High Risk
The California State Auditor’s Updated Assessment of High-Risk Issues the State and Select State Agencies Face

Report Number: 2017-601

Appendix A
Considerations for Determining High Risk

Government Code section 8546.5 provides the State Auditor with the following authority:

In addition, section 8546.5 requires the State Auditor to notify the Joint Legislative Audit Committee whenever it identifies a state agency or statewide issue as being at high risk.

Qualitative and Quantitative Factors

In 2016 the State Auditor adopted regulations to implement, interpret, and make specific the provisions of the state high risk authority (Title 2, Cal. Code Regs., section 61000 et seq.). These regulations provide the criteria we use in establishing the state high risk list and in deciding whether a state agency or statewide issue will remain on the list. In determining whether a state agency or statewide issue should be identified as high‑risk, we consider a number of qualitative and quantitative factors in addition to the criteria we detailed in the Introduction. Although we consider many qualitative factors, we focus in particular on whether the risk could result in significantly impaired service; significantly reduced efficiency and/or effectiveness; public injury or loss of life; reduced confidence in government; or unauthorized disclosure, manipulation, or misuse of sensitive information. We also assess different factors in determining the substantiality of risk, including whether the risks are already causing detriments to the State or its residents, whether those risks are escalating, and whether changes in circumstances are likely to cause detriment.

Responsiveness to Recommendations and Corrective Measures

Government Code section 8546.2 requires that state agencies provide the State Auditor with updates on the implementation of recommendations we have made to them both in the form and at the intervals prescribed by the State Auditor. Moreover, Government Code section 8548.9 places additional reporting requirements on state agencies that have not implemented audit recommendations that are more than one year old.

The State Auditor also receives whistleblower complaints about improper governmental activities under the California Whistleblower Protection Act (Government Code section 8547 et seq.) and regularly issues public reports on substantiated complaints. That act requires state agencies either to take corrective action on substantiated complaints and report to us what action is taken or, if no action is taken, to indicate the reason for not doing so.

We consider whether each audited or investigated state agency demonstrated commitment in implementing audit recommendations or taking corrective measures for any substantiated complaints or issues noted in our reports. The final determination as to how committed agencies are to making changes to address audit recommendations or to taking corrective measures stemming from investigations may include additional follow‑up reviews by the State Auditor and ultimately is based on our professional judgment.

Ongoing Reporting and Future Audits

Once the State Auditor identifies a state agency or statewide issue as being high‑risk, the State Auditor may require the affected agencies to report on the status of those recommendations for improvement made by the State Auditor or other state oversight agencies. Related to that, the State Auditor may require affected agencies to periodically report their efforts to mitigate or resolve the risks identified by the State Auditor or other state oversight agencies. In addition, the State Auditor may initiate audits and issue audit reports with recommendations for improvement in the affected agencies.

Removal of High Risk Designations

When we designate agencies or statewide issues as being at high risk and place them on our high risk list, we may remove the designation under the following circumstances: (1) if there is a change in circumstances that results in the risk no longer presenting a serious detriment and (2) if there is a demonstrated commitment by the leadership of the state agency or agencies responsible for addressing the risk. The state agency or responsible agencies should define the root causes of the risk and identify effective measures for eliminating those causes. Moreover, the responsible party must have a process for independently monitoring and measuring the effectiveness of steps taken and for periodic reporting regarding progress.

When legislative and agency actions result in significant progress toward resolving or mitigating a high‑risk issue, we will remove the high risk designation. The agency or agencies must also demonstrate progress in implementing corrective measures. However, we will continue to monitor these issues. If risks again arise, we will consider reapplying the high risk designation. The final determination of whether to remove a high risk designation is based on our professional judgment.

Appendix B
California State Auditor’s Survey of Select Entities for Levels of Compliance With Security Standards

We resurveyed 101 state entities that certified their levels of compliance with the requirements in Chapter 5300 of the State Administrative Manual (security standards) to the California Department of Technology (Technology Department) in 2014.⁵ These state entities were previously surveyed for our August 2015 report. In an effort to protect the State’s information assets, we have chosen not to publicly disclose the names of the entities that we surveyed; instead, we assigned each entity a number. In Table B we summarize the 87 respondents’ self‑reported levels of compliance with 17 security standards that we placed into the following categories: Information Asset Management, Risk Management, Information Security Program Management, Information Security Incident Management, and Technology Recovery. We grouped the remaining security standards into the category of Other Information Security Requirements. In addition, Table B identifies the types of information some respondents asserted that they collect, store, or maintain. Other respondents stated that they did not have such information.

