2025-601 State High-Risk Audit Program

December 11, 2025
2025‑601

The Governor of California
President pro Tempore of the Senate
Speaker of the Assembly
State Capitol
Sacramento, California 95814

Dear Governor and Legislative Leaders:

As required by Government Code section 8546.5, my office presents this report about statewide issues and state agencies that represent a high risk to the State or its residents. Our work to identify and address such high-risk statewide issues and agencies aims to enhance efficiency and effectiveness by focusing the State’s resources on improving the delivery of services related to important programs or functions.

In this report, we conclude that the California Department of Social Services met our criteria to be designated as a high-risk agency, and we are adding it to the high-risk list. Because of recent changes to federal law, the State will soon be required to pay a portion of its CalFresh benefits. This cost, which could be as much as $2.5 billion in federal fiscal year 2028, is based on California’s payment error rate, which measures the accuracy of the State’s eligibility and benefit determinations. We also describe updates to the seven existing high-risk state agencies and statewide issues that include the Employment Development Department, the State’s management of federal COVID-19 funds, the State’s financial reporting and accountability, the Department of Health Care Services, information security, the California Department of Technology, and water infrastructure and availability.

We will continue to monitor the risks we have identified in this report and the actions the State takes to address them. For example, our office has recently initiated more in-depth high-risk audits of Medi-Cal eligibility determinations and the State’s financial reporting and accountability under the statutory authority provided by our state high-risk program. When the State’s actions result in significant progress toward resolving or mitigating such risks, we will remove the high-risk designation according to our professional judgment.

Respectfully submitted,

GRANT PARKS
California State Auditor

---

Selected Abbreviations Used in This Report

ACFR	Annual Comprehensive Financial Report
CAP	Corrective Action Plan
CDC	Centers for Disease Control
EDD	Employment Development Department
HCD	Department of Housing and Community Development
IT	Information Technology
LAO	Legislative Analyst’s Office
OBBBA	One Big Beautiful Bill Act
PAL	Project Approval Lifecycle
PDL	Project Delivery Lifecycle
PER	Payment error rate
SNAP	Supplemental Nutrition Assistance Program
UI	Unemployment Insurance
USDA	U.S. Department of Agriculture

Contents

RISK AREA	HIGH-RISK AGENCY OR RESPONSIBLE AGENCY	REPORT SECTION	ON LIST SINCE
Introduction
New High-Risk Agency
CalFresh Benefit Obligations	California Department of Social Services	Errors in Calculating CalFresh Benefits Reduce Program Effectiveness and Could Increase Costs to the State Due to Federal Legislation	N/A
Retained High-Risk Agencies and Issues
Unemployment Insurance Program	Employment Development Department—High‑Risk Agency	The Employment Development Department Continues to Struggle with Improper Payments, Claimant Service, and Eligibility Decision Appeals	2023
State’s Management of Federal COVID-19 Funds	Department of Finance and Various Agencies—High-Risk Statewide Issue	The State’s Management of Federal COVID-19 Funds Continues to be a High-Risk Issue	2020
State’s Financial Reporting and Accountability	State Controller’s Office and Various Agencies—High-Risk Statewide Issue	Late Financial Reporting Remains a High-Risk Issue	2020
Medi-Cal Eligibility	Department of Health Care Services—High-Risk Agency	The Department of Health Care Services Has Not Adequately Demonstrated Progress to Resolve Problems With Medi-Cal Eligibility Determinations	2007
Information Security	California Department of Technology and Various Agencies—High-Risk Statewide Issue	The State’s Information Security Remains a High‑Risk Issue	2013
Information Technology Oversight	California Department of Technology—High-Risk Agency	The California Department of Technology Has Not Made Sufficient Progress in Its Oversight of State IT Projects	2007
Water Infrastructure and Availability	Department of Water Resources and the California Governor’s Office of Emergency Services—High-Risk Statewide Issue	California’s Deteriorating Water Infrastructure and Climate Change May Threaten the Lives and Property of Its Residents and the Reliability of the State’s Water Supply	2013
Other Area Reviewed
Accountability Over Homelessness Spending and Program Outcomes

Introduction

Background

State law authorizes the California State Auditor (State Auditor) to develop a state high‑risk government agency audit program (high‑risk program). Our office implemented this program to improve the operation of state government by identifying and auditing state agencies and statewide issues at high risk for waste, fraud, abuse, or mismanagement or for having major challenges associated with their economy, efficiency, or effectiveness, and recommending improvements as a result. In accordance with this statutory authority, the State Auditor adopted regulations in 2016 that fully implemented the high‑risk program. These regulations provide the criteria we used in determining the list of state high‑risk agencies and statewide issues we present in this report.

