal and state law and policy to make eligibility decisions based on the information available, as provided by the claimant and the employer. As CSA has noted, a claimant is able to provide new information during their appeal that was not furnished to EDD during the adjudication processes which may result in the reversal of a previous ineligibility.

Additionally, DOL reporting requirements reflect appeal modifications/adjustments as a reversal of the decision. For example, an adjustment of penalty weeks or penalty amounts is considered a non-affirmation decision and reflected as a decision that has been reversed, even though the claimant is still ineligible to receive UI benefits, consistent with EDD’s original decision. Therefore, individuals that have one primary eligibility issue affirmed and remain ineligible may also have two secondary issues modified or adjusted, which will reflect as reversals per DOL reporting requirements; however, the individuals remain ineligible for benefits, per EDD’s original decision.

In other words, CSA is adopting DOLs overbroad "reverse" definition. Again, if a claimant has an overpayment penalty reduced by the Board or they reduce one of the multiple false statements, this is counted as a "reversal" even if the EDDs decision of ineligibility is affirmed. We do not believe this accurately reflects the integrity of EDD’s eligibility decisions.

EDD continues to assess decisions that are reversed to identify ways to improve the adjudication process. This includes attending hearings to provide clarification regarding the Department's decisions and observing and gathering information to identify areas for improvement. EDD has also enhanced the training system to allow for expedient access to materials to ensure employees are fully equipped to apply the law and policy accurately, efficiently, and effectively.

The State’s Management of COVID-19 Federal Funds Continues to Be a High-Risk Issue

In reference to the CSA statement regarding the high risk associated with federal funds and recommendations remaining unimplemented, EDD confirms that as of June 2022, all seven recommendations listed in the Fraud Prevention Report (Report 2020-628.2) have been completed, accepted, and reported as fully implemented or resolved by the CSA.

Late Financial Reporting Continues to Increase Risk to the State

EDD takes seriously its role in contributing to the late publications of the ACFR by the State of California. As has been noted in multiple audit responses, most recently in the Department’s response to the “Federal Compliance Audit Report for the Fiscal Year Ended June 30, 2021” (Report 2021-002), the deferred transition to FI$Cal and the difficulties experienced thereafter have continued to cause EDD to be late with submitting year-end financials. In addition, the onset of the COVID-19 pandemic created additional accounting issues never dealt with before that impacted EDD’s ability to submit timely year-end financials. However, EDD is making progress and continues to gain ground in the Department’s efforts to follow the State’s deadlines for submitting year-end financials.

The Department submitted the last of its fiscal year 2021-22 financials to the Controller’s office in March 2023. For comparison, EDD had submitted its 2020-21 financial statements in July of 2022. Furthermore, shortly after submitting its 2021-22 financial statements to the Controller, EDD quickly began closing out accounting periods within the statewide financial system (FI$Cal) for 2022-23. In a period of approximately 95 days, EDD went from closing out July 2022 to closing out May 2023. As of this date, EDD is actively working on closing out June 2023 with a goal of submitting financial statements to the Controller by December 2023. Although this is still after the state deadline to produce timely financials, it represents another significant year-over-year improvement for the Department.

EDD has accomplished significant advancements in fraud detection and prevention through transformative policy and program changes, new tools and technology, and vital public-private partnerships. The Department appreciates audit feedback and remains open to any additional recommendations that strengthen fraud prevention and accountability for our essential state and federal programs.

Sincerely,

Nancy Farias
Director



CALIFORNIA STATE AUDITOR’S COMMENTS ON THE RESPONSE FROM THE CALIFORNIA EMPLOYMENT DEVELOPMENT DEPARTMENT​

To provide clarity and perspective, we are commenting on the response to our assessment from EDD. The numbers below correspond to the numbers we have placed in the margin of the response.

Although EDD has taken some steps to address fraud, EDD cannot effectively measure the impact of these efforts because it is unable to determine how many improper payments it has made.

Financial reporting standards have consistently required EDD to determine the total amount of ineligible payments it made, regardless of whether the payments related to fraud, and exclude this amount from its reported federal revenue and certain other accounts.

EDD’s own response indicates that nearly one-third of customers surveyed in 2022 were not completely or mostly satisfied with the application process. These results indicate that customer satisfaction remains low and warrants continued efforts by EDD to improve its unemployment insurance claims process—a condition with which EDD appears to agree.