Table B
Most Survey Respondents Reported That They Are Not Fully Compliant With Security Standards

The first three columns after the entity number show what the entity reported that it collects, stores, or maintains; the remaining six columns show its self-reported compliance level for each control area.

| Entity | Personal information or health information protected by law* | Confidential financial data* | Other sensitive data* | Information asset management | Risk management | Information security program management | Information security incident management | Technology recovery | Other information security requirements |
|---|---|---|---|---|---|---|---|---|---|
| 01 | | | | fully compliant | fully compliant | fully compliant | fully compliant | fully compliant | fully compliant |
| 02 | Yes | Yes | Yes | fully compliant | fully compliant | fully compliant | fully compliant | fully compliant | fully compliant |
| 03 | | | | fully compliant | fully compliant | fully compliant | fully compliant | fully compliant | fully compliant |
| 04 | Yes | Yes | Yes | fully compliant | fully compliant | fully compliant | fully compliant | fully compliant | fully compliant |
| 05 | Yes | Yes | Yes | fully compliant | fully compliant | fully compliant | fully compliant | fully compliant | fully compliant |
| 06 | | | | fully compliant | fully compliant | fully compliant | fully compliant | fully compliant | fully compliant |
| 07 | Yes | | Yes | fully compliant | fully compliant | fully compliant | fully compliant | mostly compliant | mostly compliant |
| 08 | Yes | | | fully compliant | fully compliant | fully compliant | mostly compliant | fully compliant | fully compliant |
| 09 | Yes | | Yes | fully compliant | fully compliant | fully compliant | mostly compliant | fully compliant | mostly compliant |
| 10 | Yes | | Yes | fully compliant | fully compliant | fully compliant | mostly compliant | mostly compliant | mostly compliant |
| 11 | | | | fully compliant | fully compliant | mostly compliant | fully compliant | fully compliant | fully compliant |
| 12 | Yes | Yes | | fully compliant | fully compliant | mostly compliant | partially compliant | mostly compliant | mostly compliant |
| 13 | Yes | | | fully compliant | fully compliant | mostly compliant | fully compliant | fully compliant | mostly compliant |
| 14 | | | Yes | fully compliant | fully compliant | mostly compliant | mostly compliant | mostly compliant | mostly compliant |
| 15 | Yes | | | fully compliant | fully compliant | mostly compliant | mostly compliant | mostly compliant | mostly compliant |
| 16 | Yes | Yes | Yes | fully compliant | mostly compliant | fully compliant | fully compliant | mostly compliant | mostly compliant |
| 17 | Yes | Yes | | fully compliant | mostly compliant | fully compliant | fully compliant | mostly compliant | fully compliant |
| 18 | Yes | | | fully compliant | mostly compliant | fully compliant | mostly compliant | mostly compliant | mostly compliant |
| 19 | Yes | | Yes | fully compliant | mostly compliant | mostly compliant | fully compliant | mostly compliant | mostly compliant |
| 20 | | | | fully compliant | partially compliant | mostly compliant | fully compliant | mostly compliant | mostly compliant |
| 21 | Yes | Yes | Yes | fully compliant | partially compliant | mostly compliant | fully compliant | mostly compliant | mostly compliant |
| 22 | Yes | Yes | | fully compliant | partially compliant | mostly compliant | mostly compliant | mostly compliant | mostly compliant |
| 23 | Yes | | Yes | fully compliant | partially compliant | fully compliant | fully compliant | fully compliant | mostly compliant |
| 24 | | | | fully compliant | partially compliant | partially compliant | fully compliant | fully compliant | mostly compliant |
| 25 | Yes | | | fully compliant | partially compliant | partially compliant | mostly compliant | partially compliant | mostly compliant |
| 26 | Yes | | Yes | mostly compliant | fully compliant | fully compliant | fully compliant | fully compliant | mostly compliant |
| 27 | Yes | Yes | Yes | mostly compliant | fully compliant | fully compliant | fully compliant | fully compliant | mostly compliant |
| 28 | Yes | | Yes | mostly compliant | fully compliant | fully compliant | mostly compliant | mostly compliant | mostly compliant |
| 29 | Yes | | | mostly compliant | fully compliant | mostly compliant | fully compliant | fully compliant | mostly compliant |
