Report 2023-039
December 14, 2023

Financial Information System
for California
FI$Cal Status Letter

December 14, 2023
2023-039

The Governor of California
President pro Tempore of the Senate
Speaker of the Assembly
State Capitol
Sacramento, California 95814

Dear Governor and Legislative Leaders:

This report continues our office’s monitoring of the Financial Information System for California (FI$Cal). Since 2006 the State has endeavored to implement FI$Cal, a single information technology system that would unify the State’s accounting, budgeting, cash management, procurement, and other operations. However, the State has not fully implemented the system, and 10 departments—which the Department of FISCal (department) is required to onboard to the system by 2032—have not yet transitioned to using FI$Cal. Two recent developments have shaped the direction that the department and the State Controller’s Office (SCO) must take to achieve their goal of making FI$Cal the State’s accounting book of record—which state law defines as the central accounts maintained by the SCO and used in the preparation of financial statements, including the Annual Comprehensive Financial Report (ACFR).

The first key development occurred in July 2021, when the department reported that it released a significant update to FI$Cal functionality that made it possible for FI$Cal to generate versions of the Budgetary/Legal Basis Annual Report (BLBAR) and the ACFR alongside the reports produced by SCO’s legacy systems. The SCO’s acting chief operating officer clarified that this update generated parallel versions of the reports needed to populate the SCO’s existing publishing software that then produces the BLBAR and ACFR. This update was an important development, because it allowed the SCO to ensure that the data captured in FI$Cal aligned with the data in its legacy systems. According to the acting chief operating officer, the SCO is in the process of testing the accuracy of the parallel version of these reports.

The second key development occurred in September 2022 when the Legislature declared that the objectives for the FI$Cal project had been achieved for reporting purposes. At the same time, the Legislature required the SCO to take steps to migrate the State’s accounting book of record to FI$Cal and for the department to complete specific tasks related to the system. The text box lists the activities the department now must complete, which are referred to as roadmap activities. The Legislature required our office to monitor the system and to report annually on the SCO’s and the department’s progress in completing their respective activities. The Legislature’s passage of AB 127 (chapter 45, statutes of 2023) provided the SCO with additional time—until December 31, 2023—to identify the requirements and expected timeline for transitioning to FI$Cal, thus limiting our ability to comment on the SCO’s activities in our 2023 monitoring report. Nevertheless, we noted the following:

Key Observations

  • The SCO is developing the interface requirements for the accounting book of record’s migration to FI$Cal. State law requires the SCO to complete this task by December 31, 2023. We anticipate evaluating the SCO’s efforts to execute its planned FI$Cal transition activities in a subsequent update.
  • The department can plan more effectively to address all of the roadmap activities by July 2032. The department has not defined success criteria for most of the roadmap activities, nor has it developed long-term plans for completing those activities by statutory deadlines. Instead, the department has planned incrementally, planning its projects to address the roadmap activities over a limited period. Its primary planning document is an 18-month portfolio covering January 2023 through June 2024, leaving a significant number of years unaddressed.
  • The department must continue working to ensure that FI$Cal is secure. It has implemented 21 of the 29 cybersecurity capabilities included in the Governor’s Cal-Secure plan, but it is still working to enhance six of those 21 capabilities. The department reported that it is addressing its highest‑risk security weaknesses and that the department has identified target dates to remediate all but one of the other items.
  • The department continues to work to enhance FI$Cal, prioritizing projects by the expected benefit. It reported in June 2023 that it completed five enhancements involving procurement, accounts payable, and small business/disabled veteran business enterprises.

Because FI$Cal cannot yet serve as the accounting book of record, the Legislature required that the SCO meet specific deadlines for migrating from its legacy systems to FI$Cal. The text box shows the activities the SCO must complete and their deadlines. The Legislature had originally set earlier deadlines for these activities (July 1 and March 1, 2023, respectively), but in July 2023, it extended those deadlines to the end of December 2023. To help it fulfill these responsibilities, the SCO contracted with a vendor to develop a three-year project plan that defines an integrated strategy for migrating the State’s accounting book of record to FI$Cal. The SCO’s acting chief operating officer, who is responsible for coordinating activities between the SCO and the department, stated that the SCO continues to work with the department to finalize the necessary interface and system requirements for the migration. According to the SCO’s acting chief operating officer, the State Controller is committed to meeting all deadlines in state law and has already taken several steps to meet these deadlines. The SCO provided us with a copy of the plan it had developed, but in late November 2023, it informed us that the plan was still in draft form. Because the SCO’s deliverables—which are noted in the text box—were still in development as of that date, we will report on those efforts in a subsequent update.

