Report 2023-601
August 24, 2023

State High-Risk Audit Program
The California State Auditor’s Updated Assessment of Issues and Agencies That Pose a High Risk to the State

August 24, 2023

The Governor of California
President pro Tempore of the Senate
Speaker of the Assembly
State Capitol
Sacramento, California 95814

Dear Governor and Legislative Leaders:

As required by Government Code section 8546.5, my office presents this report about statewide issues and state agencies that represent a high risk to the State or its residents. Our work to identify and address such high-risk statewide issues and agencies aims to enhance efficiency and effectiveness by focusing the State’s resources on improving the delivery of services related to important programs or functions.

We describe in this report four high-risk statewide issues that include aspects of state management of COVID-19 federal funds, state management of financial reporting and accountability, information security, and water infrastructure. We also conclude that three state agencies meet our criteria to be designated as high-risk: the Employment Development Department, the California Department of Technology, and the Department of Health Care Services. Finally, we have removed from our state high-risk list higher education, the California State Teachers’ Retirement System, other postemployment benefits, the California Department of Public Health, transportation infrastructure, and the California Department of Corrections and Rehabilitation. We have based these decisions on factors including changes in circumstances and the significant progress that the State has made toward mitigating various risk factors.

We will continue to monitor the risks we have identified in this report and the actions the State takes to address them. When the State’s actions result in significant progress toward resolving or mitigating such risks, we will remove the high-risk designation based on our professional judgment.

Respectfully submitted,

California State Auditor

Selected Abbreviations Used in This Report

ACFR Annual Comprehensive Financial Report
CalPERS California Public Employees’ Retirement System
CalSTRS California State Teachers’ Retirement System
CCC California Community Colleges
CDCR California Department of Corrections and Rehabilitation
CDT California Department of Technology
CSU California State University
DHCS Department of Health Care Services
DOL Department of Labor
EDD Employment Development Department
IT information technology
MHSA Mental Health Services Act
OIG Office of the Inspector General
OPEB other postemployment benefits
PAL Project Approval Lifecycle
UC University of California
UI Unemployment insurance


High-Risk Issue or Agency Responsible Agency Report Section On List Since
New High-Risk Agency
Employment Development Department Employment Development Department EDD Is High-Risk Because of Inadequate Fraud Prevention and Claimant Service, as Well as a High Rate of Overturned Eligibility Decisions in Its Unemployment Insurance Program 2023
Retained on High-Risk List
State Management of COVID‑19 Federal Funds Various Agencies The State’s Management of COVID‑19 Federal Funds Continues to Be a High-Risk Issue 2020
State Financial Reporting and Accountability Department of FI$Cal and Various Agencies Late Financial Reporting Continues to Increase Risk to the State 2020
Information Security California Department of Technology and Various Agencies The State’s Information Security Remains a High-Risk Issue 2013
Information Technology Oversight California Department of Technology CDT Has Not Made Sufficient Progress in Its Oversight of State Information Technology Projects 2007
Water Infrastructure and Availability Department of Water Resources and the Governor’s Office of Emergency Services Climate Change and Aging Water Infrastructure Threaten California’s Water Supply and Public Safety 2018
Department of Health Care Services Department of Health Care Services Health Care Services Has Not Adequately Addressed Issues With Medi-Cal Eligibility, But It Has Made Improvements to Its MHSA Oversight 2007
Removed From High-Risk List
Higher Education California State University and University of California CSU and UC Have Made Efforts to Control Tuition and Fees in the Past Decade 2013
California State Teacher’s Retirement System California State Teacher’s Retirement System CalSTRS Has Implemented Corrective Action to Decrease the Risk Posed by Its Unfunded Liability 2011
Other Postemployment Benefits Department of Finance, California Department of Human Resources, and California Public Employees’ Retirement System The State Is Addressing Its OPEB Liabilities 2007
California Department of Public Health California Department of Public Health Public Health Has Made Sufficient Progress in Implementing Outstanding Recommendations 2007
Transportation Infrastructure California Department of Transportation and California Transportation Commission The State Has Made Sufficient Progress in Improving Its Transportation Infrastructure 2007
California Department of Corrections and Rehabilitation California Department of Corrections and Rehabilitation CDCR Is Making Progress in Improving Its Health Care Delivery 2007
Responses to the Audit
California Governor’s Office of Emergency Services (CalOES)
California State Auditor’s Comment on the Response From CalOES
California State Transportation Agency (CalSTA)
California Department of Public Health (Public Health)
California Department of Technology (CDT)
California State Auditor’s Comments on the Response From CDT
Department of Health Care Services (DHCS)
California Natural Resources Agency
The California State University Office of the Chancellor
California Employment Development Department (EDD)
California State Auditor’s Comments on the Response From EDD
Financial Information System for California (FI$Cal)
California State Auditor’s Comment on the Response From FI$Cal
Department of Finance (Finance)
California State Auditor’s Comments on the Response From Finance



State law authorizes the California State Auditor (State Auditor) to develop a state high-risk government agency audit program (high‑risk program). Our office implemented this program to improve the operation of state government by identifying, auditing, and recommending improvements to state agencies and statewide issues at high risk for waste, fraud, abuse, or mismanagement or for having major challenges associated with their economy, efficiency, or effectiveness. In accordance with this statutory authority, the State Auditor adopted regulations in 2016 that further define the high-risk program. These regulations provide the criteria we used in determining the list of state high-risk agencies and statewide issues we present in this report.

Criteria for Determining Whether a State Agency or Statewide Issue Merits a High‑Risk Designation

State regulations outline the conditions under which an agency or issue may be added to the State Auditor’s high-risk list. All four of the following conditions must be present for us to assign the high‑risk designation:

  • Potential waste, fraud, abuse, or mismanagement or impaired economy, efficiency, or effectiveness that may result in serious detriment to the State or its residents.
  • The likelihood of waste, fraud, abuse, or mismanagement or the likelihood of impaired economy, efficiency, or effectiveness causing harm is so great that this likelihood constitutes a substantial risk of detriment to the State or its residents.California Code of Regulations, title 2, section 61015 (a), defines substantial risk and directs the State Auditor to assess “whether the likelihood of the waste, fraud, abuse, or mismanagement or impaired economy, efficiency, or effectiveness being risked by a state agency or a statewide issue is great enough, when compared with the level of serious detriment that may result, for there to be substantial risk of serious detriment to the State or its residents.” 
  • The state agencies that are affected by or responsible for resolving the waste, fraud, abuse, or mismanagement or the impaired economy, efficiency, or effectiveness are not taking adequate corrective actions to prevent the risk or its effects.
  • An audit and the agencies’ implementation of the resulting recommendations may significantly reduce the substantial risk of serious detriment to the State or its residents.

When assessing both state agencies and statewide issues, we consider a number of factors to determine whether there is substantial risk to the State or its residents. We consider whether the risks are already causing detriment, whether those risks are increasing, and whether changes in circumstances are likely to cause detriment. We also consider various factors to determine whether the risks may have serious effects, such as loss of life, injury, or a reduction in residents’ overall health or safety; impairment of the delivery of government services; significant reduction in the overall effectiveness or efficiency of state government programs; and infringement on citizens’ rights. Finally, in evaluating whether agencies have taken adequate measures to correct previously identified deficiencies, or whether the State has taken measures to reduce the risks posed by the issues, we consider factors such as whether the agencies have demonstrated a strong commitment to controlling or eliminating the risk and whether they have made significant progress through action already taken to control or eliminate the risk to the State. In all cases, our professional staff make the final determination of risk level according to their independent and objective judgment.

Removal of High-Risk Designation

We remove the high-risk designation under any of the following circumstances:

  • A change in circumstances has resulted in the risk no longer presenting the potential for serious detriment to the State or its residents.
  • The agency has taken sufficient corrective action to prevent or mitigate the risk of harm.
  • The risk presented by the agency or issue is not likely to be reduced by performing additional audit work.

State regulations require us to use our professional judgment to determine whether to remove a high-risk designation. When we remove the high-risk designation for one of the reasons described above, we continue to monitor the issue or agency and, if the risk reoccurs, we will consider reinstating the high-risk designation according to the factors described earlier.

State High-Risk Reports

Government Code section 8546.5 authorizes the State Auditor to audit and to publish audit reports on any state agency that it identifies as high-risk. In May 2007, we issued Report 2006‑601, which provided an initial list of high-risk state agencies and statewide issues. We have since issued several reports updating the list of those agencies and issues that are high-risk. Further, we include on our website a list of all audits that we are performing, including those of high-risk state agencies and statewide issues.

To update our assessment of high-risk state agencies and statewide issues, we interviewed knowledgeable staff at the responsible state agencies to gain perspective on the extent of the risks the State faces. We also reviewed the efforts that staff at the agencies said were underway and were intended to mitigate the identified risks. In addition, we reviewed reports and other documentation relevant to the issues. Finally, we conferred with agencies and interested parties, such as the Department of Finance, the Legislative Analyst’s office, and the Public Policy Institute of California. Each of the entities we conferred with provided its perspective on high-risk areas facing the State.