Criteria for Determining Whether a State Agency or Statewide Issue Merits a High‑Risk Designation

According to state regulations, a state agency or statewide issue may be added to the State Auditor’s high‑risk list if the agency is at risk of suffering, or the issue is at risk of producing, waste, fraud, abuse, or mismanagement. Further, a state agency or statewide issue may be added to the State Auditor’s high‑risk list if the agency is at risk of suffering, or the issue is at risk of producing, major challenges associated with economy, efficiency, or effectiveness under circumstances that cause the risk to be high. All four of the following conditions must be present for us to assign the high‑risk designation:

• The waste, fraud, abuse, or mismanagement or the impaired economy, efficiency, or effectiveness may result in serious detriment to the State or its residents.
• The likelihood of waste, fraud, abuse, or mismanagement or the likelihood of impaired economy, efficiency, or effectiveness is great enough, when compared to the level of serious detriment that may result, for there to be a substantial risk of serious detriment to the State or its residents.
• The state agency or agencies that are responsible for a portion of the statewide issue, or could be tasked with responsibility for resolving a portion of the issue, are not taking adequate corrective actions to prevent the risk of waste, fraud, abuse, or mismanagement or the impaired economy, efficiency, or effectiveness from continuing.
• An audit and the agencies’ implementation of the resulting recommendations may significantly reduce the substantial risk of serious detriment to the State or its residents.

When assessing both state agencies and statewide issues, we consider a number of factors to determine whether there is substantial risk of serious detriment to the State or its residents. We consider whether waste, fraud, abuse, or mismanagement or impaired economy, efficiency, or effectiveness are already resulting in serious detriment, whether the detriment to the State or its residents is escalating, and whether changes in circumstances challenging existing state agency controls are likely to result in serious detriment. We also consider various factors that determine whether the risks may result in serious detriment, such as loss of life, injury, or a broad reduction in residents’ overall health or safety; impairment of the delivery of government services; significant reduction in the overall effectiveness or efficiency of state government programs; or impingement of citizens’ rights. Finally, in evaluating whether agencies have taken adequate corrective actions to prevent the substantial risk of serious detriment, we consider factors such as whether the agencies have demonstrated a strong commitment to controlling or eliminating the risk of waste, fraud, abuse, or mismanagement or impaired economy, efficiency, or effectiveness and whether they have made significant progress through action already taken to control or eliminate the risk to the State. We make the final determination of risk level according to our professional judgment.

Removal of High‑Risk Designation

We remove the high‑risk designation under any of the following circumstances:

• A change occurred since the agency or statewide issue was added to the state high‑risk list such that the risk we previously identified no longer presents a substantial risk of serious detriment to the State or its residents.
• The agency has taken sufficient corrective action to prevent the risk from continuing to present a substantial risk of serious detriment.
• We conclude that the risk presented by the agency or statewide issue is not likely to be reduced by performing additional audit work.

State regulations require us to use our professional judgment to determine whether to remove a high‑risk designation. When we remove the high‑risk designation for one of the reasons described above, we continue to monitor the issue or agency and, if the risk reoccurs, we may reinstate the high‑risk designation according to the factors described earlier.

State High‑Risk Reports

Government Code section 8546.5 authorizes our office to audit and to publish reports on any state agency or statewide issue that we identify as high‑risk. In May 2007, we issued Report 2006‑601, which provided an initial list of high‑risk state agencies and statewide issues. We have since issued several reports updating the list of those agencies and issues that represent high risk to the State. Further, as state regulations require, we establish and post to the State Auditor’s website a tentative plan for performing audits regarding state agencies and statewide issues that appear on the state high‑risk list. Finally, we also include on our website a list of all audits that we are performing, including those of high‑risk state agencies and statewide issues.

To update our assessment of high‑risk state agencies and statewide issues, we interviewed knowledgeable staff at the responsible state agencies to gain perspective on the extent of the risks the State faces. We reviewed the efforts that staff at the agencies said were underway and were intended to mitigate the identified risks. We reviewed reports and other documentation relevant to the issues. Finally, we conferred with agencies and interested parties, such as the Department of Finance, the Legislative Analyst’s Office, Office of the Inspector General within the California Department of Corrections and Rehabilitation, and the Little Hoover Commission. Each of the entities we conferred with provided its perspective on high‑risk agencies and issues it believes the State faces, and we analyzed those agencies and issues to determine whether they should be included on the state high‑risk list.

Our discussions with the above entities and our own analysis led us to include an additional agency in this state high‑risk report. Specifically, we are adding the California Department of Social Services as a high‑risk agency. Finally, we explain why we did not include accountability over homelessness spending and program outcomes but discuss our concern with the California Interagency Council on Homelessness’s implementation of legislative requirements.

