Internal Control and Compliance Issues
Applicable to the Financial Statements and
MULTIPLE DEPARTMENTS USING FI$CAL
Reference Number: 2019-1
During fiscal year 2018–19, numerous departments using the Financial Information System for California (FI$Cal) for financial reporting did not complete bank reconciliations, or reconcile their accounts to the State Controller's Office's (State Controller) records, in a timely manner. Ultimately, many departments also submitted late year-end financial reports to the State Controller, which delayed the completion of our audit procedures and the publication of the State's Comprehensive Annual Financial Report (CAFR). For example, the Employment Development Department (EDD) did not complete all of its June 2019 bank reconciliations until late September 2019, and did not perform them properly. It reconciled to a legacy accounting system, rather than to the FI$Cal system used to prepare its year-end financial reports. Similarly, the California Department of Tax and Fee Administration (CDTFA) did not perform its reconciliations to FI$Cal. Finally, the Department of Health Care Services (DHCS) is still in the process of completing its bank reconciliations, 16 months after fiscal year 2018–19 ended.
In addition to preparing bank reconciliations, departments must reconcile their accounts to the records of the State Controller. During fiscal year 2018–19, we found that 12 departments of material importance to the State's overall financial reporting did not perform these monthly reconciliations in a timely manner, with many departments deciding to perform annual rather than monthly reconciliations. Furthermore, EDD completed these reconciliations after submitting its initial financial reports to the State Controller.
The reconciliations noted above constitute an important internal control because they enable departments to detect fraud, as well as to identify and resolve errors or omissions in the financial information that is ultimately reported in the State's CAFR.
EDD's Fiscal Programs Division chief stated that the department reconciled its banking activity to a system other than FI$Cal (the system that contains the department's official accounting records) because it was unaware that continuing to follow the reconciliation process it used prior to the implementation of FI$Cal would not meet state requirements. While performing a bank reconciliation in this manner may allow the department to mitigate the potential for fraud, the value of this control is compromised when departments do not reconcile to their official accounting records, thereby reducing the assurance that their financial reports are complete and accurate. EDD also stated that it submitted its initial financial reports prior to reconciling to accounts maintained by the State Controller due to the pressure it felt to meet the State Controller's reporting deadlines. Because EDD did not complete its bank reconciliations to FI$Cal, in September 2020, it resubmitted its unemployment program financial reports to the State Controller using its legacy accounting system. In addition, EDD provided additional information from this legacy accounting system to support the financial reports for its disability program, which were prepared using FI$Cal. These actions resulted in material revisions to its previously provided reports for the unemployment program.
Similarly, CDTFA's controller stated that the department did not reconcile its banking activity to its official accounting records maintained in FI$Cal, believing that the process it followed historically would comply with state requirements. CDTFA also stated that although the Department of Finance (Finance) had advised it to start transitioning to reconciling to FI$Cal, there was some uncertainty within the department as to whether this requirement was to take effect immediately. However, we believe that Finance made it clear that departments were to begin reconciling to FI$Cal as soon as this system became the source of their official accounting records. CDTFA further commented on a lack of detailed written instructions from Finance addressing the unique needs of the department, instructions that Finance later revised in February 2020 to provide more detail. CDTFA also acknowledged that it had access to Finance staff from whom to seek any additional guidance. CDTFA did not finish revising its bank reconciliations to properly reconcile to FI$Cal until August 2020, resulting in adjustments of $104.5 million to the cash balance reported in its accounting records maintained in FI$Cal.
