State High-Risk Audit Program

THE STATE’S MANAGEMENT OF COVID-19 FEDERAL FUNDS CONTINUES TO BE A HIGH-RISK ISSUE​

Background​

As part of its response to the COVID-19 pandemic, the federal government provided the State with nearly $290 billion in relief funds, portions of which must be obligated or spent by December 2024. The effective use of these funds required the State to allocate them to departments quickly and to expedite program changes, including eligibility updates. The State used COVID-19 funds to support programs related to vaccinations, unemployment benefits, housing assistance, and fiscal recovery. State departments received COVID-19 funds to operate more than 35 existing federal programs and to create new state programs, such as the HomeKey program, which provided temporary shelter to people experiencing homelessness or at risk of homelessness during the pandemic. One of the largest recipients of COVID-19 funds was EDD, which used a significant portion of the funds to provide unemployment benefits.

We initially designated the State’s management of federal funds related to COVID-19 as a high-risk statewide issue in August 2020. We based our initial assessment on the confluence of fiscal and programmatic changes that were critical to the State’s response to the pandemic. The State used COVID-19 funds in large part to support significant expansions of critical benefits for people experiencing unemployment, homelessness, and limited income. The rapid growth of programs providing these benefits posed a significant risk to the State and its residents. Specifically, inadequate outreach to people who needed the programs or the flawed execution of expansion efforts would create a risk that Californians would be left without medical care or money to pay for food and housing. Likewise, the swift creation of new programs by state departments posed risks because of the limited time available to implement sufficient internal controls and processes.

To assist in addressing these risks, we performed 11 state high-risk audits related to the management of COVID-19 funds. We found that state departments faced significant hurdles in using this influx of funding to meet the corresponding increase in responsibilities, such as the massive increase in the number of unemployment insurance claims requiring eligibility determinations and the rapid expansion of vendor oversight necessary for programs that provided pandemic-specific goods and services, like personal protective equipment. The scale and expeditious nature of the funding and its uses to provide services led to the high risk of inefficiencies and fraud occurring in programs supported by COVID-19 funds.

In total, our 11 prior state high-risk audits of COVID-19 fund management resulted in 85 recommendations to departments, of which 37 remain unimplemented. For example, our audit of the Board of State and Community Corrections (Board of Corrections) found that the Board of Corrections allocated funds to the California Department of Corrections and Rehabilitation without justification and that its allocation methodology did not consider important elements, such as the impact of the pandemic. The Board of Corrections also failed to make funding available to cities and tribes, even though it had originally committed to do so. We made 10 recommendations to the Board of Corrections in Report 2021-616, October 2021, but as of July 2023, it had only fully implemented three of our recommendations. We will continue to monitor the steps departments take to minimize the remaining risks related to their handling of COVID-19 funds.

Assessment​

The management of COVID-19 funds continues to represent a significant risk to the State and its residents and will therefore remain a high-risk issue. In the previous section, we described our concerns with EDD, one of the largest recipients of COVID-19 funds, which used a significant portion of the funds to provide unemployment benefits. Since our last high-risk assessment in August 2021, at least 14 state agencies have received $76 billion in additional federal COVID-19 funding. State agencies will continue to spend some of these funds through December 31, 2024. This influx of resources represents both a significant benefit and risk to the State, as represented by the extent of our previous findings on the management of federal COVID-19 funding and the status of unimplemented recommendations.

The State continues to spend federal COVID-19 funds, meaning circumstances have not significantly changed. Further, a number of recommendations from our previous reports have not yet been implemented. For instance, we recommended that various university campuses review the expenses they incurred in response to the pandemic and submit eligible expenses to the federal government for reimbursement. We also recommended that the Department of Housing and Community Development develop a strategy it can use in emergency situations to more efficiently complete or amend contracts, and make funding available to recipients. These recommendations have not been fully implemented. Moreover, additional audit work by the State Auditor could assist in mitigating the risks associated with the management of federal COVID-19 funds. As with our 11 previous state high-risk audits on COVID-19 fund management, additional audits of this issue could generate recommendations to ensure that such funds are spent prudently, within acceptable time frames, and in accordance with federal and state requirements. Consequently, we will retain this issue on the high-risk list.

Status: Retained on high-risk list​

EDD's response, Finance's response

LATE FINANCIAL REPORTING CONTINUES TO INCREASE RISK TO THE STATE​

Background​

The accuracy and timeliness of the State’s financial reporting is of vital importance to the State and its residents. A key method the State uses to provide fiscal oversight and transparency is the mandatory Annual Comprehensive Financial Report (ACFR) that the State Controller’s Office (State Controller) prepares. The ACFR is composed of financial statements from the State’s many departments and agencies, which collectively represent the financial position of the State. The report, which includes the State Auditor’s annual opinion of its accuracy, provides an important resource for stakeholders, such as the State’s creditors, to use when making decisions about the State’s ability to borrow money affordably. Further, billions of dollars in federal grants are contingent on the State’s timely filing of the ACFR for federal review.