Removed High-Risk Agencies and Issues:


We first identified the affordability of higher education as a state high-risk issue in Report 2013-604, December 2013, noting challenges associated with the funding of higher education and the extent of access it provided. In 1960 the State published A Master Plan for Higher Education in California, which provided a roadmap for the future of higher education in the State. Reviews of the plan have reaffirmed its principles and emphasized the need for improved access to affordable higher education. As components of the State’s public higher education system, the University of California (UC), the California State University (CSU), and the California Community Colleges (CCC) each have a responsibility to align its services with the State’s goal of making higher education accessible and affordable to every Californian. However, in 2010 the Legislature identified the ability of the State’s public system of higher education to carry out the master plan as being at risk because of unprecedented population growth and extraordinary social and economic changes.

Although we originally included the CCC as part of this high-risk issue, we removed it in Report 2017-601, January 2018, because it had improved its ability to provide courses and services to students. In Report 2019-601, January 2020, we reported that from 1992 to 2017, undergraduate tuition had increased by about 340 percent at the CSU and 440 percent at UC. In our state high-risk assessment Report 2021‑601, August 2021, we noted that issues related to the affordability of higher education persisted.


By taking steps to control tuition and fee increases, the CSU and UC have made sufficient progress toward eliminating the basis on which the State Auditor designated this issue high-risk. For example, both university systems have held their tuition relatively flat since 2013. The CSU did not increase tuition during that time, and UC increased its tuition only two times, once by 3 percent in academic year 2017–18 and once by 4 percent in academic year 2022–23. As of academic year 2022–23, the CSU’s annual tuition is $5,742 and UC’s is $11,982. Similarly, both universities raised their fees moderately. Since 2018 the CSU increased its systemwide fees by $222 and UC increased its systemwide fees by $184.

With support from the State, the CSU and UC were able to avoid significant tuition and fee increases, even as inflation increased by 1.2 percent to 8 percent annually over a five year period. If the two institutions’ tuition had kept pace with inflation during these years, the CSU’s academic year 2022–23 tuition would have been $6,850 and UC’s would have been $13,649. A recent report recommended that the CSU increase its tuition in predictable amounts because of growing costs and insufficient funding from the State to cover its expenditures. In July 2023, the interim chancellor recommended a multiyear tuition proposal that would raise tuition rates by 6 percent beginning in academic year 2024–25, with one-third of the increase dedicated to financial aid. However, the CSU has not yet adopted this initial proposal. UC approved a tuition stability plan that took effect in 2022. The plan allows for the adjustment of tuition for each incoming undergraduate class at a rate slightly above inflation but subsequently holds the tuition rate flat for that class for up to six years.

Financial aid programs also increase access to higher education and have remained a viable option for the majority of resident students in both systems. For the most recent reporting period—academic year 2021–22—a variety of financial aid programs allowed nearly 60 percent of undergraduate students to pay reduced tuition at the CSU. Likewise, student aid allowed 55 percent of UC undergraduate students to pay no tuition. The university systems reported that in 2021–22, nearly 82 percent of CSU undergraduate students received some form of financial assistance, and 70 percent of UC undergraduate students received grants and scholarships.

The CSU and UC have attempted to address other expenses related to attending college that have increased in the past decade. The costs of housing, food, transportation, books, child care, health care, and supplies contribute to the overall cost of higher education. The CSU reports that the average cost of food and housing for its undergraduate students increased between about 3 percent to 6 percent annually from academic years 2018–19 to 2023–24. The average cost of living, which includes food and housing, increased by a total of 12 percent for UC’s undergraduate students during the same period.

Although expenses other than tuition and fees account for about 66 percent of the total cost of attending the CSU and 60 percent of the cost of attending UC, they are often beyond the university systems’ control. However, to help alleviate food and housing insecurity for students, the Legislature appropriated $15 million per year from 2019 through 2022 for UC and between $6.5 million to $31.5 million per year during the same period for CSU. Both university systems have used these funds to offer a wide range of services. For example, both the CSU and UC offer food pantry and food distribution programs, meal voucher programs, CalFresh application assistance, and multiple emergency housing programs.

Although the affordability of higher education continues to be a concern for many Californians, the CSU and UC have slowed the rate of tuition and fee increases in the past decade relative to inflation. Both university systems have also made attempts to mitigate other barriers to higher education—such as costs associated with food and housing—that are often beyond their direct control. Given these ongoing efforts, it is unlikely that a high-risk audit of higher education expenses would result in recommendations leading to a significant reduction in tuition, fees, or other costs such as food and housing.

Status: Removed from the high-risk list

California State University Office of the Chancellor response. The UC did not provide a response.


The California State Teachers’ Retirement System (CalSTRS) provides retirement, disability, and survivor benefits to the State’s more than 1 million public school educators and their families, primarily through a defined benefit pension plan (benefit plan). CalSTRS uses the funding it receives from its members, their employers, and the State to generate investment income, which it uses to help pay retirement benefits. Pension funds operate on a long-term horizon, working to guarantee benefit payments for existing and future retirees. According to CalSTRS, the most financially prudent way to provide such benefits is to fund the benefit plan fully by maintaining sufficient assets to cover all payments the program is obligated to make.

Despite this goal, CalSTRS has historically not had sufficient assets to fully fund the benefit plan. In essence, the funds it has received, along with the investment income they have generated, have not been sufficient to cover projected costs. The gap between CalSTRS’ assets and its liabilities is its unfunded liability. According to CalSTRS, its unfunded liability was partly a result of poor investment returns during the financial crisis from fiscal years 2007 through 2009 and partly a result of its inability to adjust the amount that plan participants and employers were required to contribute.

We identified CalSTRS as a high-risk agency in Report 2011-601, August 2011, because of the extent of its unfunded liability. In 2014 the Legislature enacted a CalSTRS funding plan that provided CalSTRS with certain limited authority to increase contribution rates for employers and the State in order to eliminate its existing unfunded liability by June 2046. We have monitored CalSTRS’ implementation of the funding plan as part of our high-risk assessments to determine the progress it has achieved.


CalSTRS has made significant progress in eliminating the basis on which we identified it as high-risk. Its continued financial progress indicates that the agency is on track to eliminate its unfunded liability by 2046. According to CalSTRS’ actuarial valuation reports, its implementation of the funding plan decreased its unfunded liability from $107 billion in 2018 to $89 billion in 2022. Despite investment losses in fiscal year 2021–22, CalSTRS reported that it remains slightly ahead of schedule in its goal of fully funding the benefit plan by 2046.

CalSTRS has also taken steps to better mitigate the risks it faces in its financial planning, thereby making its achievement of the funding plan’s goals more likely. For example, CalSTRS lowered its investment return assumptions from 7.5 percent to 7 percent. It also updated its mortality assumptions to account for the increased life expectancy of its members, thereby adding an expected additional two-to-three years of beneficiary payments to its planning.

We based our decision to remove CalSTRS from our high-risk list on several factors. First, the creation of the funding plan in 2014 and CalSTRS’ subsequent implementation of it represent a change in circumstance that reduces the risk of serious detriment. Further, by implementing the funding plan for several years, CalSTRS has demonstrated a strong commitment to mitigating the risk created by its unfunded liability and to meeting its goal of full funding by 2046. Finally, it is unlikely that a high-risk audit would result in recommendations leading to significant additional reduction in CalSTRS’ unfunded liability.

Status: Removed from the high-risk list

The agency did not provide a response.


The State provides health and dental benefits as part of the retirement package it offers to many state employees. The State generally pays the majority of health insurance premiums and at least a portion of dental premiums for retirees, depending on their years of service and dates of hire. The State refers to these benefits as other postemployment benefits (OPEB). Paying OPEB for retired employees is a large cost for the State in any given year. For example, in fiscal year 2020–21, the State paid nearly $2.6 billion in OPEB for retired employees. The State tracks and reports its calculated future OPEB payments as a liability, which totaled about $99 billion as of the end of fiscal year 2020–21.

In Report 2008-601, June 2009, we explained that the State’s OPEB liability could grow so rapidly that it could affect the State’s credit rating. The State has since implemented a plan to eliminate its unfunded OPEB liability by 2046 (prefunding plan). Under the prefunding plan, the State negotiates with employee bargaining units to determine the percentage of employee compensation that employees and the State will make to a trust. California Public Employees’ Retirement System (CalPERS) invests the contributions to create investment income, which state law authorizes for OPEB expenditures either when a specific bargaining unit’s subaccounts reach 100 percent funding or after July 2046, whichever comes first.


The State has made significant progress to eliminate the basis upon which we identified its OPEB liabilities as a high-risk issue. The State’s prefunding plan is now in its eighth year, with $5.1 billion in assets as of June 30, 2022. The State Controller’s Office annually publishes a report on the status of contributions and the progress toward meeting the State’s liability. This report stated that as of June 30, 2022, the State Controller’s Office expected five of the State’s 23 employee bargaining units to be fully funded by 2046, with the remaining to be fully funded by 2050. According to the Department of Finance, if a bargaining unit does not meet the 2046 goal, the State will continue to pay for OPEB for retirees covered under that unit.

Several factors contributed to our decision to remove the State’s OPEB liabilities from our high-risk list. First, the creation of the prefunding plan and its subsequent implementation represent a change in circumstances that reduces the risk of serious detriment such that it is no longer substantial. When we added the State’s OPEB liabilities to the high-risk list in Report 2006-601, May 2007, no prefunding plan existed and the State relied on funding necessary contributions annually. Further, the State has taken sufficient corrective action by implementing the prefunding plan for several years, thereby demonstrating a strong commitment to controlling the risk created by its unfunded liability. Finally, the State’s progress makes it unlikely that a high-risk audit would result in recommendations leading to a significant reduction in the State’s OPEB liabilities. We are therefore removing this issue area from the state high-risk list; however, we will continue to monitor it as part of our existing Annual Comprehensive Financial Report (ACFR) audit.