As EDD states in its response, we used the U.S. Department of Labor’s definition for appeal reversals to quantify reversal rates. Using a consistent definition across states and territories allows for a comparison of appeal reversal rates, which shows that California has the third highest rate in the nation of appeal reversals in favor of the claimant.






Financial Information System for California (FI$Cal)​

August 4, 2023

Grant Parks
California State Auditor
621 Capitol Mall, Suite 1200
Sacramento, CA 95814

RE: 2023-601-State High Risk Assessment

Dear Mr. Parks:

We appreciate your feedback and welcome the opportunity to respond to the California State Auditor’s draft for the State High Risk Assessment.

The FI$Cal system remains one of the largest and most dynamic IT projects that California has undertaken in its history, and we are proud of the work that has been accomplished to date.

The FI$Cal system is working for California. It serves as the departmental accounting system for 152 departments and approximately 14,000 users, processing $421 billion in spending each year. The State Treasurer’s Office uses the FI$Cal system to process approximately $3.1 trillion in state government banking transactions annually and the Department of Finance uses the system to prepare the state budget each year. Departments are paying their bills and balancing their budgets every day using the FI$Cal system.

During the onboarding process from fiscal year 2014-15 until 2018-19, when the final and largest group of departments were onboarded and first began transacting and reporting using the FI$Cal system, we knew there was a significant learning curve. Over the past five years, we have seen departments continuously improve in closing years and completing their statements using the FI$Cal system. More than half of the departments met the year-end close deadline for 2021-22 fiscal year and one month later, in September 2022, 82% of departments had submitted their statements. This represented a significant improvement from the 53% in September 2021.

We recognize there are challenges that remain and we are working diligently with departments and our control agency partners to address them. The system becoming the accounting book of record for the state of California will create additional efficiencies that will have positive downstream effects on departments’ abilities to reconcile and submit timely financial statements.

Late Financial Reporting Continues to Increase Risk to the State

There is no prior instance of the state being downgraded solely related to our failure to provide audited financial statements by April 1st and there is currently no reason to believe that this alone, absent other exigent circumstances, would cause the state’s credit rating to be downgraded. The reason for this is that the state frequently provides public updates on the status of its finances. This includes the Department of Finance’s monthly Finance Bulletin, the State Controller’s monthly cash reports, various Legislative Analysis Office reports, the Governor’s budget, the May revision and the enacted state budget. In addition, each time the state issues bonds secured by the General Fund, the state updates its bond disclosure, which contains information on the state’s fiscal condition, including the current budget, revenues, expenditures, reserves, pending litigation, debt obligations, investments, pension obligations, cash management, economy and population. These public updates are provided to ensure that the investment community understands the state’s circumstances.

With the passage of Assembly Bills 156 and 127, we, in collaboration with our partners, will continue our efforts towards making the FI$Cal system the accounting book of record by July 2026. As mentioned previously, the system becoming the accounting book of record for the state of California will create additional efficiencies that will have positive downstream effects on departments’ abilities to submit timely financial statements. This transition will eliminate the need for departments to spend time reconciling their monthly statements with the State Controller’s Office after they have finalized their transactions in the FI$Cal system, effectively reducing the length of time it takes to submit their year-end financial statements. In addition, there has been a significant improvement in the number of departments that have filed their year-end financial statements within 30 days of the deadline. This will continue to improve as departments finalize their internal processes and procedures.

We look forward to continuing our collaboration with customer departments, our control agency partners, the State Auditor’s Office and the Legislature to ensure that the FI$Cal system continues to grow and evolve with the needs of California. We will continue to provide regular updates on our progress; in the meantime, if you have any questions please contact me at (916) 576-4341 or Jennifer.Maguire@fiscal.ca.gov.

Sincerely,

Jennifer Maguire
Director
Department of FISCal



CALIFORNIA STATE AUDITOR’S COMMENT ON THE RESPONSE FROM THE FINANCIAL INFORMATION SYSTEM FOR CALIFORNIA​

To provide clarity and perspective, we are commenting on the response to our assessment from FI$Cal. The number below corresponds to the number we have placed in the margin of the response.

The Department of FI$Cal suggests that the past experience of the State’s credit rating not being downgraded due to late financial statements is an indicator of future results. However, the State’s credit rating has been downgraded in the past for other reasons; for example, in April 2001 the electricity crisis prompted downgrades. Persistent late financial statements do pose a risk that FI$Cal should not brush aside, and that the State should work to mitigate. As we note in Report 2021-039, August 2022, our status report on FI$Cal, the State’s ability to publish accurate and timely financial statements is important for the State to sustain the trust of financial markets and maintain a high credit rating. This helps the state access lower-cost debt. As we further note in that report, late financial statements also create a risk to the State’s access to billions of dollars in federal funding.