DHCS's Financial Reporting and Accounting Operations chief stated that the submission of timely financial reports took precedence over the completion of the bank reconciliations. The chief also stated that the department relied upon other reconciliations, including reconciliations to accounts maintained by the State Controller, FI$Cal year-end processes, and the State Controller's year-end instructions, to ensure the accuracy of its financial reports. Although these other reconciliations, processes and instructions are important to ensuring the quality of the financial reports, they do not address the unique role departments play in the collection and reporting of accurate cash receipts. DHCS stated that it struggled with completing its bank reconciliations due to staffing issues and the inherent complexity of the FI$Cal environment. Similar to CDTFA, the department commented on the lack of sufficiently detailed written instructions from Finance, while acknowledging that it had access to Finance staff from whom to seek further guidance. As described above, Finance has since revised these instructions to provide more detail. Although DHCS made significant progress towards completing its bank reconciliations near the end of our fieldwork, the department was still not able to complete these reconciliations. Consequently, we had to perform additional detailed audit procedures to mitigate the risk of any material misstatements that were not detected because the department did not complete these important reconciliations.
The steps taken by these three departments to rectify the control deficiencies described above and to address the risks these issues posed to the State's financial statements were done at our request. Management is responsible for the design and operating effectiveness of internal control over financial reporting to ensure that the financial statements are free from material error, and should not rely upon the auditor to be a part of its system of internal control.
Finally, the departments listed below, all of which are of material importance to the State's overall financial reporting, did not complete timely monthly reconciliations to accounts maintained by the State Controller, with many departments choosing to prepare annual reconciliations. Some of the explanations that departments provided for not performing timely reconciliations included a lack of staff resources, the need for staff training, unfamiliarity with the FI$Cal system, complexity of the FI$Cal system, challenges encountered during the conversion of prior year balances from legacy systems, and the additional strain placed on resources by running FI$Cal in parallel with legacy systems. Each of these departments also submitted late financial reports to the State Controller.
|Departments That Performed Untimely Reconciliations To Accounts Maintained By The State Controller|Dates Financial Reports Were Submitted To The State Controller|
|---|---|
|Employment Development Department|9/6/2020 – 9/9/2020|
|California Department of Education|7/6/2020 – 7/7/2020|
|State Water Resources Control Board|6/29/2020|
|California Department of Forestry and Fire Protection|3/12/2020|
|California Highway Patrol|3/2/2020|
|California Community Colleges Chancellor's Office|2/24/2020|
|California Department of Public Health|1/28/2020|
|California Air Resources Board|12/13/2019|
|Department of Health Care Services|9/13/2019 – 11/20/2019|
|Department of Developmental Services|10/25/2019|
|California Department of Tax and Fee Administration|10/16/2019|
|Department of State Hospitals|10/3/2019|
Notes: Multiple dates listed indicate a range for different funds used by the department.
State Administrative Manual Section 7930 required that departments submit their year-end financial reports for fiscal year 2018–19 to the State Controller by July 31, 2019 for the general fund and by August 20, 2019 for all other funds.
Reflects only the late submission of financial reports for funds of material importance to the State's overall financial reporting.
Government Code sections 13400 through 13407 state that agency heads are responsible for the establishment and maintenance of a system or systems of internal control, and effective and objective ongoing monitoring of the internal controls within their state agencies. This responsibility includes documenting the system, communicating system requirements to employees, and ensuring that the system is functioning as prescribed and is modified, as appropriate, for changes in conditions.
State Administrative Manual Section 7923 requires departments to reconcile their bank account balance with the like account maintained in the State's Centralized Treasury System (CTS). Departments are to reconcile their General Cash, Revolving Fund Cash, and Agency Trust Fund Cash accounts with their State Controller's CTS Account Statement bank balance, adjusted for deposits in-transit, outstanding checks, and other reconciling items. Departments are to file the CTS Statements and monthly reconciliations in date order.
State Administrative Manual Section 7901 requires that departments reconcile their accounts to those accounts maintained by the State Controller to disclose errors as they occur. Departments are to analyze differences and make corrections to their accounts or request corrections to the State Controller's accounts so that information in both systems is complete and accurate. Corrections to errors should be made before financial reports are prepared to ensure the accuracy of departments' financial reports. Reconciliations are to be prepared monthly within 30 days of the preceding month.
