State law authorizes the California State Auditor (State Auditor) to develop a state high-risk government agency audit program (high risk program). Our office uses this program to improve the operation of state government by identifying, auditing, and recommending improvements to state agencies and statewide issues at high risk for waste, fraud, abuse, or mismanagement or for having major challenges associated with their economy, efficiency, or effectiveness. In accordance with this statutory authority, the State Auditor adopted regulations in 2016 that further describe the high risk program. As we outline below, these regulations provide the criteria we used in determining the list of high-risk agencies and issues we present in this report.
Criteria for Determining Whether a State Agency or Statewide Issue Merits High Risk Designation
State regulations outline the conditions under which an agency or issue is high risk. All four of the following conditions must be present for us to assign the high risk designation:
- The potential waste; fraud; abuse; mismanagement; or impaired economy, efficiency, or effectiveness may result in serious detriment to the State or its residents.
- The likelihood of waste; fraud; abuse; mismanagement; or impaired economy, efficiency, or effectiveness causing such harm is so great that it constitutes a substantial risk.
- The state agencies that are suffering from or that are responsible for resolving the waste; fraud; abuse; mismanagement; or impaired economy, efficiency, or effectiveness are not taking adequate corrective actions to prevent the risk or its effects.
- An audit and the agencies’ implementation of the resulting recommendations will significantly reduce or eliminate the substantial risk of serious detriment to the State or its residents.
For both state agencies and statewide issues, we consider a number of factors in determining whether there is substantial risk to the State or its residents. We consider whether the risks are already causing detriment, whether those risks are increasing, and whether changes in circumstances are likely to cause detriment. We also assess different factors to determine whether the risks will have serious effects such as loss of life, injury, or reduction in residents’ overall health or safety; impairment of the delivery of government services; significant reduction in overall effectiveness or efficiency of state government programs; and impingement of citizens’ rights. Finally, we evaluate whether agencies have taken adequate measures to correct previously identified deficiencies or whether the State has taken measures to reduce the risks posed by the issues. In all cases, our professional staff make the final determination of risk level based on their independent and objective judgment.
Removal of High Risk Designation
We may remove the high risk designation under the following circumstances:
- A change in circumstances results in the risk no longer presenting the potential for serious detriment to the State or its residents.
- The responsible agencies have taken sufficient corrective action to prevent or mitigate the risk of harm.
For example, we evaluate whether the agencies have defined the root causes of the risk and identified and implemented effective measures for eliminating those causes. We also analyze whether the agencies responsible have processes for independently monitoring and measuring the effectiveness of corrective actions. When these actions result in significant progress toward resolving or mitigating the high-risk issue, we may remove the high risk designation. However, we will continue to monitor the issue. If the risk reoccurs, we will consider reinstating the high risk designation. We base the final determination of whether to remove a high risk designation on our professional judgment.
State High Risk Reports
Government Code section 8546.5 authorizes the State Auditor to audit and to publish audit reports on any state agency it identifies as high risk. In May 2007, we issued a report that provided an initial list of high-risk agencies and issues, and we have since issued several reports updating the status of those agencies and issues. We published our most recent update to the state high risk list in January 2018. Further, we have audited a selection of the high-risk agencies and issues; for instance, we published a state high risk audit report in July 2019 titled Gaps in Oversight Contribute to Weaknesses in the State’s Information Security, Report 2018‑611.
To update our analysis of high-risk agencies and issues, we interviewed knowledgeable staff at the responsible agencies to gain perspective on the extent of the risks the State faces. We also reviewed efforts that the staff at the agencies said were underway and were intended to mitigate the identified risks. In addition, we reviewed reports and other documentation relevant to the issues and consulted other state agencies when relevant.