Department of Finance​

August 4, 2023

Grant Parks, State Auditor
621 Capitol Mall, Suite 1200
Sacramento, CA 95814

2023-601-State High Risk Assessment

Thank you for the opportunity to respond to the California State Auditor’s State High Risk Assessment draft report. In response to your assessment that the State’s management of COVID-19 federal funding remains high risk, we provide the following comments:

Given recent legislative, administration, and federal actions, the Department of Finance does not agree that the management of the COVID-19 federal funds should continue to be a high-risk issue. In line with our response to the California State Auditor’s State High-Risk Audit Program report, issued August 2021, Finance continues to assert the State’s management of COVID-19 federal funds does not meet the regulatory criterion of presenting a substantial risk of serious detriment to the State or its residents. However, to ensure the proper oversight of the COVID-19 federal funds, in the 2021 Budget, the Legislature approved the establishment of the Federal Funds Accountability and Cost Tracking (FFACT) Unit with several positions within Finance, to track the receipt and expenditure of COVID-19 federal funds provided under the following six federal bills: (1) Coronavirus Preparedness and Response (Public Law 116-123), (2) Families First (Public Law 116-127), (3) Coronavirus Aid, Relief, and Economic Security (Public Law 116-136), (4) Paycheck Protection Program and Health Care Enhancement (Public Law 116-139), (5) Coronavirus Response and Relief (Public Law 116-260), and (6) American Rescue Plan Act (Public Law 117-2). FFACT also provides leadership, direction, training, and support to departments with respect to this funding.
FFACT continues to monitor and oversee the progress of expenditures with the various departments. In addition to this oversight, internal audits are performed to assist in the monitoring of the COVID-19 federal funds by identifying and providing recommendations to address risks. Finally, the Single Audit and the U.S. Treasury’s authority to audit provide additional assurance that the state’s COVID- 19 federal funds are expended appropriately. For example, in the recently concluded desk review of the state’s Coronavirus Aid, Relief, and Economic Security Act Coronavirus Relief Fund (CRF) allocation of $9.5 billion, auditors contracted by the U.S. Treasury Office of Inspector General determined that California’s risk of unallowable use of funds is low and did not recommend California for a full audit. They determined the only expenditure that fell beyond the period of availability for CRF was $6,952 for the third year of a California Department of Public Health software subscription. This was considered immaterial, and Finance made the necessary reporting correction. This result clearly demonstrates that FFACT oversight and coordination with departments has mitigated the risks in managing this federal funding.
If you have any questions or need additional information, please contact Cheryl McCormick, Chief, Office of State Audits and Evaluations, at (916) 322-2985.

Sincerely,

Original signed by
Erika Li

JOE STEPHENSHAW
Director, California Department of Finance



CALIFORNIA STATE AUDITOR’S COMMENTS ON THE RESPONSE FROM THE CALIFORNIA DEPARTMENT OF FINANCE​

To provide clarity and perspective, we are commenting on the response to our assessment from Finance. The numbers below correspond to the numbers we have placed in the margin of the response.

We appreciate the Department of Finance’s perspective on this issue. However, as we noted in August 2021, the purpose of federal COVID-19 funds was to help Californians through a life-threatening pandemic that upended the economy. We found several instances in which these funds were mismanaged by state agencies. For example, in Report 2021-611, we identified $47 million for which several university campuses could have requested reimbursement from other sources, increasing available COVID funds by a like amount. Further, as we note on page 10, the Board of State and Community Corrections allocated funds to CDCR without justification or an allocation methodology that considered important elements such as the impact of the pandemic. Because COVID-19 funds will remain eligible for allocation and expenditure by state agencies through December 31, 2024, the risk of serious detriment remains high, and has not been sufficiently mitigated.

The findings and recommendations in the 11 high‑risk audits we have conducted on this issue area demonstrate the need for oversight though the State Auditor’s high‑risk program. Moreover, since our last review in 2021, an additional $76 billion in COVID-19 funding remains to be allocated and expended by State agencies.

State High-Risk Audit Program The California State Auditor’s Updated Assessment of Issues and Agencies That Pose a High Risk to the State

State High Risk.png

State High-Risk Audit Program The California State Auditor’s Updated Assessment of Issues and Agencies That Pose a High Risk to the State