Department of Finance Budget Letter 18-30, dated October 29, 2018, provided a temporary exemption from SAM 7901 due to a variety of transitional issues posed by FI$Cal implementation for some departments. Specifically, reconciliations were due as follows:
- July 2018 and August 2018 were due by November 30, 2018,
- September 2018 and October 2018 were due by December 31, 2018,
- November 2018 and December 2018 were due by January 31, 2019.
In addition, FI$Cal departments were required to:
- Report their progress in completing month end close tasks, including reconciliations.
- Assess their current status and determine next steps to meet deadlines, including making necessary resources available, prioritizing workload, and working overtime.
The Budget Letter offered departments a variety of support options to assist departments in meeting deadlines. Departments who were unable to meet deadlines were required to send a request for an extension to Finance prior to a deadline. Departments were to include the reasons for the request and a plan of action to comply with any remaining deadlines.
State Administrative Manual Section 7930 requires that departments submit their year-end financial reports to the State Controller by July 31st for the general fund and by August 20th for all other funds.
EDD should develop a process to reconcile its banking activity to its official accounting records maintained in FI$Cal.
DHCS should complete its bank reconciliations and reflect any needed adjusting entries in its official accounting records maintained in FI$Cal.
Departments should perform their monthly bank reconciliations and reconciliations to the accounts maintained by the State Controller in a timely manner, and before submitting financial reports to the State Controller.
Departments should work with Finance and the State Controller to obtain any additional training and/or clarification needed to ensure monthly reconciliations are performed properly and in a timely manner.
Departments' Views and Corrective Actions:
Each of the departments stated that they agreed with the findings and recommendations, and would institute necessary corrective actions. Many departments also reiterated some of the challenges they experienced with FI$Cal.
DEPARTMENT OF FINANCIAL INFORMATION SYSTEM FOR CALIFORNIA (FI$Cal)
Reference Number: 2019-2
We identified pervasive findings in the overall information technology (IT) general controls environment of the Financial Information System for California (FI$Cal). Details of these findings are being withheld pursuant to Government Code section 8592.45 which prohibits disclosure of certain information related to the FI$Cal IT infrastructure. Accordingly, and consistent with applicable auditing standards, we decided not to publish these details. Thirty‑six (36) out of forty (40) control deficiencies have Plans of Action and Milestones (POAMs) which were not remediated as of the end of the audit period. Further, sufficient compensating controls were not in place to reduce the impact of these findings on the IT general controls environment. Of the applicable open POAMs, a majority of the items were identified in March of 2018 and had not been remediated as of the end of the audit period, June 30, 2019.
The primary cause of these issues was insufficient planning to incorporate appropriate governance and control requirements over financial systems prior to implementing FI$Cal. This, in turn, resulted in inadequate resources and oversight to properly implement, monitor, and maintain IT controls that support FI$Cal's financial reporting function.
The deficiencies result in pervasive risks at the entity and system-level to automated controls and configurations of the FI$Cal system, which impact the ability to rely on FI$Cal data used for financial reporting. Lack of IT general controls could compromise the reliability and integrity of financial data and increases the risk of misstatements in the financial reports.
The Financial Audit Manual (FAM) 240-4 states in relevant part:
(.12) Information system controls consist of those internal controls that are dependent on information system processing and include general controls, application controls, and user controls. Information system general controls (implemented at the entitywide, system, and application levels) are the structure, policies and procedures that apply to all or a large segment of an entity's information systems. General controls help ensure the proper operation of information systems by creating the environment for effective operation of application controls. An effective information system general control environment:
- provides a framework and continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of the entity's computer‑related controls (security management);
- limits or detects access to computer resources, such as data, programs, equipment, and facilities, thereby protecting them against unauthorized modification, loss, or disclosure (logical and physical access);
- prevents unauthorized changes to information system resources, such as software programs and hardware configurations, and provides reasonable assurance that systems are configured and operating securely and as intended (configuration management);
- includes policies, procedures, and an organizational structure to manage who can control key aspects of computer-related operations (segregation of duties); and
- protects critical and sensitive data, and provides for critical operations to continue without disruption or be promptly resumed when unexpected events occur (contingency planning).