Status: Removed from high-risk list

The responsible agencies did not provide a response.


The California Department of Public Health’s (Public Health) mission is to advance the health and well-being of California’s diverse people and communities. Among other things, Public Health is responsible for protecting people from environmental health issues such as lead poisoning, ensuring that patients in hospitals and skilled nursing facilities receive adequate care, and reducing health and mental health disparities among vulnerable and underserved communities.

We designated Public Health as a high-risk agency in Report 2006-601, May 2007. Since that time, we have maintained its designation as a high-risk agency because of a variety of concerns, including the large number of public safety-based recommendations that it had not implemented.


Public Health has made sufficient progress to eliminate the basis for the concerns on which the State Auditor identified it as high-risk. In Report 2017-601, January 2018, we reported that Public Health had not implemented 22 recommendations from various previous reports; we further noted that the conditions that occasioned those recommendations could still pose a substantial risk of the loss of life, significant injury, or a broad reduction in Californians’ overall health or safety. In Report 2019-601, January 2020, we reported that Public Health had made progress in this area: as of November 2019, it had only 11 unimplemented recommendations older than one year, three of which it indicated it would not implement. Currently, the department has only a limited number of outstanding recommendations, which we discuss below:

  • Skilled Nursing Facilities: Absent Effective Oversight, Substandard Quality of Care Has Continued, Report 2017-109, May 2018: In this audit of skilled nursing facilities, we concluded that Public Health had not fulfilled many of its oversight responsibilities meant to ensure that nursing facilities meet quality‑of‑care standards. For example, we found that Public Health had made inconsistent licensing decisions and had not issued citations for facilities’ noncompliance with federal and state requirements in a timely manner. As a result, we made three recommendations to Public Health. As of September 2022, Public Health had partially implemented two of three recommendations and had one recommendation we rated as pending implementation.

    As part of our current high-risk assessment, we reviewed the status of these three recommendations. Our assessment determined that the department has fully implemented one recommendation, which required an upload of inspection findings to a database called Cal Health Find. This upload increased public transparency related to deficiencies at skilled nursing facilities and thereby improved oversight. We also noted that Public Health has generally continued to improve in its issuance of timely citations resulting from inspections of nursing homes, thereby making substantial progress in its implementation of a second recommendation. Finally, Public Health has partially implemented the third recommendation, which involves defining a process for facility application review to ensure that an applicant has demonstrated compliance with state and federal recommendations.

  • Childhood Lead Levels: Millions of Children in Medi-Cal Have Not Received Required Testing for Lead Poisoning, Report 2019-105, January 2020: In this audit, we reported that millions of children in California had not received required lead poisoning testing and made seven recommendations to address the problems we had identified. Public Health subsequently implemented six of these recommendations. However, in our update on outstanding recommendations, Report 2022-041, January 2023, we reported that Public Health had not finished developing its lead evaluation regulations, the remaining recommendation from the January 2020 report.The State Auditor publishes an annual report that identifies recommendations from prior audits and investigations that have not been fully implemented one year or longer after their publication. We intended this recommendation to better ensure that children with lead poisoning are identified and treated.

    As part of our current high-risk assessment, we reviewed Public Health’s status on the implementation of this recommendation. As of July 2023, Public Health had finalized one package of draft regulations that focus on risk factors for lead poisoning. It expects to obtain external approval of these regulations by October 2023 from the California Health and Human Services Agency and by December 2023 from the Department of Finance. Public Health is still working to incorporate a new federal blood lead reference value into its regulatory package.

  • Youth Suicide Prevention: Local Educational Agencies Lack the Resources and Policies Necessary to Effectively Address Rising Rates of Youth Suicide and Self Harm, Report 2019-125, September 2020: In this audit, we issued 23 recommendations to 10 entities, and one of our recommendations was to Public Health. Our report found that it had not established a program to support the development of school-based health centers to increase student access to health and mental health professionals as required by a 2007 law. In October of 2022, Public Health provided our office with an update on its efforts to implement our related recommendation and reported that it had worked with the School‑Based Health Alliance to obtain additional information and evaluate the resources needed to develop a public school health center support program. However, Public Health has been unable to identify funding opportunities to establish the program. The review we conducted as a part of this high-risk assessment found that Public Health has still not been able to secure the necessary funding to establish the program.
  • Hospice Licensure and Oversight: The State’s Weak Oversight of Hospice Agencies Has Created Opportunities for Large-Scale Fraud and Abuse, Report 2021-123, March 2022: In this audit, we identified numerous indicators that hospice agencies were engaged in fraud, particularly in Los Angeles County. We also identified a likely large-scale effort to defraud Medicare and Medi-Cal hospice programs. We issued 28 recommendations, one of which was to Public Health. Specifically, we recommended that until the Legislature authorizes Public Health to issue emergency regulations to combat fraud, Public Health should use its existing regulatory authority to increase oversight of hospice agencies. In March 2023, Public Health reported that it was developing emergency hospice regulations to incorporate recommendations from our report and to address stakeholder feedback; it expects to complete this recommendation by the end of 2023.

We based our decision to remove Public Health from our state high-risk list on the significant progress it has made in implementing our recommendations. In doing so, Public Health has demonstrated a strong commitment to controlling the individual risks that we created the recommendations to address. Further, it has implemented corrective actions to mitigate risk to the public.

Status: Removed from the high-risk list

Public Health’s response


The California Department of Transportation (Caltrans) and the California Transportation Commission (Transportation Commission) are generally responsible for ensuring that the State’s highway systems are in good condition. The Transportation Commission is responsible for allocating funds for the construction of highway, transit, and active transportation improvements, such as biking and walking paths, throughout California. Caltrans plans, develops, maintains, and operates the statutorily designated California State Highway System (state system). The state system includes 50,000 lane miles of pavement, 13,200 bridges, 213,000 culverts and drainage facilities, and nearly 21,000 transportation management system assets.

We first designated California’s deteriorating transportation infrastructure as a high‑risk issue in Report 2006-601, May 2007. At that time, we expressed concern about the lack of funding for transportation system upkeep and repairs as well as about the related decline in the condition of the state system because of deferred maintenance. Keeping the State’s transportation infrastructure in good repair is important, because it enhances safety and maintains the useable life of critical state assets. Further, Caltrans has reported that addressing deferred maintenance is more expensive to the State than providing preventive maintenance.

In 2017 the Legislature passed the Road Repair and Accountability Act of 2017 (Road Repair Act) to invest $54 billion over the next decade to fix roads, freeways, and bridges. The Road Repair Act set goals for Caltrans, as Table 1 describes. For example, Caltrans was to fix 500 additional bridges by 2027. The Road Repair Act also increased oversight of Caltrans and of Road Repair Act funds by establishing an inspector general for that agency and by expanding the Transportation Commission’s supervisory role. In our most recent high-risk assessment, Report 2021-601, August 2021, we maintained transportation infrastructure as a high-risk issue area in order to continue monitoring Caltrans’ progress in improving the state system.

Table 1

Caltrans Is on Track to Meet the Goals of the Road Repair Act

2027 Goal 2018 Report 2019 Report 2020 Report 2021 Report 2022 Report
Pavement 98 percent of pavement in good or fair condition 98.96% 98.98% 98.71% 98.69% 99.25%*
Culverts 90 percent of culverts in good or fair condition 90.2 90.2 90 90 90.4
Traffic management systems 90 percent of traffic management systems in good condition 67.4 74.6 79 78.8 77
Bridges Fix an additional 500 bridges 214 248 496 545 828

Source: Caltrans annual reports.

Note: The Legislature set a fifth goal related to correcting potholes and cracks in pavement. Caltrans factors the completion of this goal into its pavement metric.

* Pavement conditions for 2022 are projections.

Information on bridges is presented by fiscal year.

Caltrans and the Transportation Commission have interpreted the goal of fixing 500 additional bridges as meaning 500 more than their average annual repair rate of 114. The numbers indicated are cumulative totals that do not include the prior annual average of 114 each year.


Caltrans and the Transportation Commission have made significant progress toward eliminating the basis on which we identified transportation infrastructure as a high-risk issue. As Table 1 shows, as of 2022 Caltrans had exceeded the goals that the Legislature set for three of four categories and was making progress on the fourth. Caltrans reported that 99.25 percent of the pavement in the state system and 90.4 percent of culverts were in good or fair condition as of 2022. It further reported that it had exceeded the goal to repair an additional 500 bridges. Finally, it was also on track with the fourth goal, ensuring that 90 percent of traffic management systems are in good condition by 2027: 77 percent of these systems were in good repair in 2022.

Caltrans uses a website focused on providing transparency and accountability for the Road Repair Act to publicly report its progress in implementing the goals that the Legislature set. On this website, Caltrans has reported that the number of pavement lane miles it has repaired annually since the passage of the Road Repair Act has increased by 80 percent. It has further reported that its annual repair of linear feet of culverts in the same time period increased by about 700 percent. Caltrans has also reported on the Road Repair Act funds it has invested in projects to date, on the status of such projects, on the number of jobs the act has created—more than 225,000—and on the other effects that the additional funding has had for Californians.

