2024-039 FI$Cal

November 14, 2024
2024-039

The Governor of California
President pro Tempore of the Senate
Speaker of the Assembly
State Capitol
Sacramento, California 95814

Dear Governor and Legislative Leaders:

State law requires our office to monitor and to report annually on the State’s progress in implementing and operating the Financial Information System for California (FI$Cal), a single information technology platform intended to seamlessly support the financial business of the State by unifying and making transparent and efficient its budgeting, procurement, cash management, and accounting functions. The Department of FISCal operates the system and, in collaboration with its four partner agencies, oversees its ongoing maintenance and improvement.¹ Our office’s responsibilities include monitoring and reporting annually on the progress of the Department of FISCal and of one of its partner agencies—the State Controller’s Office (SCO)—as they work jointly to make FI$Cal the State’s accounting book of record for statewide accounting, year-end close processes, and the preparation of financial statements. We are also monitoring the Department of FISCal’s progress in onboarding eight remaining agencies to the FI$Cal system.

Key Observations

• The SCO must closely monitor its progress implementing 121 requirements to meet a 2026 target date related to migrating its book of record functionality to FI$Cal.
• Although the Department of FISCal has only eight remaining agencies to transition to the FI$Cal system, some of those agencies are among the State’s largest and most complex entities.
• The Department of FISCal is making progress on completing projects for the six roadmap activities established in state law.

Background

FI$Cal’s development and implementation began in 2006, and since then more than 150 entities have implemented FI$Cal, which accounts for 90 percent of the State’s agencies and business units. In 2022 the Legislature declared the objectives for the FI$Cal project to be complete for reporting purposes, which allowed the Department of FISCal to shift its focus from achieving implementation milestones to pursuing ongoing enhancements and improvements. To guide the Department of FISCal’s efforts, state law established for the department six specific categories of work, which the law refers to as roadmap activities. The text box shows the six roadmap activities that the Department of FISCal is responsible for completing. Although the law requires the Department of FISCal to complete all six of these roadmap activities before or by July 1, 2032 unless otherwise specified, four of them will remain ongoing as part of the department’s ongoing mission even after meeting the deadline. We discuss all of the roadmap activities and some of their related criteria and tasks in the final section of this report; however, the two activities with scheduled completion dates are of particular importance to our office’s monitoring responsibility. Roadmap Activity 4 requires the Department of FISCal and the SCO to support the transition of the State’s central accounts for financial reporting—the accounting book of record—from the SCO’s legacy system to the FI$Cal system. To achieve this transition by July 1, 2026, a target date established in state law, the Department of FISCal and the SCO must each complete an extensive list of tasks. Roadmap Activity 2 requires the Department of FISCal to continue onboarding activities for the eight agencies that are required to but have not yet transitioned to FI$Cal (deferred agencies).² These remaining agencies include some of the State’s largest and most complex, and their transition to FI$Cal must be complete by July 1, 2032.

The SCO Must Implement 121 Requirements Before July 2026 to Meet Its Target Date to Move the State’s Book of Record to FI$Cal

As we discussed in the Background, state law directs the Department of FISCal and the SCO to complete the migration of the SCO’s book of record to FI$Cal. The book of record is the official financial record for the State and includes two primary components: the accounting book of record contains the daily financial balances and activity, and the reporting book of record is used for the State’s financial statements. In December 2023, the SCO submitted to the Joint Legislative Budget Committee a high-level timeline and a list of 150 requirements it believed at the time were necessary for it to complete the migration of the SCO’s book of record functionality to FI$Cal by July 1, 2026. The SCO has since revised and decreased the number of requirements, and it may continue to adjust the requirements’ necessity or priority. As of October 2024, the list stands at 121 requirements that the SCO believes it currently needs to complete to ensure the migration of its book of record functionality to FI$Cal by the planned deadline.

The SCO plans to implement the 121 requirements through a series of scheduled releases, as Table 1 shows. We asked the SCO to identify which of these 121 requirements are the most critical for ensuring that it can complete the migration of the book of record as planned. However, the SCO’s acting chief operating officer stated that all the requirements are necessary for the book of record transition. She further stated that the current requirements are not interdependent, and as long as the SCO releases the planned number of requirements at each milestone date, the order of the requirements’ release does not impact the SCO’s schedule. Further, each requirement has its own scheduled completion date, which may be before the requirement’s scheduled release date. Therefore, the SCO is able to monitor its progress toward completing the requirements during the time between the scheduled release dates.