(.13) Application controls, sometimes referred to as business process controls, are those controls incorporated directly into information systems to help ensure the validity, completeness, accuracy, and confidentiality of transactions and data during information system processing. An effective application control environment includes:
- general controls implemented at the application level (i.e., security management, access controls, configuration management, segregation of duties, and contingency planning);
- controls over transaction data input, processing, and output as well as master data maintenance; interface controls over the timely, accurate, and complete processing of information between information systems; and
- controls over the data management systems.
The California State Administrative Manual (SAM), section 5300.5, states:
"California has adopted the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 as minimum information security control requirements to support implementation and compliance with the Federal Information Processing Standards (FIPS). Each state entity shall use the FIPS and NIST SP 800-53 in the planning, development, implementation, and maintenance of their information security programs."
The SAM, section 5305, states:
"Each state entity is responsible for establishing an information security program. The program shall include planning, oversight, and coordination of its information security program activities to effectively manage risk, provide for the protection of information assets, and prevent illegal activity, fraud, waste, and abuse in the use of information assets.
Each state entity shall:
- Align the information security program, its activities, and staff with the requirements of this Chapter;
- Establish a governance body to direct the development of state entity specific information security plans, policies, standards, and other authoritative documents;
- Oversee the creation, maintenance, and enforcement of established information security policies, standards, procedures, and guidelines;
- Ensure the state entity's security policies and procedures are fully documented and state entity staff is aware of, has agreed to comply with, and understands the consequences of failure to comply with policies and procedures;
- Identify and integrate or align information security goals and objectives to the state entity's strategic and tactical plans;
- Develop and track information security and privacy risk key performance indicators;
- Develop and disseminate security and privacy metrics and risk information to state entity executives and other managers for decision making purposes; and
- Coordinate state entity security efforts with local government entities and other branches of government as applicable."
We recommend that the Department of FI$Cal:
- Perform a comprehensive risk assessment to re-evaluate FI$Cal governance in accordance with SAM, NIST SP 800-53, FIPS, financial reporting, and other State and Federal requirements. Results should include, but are not limited to:
  - Updated System Security Plan (SSP), which accurately documents critical policies and procedures associated with the execution and monitoring of controls;
  - Updated policies and procedures which demonstrate management's controls in place to monitor and prevent risk as designed within the SSP.
- Generate a project plan for remediation and establish a control environment, which reflects the strategic goals identified as part of the comprehensive risk assessment.
- Incorporate a process to make consistent progress against open POAMs and to actively pursue remediation of findings which incorporates post-implementation monitoring.
- Coordinate and establish validation and verification of controls identified in the SSP.
- Conduct information, communication, and monitoring activities to promote awareness of updated processes.
Department's View and Corrective Actions:
The Department of FI$Cal agrees with the findings and is committed to addressing them immediately. The security of the system is our highest priority and we greatly value the State Auditor's Office (State Auditor) feedback and take the concerns stated in the report seriously. To continuously improve the IT general controls environment, there are yearly independent security assessments and/or audits, updates to the POAMs, and actions taken to implement solutions to remediate findings. To safeguard the system and data, the department emphasizes external threats including emerging threats and operational security and has made progress in closing POAMs. Further, the California Department of Military's independent security assessment of August 2019 reported that its targeted external attacks were unsuccessful.
The State Auditor also conducted an audit for fiscal year 2017–18 and did not report any deficiencies in IT controls. As a result, the department continued its approach of emphasizing external threats and operational security of the system. During the fiscal year 2018–19 audit the department learned that our risk tolerances are different in some areas than what is expected by the State Auditor. Going forward, the department will enhance its risk assessment and governance processes, internal controls, policies, procedures and documentation with the same emphasis it has placed on external threats in accordance with these recommendations.
Auditor's Comments on Department's View
To provide clarity and perspective, we are commenting on the Department of FI$Cal's response to our report.