According to Caltrans, the funding provided by the Road Repair Act will be sufficient to meet the act’s goals. In addition, the Road Repair Act requires Caltrans to implement efficiency measures with the goal of generating at least $100 million per year in savings, which Caltrans reported it has exceeded. Since fiscal year 2017–18, Caltrans has reported savings of between $133 million and $340 million annually through cost avoidance, new construction management practices, and other efficiencies. For example, Caltrans transitioned from painted stripes to new materials that last six times longer, resulting in $34 million in ongoing savings. Caltrans invests these savings in the maintenance and rehabilitation of the state system. Further, Caltrans has reported that many of the efficiencies it has created will prevent future construction delays, have positive environmental effects, or increase safety.

We based our decision to remove transportation infrastructure from our high-risk list on several factors. First, the additional funds provided by the Road Repair Act represent a change in circumstances that, due to their extensive and ongoing nature, reduce the risk of serious detriment such that it is no longer substantial. When we added transportation infrastructure to the high-risk list in Report 2006-601, May 2007, such a funding plan did not exist and the State’s infrastructure was slowly deteriorating. Further, as we have demonstrated above, Caltrans and the California Transportation Commission have taken sufficient corrective action by improving the state of transportation infrastructure, thereby demonstrating a strong commitment to mitigate the risk. Moreover, the Road Repair Act created an inspector general—who conducts a variety of compliance audits on the use of Road Repair Act funds each fiscal year—to provide increased oversight to Caltrans.

Status: Removed from the high-risk list

CalSTA’s response


The California Department of Corrections and Rehabilitation (CDCR) operates all state adult prisons, oversees a variety of community correctional facilities, and supervises incarcerated adults and adults released to parole supervision. CDCR operates 33 institutions and, as of June 2023, housed about 96,000 incarcerated people. The department has a constitutional duty to provide its incarcerated population with health care.

In 2005 a federal court found that CDCR’s health care system violated the U.S. Constitution’s prohibition against cruel and unusual punishment. The court found that this resulted in significant harm to the State’s prison-incarcerated population. To remedy the inadequate health care CDCR was providing, the court appointed a federal receiver (receiver) to take control of CDCR’s health care system until it was constitutionally adequate. In Report 2006-601, May 2007, we added CDCR’s provision of health care to incarcerated people as a high-risk issue to the State. Since that time, we have tracked the progress CDCR has made in providing constitutionally adequate care in part by reviewing the number of institutions the receiver has delegated back to CDCR’s oversight.


Since our last assessment, Report 2021‑601, August 2021, the receiver delegated health care at an additional institution—Wasco State Prison—back to CDCR’s oversight. This brings the number of institutions for which the receiver has returned control of health care to CDCR to 20, or 59 percent of its facilities. Figure 2 shows a timeline of the receiver’s delegation of health care at institutions back to CDCR. The receiver is currently considering whether to delegate another institution back to CDCR in 2023.

Figure 2

The Federal Receiver Has Recently Returned to CDCR’s Care Control of More Institutions

A timeline bar chart shows all CDCR’s institutions transferred to the receiver’s care in 2005, and some of them returning to CDCR’s care beginning in 2015.

Source: CDCR reports and documentation.

Figure 2 description:

A bar chart shows two columns per year beginning in 2004, one column shows the institutions under CDCR’s care and the second one institutions under the receiver’s care. CDCR transferred care of all institutions to the receiver in 2005. The receiver returned one institution to CDCR’s care in 2015, a total of nine by 2016, and 20 by 2022. The chart also shows an increase in the total number of CDCR institutions from 32 in 2004 to 35 in 2015, and a reduction to 33 in 2022.

OIG Medical Inspection Cycles

OIG performs medical inspections in cycles. During each cycle, OIG inspects the medical care delivered at every CDCR adult institution. Afterward, OIG publishes a report of its results for each institution. Once all institutions have been reviewed, OIG begins a new cycle. It is currently performing Cycle 7 reviews.

Source: OIG website.

In addition to the receiver’s returning an additional institution to CDCR’s care, the Office of the Inspector General (OIG) whose functions are described in the text box, has improved the rate at which it performs medical inspections and produces reports. Because the receiver must consider OIG’s reports on the adequacy of the health care an institution provides when determining whether to delegate responsibility for that institution back to CDCR, delays in the completion of OIG’s reports could impede the receiver’s ability to return institutions to CDCR’s care.

Our last high‑risk assessment reported that OIG had not finished performing its Cycle 6 reviews, which it began in 2019, and that it had issued reports for only nine of 35 institutions (26 percent) as of June 2021. However, as Figure 3 shows, OIG had issued medical inspection reports for 30 of 34 institutions (88 percent) and commenced its Cycle 7 inspections as of June 2023. In its 30 Cycle 6 inspection reports, OIG concluded that the health care provided at 21 institutions (70 percent) was adequate during the inspection period. This presents an improvement over the prior cycle, when OIG found 57 percent of the institutions provided adequate health care.

Figure 3

OIG Has Made Significant Progress in Completing Its Cycle 6 Inspection Reports

Two pie charts showing that OIG issued 26 percent of reports by June 2021 and 88 percent by June 2023

Source: OIG reports.

* We include the California Correctional Center inspection report in this tally since OIG completed that report. The California Correctional Center permanently closed in June 2023.

Figure 3 description:

The figure consists of two pie charts. The first pie chart show the OIG issues nine reports by June 2021, 26 percent of the total. A second pie chart shows the OIG issues 30 reports by June 2023, 88 percent of the total.

CDCR has made significant cumulative progress to eliminate the basis upon which we identified it as high risk. We based our decision to remove CDCR from the high-risk list primarily on two factors. First, CDCR has made significant progress in providing constitutionally adequate care, with the receiver having delegated 20 of CDCR’s facilities back to its control. Further, OIG is now providing increased oversight, so it is unlikely that a high-risk audit of CDCR’s health care delivery would result in recommendations leading to additional significant changes in the department’s provision of constitutionally adequate care.

Status: Removed from the high-risk list

The agency did not provide a response.

We prepared this report under the authority vested in the California State Auditor by Section 8546.5 of the Government Code.

Respectfully submitted,

California State Auditor

August 24, 2023

John Lewis, MPA, CIA, Audit Principal
Nick Phelps, JD, Senior Auditor
Cecilia White, MPPA

Data Analytics:
R. Wade Fry, MPA
Grant Volk, MA, CFE

Legal Counsel:
Natalie Moore

Responses to the Audit:

August 4, 2023

Grant Parks
California State Auditor
621 Capitol Mall, Suite 1200
Sacramento, CA 95814

Dear Mr. Parks,

The California Governor’s Office of Emergency Services (Cal OES) received the California State Auditor’s (CSA) High Risk Assessment 2023-601 redacted Draft Report on July 31, 2023, via encrypted email. Cal OES appreciates the opportunity to review and comment on the 2023 High Risk Assessment. Cal OES’s comments are solely on the section titled, “[Redacted] Aging Water Infrastructure Threaten California’s Water Supply and Public Safety.”

The CSA’s Report states: “Since our last assessment in 2021, [Redacted] However, Emergency Services’ approval of emergency action plans lags behind. Emergency Services has only approved emergency action plans–which outline action to be taken during an emergency to minimize or eliminate the potential for loss of life and property damage-for 419 of the nearly 900 dams required to submit such plans, or about 48 percent.”

Cal OES has consistently met the deadlines in statute for reviewing submitted emergency action plans (EAPs) and will continue to work closely with dam owners on their EAPs so they are not only complete, but also effective for dam owners and affected public safety agencies downstream. In addition, Cal OES has created tools to assist dam owners in completing their EAPs including a template, review tool, and example of an acceptable plan.

The CSA’s Report states: “Although this number represents progress–an increase from the 107 approved plans in 2021–it will take several years at the current rate of approval for the State to have clear emergency plans in place for all dams that require them. Further, there are 121 dams without approved emergency plans [Redacted] having Extremely High downstream hazard ratings, indicating a risk of considerable loss of human life.”

Cal OES approved 312 EAPs for the two-year period of 2021 to 2023. That’s an increase of 292% from the 107 EAPs approved since CSA’s last assessment in 2021. Furthermore, of the mentioned 121 Extreme High Hazard (EH) EAPs, 72 are either currently under review or have been reviewed at least once, returned, and Cal OES is awaiting resubmission. Additionally, another 41 EAPs belong to dam owners that have more than one EAP to submit. Experience dictates that once these owners have completed a satisfactory EAP, their subsequent submittals will be better quality and in relatively rapid succession.

Existing law does not establish a deadline for the dam owner to resubmit an EAP returned for correction. Cal OES’s historical practice has been to reach out to the dam owners after six months of no contact. Cal OES will reduce the time of follow-up to one month, and each month thereafter until the corrected EAP is resubmitted.

Lastly, the CSA’s Report states “…the large number of emergency action plans yet to be approved by Emergency Services shows that sufficient corrective action has not yet occurred.”

Cal OES has taken significant corrective actions and continues to work on EAP approvals. Cal OES anticipates the tools we’ve developed, current approval processes, and administrative changes in the timing and frequency of outreach will reduce the number of outstanding EAPs.