Although state law requires the department to complete six roadmap activities by July 2032, the department has not defined the success criteria for most of these activities, nor has it developed long-term plans for meeting the deadlines. The department’s chief deputy director indicated that the department uses an incremental planning approach by which it plans its projects to address the roadmap activities over a limited period instead of planning for all of the projects that it needs to complete by 2032. Its primary planning document is an 18-month portfolio—covering January 2023 through June 2024—that lists projects related to all of the roadmap activities. However, that plan lacks the full scope of actions the department must take to be successful in its roadmap activities and lacks the criteria the department must use to know if it is successful. The table shows our assessment of the department’s progress in defining success for the roadmap activities and whether it has plans for each activity.


Roadmap Activity Success Criteria Defined Does the Department Have a Plan to Complete the Roadmap Activity? * Is the Roadmap Activity Completed?
1. Ensure that the system is technically optimized and secure. Partially defined. The department established service level benchmarks for one of FI$Cal’s critical applications to determine whether the system is optimized. Yes No
2. Onboard the remaining deferred departments and be sufficiently staffed to provide ongoing support and assistance to end-users. Partially defined. State law requires the department to onboard the remaining deferred departments by
July 2032.
No No
3. Ensure the integrity and security of the State’s financial data. No Yes No
4. Support the transition of the State’s accounting book of record from the SCO’s legacy systems to FI$Cal, including validation work related to the ACFR. No No No
5. Work with partner agencies to identify and implement additional products, interfaces, and add-ons to the system to enhance business transactions. No No No
6. Continue to enhance, upgrade, and manage the system to ensure efficient and relevant alignment with the State’s financial management processes. No No No

Source: State law, interviews with department staff, and the department’s planning documents and reports.

* To determine whether the department had a plan, we reviewed whether the department had specifically documented its approach to finishing the roadmap activity by, at a minimum, identifying all actions it believes it would need to take to complete the activity.

The department is currently transitioning the Department of Rehabilitation, the California Department of Technology, and the California Department of Transportation to FI$Cal, but it does not yet have a plan to complete the roadmap activity and successfully transition and support the California Department of Corrections and Rehabilitation, the California Prison Industry Authority, the California State Teachers' Retirement System, the California State Lottery Commission, the California Department of Justice, the Department of Water Resources, and the Department of Motor Vehicles.

For two of the roadmap activities, the department has taken most of the steps necessary to define the actions it will take and to delineate the metrics it will monitor to ensure that it succeeds. Specifically, the department has a plan that describes the tasks the department will perform to address the first and third roadmap activities, which relate to the technical optimization and security of the system and the State’s financial data. The plan provides specific details for technology improvements. For example, the plan states that the department will replace software or migrate to cloud-based software-as-a-service when feasible and economical before its current software is discontinued. At the time the plan was developed, it noted that key software used by FI$Cal is expected to be supported by the manufacturer at least through 2034. The department anticipates needing four years to identify and migrate its operations to a new solution if the manufacturer ends support for this software. The department’s plan states that it anticipates conducting market research in fiscal year 2028–29 for a replacement product. According to the department’s chief information officer (CIO), the department may delay the market research if the manufacturer extends support for the software beyond 2034 so that the department can maximize the benefits from the State’s current investment in that software.

Additionally, the department has established some benchmarks, processes, and procedures describing how it ensures that the system is technically optimized. The CIO’s definition of technical optimization is based on system reliability and response time. For example, the department established benchmarks to monitor the transaction times and availability of one of the system’s essential applications, PeopleSoft Financials, a software product that the department uses. For the nine-month period we reviewed, reports provided by the department indicated that it met the benchmarks for this application.

In addition to technical optimization, however, the first and third roadmap activities require the department to ensure the security of the State’s system and data. Although the department’s current plans include a description of the activities it will perform to enhance the security of the system, the department does not yet have metrics to measure its success in providing security. To best prepare itself for success in completing these two roadmap activities, the department should adopt metrics by which it will measure its success in the area of security, such as establishing expectations for how quickly it will resolve identified security weaknesses. The department could also establish a goal of passing its external security reviews without any critical deficiencies.

Although the department is making progress in its plans to complete these two activities, it lacks clear plans and success criteria for the other roadmap activities. Planning and success criteria are particularly important in light of the broad nature of some of the activities. For example, state law requires that the department shall, by July 1, 2032, “continue to enhance, upgrade, and manage the system to ensure efficient and relevant alignment with the State’s financial management processes.” This requirement does not have a readily apparent definition of success when contrasted to another of the roadmap activities—“onboard the remaining deferred departments.” There are 10 remaining deferred departments—which are departments that have or are implementing their own financial management systems and are not yet using FI$Cal—and all 10 either will or will not be using FI$Cal by July 2032, thereby providing a clear definition of success for that portion of that roadmap activity.There are 10 other state departments, including our office, that are exempt from using FI$Cal. Therefore, the department must create success criteria for the roadmap activities that are not discretely defined in their scope, so it can establish specific, measureable goals for each activity.