This process of scheduled releases is, in part, enabled by the SCO and the Department of FISCal using the Agile development approach which includes short development lifecycles, also known as sprints, for each deliverable or requirement, repeated over the course of the project. Through this approach, the development teams regularly review projects and refine them during execution as more detailed and specific information and more accurate estimates become available. Although the SCO has identified the number of requirements and developed a schedule for starting and implementing each requirement, the Agile development approach allows for flexibility and change to minimize any impact on the overall project scope and deadline.

As an example of this development approach, the SCO had planned to complete four requirements by July 2024, and it actually completed six requirements as of July 2024; however, those six completed requirements included only two of the four that it had originally planned. The SCO was unable to release the other two of the four planned requirements because it discovered in July 2024 that FI$Cal lacked the necessary functionality to support those requirements. Specifically, FI$Cal was not always consistent in how it processed certain transactions that involved more than one state entity. According to the SCO’s acting chief operating officer, this was the first instance of FI$Cal lacking necessary functionality that the SCO had discovered since the migration process started. The Department of FISCal is currently developing the necessary functionality for those two requirements to meet the next scheduled release date in February 2025. According to the SCO’s acting chief operating officer, the delay related to implementing these two requirements will have no impact on the SCO’s ability to meet the 2026 target date.

However, the acting chief operating officer stated that the SCO’s failing to complete the total number of requirements as scheduled would be a better indication of a risk that it may not be able to meet the July 1, 2026 target date and would likely require the SCO to look for a workaround. Further, she stated that if a feasible workaround does not exist, the SCO may have to delay the book of record migration to July 1, 2027. The statute that established the target date for the migration of the book of record acknowledges that the date might not be feasible and does not provide for any consequences if the SCO does not meet the target. The SCO’s acting chief operating officer stated that any potential risks to meeting the target migration date will not be apparent until it reaches its next timeline milestone for Release 2 in February 2025, at which time it must have completed 18 requirements.

As of October 2024, the SCO appears to be on track to meet the goals for its timeline, as it has completed seven of the requirements and expects to have 16 more completed by February 2025. Moreover, according to the detailed schedule the SCO provided us, of the 68 book of record requirements it expects will take 6 months or more to complete, it will have begun work on 46 by February 2025, and all 68 by October 2025. Nevertheless, the SCO will need to continue to closely monitor its progress to ensure that it remains on schedule to complete all the necessary requirements by 2026.

The Department of FISCal Has Made Some Progress Toward Completing the Roadmap Activities Established in State Law

As we discussed earlier, in addition to requiring the SCO to take steps to complete the migration of the State’s accounting book of record to FI$Cal, state law requires the Department of FISCal to complete its roadmap activities by July 1, 2032. Although the law includes some general criteria—such as industry best practices and desired outcomes—for the roadmap activities, it does not direct the Department of FISCal on how to complete each activity or include specific criteria the department should use to gauge its success. Therefore, it is incumbent upon the Department of FISCal to identify the scope of actions it must take to be successful in its roadmap activities and define the criteria it will use to know if it is successful.

The Department of FISCal has identified from three to thirteen separate projects within each of the six roadmap activities—a total of 50 projects—and has developed a 10‑year strategic plan to guide its successful completion of all 50 projects and the six roadmap activities by July 1, 2032. According to its schedule, the department plans to complete 15 of these projects by the end of December 2024. As of October 2024, it had completed 10 projects, as the figure shows. According to the Department of FISCal, it is on track to complete four of the five remaining projects by December 2024 as scheduled. The department has extended the completion date for the fifth project to June 2025 due to delays in selecting a vendor. We discuss the roadmap activities and these projects in additional detail below.

Figure
The Department of FISCal’s Progress on Six Roadmap Activities

Source:  Department of FISCal Strategic Roadmap, October 2024.

* These seven projects are Department of FISCal activities that are separate from the SCO’s requirements shown in Table 1.

^† These roadmap activities are ongoing maintenance and operations activities.