Cal OES appreciates the assistance and guidance offered during CSA’s assessment. If you have additional questions or concerns, please contact Ralph Zavala, Cal OES Internal Audits Office Chief, at (916) 845-8437.


Original PDF copy signed


c: Ralph Zavala, Chief, Internal Audits Office

To provide clarity and perspective, we are commenting on the response to our assessment from CalOES. The number below corresponds with the number we have placed in the margin of the response.

 Although we indicate that CalOES has made some progress in approving emergency plans on page 21, 121 dams with extremely high downstream hazard ratings—indicating a risk of considerable loss of human life—still lack approved plans.

Date: August 4, 2023

To: Grant Parks
California State Auditor

From: Carlos Quant
Deputy Secretary, Budget and Administration
California State Transportation Agency

Subject: California State Transportation Agency Response to 2023-601—State High-Risk Assessment

To Whom it May Concern:

CalSTA concurs with the Auditor’s findings. This decision is a testament to the substantial progress Caltrans, the California Transportation Commission and our partners have made as we work together to improve our state’s critical transportation infrastructure. This progress has been especially noteworthy since the passage of Senate Bill (SB) 1, the Road Repair and Accountability Act of 2017 – landmark legislation that ushered in a new era of infrastructure investment to rebuild California. Our elected officials and the people of California entrusted us with their hard-earned tax dollars to upgrade the state’s aging infrastructure, and we have delivered and will continue to make good on that trust. Coupled with Governor Newsom’s infrastructure streamlining package and a $15 billion investment in clean transportation infrastructure, along with recent increased federal infrastructure funding, our state is in an incredible and unique position to keep making progress and accelerate our transition to a cleaner, safer, more equitable and more connected transportation system that benefits all Californians.

Please contact Carlos Quant with any questions at

Thank you,

Carlos Quant
Deputy Secretary, Budget and Administration

August 4, 2023

Grant Parks
California State Auditor
621 Capitol Mall, Suite 1200
Sacramento, CA 95814

Dear Mr. Parks:

The California Department of Public Health (Public Health) thanks the California State Auditor for the opportunity to comment on its draft report of the updated assessment of high-risk issues faced by the State and select State agencies.

Public Health appreciates that CSA acknowledges the signficant progress we have made to eliminate the concerns that initially identified us as a high-risk department. Removal from this list represents great efforts made by numerous Public Health programs and employees to adopt previous audit recommendations and implement corrective action to control risk to the public.

We take seriously our charge to advance and protect the health and well-being of California’s diverse peoples and communities and have worked to quickly address recommendations that could pose a risk to residents’ overall health or safety.

Public Health understands we still have a limited number of outstanding recommendations and commit to continuing to fully implement these. We will report our progress to the State Auditor at the designated time intervals.

Thank you for the opportunity to respond to the assessment. If you have any questions, please contact Rob Hughes, Deputy Director, Office of Compliance, at (916) 306-2277.


Tomás J. Aragón, M.D., Dr.P.H.
Director and State Public Health Officer

August 3, 2023

Grant Parks (via GovOps Agency Secretary Amy Tong)
California State Auditor
621 Capitol Mall, Suite 1200
Sacramento, CA 95814


Dear Mr. Parks:

The State’s Information Security Remains a High-Risk Issue:

The California Department of Technology (CDT) acknowledges that statewide information security faces significant risks, given the increasingly complex and sophisticated cyber threat landscape. This year has witnessed a remarkable increase in the frequency and sophistication of cyber-attacks globally – greater than those that occurred in the last five years combined. In response to these heightened threats, we coordinated with State and Federal partners to significantly enhance State cybersecurity resiliency measures. As a result, annually the enhanced measures have successfully deterred more than 300 confirmed attacks and mitigation of vulnerabilities. The CDT oversight program is fully modernized to focus on supporting reporting Agencies with operational resiliency to respond to modern cyber-attacks.

The California State Auditor’s (CSA) high-risk audit focused on a subset of the CDT efforts and failed to acknowledge how CDT baselines risk and actions performed to enhance statewide maturity and resiliency. The CSA referenced 52 reviews underway. These reviews are the CDT Information Security Program Audits (ISPA) that audit the highest-risk departments against policy compliance measures. In addition, we provide tailored help to entities and remediate gaps for the remaining lower-risk departments.

The CDT employs a thorough approach to assess and strengthen the security of all State entities. This comprehensive approach involves the Information Security Program Audits (ISPA), Independent Security Assessments (ISA), attack surface analysis, and the National Cybersecurity Review (NCSR). In addition to these compliance baseline measures; the CDT has evolved its oversight program to support departments addressing any identified issues. This program provides remediation assistance through consultative advisory services to help departments manage internal risks. The CDT has expanded its services 24 by including seven continuous threat detection and response services for the internal networks of the least resilient departments identified through this oversight approach. Through this program, the CDT can ensure a higher level of statewide protection.

The CSA references 52 of 107 entities reviewed in a four-year period. These audits are solely focused on high-risk entities as determined by CDT. The remaining entities which are in the low-risk pool are scored using ISAs, the external attack surface baselines, NCSR, and a comprehensive review of their risk remediation plans. Both entity types receive remediation services through programs within our advisory, with tailored hands-on guidance, continuous monitoring of their internal networks, and other operational services provided within our California Cybersecurity Integration Center (Cal-CSIC).

The objective is to provide a clear outline of the oversight program designed to measure risk within the CDT framework. The program specifically covers eight state agencies under the Executive Branch, and several un-affiliated and independent state agencies, totaling 139 unique entities:

  • The program conducted policy audits for 61 unique departments.
    • More than 85 audits were conducted, considering re-audits and departments that received progress check-ins.
  • A total of 250 technical vulnerability assessments were performed, with 121 unique departments receiving technical vulnerability assessments. A subset of these departments receives an audit due to their high-risk nature.
  • The program generated 115 unique NCSR scores.
  • Additionally, 139 baseline attack surface scores were calculated.

As CDT baselines entities through oversight measures by aligning operational efforts to build in resiliency to help them with protective measures.

  • Over 30 resource-constrained departments are receiving continuous internal and wide area network (WAN) monitoring utilized by all departments.
  • Implemented a Vulnerability Disclosure Process and remediated over 50 external risks.
  • The advisory services team conducted over 240 tailored workshops providing internal and hands-on assistance to remediate risk for departments.
  • Delivered 18 policies and standards and 70 example templates for departmental internal use.
  • Established the Technology Stabilization Fund to help departments with stabilizing critical services.
  • Expanded staffing within advisory services by seven to help with independent organizations such as the referenced California Public Employees’ Retirement System (CalPERS), California State Teachers’ Retirement System (CalSTRS), and the State Controller’s Office (SCO).
  • Established incident response teams with CDT and Cal-CSIC to minimize the impact of cyber incidents and provide rapid recovery for affected departments such as the referenced Department of Finance (DOF) incident.

As we continue to evolve our protective measures, as exemplified above, we observe an approximate four percent increase in maturity of the 107 departments under our authority using audits, assessments, or a combination thereof.

The frequency and sophistication will continue to increase, and new technology will continue to expand the threat landscape. As the threat landscape continues to evolve, CDT will adapt its oversight program to encompass standards, advisory, and operational measures. We appreciate input from CSA on any aspect of our measures. The CDT takes a holistic, risk-based approach to oversight and remediation, as focusing on policy reviews and audits alone is not sufficient.

CDT Has Not Made Sufficient Progress in its Oversight of State Information Technology Projects:

     CDT’s Project Approval Lifecycle (PAL) process is a robust and rigorous planning process designed to mitigate the risk of failed IT projects and protect the State’s technology investment. CDT asserts that the PAL process and subsequent project oversight functions have significantly improved project outcomes. CDT provided data to the CSA in response to the CSA’s 2022-114 audit indicating the current project outcomes are at or positively above industry benchmarks for IT projects as follows: The Department of Technology conducted an analysis in 2018 in response to a Legislative Analyst Office (LOA) request.

We compared the State of California project outcomes of 178 I projects to the Standish annual CHAOS report of 2014 as follows:

2007 - 2017 California State Industry Average
Successful Projects 28% 16.2%
Challenged Projects 63% 52.7%
Failed Projects 9% 31.1%

CDT has since updated our analysis: Comparison to the 2020 Standish Group Report shows the following:

FY 2018 – FY 2022 California State Industry Average
Successful Projects 67% 31%
Challenged Projects 33% 50%
Failed Projects 0% 19%

CDT attributes this improving trend to a higher quality planning, improvements to the oversight process since 2017, and early escalation of issues to state entity leadership when required.

The PAL planning process is scalable based on the IT project's business and/or technical complexity. This means that the more complex a project is, the more planning is needed. The CSA did not include information provided by CDT about all factors that contribute to the time duration of the PAL process, some of which are outside the CDT control, including the annual budget process, changes in state entity business priorities, funding availability, skills and experience of the department staff, and the quality of the state entities planning documents. The CDT has experienced PAL durations as short as 36 days.

In March 2023, the CDT made improvements in the PAL process in response to a yearlong improvement effort and evaluation via interviews of various stakeholders, including three Agencies, 12 Departments, the Legislative Analyst Office, the Department of Finance, and external experts from the Project Management Institute and Sacramento State University. The objectives achieved were reducing burdensome pain points, processes that adapt to various project management methodologies, streamlined processing, challenge-based procurements, and ADA compliance.

