Appendix A: Considerations for Determining High Risk
Government Code section 8546.5 provides the State Auditor with the following authority:
- To establish a high‑risk government agency audit program for the purpose of identifying, auditing, and issuing reports on any agency of the State, whether created by the Constitution or otherwise, that the State Auditor identifies as being at high risk for the potential of waste, fraud, abuse, or mismanagement or that has major challenges associated with its economy, efficiency, or effectiveness. This includes challenges that cut across programs or management functions at all state agencies or multiple state agencies; we refer to these as statewide issues.
- When identifying state agencies or statewide issues that are at high risk, in addition to reviewing the audit and investigative reports produced by the State Auditor, to consult with the Legislative Analyst’s Office, the Little Hoover Commission, the Office of the Inspector General, the Department of Finance, and other state agencies with oversight responsibilities.
- To issue audit reports with recommendations for improvement in state agencies or with regard to statewide issues identified as being at high risk not less than once every two years.
- To require state agencies identified as being at high risk, including state agencies with responsibility for a statewide issue, to periodically report to the State Auditor on the status of recommendations for improvement made by the State Auditor or other state oversight agencies.
In addition, section 8546.5 requires the State Auditor to notify the Joint Legislative Audit Committee whenever it identifies a state agency or statewide issue as being at high risk.
Qualitative and Quantitative Factors
In 2016 the State Auditor adopted regulations to implement, interpret, and make specific the provisions of the state high‑risk authority (Title 2 Cal. Code Regs. sec. 61000 et seq.). These regulations provide the criteria we use in establishing the state high‑risk list and in deciding whether a state agency or statewide issue will remain on the list. In determining whether a state agency or statewide issue should be identified as high‑risk, we consider a number of qualitative and quantitative factors in addition to the criteria we detailed in the Introduction. Although we consider many qualitative factors, we focus in particular on whether the risk could result in significantly impaired service; significantly reduced efficiency and/or effectiveness; public injury or loss of life; reduced confidence in government; or unauthorized disclosure, manipulation, or misuse of sensitive information. We also assess different factors in determining the substantiality of a risk, including whether the risk is already causing detriment to the State or its residents, whether it is escalating, and whether changes in circumstances are likely to cause detriment.
Responsiveness to Recommendations and Corrective Measures
Government Code section 8546.2 requires that state agencies provide the State Auditor with updates on the implementation of recommendations we have made to them both in the form and at the intervals prescribed by the State Auditor. Moreover, Government Code section 8548.9 places additional reporting requirements on state agencies that have not implemented audit recommendations that are more than one year old.
The State Auditor also receives whistleblower complaints about improper governmental activities under the California Whistleblower Protection Act (Government Code section 8547 et seq.) and regularly issues public reports on substantiated complaints. That act requires state agencies either to take corrective action on substantiated complaints and report to us what action is taken or, if no action is taken, to indicate the reason for not doing so.
We consider whether each audited or investigated state agency demonstrated commitment in implementing audit recommendations or taking corrective measures for any substantiated complaints or issues noted in our reports. The final determination as to how committed agencies are to making changes to address audit recommendations or to taking corrective measures stemming from investigations may include additional follow‑up reviews by the State Auditor and ultimately is based on our professional judgment.
Ongoing Reporting and Future Audits
Once the State Auditor identifies a state agency or statewide issue as being high‑risk, the State Auditor may require the affected agencies to report on the status of those recommendations for improvement made by the State Auditor or other state oversight agencies. Related to that, the State Auditor may require affected agencies to periodically report their efforts to mitigate or resolve the risks identified by the State Auditor or other state oversight agencies. In addition, the State Auditor may initiate audits and issue audit reports with recommendations for improvement in the affected agencies.
Removal of High Risk Designations
When we designate agencies or statewide issues as being at high risk and place them on our high risk list, we may remove the designation under the following circumstances: (1) if there is a change in circumstances that results in the risk no longer presenting a serious detriment and (2) if there is a demonstrated commitment by the leadership of the state agency or agencies responsible for addressing the risk. The state agency or responsible agencies should define the root causes of the risk and identify effective measures for eliminating those causes. Moreover, the responsible party must have a process for independently monitoring and measuring the effectiveness of steps taken and for periodic reporting regarding progress.
When legislative and agency actions result in significant progress toward resolving or mitigating a high‑risk issue, we will remove the high risk designation. The agency or agencies must also demonstrate progress in implementing corrective measures. However, we will continue to monitor these issues. If risks again arise, we will consider reapplying the high risk designation. The final determination of whether to remove a high risk designation is based on our professional judgment.
Appendix B: California State Auditor’s Survey of Select Entities for Levels of Compliance With Security Standards
We resurveyed 101 state entities that certified their levels of compliance with the requirements in Chapter 5300 of the State Administrative Manual (security standards) to the California Department of Technology (Technology Department) in 2014 (see note 5). These state entities were previously surveyed for our August 2015 report. In an effort to protect the State’s information assets, we have chosen not to publicly disclose the names of the entities that we surveyed; instead, we assigned each entity a number. In Table B we summarize the 87 respondents’ self‑reported levels of compliance with 17 security standards that we placed into the following categories: Information Asset Management, Risk Management, Information Security Program Management, Information Security Incident Management, and Technology Recovery. We grouped the remaining security standards into the category of Other Information Security Requirements. In addition, Table B identifies the types of information some respondents asserted that they collect, store, or maintain. Other respondents stated that they did not have such information.
Table B: Most Survey Respondents Reported That They Are Not Fully Compliant With Security Standards
[The body of Table B is not reproduced here; only its source line, footnote, and legend are available.]
Source: California State Auditor’s analysis of state entities’ 2017 survey responses.
* For entries in these columns that do not contain the value “Yes,” the entity asserted in its response to our survey that it did not collect, store, or maintain this type of data.
Legend (each entity’s asserted compliance level for a control area):
- Fully compliant: The entity asserted that it is fully compliant with all of the security standards for the control area.
- Mostly compliant: The entity asserted that it has attained nearly full compliance with all of the security standards for the control area.
- Partially compliant: The entity asserted that it has made measurable progress in complying but has not addressed all of the security standards for the control area.
- Not compliant: The entity asserted that it has not yet addressed the security standards for the control area.
Note 5: The 101 state entities we surveyed included entities that state law requires to report to the Technology Department each year as well as some entities that voluntarily reported to the Technology Department in 2014.