In planning and performing our audit of the State of California's fiscal year 2017–18 financial statements, we considered the State's internal controls over financial reporting in order to design audit procedures that were appropriate in the circumstances for the purpose of expressing our opinions on the financial statements, but not for the purpose of expressing an opinion on the effectiveness of those controls. During these efforts, the State Auditor did not inform the Department of FI$Cal that the general IT controls over the FI$Cal system were effective. Further, the Department of FI$Cal is responsible for the design and operating effectiveness of internal controls over financial reporting and should not rely upon the State Auditor to be a part of its system of internal control. Lastly, we performed our work in accordance with applicable state requirements as described in the criteria section of this finding.
CALIFORNIA DEPARTMENT OF PUBLIC HEALTH
Reference Number: 2019-3
The Department of Public Health (CDPH) did not accrue drug manufacturer rebate revenues receivable in the AIDS Drug Assistance Program (ADAP) Rebate Fund as of June 30, 2018 and June 30, 2019 in the amount of $294 million and $266.8 million respectively, resulting in an understatement of beginning fund balance of $294 million, an understatement of accounts receivable of $266.8 million, and a net overstatement of revenues in fiscal year 2018–19 of $27.2 million.
CDPH invoices drug manufacturers for rebates on drugs purchased through the ADAP on a quarterly basis. Drug manufacturers calculate the rebate owed in accordance with their contracted price per unit and submit payment to CDPH, typically within 6 months from the end of the quarter invoiced. CDPH failed to record the outstanding drug rebates from purchases occurring before year-end for both fiscal year 2018–19 and fiscal year 2017–18.
California Government Code Section 12461 requires the State Controller to issue a comprehensive annual financial report (CAFR) that is prepared in accordance with accounting principles generally accepted in the United States of America (GAAP). The State Controller provides guidance to departments on the preparation of their year‑end financial statements in its Year End Financial Reports Procedures Manual. To prepare the State's CAFR, the State Controller annually requests that departments submit revenue accruals for the funds they manage.
Codification of Governmental Accounting and Financial Reporting Standards Section 1600 states that financial statements for governmental funds should be presented using the current financial resources measurement focus and the modified accrual basis of accounting. The current financial resources measurement focus and modified accrual basis of accounting require revenues to be reported when they become available and measurable.
To ensure that its financial statements are properly presented and comply with GAAP at fiscal year‑end, CDPH should do the following:
- Develop written procedures, including a methodology for estimating outstanding manufacturer drug rebates receivable at year‑end based on annual drug purchases and historical rebate collections data, to ensure CDPH records accounts receivable and related revenue for the ADAP rebate fund in accordance with GAAP.
- Provide guidance and training to staff to ensure that all accrual procedures comply with GAAP.
Department's View and Corrective Actions:
CDPH agrees with the above finding. CDPH has already trained staff on procedures for revenue deposits and accruals, and will formally document the procedures to ensure revenue deposits are attributed to the year the expenditure occurred (invoice period) in accordance with GAAP. Additionally, CDPH will draft procedures to document a methodology to estimate uncollected revenues in order to properly complete the year-end revenue accruals in accordance with GAAP. These procedures will be fully operational prior to year-end closeout beginning with fiscal year 2019–20.
DEPARTMENT OF PARKS AND RECREATION
Reference Number: 2019-4
The Department of Parks and Recreation (State Parks) is unable to reconcile its capital asset account balances for buildings and related improvements to a subsidiary inventory ledger, and therefore it cannot ensure that it is reporting complete and accurate information in the State's comprehensive annual financial report (CAFR). Prior to implementing the Financial Information System for California (FI$Cal) in fiscal year 2017–18, State Parks reported its capital assets based on historical account balances reflected in the California State Accounting and Reporting System (CalSTARS)—the department's previous accounting system. However, according to its chief of accounting, State Parks does not have a subsidiary ledger listing the buildings and related improvements making up the account balance. State Parks lacks such a ledger because it does not have adequate policies and procedures in place to ensure that its records for buildings and related improvements are maintained in compliance with generally accepted accounting principles (GAAP).