As part of CSA’s audit, the team reviewed CDT's oversight of four IT projects and found that although three were identified that required immediate corrective action, CDT had not used its authority to ensure the problems were resolved.

  2. Caltrans TAMS
  3. DMV DxP
  4. FI$Cal

We consider the CSA’s conclusion flawed as only one of these projects has achieved completion. CDT takes a collaborative approach to oversight, working with Departments to mitigate unplanned project risks and implement formal and informal corrective action plans. CDT may take various actions as detailed in the IT project oversight framework SIMM 45, including escalation of risks and issues identified in the oversight reporting, via meetings and verbal and written communications with project directors, project sponsors, and department executives. We may guide and direct departments to pursue their own corrective actions, corrective action plans, or contractual remedies. These measures are exhausted before we pursue the most severe actions to issue a CDT Corrective Action Plan letter or a suspension or termination letter, which are seen as punitive measures.

The auditor noted that CDT issued no corrective action plan letter related to these four projects. However, it does not mean that department corrective action plans or corrective actions were not initiated because of CDT recommendations or escalations.

The Auditor chose four projects from a set of 240 projects and analyzed the performance data provided to the auditor. However, the auditor did not provide information about the effectiveness of project oversight for the remaining 236 projects of the State project portfolio. The details on the effectiveness of project oversight were given only for the four selected projects.

Three of the four projects examined by the auditor [CWS-CARES, DMV DxP, and Caltrans TAMS] have not been completed and are still in progress. The ability to determine whether the original project requirements, as defined by the scope of work, were delivered on time is premature. The fourth project, FI$Cal, is complete and provides large-scale benefits to the state as planned. The conclusions drawn from the remaining three projects should not be used to infer the effectiveness of the planning and oversight work over the entire State project portfolio. In the case of CWS-CARES, currently beginning implementation, significant CDT intervention took place, resulting in major changes in the development planning. Regarding the DMV DxP project, phase-1 implementation was successful. Phase-2 risks were identified, and CDT escalated these to executive management resulting in additional planning activities to address the risks identified in the oversight reports and escalation. For Caltrans TAMS, CDT provided observations, recommendations, and guidance, resulting in the termination of a vendor contract and a currently underway re-procurement.

We remain committed to the ongoing evaluation of the effectiveness of the planning and oversight activities as we continue to explore methods to effectively correlate project planning and oversight efforts to successful project outcomes.

Thank you for the opportunity to respond to your draft High-Risk Review report regarding CDT. Please contact Kirk Marston at 916-208-6896, if you have questions.


Liana Bailey-Crimmins
State Chief Information Officer and Director
California Department of Technology

cc: Amy Tong, Secretary, Government Operations Agency
Jared Johnson, Chief Deputy Director, California Department of Technology

To provide clarity and perspective, we are commenting on the response to our assessment from CDT. The numbers below correspond to the numbers we have placed in the margin of the response.

 To provide clarity, the draft report to which CDT is responding is not the result of an audit, but rather an assessment of high risk issues and agencies. Our assessment did include a review of recently completed audits, including an audit of the Department of Technology’s strategic planning, information security, and IT project oversight that we published in April 2023. However, because CDT conflates our high-risk assessment with this recently completed audit of CDT, it misses the primary focus of this section of our report, which is that IT security remains a high risk issue—for which CDT is a responsible agency, but not the only agency impacting our high-risk designation. In focusing solely on its own approach, which it believes is thorough, CDT fails to acknowledge the currently limited IT security readiness of the State and the potential costs and impacts of failures in this area. For example, as we note, there have been several high profile data breaches at government agencies including the Department of Finance, CalPERS, CalSTRS, and the State Controller since our last high-risk assessment.

 We stand by our concerns related to CDT’s limited capacity to conduct information security audits. At its current capacity, CDT can audit a maximum of 12 percent of reporting entities annually.

 We stand by our recent audit, which found that CDT’s oversight of IT projects has been ineffective at addressing risks on complex projects.

 The initial analysis CDT references was conducted five years ago, shortly after PAL’s creation, and compares its outcomes with a report from nine years ago. Moreover, CDT did not provide the IT project metrics it cites in response to us during our April 2023 audit.

 Despite CDT’s analysis of its own system, it was unable to demonstrate PAL’s effectiveness during our 2023 audit. In fact, although three of the four projects we reviewed required immediate corrective action CDT failed to use its authority to ensure that the associated problems were resolved. Further, CDT did not provide the IT project metrics it cited in its response to our April 2023 audit. Moreover, its response does not provide any context about the number, size, or complexity of the projects it analyzed. Because many of the IT projects CDT approves under the PAL process cost millions of dollars, the State needs to be certain that the process is effective.

 In our 2023 audit 23 percent of the agencies that we surveyed, that had used CDT’s PAL process, indicated that they were unsatisfied, or very unsatisfied with it.

 CDT’s response focuses on our Report 2022-114, April 2023. Beginning on page 65 of that report, CTD provided a six-page response in which we rebutted 12 items, beginning on page 69.

August 4, 2023


Grant Parks
California State Auditor
621 Capitol Mall, Suite 1200
Sacramento, CA 95814


Dear Mr. Parks:

The Department of Health Care Services (DHCS) hereby submits the enclosed response to the California State Auditor (CSA) draft report number 2023-601, titled, “The California State Auditor’s Updated Assessment of Issues and Agencies That Pose a High Risk to the State”

DHCS appreciates the work performed by CSA and the opportunity to respond to the draft report. If you have any questions, please contact the DHCS Office of Compliance, Internal Audits at (916) 445 0759.


Michelle Baass


cc: See Next Page

Jacey Cooper
State Medicaid Director
Chief Deputy Director
Health Care Programs
Department of Health Care Services

Erika Sperbeck
Chief Deputy Director
Policy and Program Support
Department of Health Care Services

Rene Mollow
Deputy Director
Health Care Benefits and Eligibility
Department of Health Care Services

Saralyn Ang-Olson, JD, MPP
Chief Compliance Officer
Office of Compliance
Department of Health Care Services

Wendy Griffe, MPA
Internal Audits
Department of Health Care Services

Assessment Item 1 Medi-Cal Eligibility: Although it has made some progress, Department of Health Care Services (DHCS) has not adequately resolved issues involving Medi-Cal Eligibility.

DHCS’ Response:

The Centers for Medicare & Medicaid Services confirmed the continuous enrollment requirement is now delinked from the Public Health Emergency (PHE) in the Consolidation Appropriations Act of 2023, (enacted December 29, 2022), and the PHE ended on March 31, 2023. DHCS began the continuous coverage requirement unwinding activities, including the resumption of annual renewals, on April 1, 2023. DHCS is providing counties with a hold-harmless period for the duration of the unwinding period and expects to resume normal county monitoring and oversight activities, to include resumption of county focused review activities and Medi-Cal Eligibility Data System Alert Monitoring on May 1, 2024. These activities will include assessing corrective action plans as warranted based on monitoring and oversight findings.

Assessment Item 2 Mental Health Services Act (MHSA): Additional Audits by the State Auditor would be unlikely to assist in mitigating risks associated with MHSA funds. Accordingly, we are removing DHCS’ oversight of the MHSA as a high-risk issue.

DHCS’ Response:
No response needed.

August 4, 2023

Grant Parks
California State Auditor
621 Capitol Mall, Suite 1200
Sacramento, CA 95814

Dear Auditor Parks,

The Department of Water Resources (DWR) and the California Natural Resources Agency (CNRA) acknowledge receipt of the California State Auditor’s redacted draft state high-risk report section titled “2023-601 DWR – Climate Change and Aging Water Infrastructure Threaten California’s Water Supply and Public Safety”.

DWR and CNRA appreciate the report’s acknowledgment of the effects of extreme weather on California’s communities, economy, and water infrastructure. We also appreciate the report’s acknowledgement of the August 2022 Water Supply Strategy, Adapting to a Hotter, Drier Future, which DWR and CNRA helped to chart. The actions in this strategy aim to modernize water infrastructure to conserve, capture, and store enough water to replenish what is likely to be lost to hotter, drier weather. DWR also appreciates the report’s acknowledgment of the need for additional funding to create a water-resilient future for all Californians.

Thank you again for the opportunity to comment on the draft, redacted state high-risk report.


Bryan Cash
Assistant Secretary, Administration and Finance
California Natural Resources Agency

August 1, 2023

Mr. Grant Parks
State Auditor
California State Auditor
621 Capitol Mall, Suite 1200
Sacramento, California 95814

Dear Mr. Parks:

Thank you for the opportunity to review and respond to the draft State High-Risk Assessment report. We acknowledge the State Auditor’s plan to remove the affordability of higher education from the high-risk list. College affordability remains an ongoing priority for the California State University.


