Report 2023-601 State High Risk Audit Program, Audit Plan:
September 2023 through August 2025
In accordance with the State High-Risk Government Agency Audit Program regulations, we present a tentative two-year plan for performing audits and conducting other monitoring activities. The plan covers work from September 2023 through August 2025 regarding state agencies and statewide issues appearing on this state high risk list. The plan is tentative, as such audits and monitoring can be conducted only when resources are available based on our office’s projected workload.
| High Risk Issue or Agency | Summary of Concern | Planned Approach |
|---|---|---|
| Employment Development Department (EDD) | EDD is unable to reliably estimate improper payments under the Unemployment Insurance (UI) program, thus adversely affecting the State’s financial statements as well as impairing efforts to independently evaluate the efficacy of EDD’s own fraud prevention activities. Further, EDD needs to improve customer service to unemployment insurance claimants, while also taking steps to ensure its eligibility decisions are not frequently overturned on appeal. | We will monitor EDD’s implementation of recommendations from two audits in 2021 and will continue to monitor EDD’s efforts to improve its handling of fraud and its customer service within the UI program. We will consider conducting a state high-risk audit to follow up on the 2021 audits as resources allow. |
| State Management of COVID-19 Federal Funds | Since our last high-risk assessment in August 2021, at least 14 state agencies have received $76 billion in additional federal COVID-19 funding. State agencies will continue to spend some of these funds through December 31, 2024. This influx of resources represents both a significant benefit and risk to the State, as represented by the extent of our previous findings on the management of federal COVID-19 funding and the status of unimplemented recommendations. The State continues to spend federal COVID-19 funds, meaning circumstances have not significantly changed. | In 2021 we issued eight state high-risk audit reports on various state entities’ use of federal COVID-19 funds. We will continue to monitor the audited entities’ implementation of our recommendations from those reports and will also monitor overall COVID-19 federal spending through our financial and federal compliance audits. |
| State Financial Reporting and Accountability | The State Controller issued the State’s financial statements for fiscal year 2020–21 later than in previous years—12 months after its traditional deadline and six months after a general extension on financial reporting that the federal government provided because of the pandemic. The State’s financial reporting for fiscal year 2021–22 was also late. This continued trend of late reporting reduces the efficiency and effectiveness of the State’s financial oversight. The State’s late financial reporting could also negatively affect its credit rating, which could increase the cost associated with borrowing. | Given our central role in auditing the ACFR each year, the State Auditor will be seeking an independent CPA firm, with significant experience auditing large and complex ACFRs of governmental entities, to conduct an independent performance audit of the State’s ACFR process. The primary goal of the audit will be to provide greater transparency to the public and Legislature regarding the cause or causes of the State’s late financial reporting, while also providing relevant state agencies with specific, actionable recommendations that will lead to the timely issuance of California’s ACFR. The audit will include a review of the respective roles of the key agencies involved in the preparation and issuance of the State’s ACFR for fiscal year 2021-22. |
| Information Security | The California Department of Technology (CDT) is responsible for providing direction for the State’s information security efforts and for reviewing the security of reporting entities. However, CDT has yet to determine the effectiveness of cybersecurity programs for all of the entities for which it has oversight responsibility. To determine the effectiveness of information security for reporting entities at higher risk, CDT relies on a four-year oversight lifecycle. However, as we said in Report 2022-114, issued in April 2023, CDT has the capacity to complete only 13 compliance audits each year, or 52 reviews of reporting entities during a four-year cycle, which is not quite half of the 107 reporting entities for which it is responsible. | In 2021 and 2023 we issued audit reports on information security and made several recommendations. We will continue to monitor CDT’s implementation of those recommendations and will consider conducting a follow-up audit of CDT’s efforts to improve information security as resources allow. |
| Information Technology Oversight | In April 2023, we noted that CDT’s oversight of IT projects has been ineffective at addressing risks on complex projects. During that audit, we found that although CDT identified deficiencies in three IT projects which required immediate corrective action, it had not used its authority to ensure that the problems were resolved. Moreover, CDT’s use of costly and lengthy approval processes can have negative consequences for agencies. | We will continue to monitor CDT’s efforts to improve its oversight of IT projects and will consider conducting a state high-risk audit as resources allow. |
| Water Infrastructure and Availability | The condition of some of the State’s potentially most hazardous dams and related emergency planning remains a high-risk issue. Failures or incidents at dams could result in significant harm to the State and its residents, through loss of life and flooding of economically important areas. Nevertheless, as of June 2023, 88 dams throughout the State have both a condition rating lower than Satisfactory and a downstream hazard rating of Significant or higher. Dams that fall within these classifications have a combined reservoir capacity of more than 7 million acre-feet of water. Of particular concern, 37 of the 88 dams with condition ratings below Satisfactory are also rated as Extremely High Hazard, meaning that a dam failure would cause considerable loss of human life and significant economic loss. | We will monitor the State’s approval of emergency plans and other activities related to mitigating threats to water infrastructure and availability. We will consider conducting a state high-risk audit as resources allow. |
| Department of Health Care Services (Health Care Services) | Health Care Services has not adequately resolved issues involving Medi-Cal eligibility. In Report 2020-613, July 2021, we found that the number of eligibility discrepancies between state and county eligibility systems increased during the COVID-19 pandemic and that Health Care Services was not doing enough to resolve eligibility questions about Medi-Cal beneficiaries. Health Care Services began taking steps in June 2022 to address eligibility discrepancies by issuing guidance to counties on case processing actions after the May 11, 2023, termination of the public health emergency. | We will continue to follow the department’s implementation of recommendations from our July 2021 state high-risk audit report. We will consider conducting a state high-risk audit as resources allow. |