In order to establish such a ledger, in February 2020 State Parks engaged its districts to conduct an inventory of these assets; however, the data resulting from this inventory did not comply with GAAP. Specifically, State Parks used records contained in its asset management system (Maximo) as a starting point and instructed district personnel to verify their completeness and accuracy. However, because State Parks does not use Maximo for accounting purposes, the data did not always comply with GAAP. Specifically, assets were not always recorded at historical cost (or acquisition value for donated assets).
Similarly, Maximo data did not contain accurate acquisition dates for a significant number of assets. Given that the State depreciates buildings and related improvements over a period of 40 years, such inaccuracies would cause errors in depreciation calculations. Further, State Parks management at its headquarters office did not provide sufficient guidance to districts on GAAP requirements and did not allow districts sufficient time to gather and correct missing or inaccurate information. As a result, the districts' inventory listings often did not correct known issues with the Maximo data. Based upon the level of funding historically made available to State Parks, the issues described above do not currently pose a risk of a material misstatement to the State's CAFR.
Codification of Governmental Accounting and Financial Reporting Standards Section 1400.102 states that capital assets should be reported at historical cost. The cost of a capital asset should include ancillary charges necessary to place the asset into its intended location and condition for use. Ancillary charges include costs that are directly attributable to asset acquisition—such as freight and transportation charges, site preparation costs, and professional fees. Donated capital assets should be reported at their acquisition value plus ancillary charges, if any.
Codification of Governmental Accounting and Financial Reporting Standards Section 1400.104 states that capital assets should be depreciated over their estimated useful lives unless they are inexhaustible, are intangible assets with indefinite useful lives, or are infrastructure assets reported using the modified approach.
State Administrative Manual Section 8650 states that to maintain accountability of state assets, departments are to maintain a record of state property, whether capitalized or not, in a property accounting or inventory system. When property is acquired, departments are to record information in the system including, but not limited to the date acquired, property description, owner fund, and cost.
State Administrative Manual Section 7924 states that departments are to reconcile the acquisitions and dispositions of capitalized property with the amounts recorded in the property ledger. The reconciliation should be done monthly or at least quarterly, depending on the volume of transactions.
State Administrative Manual Section 8652 states that departments are to make a physical count of all property and reconcile the count with accounting records at least once every three years.
To ensure the proper reporting of its buildings and related improvements within its year-end financial statements, State Parks should:
- Develop policies and procedures for capital asset accounting and reporting that comply with GAAP, including but not limited to the following:
  - Define the roles and responsibilities of management and staff involved in the process of accounting for and reporting capital assets.
  - Develop detailed processes that incorporate instructions on how to identify capitalizable versus non-capitalizable costs, as well as the type of source documentation that should be used to support such costs.
  - Develop detailed processes to account for and report any changes in capital assets, including additions, deductions, and impairments, if any.
- Conduct a comprehensive inventory to ensure that its buildings and related improvements are accurately reported in a subsidiary ledger. This would entail:
  - Developing a sound methodology for identifying and compiling relevant capital asset information, including asset values based on historical cost (or acquisition value for donated assets) and asset acquisition dates.
  - Communicating the methodology to staff and providing guidance on key GAAP requirements related to capital asset reporting.
  - Developing a process to review inventory results to ensure they are accurate and complete.
- Update building and related improvements records in FI$Cal to reflect the results of the inventory, and ensure the year-end financial reports reflect any necessary restatements.
- Conduct a physical count of all property and reconcile the count with accounting records at least once every three years in accordance with State Administrative Manual Section 8652.
Department's View and Corrective Actions:
State Parks agrees with the findings and will implement the following corrective actions:
- Develop policies and procedures for reporting capital assets.
- Develop a sound methodology for conducting a capital asset inventory and communicate that methodology to staff with guidance on key GAAP requirements.
- Develop a review process to ensure that the capital asset inventory results are accurate.
- Update accounting records in FI$Cal based on the inventory results.
- Conduct a physical count of all property and reconcile with accounting records at least once every three years in accordance with State Administrative Manual Section 8652.