Jolene Koester
Interim Chancellor


August 3, 2023

Grant Parks
California State Auditor
621 Capitol Mall, Suite 1200
Sacramento, CA 95814

Dear Mr. Parks:

Subject: Responses to 2023-601 – State High-Risk Assessment

Thank you for the opportunity to respond to the upcoming state high-risk report 2023-601 relative to the issues impacting the Employment Development Department (EDD). Below are the responses to each issue:

EDD is High Risk Because of Weak Fraud Prevention, Poor Claimant Service, and High Rate of Overturned Eligibility Decisions in its Unemployment Insurance (UI) Program:

Substantial Fraud Risk Exists in EDD’s UI Program

Every Unemployment Insurance system in the country, including California, was overwhelmed with the number of Pandemic Unemployment Assistance (PUA) claims during the height of the COVID-19 Pandemic, and all were impacted by fraud. Based on that experience and the recommendations of the Governors’ EDD Strike Team, the Legislature, the Legislative Analyst Office (LAO), and the California State Auditor (CSA), EDD has one of the nation’s toughest anti-fraud programs, including robust identity and claimant verification. EDD has complied with all CSA fraud audit recommendations (Report 2020-628.2) and has also fully implemented all recommendations in Report 2020-628.1 and EDD anticipates confirmation of the final recommendation as “fully implemented’ by CSA. The Auditor’s risk scenarios in this high-risk report do not reflect the fraud prevention measures in place today and instead reflect outdated challenges that impacted the department at the height of the pandemic. EDD’s significant advancements and enhancements to its fraud prevention and detection measures have proven highly effective in safeguarding benefit payments from fraudsters.

In October 2020, EDD partnered with to implement its identity proofing and authentication platform, which is used by numerous government agencies. The services were added to supplement EDD’s existing Identity Alert Process, to validate the identity of the individual filing the UI claim. In January 2021, Thomson Reuters (TR) Government Division fraud detection tools were incorporated into the new claim filing process. Adding the TR cross-check at the start of the process allows for the earliest possible detection of potential fraud and occurs prior to the issuance of any benefit payments. We also work with our sister agency, the California Department of Corrections and Rehabilitation (CDCR) to crossmatch prisoner identifications that may be used in an attempt to obtain UI benefits.

With the use of these tools, as well as the creation of a Fraud Prevention and Detection Section within the UI Branch and the implementation of additional internal fraud prevention measures, from 2020 through 2022, EDD has successfully identified and mitigated attempted fraud schemes and safeguarded nearly $43.4 billion in fraudulent UI benefit payments from being issued. EDD maintains a close review and continuous assessment of its existing fraud prevention measures adjusting to the continuously evolving fraud landscape. Of note, the vast majority of the fraud that occurred during the pandemic was in the PUA program, which ended in September of 2021. As this department and other UI systems around the country have stated, the PUA program lacked the traditional safeguards of the regular UI program.

Along with all the internal enhancements and controls that have been implemented, EDD continues to collaborate with other state agencies and law enforcement entities through a statewide EDD Fraud Task Force. Leading this work is EDD’s Special Counsel, McGregor Scott, an experienced former federal prosecutor, and United States Attorney who is providing independent counsel and expertise in the areas of fraud prevention, detection, and interdiction. Specifically, EDD’s Investigation Division is involved in hundreds of joint criminal investigations with the Fraud Special Counsel and local, state, and federal law enforcement entities in an ongoing effort to identify and prosecute individuals and criminal organizations participating in complex identity theft and fraud schemes.

As it relates to inadequate identification of potentially fraudulent payments, EDD agrees that this has been a contributing factor which led to not only delayed publications of the Annual Comprehensive Financial Report (ACFR), but also modified audit opinions for the state. As indicated in the Department’s response to the California State Auditor’s (CSA) Internal Control Report 2020-1, EDD agreed with the recommendation from CSA on revisiting its methodology for estimating potentially fraudulent payments. EDD has used the knowledge gained during the fiscal year 2019-20 and 2020-21 audits to identify invalid claims more accurately and will be implementing a validation process to ensure multiple levels of review are incorporated.

EDD has been engaging with CSA since April 2023 to ensure that the Department’s understanding of this dataset is in line with CSA expectations. It should be noted that for financial purposes the Department is now of the understanding that all invalid claims need to be assessed, not just those which are potentially fraudulent. Including all improper payments is a major change from prior audit cycles and reinforces the complex nature of quantifying this dataset and accurately incorporating the data results into EDD’s financial statements.

EDD Has Not Provided California Residents with Sufficient Customer Service, Resulting in Significant Challenges to Obtaining UI Benefits

During the COVID-19 pandemic, the contact center experienced its most significant call volume periods, with call volumes in the millions per week.

We agree customer satisfaction with the Unemployment Insurance claim process fell during the pandemic, however, we disagree it remains low. Sixty-Nine percent of customers surveyed in 2022 were completely or mostly satisfied with the application process, up from 67 percent in 2021. We are continuing to assess customer feedback to implement additional improvements, so this data continues to trend in a positive direction.

EDD has made significant improvements to increase the level of service it provides to the citizens of California. For the months following the April 2023 period cited by CSA, the contact center received an average of 169,763 incoming calls from an average of 59,905 customers and answered an average of 68,978 calls; it is estimated that the average customer attempted to contact EDD approximately 2.8 times before speaking with an agent from June 3, 2023, through July 22, 2023. During this same period, the average customer waited approximately 12 minutes and 28 seconds to speak with an agent, a 64 percent improvement from the pandemic. Based on call analysis, there are various reasons customers may call the contact center that do not directly impact the timely payment of benefits. For example, customers may call to inquire about the status of an active appeal, inquire about California Training Benefits, or update their demographic information.

We take CSA audits and recommendations very seriously. According to the CSA, EDD has “Fully Implemented” all contact center enhancements submitted by EDD, in response to Report 2020-128/628.1, and has identified these on the CSA website. The recommendations made by CSA that address contact center issues were thorough and comprehensive, covering data tracking, staff training, analysis, and specific call features. In addition to what CSA recommended, EDD has implemented thirty (30) operational or technological enhancements in the contact center, with additional plans to improve the customer experience. EDD remains committed to improving the overall experience of Californians who require the critical services EDD provides in their most significant times of need. We are the only department in state government with a branch dedicated to Customer and User Experiences.

With respect to the timeliness of first payments, EDD agrees with the importance of timely benefit payments and agrees with CSA’s statement that EDD’s “timeliness has increased since the worst of the COVID-19 pandemic”. EDDs performance has made significant strides, nearing within one percent of the Department of Labor’s (DOL) 87 percent threshold. EDD has identified measures to continue this upward trend trajectory that include monitoring workloads to prioritize cases to meet timeliness standards and developing written questionnaires to address specific eligibility issues, reducing the need for telephone interviews, and facilitating quicker determinations and payment of benefits.

Many of EDD’s UI Eligibility Decisions Are Not Upheld on Appeal

Regarding the EDD Appeals process, it is important to note that a disqualifying decision made by the department does not inherently constitute an improper decision if the decision is later appealed and reversed. EDD is responsible for administering the program and determining eligibility by applying federal and state law and policy to make eligibility decisions based on the information available, as provided by the claimant and the employer. As CSA has noted, a claimant is able to provide new information during their appeal that was not furnished to EDD during the adjudication processes which may result in the reversal of a previous ineligibility.

Additionally, DOL reporting requirements reflect appeal modifications/adjustments as a reversal of the decision. For example, an adjustment of penalty weeks or penalty amounts is considered a non-affirmation decision and reflected as a decision that has been reversed, even though the claimant is still ineligible to receive UI benefits, consistent with EDD’s original decision. Therefore, individuals that have one primary eligibility issue affirmed and remain ineligible may also have two secondary issues modified or adjusted, which will reflect as reversals per DOL reporting requirements; however, the individuals remain ineligible for benefits, per EDD’s original decision.

In other words, CSA is adopting DOLs overbroad "reverse" definition. Again, if a claimant has an overpayment penalty reduced by the Board or they reduce one of the multiple false statements, this is counted as a "reversal" even if the EDDs decision of ineligibility is affirmed. We do not believe this accurately reflects the integrity of EDD’s eligibility decisions.

EDD continues to assess decisions that are reversed to identify ways to improve the adjudication process. This includes attending hearings to provide clarification regarding the Department's decisions and observing and gathering information to identify areas for improvement. EDD has also enhanced the training system to allow for expedient access to materials to ensure employees are fully equipped to apply the law and policy accurately, efficiently, and effectively.

The State’s Management of COVID-19 Federal Funds Continues to Be a High-Risk Issue

In reference to the CSA statement regarding the high risk associated with federal funds and recommendations remaining unimplemented, EDD confirms that as of June 2022, all seven recommendations listed in the Fraud Prevention Report (Report 2020-628.2) have been completed, accepted, and reported as fully implemented or resolved by the CSA.

Late Financial Reporting Continues to Increase Risk to the State

EDD takes seriously its role in contributing to the late publications of the ACFR by the State of California. As has been noted in multiple audit responses, most recently in the Department’s response to the “Federal Compliance Audit Report for the Fiscal Year Ended June 30, 2021” (Report 2021-002), the deferred transition to FI$Cal and the difficulties experienced thereafter have continued to cause EDD to be late with submitting year-end financials. In addition, the onset of the COVID-19 pandemic created additional accounting issues never dealt with before that impacted EDD’s ability to submit timely year-end financials. However, EDD is making progress and continues to gain ground in the Department’s efforts to follow the State’s deadlines for submitting year-end financials.

The Department submitted the last of its fiscal year 2021-22 financials to the Controller’s office in March 2023. For comparison, EDD had submitted its 2020-21 financial statements in July of 2022. Furthermore, shortly after submitting its 2021-22 financial statements to the Controller, EDD quickly began closing out accounting periods within the statewide financial system (FI$Cal) for 2022-23. In a period of approximately 95 days, EDD went from closing out July 2022 to closing out May 2023. As of this date, EDD is actively working on closing out June 2023 with a goal of submitting financial statements to the Controller by December 2023. Although this is still after the state deadline to produce timely financials, it represents another significant year-over-year improvement for the Department.