| 30 | Yes | | | mostly compliant | fully compliant | mostly compliant | fully compliant | fully compliant | mostly compliant |
| 31 | Yes | | | mostly compliant | fully compliant | mostly compliant | mostly compliant | fully compliant | mostly compliant |
| 32 | | | | mostly compliant | fully compliant | mostly compliant | fully compliant | mostly compliant | mostly compliant |
| 33 | | | | mostly compliant | fully compliant | mostly compliant | fully compliant | mostly compliant | mostly compliant |
| 34 | | | | mostly compliant | fully compliant | mostly compliant | fully compliant | mostly compliant | mostly compliant |
| 35 | | | | mostly compliant | fully compliant | mostly compliant | fully compliant | mostly compliant | mostly compliant |
| 36 | | | | mostly compliant | fully compliant | mostly compliant | fully compliant | mostly compliant | mostly compliant |
| 37 | | | | mostly compliant | fully compliant | mostly compliant | fully compliant | mostly compliant | mostly compliant |
| 38 | | | | mostly compliant | fully compliant | mostly compliant | fully compliant | mostly compliant | mostly compliant |
| 39 | Yes | | Yes | mostly compliant | fully compliant | mostly compliant | partially compliant | partially compliant | mostly compliant |
| 40 | Yes | | | mostly compliant | mostly compliant | mostly compliant | mostly compliant | mostly compliant | mostly compliant |
| 41 | | | | mostly compliant | mostly compliant | mostly compliant | fully compliant | mostly compliant | mostly compliant |
| 42 | | | | mostly compliant | mostly compliant | mostly compliant | fully compliant | mostly compliant | mostly compliant |
| 43 | | | | mostly compliant | mostly compliant | mostly compliant | fully compliant | mostly compliant | mostly compliant |
| 44 | | | | mostly compliant | mostly compliant | mostly compliant | fully compliant | mostly compliant | mostly compliant |
| 45 | Yes | Yes | | mostly compliant | mostly compliant | mostly compliant | mostly compliant | mostly compliant | mostly compliant |
| 46 | Yes | | | mostly compliant | mostly compliant | mostly compliant | mostly compliant | mostly compliant | mostly compliant |
| 47 | Yes | Yes | | mostly compliant | mostly compliant | mostly compliant | partially compliant | mostly compliant | mostly compliant |
| 48 | Yes | | | mostly compliant | mostly compliant | fully compliant | mostly compliant | fully compliant | mostly compliant |
| 49 | Yes | | Yes | mostly compliant | mostly compliant | mostly compliant | fully compliant | mostly compliant | mostly compliant |
| 50 | Yes | Yes | | mostly compliant | mostly compliant | mostly compliant | fully compliant | mostly compliant | mostly compliant |
| 51 | | | | mostly compliant | mostly compliant | mostly compliant | fully compliant | mostly compliant | partially compliant |
| 52 | Yes | | Yes | mostly compliant | mostly compliant | mostly compliant | mostly compliant | mostly compliant | mostly compliant |
| 53 | Yes | Yes | Yes | mostly compliant | mostly compliant | mostly compliant | mostly compliant | mostly compliant | mostly compliant |
| 54 | Yes | | | mostly compliant | mostly compliant | partially compliant | mostly compliant | mostly compliant | mostly compliant |
| 55 | Yes | Yes | | mostly compliant | partially compliant | partially compliant | mostly compliant | mostly compliant | mostly compliant |
| 56 | Yes | | Yes | mostly compliant | partially compliant | partially compliant | partially compliant | mostly compliant | partially compliant |
| 57 | Yes | Yes | Yes | mostly compliant | partially compliant | partially compliant | partially compliant | partially compliant | partially compliant |
| 58 | Yes | | | mostly compliant | partially compliant | mostly compliant | fully compliant | mostly compliant | mostly compliant |
| 59 | Yes | | | mostly compliant | partially compliant | partially compliant | fully compliant | mostly compliant | mostly compliant |
| 60 | Yes | Yes | | mostly compliant | not compliant | partially compliant | partially compliant | partially compliant | partially compliant |
| 61 | Yes | Yes | Yes | partially compliant | mostly compliant | mostly compliant | fully compliant | fully compliant | mostly compliant |
| 62 | Yes | | | partially compliant | mostly compliant | partially compliant | mostly compliant | mostly compliant | mostly compliant |
| 63 | Yes | | Yes | partially compliant | mostly compliant | partially compliant | mostly compliant | mostly compliant | partially compliant |