To support its financial reporting needs, the State has focused significant effort on modernizing its financial management infrastructure through the implementation of a project known as the Financial Information System for California (FI$Cal). The scope, schedule, and budget of this nearly $1 billion information technology (IT) project has undergone numerous revisions since it began in 2005. However, despite nearly two decades of continued effort, many state entities have historically struggled to use the system to submit timely data for the ACFR.

In Report 2019-601, January 2020, the State Auditor added to the state high-risk list the State’s inability to produce timely financial reports during the transition to FI$Cal. At the time, we noted that since fiscal year 2017–18, the State had issued financial statements late, which could affect the State’s credit rating. The COVID-19 pandemic also created new financial complexities that affected the State’s financial reporting, such as the increased pandemic-related spending by the Employment Development Department (EDD) and its Unemployment Insurance fund. In Report 2021-601, August 2021, our assessment of high-risk issues to the State, we noted that the State Controller continued to issue the ACFR late.

Assessment​

The State has not made sufficient progress in addressing late financial reporting; therefore, this issue will remain on the state high-risk list. The State Controller issued the State’s financial statements for fiscal year 2020–21 later than in previous years—twelve months after its traditional deadline and six months after a general extension on financial reporting that the federal government provided because of the pandemic. Further, the State’s financial reporting for fiscal year 2021–22 is already past due. This continued trend of late reporting reduces the efficiency and effectiveness of the State’s financial oversight. The State’s late financial reporting could also negatively affect its credit rating, which could increase the cost associated with borrowing. According to the State Treasurer, the State borrowed $5.6 billion in general obligation bonds in fiscal years 2021–22. Thus, even a small increase in the interest rate, as might happen with a downgraded bond rating, could cost the State millions annually in increased borrowing costs.

In addition to late financial reporting, the State is experiencing a decline in expected revenue. Although its financial reports in fiscal years 2017–18 through 2020–21 reported general fund surpluses, the Governor’s fiscal year 2023–24 budget had to address a budget shortfall of approximately $31.7 billion. Combining late financial reporting with a diminished financial outlook increases the risk that credit agencies will downgrade the State’s credit rating.

The State has made some limited progress in addressing underlying issues that have contributed to its late financial reporting but not enough progress to warrant removing the issue from the high-risk list. As we noted when we designated the State’s financial reporting as high-risk in January 2020, the transition to FI$Cal has been a key component in financial reporting delays. As of 2023, 152 of 162 state departments are now using the FI$Cal system for their financial reporting, with an additional two departments—the California Department of Technology and the Department of Rehabilitation—currently undergoing a two-year transition. Some departments are doing a better job of submitting their financial statements to the State Controller in a timely manner. For fiscal year 2021–22, departments filed year‑end financial statements within 30 days of the deadline for 1,400 funds, or about 80 percent of all the State’s funds. 4

However, as we noted in our internal control and compliance audit Report 2021‑001.1, March 2023, six large departments of material importance to the State’s overall financial reporting did not perform monthly reconciliations of their accounts to the records of the State Controller in a timely manner during fiscal year 2020–21. Moreover, similar to the previous two fiscal years, the Department of Health Care Services (DHCS) did not fully reconcile its banking activity using FI$Cal before submitting its fiscal year 2020–21 financial reports to the State Controller. In fact, DHCS reported encountering significant challenges during its financial reporting, including that its procedures for completing bank reconciliations to FI$Cal were still under development.

The State Controller echoed these concerns in the fiscal year 2020–21 ACFR, published in March 2023, which noted that the transition to FI$Cal has affected financial reporting for several years but also included steps that the Controller is taking to improve financial reporting. The State Controller reported that it is collaborating with other state agencies to understand the root causes of delays and to develop mitigation strategies. The State Controller also explained that its own transition to the FI$Cal system remains underway and that its completion will lead to measurable advancements in financial reporting. Even so, an approved budget change proposal the State Controller submitted in January 2023 indicates that it anticipates only minimal annual improvements to its reporting timeline of between one and two months earlier each fiscal year. However, as of June 2023, the State Controller has indicated that it will seek to move the issuance date of the ACFR closer to its traditional deadline by three months for its reporting on fiscal year 2021–22.

The State has not made sufficient progress in resolving the problem of its late financial reporting to justify our removing this issue from the high-risk list. Financial reporting remains late, meaning there is no change in circumstances, and the State’s planned corrective actions are still in process. Moreover, state law requires the State Auditor to evaluate both the State Controller’s and the Department of FI$Cal’s efforts to implement the system. The result of this statutory audit work will likely further inform our future designations of this issue as an area of high risk.

Status: Retained on high-risk list​

FI$Cal's response, Finance's response, State Auditor's comments to FI$Cal, and State Auditor's comments to Finance

THE STATE’S INFORMATION SECURITY REMAINS A HIGH-RISK ISSUE​

Background​

Information security is the protection of the confidentiality, integrity, and availability of the State’s information assets, including data, processing capabilities, and information technology (IT) infrastructure. State law generally requires state entities that are under the Governor’s direct authority (reporting entities) to comply with the information security practices that the California Department of Technology (CDT) prescribes and to report annually to CDT on compliance with these practices. However, state law exempts entities that fall outside of the Governor’s direct authority (nonreporting entities), such as constitutional offices and those in the judicial branch, from following CDT policies and procedures.