EDD has accomplished significant advancements in fraud detection and prevention through transformative policy and program changes, new tools and technology, and vital public-private partnerships. The Department appreciates audit feedback and remains open to any additional recommendations that strengthen fraud prevention and accountability for our essential state and federal programs.


Nancy Farias

To provide clarity and perspective, we are commenting on the response to our assessment from EDD. The numbers below correspond to the numbers we have placed in the margin of the response.

 Although EDD has taken some steps to address fraud, EDD cannot effectively measure the impact of these efforts because it is unable to determine how many improper payments it has made.

 Financial reporting standards have consistently required EDD to determine the total amount of ineligible payments it made, regardless of whether the payments related to fraud, and exclude this amount from its reported federal revenue and certain other accounts.

 EDD’s own response indicates that nearly one-third of customers surveyed in 2022 were not completely or mostly satisfied with the application process. These results indicate that customer satisfaction remains low and warrants continued efforts by EDD to improve its unemployment insurance claims process—a condition with which EDD appears to agree.

 As EDD states in its response, we used the U.S. Department of Labor’s definition for appeal reversals to quantify reversal rates. Using a consistent definition across states and territories allows for a comparison of appeal reversal rates, which shows that California has the third highest rate in the nation of appeal reversals in favor of the claimant.

August 4, 2023

Grant Parks
California State Auditor
621 Capitol Mall, Suite 1200
Sacramento, CA 95814

RE: 2023-601-State High Risk Assessment

Dear Mr. Parks:

We appreciate your feedback and welcome the opportunity to respond to the California State Auditor’s draft for the State High Risk Assessment.

The FI$Cal system remains one of the largest and most dynamic IT projects that California has undertaken in its history, and we are proud of the work that has been accomplished to date.

The FI$Cal system is working for California. It serves as the departmental accounting system for 152 departments and approximately 14,000 users, processing $421 billion in spending each year. The State Treasurer’s Office uses the FI$Cal system to process approximately $3.1 trillion in state government banking transactions annually and the Department of Finance uses the system to prepare the state budget each year. Departments are paying their bills and balancing their budgets every day using the FI$Cal system.

During the onboarding process from fiscal year 2014-15 until 2018-19, when the final and largest group of departments were onboarded and first began transacting and reporting using the FI$Cal system, we knew there was a significant learning curve. Over the past five years, we have seen departments continuously improve in closing years and completing their statements using the FI$Cal system. More than half of the departments met the year-end close deadline for 2021-22 fiscal year and one month later, in September 2022, 82% of departments had submitted their statements. This represented a significant improvement from the 53% in September 2021.

We recognize there are challenges that remain and we are working diligently with departments and our control agency partners to address them. The system becoming the accounting book of record for the state of California will create additional efficiencies that will have positive downstream effects on departments’ abilities to reconcile and submit timely financial statements.

Late Financial Reporting Continues to Increase Risk to the State

There is no prior instance of the state being downgraded solely related to our failure to provide audited financial statements by April 1st and there is currently no reason to believe that this alone, absent other exigent circumstances, would cause the state’s credit rating to be downgraded. The reason for this is that the state frequently provides public updates on the status of its finances. This includes the Department of Finance’s monthly Finance Bulletin, the State Controller’s monthly cash reports, various Legislative Analysis Office reports, the Governor’s budget, the May revision and the enacted state budget. In addition, each time the state issues bonds secured by the General Fund, the state updates its bond disclosure, which contains information on the state’s fiscal condition, including the current budget, revenues, expenditures, reserves, pending litigation, debt obligations, investments, pension obligations, cash management, economy and population. These public updates are provided to ensure that the investment community understands the state’s circumstances.

With the passage of Assembly Bills 156 and 127, we, in collaboration with our partners, will continue our efforts towards making the FI$Cal system the accounting book of record by July 2026. As mentioned previously, the system becoming the accounting book of record for the state of California will create additional efficiencies that will have positive downstream effects on departments’ abilities to submit timely financial statements. This transition will eliminate the need for departments to spend time reconciling their monthly statements with the State Controller’s Office after they have finalized their transactions in the FI$Cal system, effectively reducing the length of time it takes to submit their year-end financial statements. In addition, there has been a significant improvement in the number of departments that have filed their year-end financial statements within 30 days of the deadline. This will continue to improve as departments finalize their internal processes and procedures.

We look forward to continuing our collaboration with customer departments, our control agency partners, the State Auditor’s Office and the Legislature to ensure that the FI$Cal system continues to grow and evolve with the needs of California. We will continue to provide regular updates on our progress; in the meantime, if you have any questions please contact me at (916) 576-4341 or


Jennifer Maguire
Department of FISCal

To provide clarity and perspective, we are commenting on the response to our assessment from FI$Cal. The number below corresponds to the number we have placed in the margin of the response.

 The Department of FI$Cal suggests that the past experience of the State’s credit rating not being downgraded due to late financial statements is an indicator of future results. However, the State’s credit rating has been downgraded in the past for other reasons; for example, in April 2001 the electricity crisis prompted downgrades. Persistent late financial statements do pose a risk that FI$Cal should not brush aside, and that the State should work to mitigate. As we note in Report 2021-039, August 2022, our status report on FI$Cal, the State’s ability to publish accurate and timely financial statements is important for the State to sustain the trust of financial markets and maintain a high credit rating. This helps the state access lower-cost debt. As we further note in that report, late financial statements also create a risk to the State’s access to billions of dollars in federal funding.

August 4, 2023

Grant Parks, State Auditor
621 Capitol Mall, Suite 1200
Sacramento, CA 95814

2023-601-State High Risk Assessment

Thank you for the opportunity to respond to the California State Auditor’s State High Risk Assessment draft report. In response to your assessment that the State’s management of COVID-19 federal funding remains high risk, we provide the following comments:

     Given recent legislative, administration, and federal actions, the Department of Finance does not agree that the management of the COVID-19 federal funds should continue to be a high-risk issue. In line with our response to the California State Auditor’s State High-Risk Audit Program report, issued August 2021, Finance continues to assert the State’s management of COVID-19 federal funds does not meet the regulatory criterion of presenting a substantial risk of serious detriment to the State or its residents. However, to ensure the proper oversight of the COVID-19 federal funds, in the 2021 Budget, the Legislature approved the establishment of the Federal Funds Accountability and Cost Tracking (FFACT) Unit with several positions within Finance, to track the receipt and expenditure of COVID-19 federal funds provided under the following six federal bills: (1) Coronavirus Preparedness and Response (Public Law 116-123), (2) Families First (Public Law 116-127), (3) Coronavirus Aid, Relief, and Economic Security (Public Law 116-136), (4) Paycheck Protection Program and Health Care Enhancement (Public Law 116-139), (5) Coronavirus Response and Relief (Public Law 116-260), and (6) American Rescue Plan Act (Public Law 117-2). FFACT also provides leadership, direction, training, and support to departments with respect to this funding.

FFACT continues to monitor and oversee the progress of expenditures with the various departments. In addition to this oversight, internal audits are performed to assist in the monitoring of the COVID-19 federal funds by identifying and providing recommendations to address risks. Finally, the Single Audit and the U.S. Treasury’s authority to audit provide additional assurance that the state’s COVID- 19 federal funds are expended appropriately. For example, in the recently concluded desk review of the state’s Coronavirus Aid, Relief, and Economic Security Act Coronavirus Relief Fund (CRF) allocation of $9.5 billion, auditors contracted by the U.S. Treasury Office of Inspector General determined that California’s risk of unallowable use of funds is low and did not recommend California for a full audit. They determined the only expenditure that fell beyond the period of availability for CRF was $6,952 for the third year of a California Department of Public Health software subscription. This was considered immaterial, and Finance made the necessary reporting correction. This result clearly demonstrates that FFACT oversight and coordination with departments has mitigated the risks in managing this federal funding.

If you have any questions or need additional information, please contact Cheryl McCormick, Chief, Office of State Audits and Evaluations, at (916) 322-2985.


Original signed by
Erika Li

Director, California Department of Finance

To provide clarity and perspective, we are commenting on the response to our assessment from Finance. The numbers below correspond to the numbers we have placed in the margin of the response.

 We appreciate the Department of Finance’s perspective on this issue. However, as we noted in August 2021, the purpose of federal COVID-19 funds was to help Californians through a life-threatening pandemic that upended the economy. We found several instances in which these funds were mismanaged by state agencies. For example, in Report 2021-611, we identified $47 million for which several university campuses could have requested reimbursement from other sources, increasing available COVID funds by a like amount. Further, as we note on page 10, the Board of State and Community Corrections allocated funds to CDCR without justification or an allocation methodology that considered important elements such as the impact of the pandemic. Because COVID-19 funds will remain eligible for allocation and expenditure by state agencies through December 31, 2024, the risk of serious detriment remains high, and has not been sufficiently mitigated.

 The findings and recommendations in the 11 high‑risk audits we have conducted on this issue area demonstrate the need for oversight though the State Auditor’s high‑risk program. Moreover, since our last review in 2021, an additional $76 billion in COVID-19 funding remains to be allocated and expended by State agencies.