| 64 | Yes | | Yes | partially compliant | mostly compliant | partially compliant | mostly compliant | partially compliant | mostly compliant |
| 65 | | | Yes | partially compliant | mostly compliant | partially compliant | partially compliant | partially compliant | partially compliant |
| 66 | Yes | Yes | Yes | partially compliant | partially compliant | mostly compliant | mostly compliant | partially compliant | mostly compliant |
| 67 | Yes | Yes | Yes | partially compliant | partially compliant | partially compliant | partially compliant | partially compliant | partially compliant |
| 68 | Yes | | | partially compliant | partially compliant | partially compliant | partially compliant | partially compliant | mostly compliant |
| 69 | Yes | | Yes | partially compliant | partially compliant | mostly compliant | mostly compliant | mostly compliant | mostly compliant |
| 70 | Yes | | | partially compliant | partially compliant | mostly compliant | mostly compliant | mostly compliant | partially compliant |
| 71 | Yes | | | partially compliant | partially compliant | mostly compliant | mostly compliant | partially compliant | partially compliant |
| 72 | Yes | | Yes | partially compliant | partially compliant | mostly compliant | partially compliant | partially compliant | partially compliant |
| 73 | Yes | Yes | | partially compliant | partially compliant | partially compliant | mostly compliant | partially compliant | partially compliant |
| 74 | Yes | | | partially compliant | partially compliant | partially compliant | partially compliant | partially compliant | mostly compliant |
| 75 | Yes | | | partially compliant | partially compliant | partially compliant | mostly compliant | partially compliant | partially compliant |
| 76 | Yes | | | partially compliant | partially compliant | partially compliant | mostly compliant | partially compliant | partially compliant |
| 77 | Yes | Yes | Yes | partially compliant | partially compliant | partially compliant | mostly compliant | partially compliant | partially compliant |
| 78 | Yes | Yes | Yes | partially compliant | partially compliant | partially compliant | partially compliant | partially compliant | partially compliant |
| 79 | Yes | | Yes | partially compliant | partially compliant | partially compliant | partially compliant | partially compliant | partially compliant |
| 80 | Yes | | | partially compliant | partially compliant | partially compliant | partially compliant | partially compliant | partially compliant |
| 81 | Yes | | | partially compliant | partially compliant | partially compliant | partially compliant | partially compliant | partially compliant |
| 82 | Yes | | Yes | partially compliant | not compliant | partially compliant | partially compliant | partially compliant | partially compliant |
| 83 | | | | partially compliant | not compliant | partially compliant | partially compliant | partially compliant | partially compliant |
| 84 | Yes | | Yes | not compliant | mostly compliant | partially compliant | mostly compliant | partially compliant | mostly compliant |
| 85 | Yes | Yes | | not compliant | partially compliant | fully compliant | partially compliant | partially compliant | partially compliant |
| 86 | Yes | | | not compliant | partially compliant | partially compliant | partially compliant | partially compliant | partially compliant |
| 87 | Yes | | | not compliant | partially compliant | partially compliant | partially compliant | partially compliant | partially compliant |

Source: California State Auditor’s analysis of state entities’ 2017 survey responses.

* For entries in these columns that do not contain the value “Yes,” the entity asserted in its response to our survey that it did not collect, store, or maintain this type of data.

Compliance levels used in the table:

Fully compliant: The entity asserted that it is fully compliant with all of the security standards for the control area.
Mostly compliant: The entity asserted that it has attained nearly full compliance with all of the security standards for the control area.
Partially compliant: The entity asserted that it has made measurable progress in complying but has not addressed all of the security standards for the control area.
Not compliant: The entity asserted that it has not yet addressed the security standards for the control area.



Footnote

⁵ The 101 state entities we surveyed included entities that state law requires to report to the Technology Department each year as well as some entities that voluntarily reported to the Technology Department in 2014.