The department’s chief deputy director indicated that long-term planning requires more data than the department currently has and highlighted some roadmap activities’ dependence on external factors. For example, for one of the roadmap activities—“work with partner agencies to identify and implement additional products, interfaces, and add-ons to the system to enhance business transactions”—the chief deputy director said that working with partner agencies requires project planning coordination and alignment between the agencies and the department. As an example, he described how the Department of General Services (DGS) is currently conducting market research for its own eMarketplace project to improve users’ ability to find and order from approved suppliers based on specific categories that will require the addition of new interfaces to FI$Cal. For the department to develop a timeline to implement eMarketplace, the chief deputy director explained that DGS must first formulate its eMarketplace project plans so that the department can identify the scope of work needed to administer new interfaces into the system.

We acknowledge that the department must work with other agencies or departments to achieve some of the roadmap activities and also that as planning extends further into the future, the reliability and specificity of plans can diminish. In addition, during our review, the department shared with us multiple projects it is working on related to the roadmap activities, showing that it is conducting work related to state law’s requirements. Nonetheless, the department’s current approach heightens the risk it will not complete all the roadmap activities by 2032, such as the activity that requires the department to onboard the remaining deferred departments. Moreover, this approach does not take into account the structure that the department can provide to its own long-term plan by establishing criteria for success and developing interim goals. By planning for fewer than two years into the future, the department could overlook upcoming resource needs and miss opportunities to successfully meet those needs. In November 2023, as we were finalizing our review, the department provided draft copies of a three-year plan and a plan through 2032 showing the major projects it intends to complete for each roadmap activity. If it finishes these plans, the department can gain greater awareness and assurance of the steps it will need to take to fulfill the roadmap activities.

Although the department has taken steps to improve FI$Cal security, it should take further action to address the remaining security weaknesses. In 2021 the Governor published Cal-Secure, a plan to address critical gaps in the State’s information and cybersecurity programs. Cal-Secure establishes five phases of baseline technical cybersecurity capabilities that entities within the State’s executive branch should achieve over a five-year period. As of July 2023, the department reported that it had fully implemented 21 of the 29 total capabilities included in the Cal-Secure plan. However, the department also reported that it is still working to enhance six of the 21 capabilities by making further improvements to them.

The CIO explained that in addition to fulfilling the requirements in Cal-Secure, the department ensures the integrity and security of the State’s financial data by following and implementing the requirements set forth in the State Administrative Manual (SAM) and the Statewide Information Management Manual (SIMM). State policy presented in SAM and SIMM requires the department to develop and maintain a Risk Register and Plan of Action and Milestones (POAM) process for addressing information security program deficiencies.State entities report security weaknesses or noncompliance, identified by risk level and remediation status, through POAMs. State entities are obligated to report updated POAMs quarterly to the California Department of Technology’s Office of Information Security. The department’s POAM identifies security risks found by internal observation and by audits conducted by the California Department of Technology, the California Military Department, and our office, and the POAM assigns each risk a rating. The POAM shows that the department is addressing its highest-risk security weaknesses and that the department has identified target dates to remediate all but one of the other items.

The department is currently working on partner projects to address the roadmap activity that requires it to enhance business transactions. According to the deputy director of the department’s Business Operation and Solutions Division, the department prioritizes projects according to technical effort, feasibility, criticality, impact on specific departments, and customer experience. For instance, the deputy director explained that the department plans to implement electronic funds transfers (EFT) and a supplier self-service portal for electronic invoicing. The portal will enable suppliers to update their own information and submit electronic invoices. Although the project is still in the early stages, the department considers EFT to be a high-value project that all partners and most departments want implemented into FI$Cal.

In addition to its partner projects, the department reports that it regularly updates and enhances the system based on end-user feedback. The department publishes monthly newsletters listing the enhancements made during the previous month. In June 2023, the department reported in its newsletter that it completed five enhancements related to procurement, accounts payable, and small business/disabled veteran business enterprises. According to the newsletter, the goal of the enhancements is to improve the usability of the system while maintaining the security of the State’s data.

We prepared this report pursuant to Government Code section 11868.

Respectfully submitted,

GRANT PARKS
California State Auditor

For questions regarding the contents of this report, please contact our
Communications Office at 916.445.0255.


Staff:
Bob Harris, Audit Principal
Brian D. Boone, CIA, CFE
Savanna Rowe

Legal Counsel:
Joe Porche