Financial Review

California’s Automated Financial Systems
California state government depends on its automated financial systems to record and report financial information. This information is critical for making sound decisions at every level of government.

This portion of the engagement includes a survey of California’s automated financial systems and their corresponding internal controls. The objectives are to determine whether controls are adequate to detect errors and prevent fraud or waste; financial information is timely, reliable and fairly stated; systems are economic and efficient; and the appropriate financial information is available to program managers and decision-makers.

The scope of this survey was to:
  • Review the history and status of the state’s financial systems and the related enterprise or strategic planning effort regarding these systems.
  • Determine the critical attributes of existing financial systems.
  • Identify and review financial system projects approved in the last four years to determine the scope of new projects and the state’s direction.
  • Review audits of financial systems to assess the scope and sufficiency of audit coverage.
  • Interview state agencies that have implemented administrative and financial enterprise systems to identify lessons learned.
  • Identify lessons learned from other public sector financial systems.

For purposes of this engagement, we have employed the federal Office of Management and Budget definition of “financial system,” which is as follows:
“. . . an information system, comprised of one or more applications that is used for any of the following:
  • collecting, processing, maintaining, transmitting and reporting data about financial events;
  • supporting financial planning or budgeting activities;
  • accumulating and reporting cost information; or
  • supporting the preparation of financial statements.
. . . A financial system encompasses automated and manual processes, procedures, controls, data, hardware, software and support personnel dedicated to the operation and maintenance of system functions.”
Internal Control for State Agencies
Significant attention has been directed toward internal control to provide confidence and improve operations because organizations are susceptible to fraud, waste and abuse. Further, because financial systems represent a key component of the reliability of financial reporting, they must be considered in the internal control structure.

The Financial Integrity and State Manager’s Accountability Act (FISMA) of 1983, Government Code (GC) Sections 13400–13407, was enacted to set responsibility for control at the highest levels. Moreover, FISMA is designed to help ensure that adequate internal controls are in place to safeguard assets, check the accuracy and reliability of accounting data, promote operational efficiency and encourage adherence to policies.

In September 1992, the Committee of Sponsoring Organizations of the Treadway Commission’s report titled The Internal Control-Integrated Framework (COSO Report) expanded the definition of internal control as a process effected by an entity’s board of directors, management and other personnel designed to provide reasonable assurance regarding the achievement of objectives in the following three categories: effectiveness and efficiency of operations, reliability of financial reporting and compliance with applicable laws and regulations.

More recently, in response to private sector frauds and failures, Congress passed the Sarbanes-Oxley Act of 2002 to reflect the public’s expectations of an organization’s due diligence regarding financial management and reporting. The Sarbanes-Oxley Act was written to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws and for other purposes. It requires management to establish and maintain an effective and adequate internal control structure, and its requirements are relevant to state government as well.

History of California’s Automated Financial Systems
There are approximately 200 California state agencies, each operating within a financial framework established by law and policy. Each is permitted independence to tailor operations to meet the organization’s needs. A brief explanation of the evolution of California’s existing financial systems is provided to help understand the history and the environment today.

The need for a uniform system of accounting in California was first recognized in 1911, when the Legislature established the Department of Public Accounting. In 1921 and 1965, the duties of devising and installing a uniform system of accounting and reporting were transferred to the Department of Finance (DOF) and the Department of General Services, respectively. In 1973, the duties were transferred back to DOF, where they remain today.

GC Section 13300 mandates DOF to devise, install and supervise a modern and complete accounting system for each state agency permitted or charged by law with handling public money. AB 3322 (Chapter 1284, Statutes of 1978) modified and reaffirmed this mandate, and required, among other things, a coding system to obtain accurate and comparable records, reports, and statements of all the state’s financial affairs. The California Fiscal Information System (CFIS) project resulted from this legislation. The CFIS project included:
  • The Financial Information System—the CFIS database
  • The California State Accounting & Reporting System (CALSTARS)
  • Uniform Codes Manual (UCM)
  • Governor’s Budget and Budget Act formats
  • SCO Fund Accounting and Disbursement System
  • Data exchange with State Treasurer Office (STO) Warrant Redemption and Deposit Reconciliation System
  • Legislative and Executive Branch access to the basic system data
  • Budget Preparation System (BPS)
  • Change Book System
  • Legislative Information System (LIS)
  • Performance Measures
The CFIS project components were completed by the early 1980s and many are still active, but the CFIS database requirements were suspended in 1985. The major concerns with the central database included issues with data (preparation, level of detail, timeliness and accuracy), knowledge, training, skills and access (terminals). Most other components of the original CFIS project remain in place and in use and have had some level of update or improvement over the years.

The state’s core accounting system, CALSTARS, was implemented July 1, 1981. The authorizing legislation exempted eight departments (Department of Transportation, Department of Motor Vehicles, Employment Development Department, Department of Rehabilitation, Department of Water Resources, Department of Education, Department of Health Services and Department of Social Services), because they already had automated systems in place. Today, 31 state agencies (including the Legislature, Judicial and the Universities) are exempt from using CALSTARS. Exemptions to CALSTARS are determined on a case-by-case basis; there are no specific criteria for exemption. In 2003, CALSTARS was used by 90 state accounting offices for the accounting of 178 agencies.

While CALSTARS provides for statewide uniformity and also allows individual agency specificity through a series of unique tables and transaction codes, some functions and departmental business needs are not addressed. Examples include cashiering, large volume accounts receivable, large volume disbursement detail, billing, purchasing, inventory/fixed assets, budget preparation, management decision-making/analysis and federal requirements. The system is not a relational database with integrated data; it lacks real-time processing or a graphical user interface.

As the state has become more complex and automation demands have increased, departments are exploring enterprise systems, also known as Enterprise Resource Planning (ERP) systems: integrated software tools that allow for an exchange of information using a common or centralized database. Plans and proposals for ERP systems have been in development for the past several years.

In July 1997, the Department of Information Technology (DOIT) created the Enterprise Systems Subcommittee of the Information Technology Coordinating Council (ITCC) (hereafter called the Subcommittee) to help the state develop a comprehensive strategy for managing the development of information technology systems that produce and use data vital to the state’s administrative operations (i.e., enterprise systems). The enterprise administrative systems being proposed included: Financial-Accounting, Human Resources, Procurement/Ordering, Asset Management and Inventory Management-Facilities Management. The Subcommittee’s observations and recommendations included encouraging collaboration and information-sharing among departments, encompassing existing and planned projects in an Enterprise Systems Strategy and implementing two or three pilot enterprise systems (including an interagency consortium). The Subcommittee also recommended a moratorium until some pilots were evaluated and a standing committee of central (control) agencies to coordinate their data requirements in order to reduce unnecessary cost and redundant purchases.

However, the Subcommittee chair expressed concerns that, “…[A]bsent a very strong and involved central authority, large central administrative (enterprise) systems fail because of their very scale and the competing views of their participants.”

The three pilots recommended by the Subcommittee were the Health and Human Services Data Center, the Department of General Services and the Department of Transportation. A consortium with three or more members was also recommended and several departments expressed a willingness to consider participating.

The pilot projects and other enterprise projects were approved, but the consortium approach was not clearly defined and was not implemented. The ITCC did not track or follow up on the pilot projects or other departments that implemented enterprise systems or portions of enterprise systems. The ITCC legislation sunset in 2002 along with the DOIT enabling legislation. Currently, no statewide administrative systems enterprise plan or strategy exists. A follow-up to the pilots and other departments that developed enterprise systems is included in this report.

On February 22, 2000, the California State Senate Advisory Commission on Cost Control in State Government transmitted a report providing an overview of information technology in state operations. The Commission, in part, found the following:

State organization and constitutional responsibilities complicate management of State operations. This structure has led to a diffusion of accountability with diminished authority for the Governor to manage the entire operations of the State. Additionally, there are . . . accounting offices at the agency and department level as well as for boards and commissions (that) . . . have created accounts and data requirements beyond the State’s uniform code manual (UCM). Decentralization of system designs has resulted in a proliferation of systems with different platforms and no uniform databases and little ability to exchange information. . . . (T)here are about 1,800 [estimated] systems which cost about $2 billion annually to operate and there are continuous enhancements and new projects. Despite the huge cost for these systems it is still not possible to summarize the data for the entire State. The current culture of strong decentralization is out of balance. There has been a conspicuous absence of leadership and direction for State operations. All of the agencies and departments seem to do their own thing within legislative requirements. In addition there does not appear to be any central support for those functions which are common to all agencies and departments.
The Commission recommended establishing a Chief Information Officer (CIO) at the cabinet level, a Chief Operating Officer (COO), a statewide strategic master plan for information technology, a business plan with goals and measurable objectives, a new budgeting process and a new uniform statewide financial management plan.

In February 2003, the California State Auditor, Bureau of State Audits (BSA) issued a report, Information Technology: Control Structures are Only Part of Successful Governance. The BSA report recommends a governor’s office level CIO, incentives for agencies to develop effective statewide IT initiatives, a commitment to employee skill development, an evolutionary IT strategy and a statewide inventory of IT equipment and systems. The BSA report also speaks to the appropriate degree of centralization, consolidation and standardization of statewide IT services and applications as well as outsourcing IT activities.

The current state CIO has taken some steps reflected in the BSA report recommendations. For instance, a California Information Technology (IT) Council was chartered in March 2004 to advise the CIO on Executive Branch IT matters, including the development of strategic plans and the adoption of enterprise-wide IT standards and policies. However, no current statewide enterprise or strategic plan addresses financial systems (except for GC Section 13300 that resulted in the creation of CALSTARS). To date, no plan or proposal has identified the timing for the retirement or replacement of CALSTARS.

Existing Financial Systems Used by State Agencies
CALSTARS is the core accounting system used by most state agencies. It is used by 90 accounting offices for 178 state agencies, or 85 percent of identified state agencies. Another 31 state agencies, including the judicial and legislative branches and the state universities, use other systems. Of the state agencies not using CALSTARS, 12 agencies were identified that have implemented enterprise systems or portions of enterprise systems and 19 agencies use other core accounting systems. Many of the state agencies using CALSTARS are small organizations. As a percentage of state expenditures, the CALSTARS system records 78 percent of state expenditures, the enterprise systems record five percent of expenditures and the other systems record 17 percent.

DOF recognizes that CALSTARS does not meet a number of the financial system needs of state agencies; DOF prioritizes system enhancements and modifications based on the needs of the majority of departments and within limited resources. Therefore, CALSTARS does not provide all financial functionality. We sampled 21 state agencies to identify what other systems comprised the financial system environment of the state. The survey response indicated 690 additional financial systems exist at the 21 state agencies. Among the survey’s key findings are the following:

  • Many financial systems are decentralized and not easily identified. Most agencies maintain no central inventory or documentation of all of their financial systems.
  • Separate systems most frequently identified in addition to their core accounting systems are cashiering, accounts receivable, federal funds, fixed assets, disbursements/payables, procurement and financial reporting. Many systems automatically upload information to CALSTARS or to another core accounting system.
  • Program and financial management requirements are commonly addressed in single program-specific systems.
  • Departments commonly download CALSTARS data to another comprehensive database for access, program management, budget monitoring and reporting needs.
  • Departments generally do not have budget preparation software; electronic spreadsheets are primarily used.
Separate from the departmental core accounting systems and critical to the design of the state’s overall financial management system is the relationship and role of the State Treasurer’s Office (STO) and the State Controller’s Office (SCO). A prime example of this relationship is the management and processing of cash. Individual agencies collect revenue and deposit it into STO-approved depositories. STO notifies SCO of deposits; and SCO records the cash in its official records. To make cash disbursements, SCO primarily uses a claim schedule process. SCO then records state expenditures from the claim schedules. Individual state agencies must reconcile their accounts with the SCO system. Essentially, at a high level, these separate automated systems duplicate processing but also provide for strong cash controls, assuming the performance and management of manual reconciliations.

The number and variety of financial systems make the state’s entire internal control structure a risk. The state’s resultant high-level financial statements rely on the relationship between the individual state agencies, SCO and STO. But the quality of detailed financial data generated by these other (hundreds of) subsidiary systems has a greater accuracy risk. Moreover, the decentralization and program-specific “stovepipe” design (a separate system designed to work independently of other systems) adds to the risk. As previously mentioned, state agencies commonly maintain no central inventory of all their financial systems. Another control risk relates to financial reports. Most departments do not generate reports from their official financial system. Data is downloaded from one or more systems and placed into multiple other systems, ranging from large databases to spreadsheets, which predictably have not been subjected to detailed audit or other verification and/or security testing.

Critical Attributes of Existing Financial Systems
We interviewed representatives of 14 agencies, which included management of the Accounting, Budget and Information Technology Offices. These agencies included departments using CALSTARS, enterprise systems and other types of core accounting systems. The interviews focused on internal controls, risks, reliability, stability, economy and efficiency of the financial systems of the agencies sampled. A summary of key observations is shown in the table below. Additional information is in Appendix VI.

This chart shows the results of a survey of California State Departments identifying their issues or problems with their current financial management systems.

We also asked the same departments to share the top concerns and issues that they believed were critical to financial management systems. Concerns identified multiple times by different individuals and by different departments are summarized in the table below. Some issues repeat the interview attributes above, but agency staff also identified them as their most urgent concerns. The percentages indicate the number of agencies in the sample that identified items as top concerns or priorities. Additional information is in Appendix VII.

This chart shows the results of a survey of California State Departments identifying their top concerns or issues that were critical to good financial management systems.

The following is a summary of CALSTARS agencies’ specific issues and concerns about CALSTARS:
  • The look and feel is not user friendly (i.e., “green screen” [text only] versus Graphical User Interface that allows direct manipulation of formats and images).
  • Not accessible or user friendly to managers outside of accounting.
  • Does not provide sufficient or easily accessible detail or drill down of data.
  • Does not meet a number of business needs and often requires additional systems or “work-arounds”.
  • Requires knowledge and experience that takes significant time to acquire (up to 18 months).
  • Federal program reporting requires more information than CALSTARS provides.
  • Not an on-line/real time system; monthly reports can be delayed as much as one or two months depending on the departmental processes.

In many CALSTARS agencies, personnel management issues have a greater impact on accounting offices than do technical issues. These issues include employee turn-over and a lack of knowledge, experience and consistency in classifications relative to the required responsibilities. Vacancies and hiring freezes have resulted in less qualified staff filling positions or in positions not filled. In some areas of the state, the pool of resources is limited because of pay inequities with private industry. Many departments do not have the technical ability or resources needed to automate the upload and download of data to CALSTARS that could facilitate processing or reporting.

Finally, our discussions with state agencies about the automated financial systems environment (supplemental to the survey) revealed issues that impede economic and efficient operations but that would require changes in laws, regulation or policy:
  • California has almost 1,000 separately accounted-for funds of varying complexity and workload demands. Program visibility or funding can be obtained without so many separate funds.
  • Generally Accepted Accounting Principles (GAAP) versus Legal/Budgetary Basis generates additional workload including two sets of financial statements and multiple systems. Additionally, the Legal/Budgetary Basis has become a driver for financial and accounting requirements. Government Code 12460 indicates that the two methods should deviate as little as possible and that the state should convert to using GAAP as a basis for its accounting systems.
  • The statewide view of budget to actual is restricted by the budget program numbering system. Budget program numbers at one agency for a specific program can be used at a different agency for a completely different program. This prevents a statewide roll-up of information.
  • Federal requirements are extensive and vary widely among the hundreds of federal programs and grants.

As a result of this overall environment, the state’s ability to produce timely, reliable financial data in an economical and efficient manner may suffer, and the risk of error or misstatement increases.

Conclusions
Existing systems are not meeting the state’s business needs or expectations. That by itself would require planning to specify the business requirements and an approach to meet those requirements. But with the state at a critical juncture, the current situation has added timing urgencies. Many of the financial systems are at risk of failure because of age, loss of manufacturer support and/or loss of key (dependent) staff that maintain or use them.

The loss of key staff is especially critical because they perform the necessary manual processes such as reconciliations between the multiple systems, preparation of financial reports, execution of the automated processes required for daily operation and resolution of system problems. Moreover, other personnel are not being trained as back-ups and replacements because of current policies, workload levels and the obsolescence of the technology. Further, because of the age and extensive customization of many systems, contractors do not have the required knowledge to step into operations without significant training. The number of systems involved, the multiple handling of data for different systems and the overall complexity of the financial management system exacerbate the current conditions.

The state’s hiring freeze and the loss of operational staff have degraded its ability to maintain adequate duty separations and key operational and maintenance functions.

Plans to remedy these diverse conditions vary. Budgetary constraints have precluded many agencies from taking the required steps or planning for resolution. Previous planning efforts led by the state’s control agencies to address these issues have been inconclusive.

The overall structure of the financial management environment—the number of systems and the obsolescent design of many of the systems—has inevitably resulted in a lack of economy and efficiency in the use of resources, frequent untimeliness of data and the potential unreliability and inaccessibility of data.

The remedy is not simple. Before these issues can be resolved, the state must determine an overall approach, strategy or enterprise plan for its financial management. Each agency must develop an inventory of its core and supplementary financial systems and determine their “life spans,” potential risks and maintenance needs for sustainability. DOF should perform a similar assessment for CALSTARS; currently the software and hardware of CALSTARS are supported by the manufacturer. Most CALSTARS support staff are not scheduled to retire in the near future, so CALSTARS is not an immediate risk. But because large IT projects require multiple years from concept to realization, planning should not be deferred. The state must prioritize its plan of action based on the results of this risk analysis.

New Financial System Projects
In the last four years, DOF has approved 38 projects with financial or financial-related functions and a total project cost (includes both development and ongoing maintenance and operations spanning multiple years) of $2.4 billion. Approximately 70 percent of these projects automate manual processes and/or replace obsolete systems; 30 percent meet new program requirements (i.e., legislation). Most included customization and program functionality in addition to financial functionality; these are not exclusively financial system projects. The result is a potential tangling of financial and program functions in a single purpose system. Only 21 percent of the projects might be considered “just” financial.

Projects with approval delegated to the departments were not included in this review. Our review of departments’ identification of their existing financial and accounting systems indicated many supplemental systems do not require control agency approval.

The 38 project feasibility studies approved within the last four years identified the following, sometimes multiple, financial or financial-related functionalities:
  • 3 comprehensive financial systems
  • 3 general ledgers
  • 2 human resource systems
  • 2 electronic claims for payment processing
  • 6 accounts payable
  • 9 accounts receivable and billing systems
  • 7 cashiering systems
  • 3 asset management systems
  • 3 collection systems
  • 2 project cost accounting

Because of departmental autonomy in the planning and development of supplementary accounting systems, the state is essentially purchasing and implementing the same functionality multiple times but without coordination among the entities. Each system is designed and tailored for a particular agency or program.

Audits of Financial Systems
DOF’s Office of State Audits and Evaluations (OSAE) publishes two guidelines for audits of a department’s information systems, one as part of the FISMA audit and a more comprehensive IT guide. In the preface to the IT Audit Guide, OSAE states:
These IT audit guidelines . . . reflect the transformation of IT and information systems from the centralized and structured IT environments to the decentralized information processing environments which are increasingly controlled at the program and organizational sub-unit level. . . . This situation makes the need for the IT audit function more critical than ever, and at the same time more difficult than ever. . . . The diversity of hardware, software and application systems across the universe of State agencies precludes the “check-list” approach to IT auditing. The IT audit function must be an ongoing process if the intent of the state’s security and data integrity policies is to be met.
The audit guide recommends an analysis of both general and application controls and an examination of IT functions and activities across the entire agency. Audit activities and procedures recommended include information and data integrity practices.

We requested all IT audit reports that included financial systems from 32 departments. Only 19 percent of the departments had had an audit in the last three years that included at least one financial system and that followed many of the OSAE guidelines. Many departments performed some of the recommended audit procedures. When these departments are added, departments that performed at least some audit procedures of their financial systems increase to 53 percent.

This review indicates that the state is not performing the recommended audits of financial systems and is at increased risk that inadequate physical, general and application system controls will not be detected.

Administrative and Financial Enterprise Systems Lessons Learned
In 1997, the ITCC recommended three pilot enterprise systems to evaluate different approaches and one interagency consortium to develop an enterprise system. The state approved the three pilot projects, but the proposed interagency consortium project did not take place. The ITCC did not evaluate the pilots because of changes in priorities, and ultimately the ITCC was discontinued because its enabling legislation sunset.

In addition to the three pilots, the state has approved other administrative and financial enterprise projects. Twelve agencies were identified with enterprise systems or some enterprise system modules. We interviewed five departments with enterprise systems for their lessons learned, including two of the original pilots. The state agencies interviewed have on average two to five years of experience with their systems.

All departments stated they were better off with their enterprise systems than with their previous systems. Improvements included better access to data and data research, budget controls, reports, data integration, real time processing, cost accounting and improved business processes. The departments also pointed out some negative attributes of the commercial-off-the-shelf (COTS) software: complexity (much more than expected) and lack of user friendliness make operations difficult; standard reports do not always meet state requirements. Additionally, the systems require specific standard processes; if these processes are modified, data integrity may be lost. The departments also found that enterprise system maintenance costs are frequently more than for the systems replaced. Some departments also pointed out that they believe some program operational areas obtained savings; however, processes and costs were not baselined before the project was implemented and savings were not quantified. Each department modified or customized the software and each did some business process reengineering.

Given the opportunity for 20/20 hindsight, each department strongly encouraged avoiding the development and implementation pitfalls that they reported and have since converted to “lessons learned.” One key lesson shared applies to all the advice from these agencies: individuals who have not experienced enterprise systems have a diminished understanding of the importance of the best practices or lessons learned, or as one individual pointed out, “You don’t know what you don’t know.” The key lessons learned are summarized in Appendix VIII.

The information in Appendix VIII is critical to understand and adopt if the state chooses to go forward with additional enterprise systems. Overall, “top down” process reengineering, beginning with the control agencies, is necessary. Furthermore, the transformation to enterprise systems and processes from the existing environment can have unforeseen effects; one agency experienced a 95 percent employee turnover in its accounting office.

Other Public Sector Enterprise Resource Planning Project Lessons Learned
An Internet search of other lessons learned considering enterprise solutions revealed comments on enterprise projects implemented by George Washington University, West Virginia University, Sacramento County, the Commonwealth of Pennsylvania and the United States Mint. Additional comments were obtained from a report prepared by The Diagonal Group. Common concerns from these organizations reflect many of the concerns identified by the surveyed state agencies and are presented in Appendix IX.

Conclusions and Recommendations
The state has increasing risk in its financial management system structure. Issues have been identified in the past but a statewide, comprehensive strategic plan for financial management systems has not been developed. Some of the key issues include:
  • Large number of existing systems
  • Insufficient oversight or audit of the existing systems
  • Obsolescence and deferred maintenance of the systems
  • Dependence on diminishing staff resources to maintain the systems
  • Dependence on diminishing staff resources to ensure data integrity
  • Decentralization and design of the systems
  • Complexity of the financial requirements
  • Complexity of the organizational responsibilities
Some systems are past the critical point for required action. But because development of new automated systems is very expensive, a coordinated approach, direction or enterprise plan for systems replacement is prudent. Today, each department operates as a separate entity and the SCO operates a parallel system. The state must determine if it will continue with this approach, or if a consolidated approach or some hybrid is preferable.

The results of previous pilot projects have been included in this report and will not be repeated here; however, key points for success concluded from the pilots and the other departments interviewed are:
  • Active executive support
  • Reengineer the control agencies’ processes
  • Update automation of the control agencies
  • Establish realistic expectations
  • Establish and define leadership for the effort
  • Incorporate lessons learned and best practices

The State’s System of Internal Controls and Monitoring
Many state agencies have neglected to comply with the state law requiring effective systems of internal controls. Consequently, the risk of fraud, waste and abuse increases when internal controls are lacking or missing. Additionally, financial statement reliability may also be compromised if independent validation and verification are not performed. We looked at the state’s control structures and requirements and surveyed agencies’ auditors to determine their role in providing assurances. We noted that many agencies neither perform internal control audits nor certify to the adequacy of their internal controls’ effectiveness. When internal audits are performed, auditors often identify deficiencies relating to accounting and administrative controls. For the most part, management takes timely and appropriate corrective action to fix the deficiencies; but some deficiencies continue from year to year. Repeated internal control deficiencies suggest that management hasn’t sufficiently embraced its control responsibility. Moreover, the audit function may not be placed at the proper organizational level to effect necessary control environment change.

The state’s current internal control legislation has been in place for over 20 years. The Legislature, aware of the importance effective internal controls played in detecting fraud and assisting in its prevention, as well as safeguarding assets, enacted the Financial Integrity and State Manager’s Accountability Act of 1983 (FISMA). FISMA, Government Code 13400–407, requires each state agency to maintain effective systems of internal accounting and administrative controls. Furthermore, FISMA defines internal controls and requires agencies to evaluate controls continuously. When weaknesses are detected, they are to be corrected promptly. To ensure FISMA compliance, agency heads must certify to the agency’s internal controls biennially. The act also discusses the Department of Finance’s (DOF) responsibility for guiding agencies in their reviews and reporting. To assist agencies with the FISMA requirements, specific procedures are described in the State Administrative Manual (SAM).

SAM Section 20000 et seq. describes FISMA-related procedures for all state agencies and discusses DOF’s Office of State Audits and Evaluations (OSAE) role in monitoring and coordinating FISMA implementation. DOF requires all state entities to submit reports concluding on the adequacy of their organization’s internal controls. The reports consist of a certification letter, internal control audit report(s) and management’s response to the audit report(s). Further, SAM 20060 discusses DOF’s independent program to examine the internal controls in institutions that have no process for monitoring internal controls. To help agencies fulfill FISMA requirements, OSAE issues an audit guide for the evaluation of internal controls and when necessary, issues audit memos to establish uniform policy and procedures.

To evaluate the effectiveness of state agencies’ systems of internal controls, we interviewed key personnel from OSAE, reviewed applicable laws, examined pertinent documentation and obtained historical audit and expenditure data from various state agencies. In addition, we analyzed the data for comparative purposes and performed trend analysis to identify patterns which might suggest systematic problems within the agencies’ internal control systems.

Many agencies ignore FISMA; OSAE monitoring efforts have not been effective to ensure compliance.
As part of this engagement, we analyzed state agencies’ FISMA compliance during biennial periods ending December 31, 2001 and December 31, 2003 (under the act, agencies are required to report every odd-numbered year). First, we obtained the spreadsheet used by OSAE to track the various state agencies’ certification letters and audit reports. Next, we obtained historical expenditure data from the Legislative Analyst Office’s website. We combined this information and included 161 state agencies in this analysis. We computed the compliance rates by percentages of agencies submitting certification letters and corresponding dollar amounts. The results were disappointing.

For the biennial period ending December 31, 2001, only 40 out of 161 state agencies (24.8 percent) submitted certification letters. Compliance rose slightly in the biennial period ending December 31, 2003, to 34.8 percent. Considering the magnitude of the reviewed agencies’ expenditures, the analysis indicates the state is at significant risk of errors and irregularities occurring and not being detected. For Fiscal Year 2001–2002, agencies not certifying to the effectiveness of their internal controls incurred more than $60 billion in expenditures. For FY 2002–2003, the amount fell to just over $40 billion expended by agencies not certifying.

Compliance varied widely among agencies. In several agencies, over 88 percent of the operating departments complied with reporting requirements during the biennial period ending December 31, 2001. However, other agencies showed no compliance. The wide range of compliance suggests that the agencies with higher rates understand the importance of certifying to the effectiveness of internal controls. One agency in full compliance maintains an audit unit at the agency level. This placement apparently ensures compliance and suggests that the internal auditing function benefits if placed at the secretary level. On the negative side, we noted that several control agencies did not comply with FISMA’s reporting requirements.

Also, several agencies with internal audit units have not completed FISMA related audits. A primary reason for such a poor showing by many state agencies may be the lack of sanctions for noncompliance. In addition, if an agency has no high visibility fraud or control breakdown, it may believe efforts to ensure controls are not necessary.

The OSAE audit chief, while aware of the noncompliance by many agencies, stated that OSAE does not have the proper enforcement authority to ensure all agencies comply. Neither FISMA nor SAM establishes enforcement responsibilities or sanctions. As a result, OSAE has limited its monitoring and coordination to recording the state agencies which file their certification letters and audit reports. In the past, OSAE performed more internal control audits of agencies without internal auditors. However, due to continuing budgetary constraints, OSAE has refocused its efforts to emphasize reimbursement work and has discontinued many of its FISMA related audits unless requested and paid for by the agencies. OSAE agrees that an agency level internal audit function would benefit the state because it would provide broader audit coverage through risk assessments of the agencies’ departments and offices.

Internal auditors identified many internal control deficiencies which are timely and appropriately corrected. However, potential systematic problems remain.
We analyzed audit information obtained from 26 internal audit units from various state agencies. Using the OSAE’s Directory of State Internal Audit Organizations, we requested the state’s 32 internal audit units to provide audit findings, recommendations and corrective actions for the period from January 1, 2000, through December 31, 2003. From the 26 audit shops that responded, we developed a database of 2,292 audit findings, which we queried to identify trends and patterns.

The first query showed the array of findings as the internal audit units allocate their resources to perform the different FISMA subcycles. Many audit units did not properly categorize their findings to a valid subcycle; therefore, the findings included in this analysis will not agree to the total findings reported. Only findings categorized to proper subcycles are included. Using the key words to the left of the table below, our query generated the following results:

| Key Word | FISMA Subcycle | Number of Findings | % of Findings |
|---|---|---|---|
| Cash | Receipt / Disbursements | 506 | 32.5% |
| Budget | Budget | 36 | 2.3% |
| Reporting | Financial Reporting | 13 | 0.8% |
| Receivable | Receivables | 115 | 7.4% |
| Revolving | Revolving Fund | 67 | 4.3% |
| Personnel | Personnel / Payroll | 143 | 9.2% |
| IT Controls | IT Controls | 186 | 11.9% |
| Contracts | Contracts | 109 | 7.0% |
| Fixed Assets / Property | Fixed Assets | 207 | 13.3% |
| Purchasing | Purchasing | 177 | 11.4% |
| | Total | 1,559 | 100.0% |

These results lead to several conclusions. First, the number of cash-related findings suggests this area is at high risk. Then, although the small number of findings in the budget and financial reporting cycles indicates fewer problems or exposures in those areas, our results with the financial statement exceptions (noted in the next discussion area) may instead indicate that audit units are not focusing their efforts in these areas. With the exception of the revolving fund subcycle, the other subcycles seem to show a consistent pattern of findings between 7 and 13 percent of total findings.

The next query was created to search the findings for sensitive words which would indicate errors and irregularities. We searched sensitive key words in the finding and condition field of the database. The results are noted in the following table.

| Key Word | Number of Findings | Status of Corrective Actions |
|---|---|---|
| Fraud | 24 | For the most part, corrective actions were taken, but several findings remained open. |
| Waste | 1 | Corrective action plan was not requested. |
| Abuse | 3 | Corrective action taken for two; no mention for one other finding. |
| Overstated | 12 | Corrective and partial action and no plan requested. |
| Understated | 6 | Partial and corrective action taken. |
| Unreliable | 2 | Action taken for one; no corrective action plan requested for the other. |

Table Notes:
Fraud — Most of the findings/conditions identified by this key word related to risk of fraud if the findings were not corrected. In addition, the Department of Health Services (DHS) performed an audit of a program set up to identify fraudulent labs. The audit identified several deficiencies which hinder the program’s ability to efficiently address fraud. The other findings related to the Department of Insurance audit of its Fraud Division.

Overstated — This key word identified several accounts which were overstated on the financial statements. Several of the findings related to overstated accounts receivables.

Understated — This key word identified several understated accounts. In particular, DHS understated its encumbrances by over $5 million for computer equipment ordered by various programs at year-end.

Many agencies report findings related to their fixed assets and accounts receivable. Since these two areas have direct ties to the state’s financial statements, we performed additional queries. The first query used the key word “property” and resulted in a report of findings that showed 22 out of the 26 agencies (85 percent) reported significant findings related to their fixed assets. The following was extracted from several of the reported findings and/or conditions.
  • Controls over property accounting did not ensure that assets were properly valued and received.
  • Equipment was overstated on the financial statements.
  • Controls over property did not ensure that assets were properly tracked, tagged, recorded and reconciled to accounting records.
  • Missing property valued at $434,046 had been recorded in a suspense account, an average of one year, while awaiting disposition.
  • The Board has not maintained adequate control and accountability for property, increasing the risk of misstatement in the general ledger.
  • Reconciliation of property balances with amounts reported to DGS not performed or incomplete.

As noted above, these findings may cause not only the individual agencies’ financial statements to be misstated, but also the agencies’ property ledgers, general ledgers and Statement of Changes in General Fixed Assets. In addition, given the frequency and extent of these findings, the issues appear to be systematic and could be even more significant considering all the agencies which do not have an internal audit function. CPR has established a separate Assets Management team to address issues of identification, management and control of the state’s fixed assets.

In reviewing the accounts receivable (A/R) findings, we observed that many agencies found problems relating to the aging of A/Rs, A/Rs not recorded in general ledgers, A/Rs not reconciled to appropriate records, financial statements overstated and inadequate write-off procedures. One specific example states: “This listing reflects $14.8 million in outstanding receivables. However, the listing cannot be relied upon, as it lacks a basis in valid supporting documentation.” Given these findings, the financial statements’ A/R balances may be misstated for several, if not many, state agencies.

Our final query browsed the audit information to determine whether corrective action had been taken. Many documents showing the status of corrective action plans indicated that corrective action was taken. In addition, follow-ups were performed for some but not all of the issues noted. While most of the agencies are responsive to the audit issues noted, many findings are repeated from year to year. In addition, in at least one example, an agency neglected to implement audit findings noted in the audit.

During our interview with the Office of Emergency Services (OES), staff notified us of audit-identified problems with Office of Criminal Justice Planning (OCJP) accounting records. The findings included no bank reconciliations for several years, revenue collected but not posted, no remittances to the State Treasurer’s Office, SCO reconciliations not reflecting the agency records and federal grant reporting and claim payment issues. According to OES, a team of 12 OSAE auditors has been established to assist OES with the corrective effort. OES further stated that an internal audit report identified all of these problems and that shortly after the audit report was presented, the OCJP audit shop was disbanded. While this may be an isolated and not correlative incident, if the internal audit unit had reported to an agency secretary it may have been avoided.

Many smaller agencies’ financial information is not being adequately reviewed to determine its reliability and fair statement.
We noted that various smaller agencies do not receive routine audits of their internal controls or financial information as is typical in larger departments. The Bureau of State Audits (BSA) annual audit of the state’s financial statements rarely includes smaller agencies because of its high dollar materiality levels. As discussed in the previous section, most state agencies do not have internal audit units and do not perform routine accounting and administrative control audits. The control agencies with auditing functions typically audit agencies with high expenditure amounts. Often, agencies’ only financial statement review comes from SCO, but that review is more one of form rather than of substance. Nevertheless, these reviews showed that many agencies’ financial reports lacked timeliness and accuracy of financial data. Given these conditions, we believe the state runs the risk that unreliable financial information (although not material to the state as a whole) may be prepared by smaller agencies and not discovered and corrected in a timely manner.

Each year, BSA audits the financial statements that collectively comprise the state’s basic financial statements. In conducting the audit, BSA relies on audit work performed by control agencies, state internal auditors and independent contractors. In addition, BSA assesses the risk of material misstatement of the financial statements due to fraud and designs tests that provide reasonable assurance of detecting fraud that is material to the financial statements. BSA establishes materiality levels for the major funds and identifies profile accounts for audit testing. BSA performs the required testing and procedures to express an opinion on the state’s basic financial statements. To obtain an understanding of BSA’s audit coverage for selected state agencies, we met with the Deputy State Auditor, who explained the audit approach and identified the state agencies that were part of BSA’s audit testing for FY 2002–2003. The majority of them were larger agencies. According to the Deputy State Auditor, the smaller agencies have a remote chance to be included in the annual audit. BSA’s materiality levels and sampling plan broadly incorporate those small agencies whose potential noncompliance would not materially affect the state’s financial statements taken as a whole.

We also met with SCO’s audit managers to determine the extent of their audit coverage. SCO’s seven audit bureaus perform a wide range of audits including the following areas:
  • Single audit oversight of local agencies, school districts and special districts
  • Unclaimed properties and non-institutional providers of Medi-Cal
  • Mandated costs for school districts, cities, counties and special districts
  • Court revenues to ensure their accuracy and appropriate allocation
  • County collected property taxes to ensure their proper allocation
  • Oil and gas royalties owed to the state
  • Claim schedule and tape claims
  • California Lottery to determine accurate revenue reporting and proper allocation
This audit coverage does not include internal control or financially-related audits of small state agencies. However, the SCO’s Division of Accounting and Reporting (separate from the Division of Audits) does perform a cursory review of each financial statement submitted by the individual agencies.

To recognize agencies that submit both accurate and timely year-end financial reports, SCO’s review measures the financial information against pre-established criteria. If agencies meet all of the criteria, they may receive the “Award for Achieving Excellence in Financial Reporting.” To qualify for this award, general fund agencies must meet 10 criteria including timely submittal, proper account number and title coding, prior year accruals within a specified range and debits equal credits. The table below shows the percentage of agencies receiving awards.

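| Fiscal Year | 1996-1997 | 1997-1998 | 1998-1999 | 1999-2000 | 2000-2001 | 2001-2002 | 2002-2003 |
|---|---|---|---|---|---|---|---|
| Total Eligible | 223 | 226 | 225 | 198 | 212 | 208 | 226 |
| No. of Awards Issued | 29 | 45 | 34 | 49 | 45 | 48 | 73 |
| Percentage Awarded | 13% | 20% | 15% | 25% | 21% | 23% | 32% |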

We analyzed further to identify the types of errors that prevented the agencies from receiving the reporting awards. For the 226 agencies that submitted general fund financial reports, we noted the following errors and error rates.

| Criteria | Number of Agencies | Error Rate |
|---|---|---|
| Reports/Revised Reports were not submitted on time | 56 | 24.7% |
| Prior accruals are not within 10% of expenditures and revenues realized in the current year | 71 | 31.4% |
| Total error rate is more than 2% | 37 | 16.4% |
| Expenditures and Revenues do not agree with Governor’s Budget | 8 | 3.5% |
| Debits and credits not equal | 10 | 4.4% |

As this table shows, many agencies are not submitting their financial reports by the due dates. In addition, agencies appear to have problems accounting for their prior accruals and submitting reports with minimal errors. While these exceptions occurred in both large and small agencies, the larger agencies generally have audit coverage by either internal or external auditors, whereas the smaller agencies more often lack independent audit assessment of their financial data. Without this audit coverage, the risk increases that agencies are certifying to the accuracy of their financial statements without a solid basis. This may lead program and fiscal managers to make decisions based on untimely and incomplete financial data.

Conclusion
Overall, the state’s control environment could be improved by taking several important steps. First, in conjunction with CPR’s proposed re-organization, place auditors at the agency level. This organizational placement will help assure wider audit coverage of the smaller entities within the agencies—especially those lacking financial-related audits. In addition, agency-level auditors will be better able to ensure appropriate corrective actions are being taken to address audit-reported deficiencies, and would provide a point of contact for coordination among other state auditors. Second, OSAE’s FISMA monitoring efforts should be strengthened. OSAE should have adequate enforcement authority to require all agencies to comply with the FISMA reporting requirement. Moreover, the guidance and approach to the FISMA audits should be clearly discussed with the internal auditors to help assure consistency. Next, agency heads should reinforce the importance of providing timely and reliable financial reports to SCO. The low achievement award rate we identified may indicate the lack of importance management places on timely and correct financial data. By implementing these steps, the state’s internal control structures would be strengthened, and would likely improve the timeliness and reliability of the state’s financial data.