We first identified information security as a high-risk issue in Report 2013-601, September 2013, when we concluded that CDT was performing limited reviews of the security controls that reporting entities had implemented. In a subsequent high-risk audit, Report 2015-611, August 2015, we noted that many reporting entities had poor controls over their information systems. In our state high-risk assessment, Report 2017-601, January 2018, we reported that CDT had made improvements to its oversight but that reporting entities still showed significant room for improvement. Finally, in Report 2021-601, August 2021, we reported that a federally‑sponsored nationwide security review noted that state entities in California self-reported ratings below the federally recommended minimum level.

Report 2022-114, April 2023, reiterated many of our previous concerns with the State’s information security. Our audit found weaknesses in CDT’s strategic planning, oversight of information security and IT projects, and that CDT has not ensured that the State’s IT systems are adequately protected from cyberattacks. This inadequate protection has the potential to compromise individuals’ identities, shut down critical government functions, and cost the State millions of dollars to remedy.

Assessment​

CDT has not sufficiently improved its oversight of information security to mitigate the risks we have identified; therefore, this issue will remain on the state high-risk list. CDT is responsible for providing direction for the State’s information security efforts and for reviewing the security of reporting entities. However, CDT has yet to determine the effectiveness of cybersecurity programs for all of the entities for which it has oversight responsibility. To determine the effectiveness of information security for reporting entities at higher risk, CDT relies on a four-year oversight lifecycle. This process generally includes a compliance audit, a follow-up review, and two technical assessments. However, as we said in Report 2022-114, April 2023, CDT has the capacity to complete only 13 compliance audits each year, which equates to only 52 reviews of reporting entities during a four-year cycle, or not quite half of the 107 reporting entities for which it is responsible.

To prioritize its compliance audits, CDT uses a risk-based methodology to determine the 52 entities it has the capacity to audit. However, we are concerned about CDT’s limited capacity. Our previous audits have recommended that CDT increase its capacity to conduct its IT audits by hiring more staff or contracting for additional audit support. In March 2023, the Legislative Analyst’s Office raised a similar concern about limited capacity, noting that resolving staffing-related issues in information security is important if state entities are to improve their information security compliance and maturity. However, CDT explained that it does not have any immediate plans to hire additional staff or contractors. Instead, CDT reports that it hopes to find increased efficiencies through a new IT system, which does not currently exist, that would allow CDT to more efficiently conduct its audits.

In addition, most nonreporting entities are also lagging behind in information security. We evaluated nonreporting entities’ compliance with their selected security standards in 2021. As Figure 1 illustrates, we surveyed 32 nonreporting entities for Report 2021-601, August 2021, and found that although 29 had adopted information security frameworks or standards, only four reported achieving full compliance.

Legislation that went into effect in January 2023 implemented our recommendation to improve the security of nonreporting entities. Nonreporting entities are now required to perform a comprehensive, independent security assessment every two years and to certify their compliance with certain security requirements annually. We will continue to monitor reporting and nonreporting entities’ efforts to improve their security; however, information security continues to present a significant risk to the State.

Figure 1​

In 2021 Most Nonreporting Entities Stated That They Were Only Partially Compliant With Their Selected Security Standards​

Source: Analysis of survey responses, Report 2021-601, August 2021.

Figure 1 description:​

A pie chart shows 32 nonreporting entities by their compliance status with their selected security standards. The chart shows that three entities reported having not adopted framework or standards, 19 entities reported partially complying, and four entities reported having fully complied with all of their selected security standards.
Vulnerabilities in the State’s information security practices can have costly effects on the efficiency and effectiveness of State programs and can affect the privacy of Californians’ data. For example, in December 2022, the Department of Finance fell victim to a cyberattack that was widely reported in the media. In 2021 an employee at the State Controller’s Office unknowingly interacted with a malicious link that appeared to come from a trusted source, thereby providing a hacker with such confidential information as the names, Social Security numbers, and birth dates of state employees. Further, in 2023 data maintained by a CalPERS and CalSTRS contractor was breached, resulting in unauthorized access to confidential information related to retirees and their family members. It is likely that attempts against governmental information assets will only increase in the future. CDT has reported that in the wake of the pandemic, the cybersecurity threat nearly quadrupled in the sophistication of attacks by nation-state adversaries and criminal organizations.

Because cybersecurity threats are significant and oversight of state departments and agencies remains inadequate, we will retain this issue on the high-risk list. The State continues to need improvements in its cybersecurity practices, and although state entities are giving increasing attention to cybersecurity, they have not substantially mitigated the ongoing risk from inadequate information security technology practices. Finally, additional audit work by the State Auditor could assist in mitigating the risk presented by this issue area. For example, the State Auditor could continue to audit CDT and other entities as necessary to determine their compliance with state law and best practices related to cybersecurity.

Status: Retained on the high-risk list​