In August 2024, the Department of FISCal published success criteria and a list of specific projects for completing each roadmap activity. For example, the department’s success criteria for Roadmap Activity 3—ensuring the integrity and security of the State’s financial data—include having no critical findings from third-party assessments and audits.³ It also includes having no findings with certain high ratings in a register of risks that the Department of Technology maintains, having no specified security incidents related to the State’s financial data stored in the FI$Cal system, and having implemented all capabilities listed in the Governor’s CalSecure Roadmap. According to the Department of FISCal’s chief deputy director, the department plans to evaluate quarterly whether it is meeting the criteria for this roadmap activity.

Roadmap Activity 4:
Support the Transition of the State’s Accounting Book of Record to FI$Cal

The Department of FISCal is on schedule to complete the roadmap activity related to its own tasks required for migrating the State’s book of record to FI$Cal by July 1, 2026. The department identified seven projects necessary to support this migration, and it has completed one of the seven projects and four are in progress. Of the four in progress, the department has scheduled one for completion by the end of 2024, one by the end of 2025, and two by June 2026. The chief deputy director stated that he expects the department to complete all four of these projects as scheduled, and that the Department of FISCal has two contractors working to help complete some of these projects. The remaining two projects are scheduled to start in November 2025 or later. In July 2024, the Department of FISCal procured a vendor to design, develop, and implement additional services to support the migration of the SCO’s book of record functionality to FI$Cal.

Roadmap Activity 2:
Onboarding the Remaining Deferred Agencies

The Department of FISCal believes that it is on track to onboard all deferred agencies by the July 1, 2032 deadline.⁴ The department has identified 12 projects for the onboarding roadmap activity—10 related to onboarding the remaining deferred agencies; one related to working with seven of those agencies on their gap analyses; and one related to how onboarding agencies will use the FI$Cal system when their onboarding is complete. In June 2024, the Department of FISCal completed onboarding of two state agencies—the Department of Rehabilitation and the California Department of Technology—as Table 2 shows. For the eight deferred agencies that have yet to fully adopt FI$Cal, the Department of FISCal says that it is using lessons learned over the past 10 years, one of which includes the practice of having each agency conduct a gap analysis, which involves reviewing each agency’s processes and information systems and identifying any high‑level gaps that may exist between the agency’s business processes and FI$Cal.

In 2023 the California Department of Corrections and Rehabilitation (CDCR) completed its gap analysis, which identified a significant number of gaps between CDCR’s legacy system and business processes, and FI$Cal functionality. For example, the gap analysis showed that CDCR’s legacy system includes modules for human resources and supply chain management, which FI$Cal does not include. In March 2024, CDCR requested an exemption from the California Department of Technology—which has the authority to grant such exemptions—from the requirement to transition to FI$Cal. Instead of granting an exemption, in May 2024, the California Department of Technology granted CDCR a deferral through October 2027 to identify potential solutions. If CDCR cannot identify potential solutions, the Department of Technology required it to submit a new request for an exemption or deferral by June 2027. According to the Department of FISCal, CDCR is currently transitioning to a new technology platform, and the Department of FISCal expects CDCR to update its gap analysis once that process is completed.

Roadmap Activity 3:
Ensure the Integrity and Security of the State’s Financial Data

The Department of FISCal has missed some targeted dates for projects and activities related to data and system security but believes that it is still on track. The department identified three projects related to the security roadmap activity and completed one of those projects as scheduled in April 2024. According to its schedule, the Department of FISCal expected to complete the other two by September 30, 2024. However, through October 2024, those projects were still in progress. These two projects relate to the Department of FISCal’s implementation of the State’s Cal‑Secure Strategic Plan. The Cal-Secure Strategic Plan—the State’s multi‑year information security maturity roadmap issued in 2021—consists of 29 technical capabilities that state entities must adopt and achieve in order of priority, 27 of which are applicable to the Department of FISCal. A requirement related to the direct monitoring and control of physical devices and a requirement related to managing supply chain functions such as supplier relationships are not applicable to the Department of FISCal because the FI$Cal system does not include those functions. The text box shows the status of the Department of FISCal’s Cal‑Secure technical capabilities. The department has 23 of the technical capabilities in place. Of the remaining four capabilities, two are in progress, and two are in the planning stages. According to the Department of FISCal’s chief information officer, the technology and vendor evaluations for these Cal‑Secure capabilities required more time than originally anticipated.

The department’s chief information officer explained that in addition to fulfilling the requirements in Cal-Secure, the Department of FISCal ensures the integrity and security of the State’s financial data by following and implementing the requirements set forth in the State Administrative Manual (SAM) and the Statewide Information Management Manual. State policy presented in SAM requires the Department of FISCal to develop and maintain a Register and Plan of Action and Milestones (POAM) process for addressing information security program deficiencies.⁵ State entities are obligated to report updated POAMs quarterly to the California Department of Technology’s Office of Information Security. In the POAM, the Department of FISCal records security risks found by internal observation and by audits conducted by the California Department of Technology, the California Military Department, and our office, and assigns each risk a rating. The number of open risks can change over time, as new risks are identified and the department addresses old ones. For example, the Department of FISCal had 40 open risks as of April 2023, 80 as of July 2023, and 55 as of January 2024. The Department of FISCal’s latest POAM shows that it continues to address its highest-risk security weaknesses and has identified target dates to remediate the 60 open risks. According to the July 2024 POAM, the Department of FISCal had planned to address 49 of the 60 open risks by June 30, 2024. According to the chief information officer, the department did not meet most of those target dates because collaboration with multiple teams and stakeholders required more time than originally anticipated. We purposefully do not discuss risks related to missing and incomplete information technology security programs so as not to potentially compromise FI$Cal. However, the chief information officer affirmed that the Department of FISCal plans to resolve the remaining risks in the next twelve months.

Roadmap Activities 1, 5, and 6:
Ensure Technical Optimization; Work With Partner Agencies to Identify Priorities and Implement Additional Products; and Continue to Enhance, Upgrade, and Manage the System

The Department of FISCal has identified a total of 28 projects related to the technical optimization, the partner priorities and additional products, and the enhancements and upgrades roadmap activities. However, as these roadmap activities are ongoing maintenance and operations activities and are likely to continue over the lifespan of the FI$Cal system, the Department of FISCal may add or remove projects related to each activity over time. As of October 2024, it had completed six projects as scheduled and ten projects are in progress. While one of these ten projects—production enhancements—is an ongoing activity, the other nine projects in progress are scheduled to be completed between December 2024 and December 2025. For example, according to the Department of FISCal, one of the key partner priority projects it is working on involves implementing a process so that the SCO can make payments electronically. The Department of FISCal’s schedule indicates that it will complete this work by June 2025. According to the chief deputy director, all nine projects are on schedule, and he expects them to be completed by the planned dates.

Although there are currently two partner priority projects on hold, the entities sponsoring those projects are working to finalize the project details so that the Department of FISCal can resume work on those projects. A project to create an eMarketplace for the Department of General Services (DGS) is on hold while the Department of FISCal waits for DGS to provide the scope based on DGS’s project strategy. Similarly, Department of FISCal staff stated that the integration of the California State Payroll System is on hold until the SCO executes a contract with a vendor, which the Department of FISCal expects will happen in 2025. The chief deputy director stated that because of the ongoing nature of this roadmap activity, these two projects being on hold is not an impediment to the Department of FISCal completing other projects for this roadmap activity.

We prepared this report pursuant to Government Code section 11868.

Respectfully submitted,

GRANT PARKS
California State Auditor

For questions regarding the contents of this report, please contact our Communications Office at 916.445.0255.

Staff:
Kris Patel, Audit Principal
David DeNuzzo, CIA, CFE, Senior Auditor
Trunice Anaman-lkyurav, MA

Legal Counsel:
Joe Porche

---

Footnotes

1. The four partner agencies that work to support the project and achieve FI$Cal’s objectives are the Department of Finance, the Department of General Services, the SCO, and the State Treasurer’s Office. ↩︎
2. The California Department of Transportation, the California Department of Justice, the Prison Industry Authority, the California State Teachers’ Retirement System, the California State Lottery Commission, the California Department of Corrections and Rehabilitation, the Department of Water Resources, and the Department of Motor Vehicles. ↩︎
3. The California Department of Technology and the California Military Department conduct these audits. ↩︎
4. In addition to the deferred agencies, eight state agencies are exempt from the requirement to transition to FI$Cal. These include the California Finance Housing Agency, the University of California, the California State University, the Public Employees’ Retirement System, the State Compensation Insurance Fund, the California Law Revision Commission, the Enhanced Tobacco Settlement Asset-Backed Bonds, and the Legislative Counsel Bureau. The California State Auditor is also exempt, but is exploring a transition to FI$Cal by July 2025. ↩︎
5. State entities report security weaknesses or noncompliance, identified by risk level and remediation status, through POAMs. ↩︎