New High-Risk Agency

CALIFORNIA DEPARTMENT OF SOCIAL SERVICES: ERRORS IN CALCULATING CALFRESH BENEFITS REDUCE PROGRAM EFFECTIVENESS AND COULD INCREASE COSTS TO THE STATE DUE TO FEDERAL LEGISLATION

Background

The Supplemental Nutrition Assistance Program (SNAP) is a federal program, administered by the states, that provides food benefits to low‑income families. Until recently, the federal government paid all benefit costs for the program. In California, the California Department of Social Services (Social Services) administers SNAP through a program called CalFresh. CalFresh is the largest food program in California and provides an essential hunger safety net.

 In July 2025, the One Big Beautiful Bill Act (OBBBA) became federal law and made changes to SNAP that will increase states’ share of SNAP costs in two ways. First, starting in federal fiscal year (FFY) 2027, which begins on October 1, 2026 and ends on September 30, 2027, states will be responsible for 75 percent of administrative costs for the program rather than the current rate of 50 percent. Second, states meeting certain conditions—likely including California—will be required to pay for a portion of their benefit costs, which has previously been funded entirely by the federal government. The latter of these two changes is likely to have the most significant impact for California.

Beginning in FFY 2028, a state’s payment error rate (PER) will determine the percentage of its SNAP benefit cost for which it is responsible, as the text box shows.¹ The PER measures the accuracy of each state’s eligibility and benefit determinations. Payment errors include both overpayments—when households receive greater benefits than they are eligible to receive—and underpayments—when households receive less benefits than they are eligible to receive.

Currently, states with a PER of 6 percent or above must prepare a Corrective Action Plan (CAP) and provide updates to the CAP through regular, semiannual updates to the U.S. Department of Agriculture (USDA). In FFY 2024, only nine states reported a PER below 6 percent. California’s PER has remained higher than this threshold and has hovered around the national average since FFY 2017, as Figure 1 shows. California has had to submit CAPs since FFY 2017 based on federal law.

Figure 1
California’s PER Did Not Differ Significantly From the National Average From FFY 2017 Through 2024

Source: USDA data and federal law.
Note: No USDA PER data are available for 2020 and 2021 because of quality control suspensions related to the COVID‑19 pandemic.

Figure 1 shows a line graph with points representing California’s PER and the national average PER from FFY 2017 through 2024. Above the graph, there is a note that states “While California’s SNAP PER generally matched the national average from FFY 2017 through FFY 2024, applying the OBBBA’s state contribution benefit cost changes show that California has not had a PER in the range that allows for a zero percent state contribution since FFY 2017.” The y-axis documents the “Payment Error Rate” and the x-axis documents the “Federal Fiscal Year” from 2017 to 2024. The y-axis also documents “OBBBA’s State Contribution Range” by shading the graph’s background to indicate the percent a state would need to contribute to its SNAP benefit costs based on its PER. This shading illustrates that most points in recent years fall within the 15 percent contribution range. The lines for the national average PER and California’s PER are plotted around seven percent from 2017 to 2019. There is a gap between California’s PER and the national average PER from 2020 to 2021. The lines for the national average PER and California’s PER are then plotted around 11 percent from 2022 to 2024. Below the graph there is a note that states “No USDA PER data are available for 2020 and 2021 because of quality control suspensions related to the COVID‑19 pandemic.”

Assessment

Because the recent federal changes to SNAP will require California to shoulder part of the cost of the program’s benefits, CalFresh is now a high‑risk program. If the State does not decrease its PER, it will likely need to spend about $2 billion annually to maintain CalFresh benefits.² Social Services explained that implementing the necessary corrective actions to decrease the State’s PER will require time. Through an audit of CalFresh, our office could identify specific steps Social Services should take to ensure that it is able to reduce the PER effectively and efficiently.

Because of California’s Payment Error Rate, the State Will Incur Substantially Increased Costs Related to CalFresh

The impending change in SNAP’s funding structure and Social Services’ struggle to lower the PER will significantly impact the State’s budget. In FFY 2024, California had a PER of nearly 11 percent. According to Social Services’ 2025 CAP for FFY 2024, the largest cause of payment errors was related to inaccurate wages and salaries of participants. Specifically, in its CAP, Social Services reported that errors most frequently occur when household income is not accurately captured at the time of the initial application or during recertification. Factors contributing to this error include when county eligibility workers fail to determine a participant’s actual total earned income or when participants fail to report income due to limited understanding of rules. Although this PER is not an unusual rate for a large state and is close to the national average rate, the changes in the OBBBA will require California to pay for 15 percent of its SNAP benefits if it does not decrease its PER to below 10 percent. To estimate the amount of this potential future cost, we calculated 15 percent of California’s state fiscal year (SFY) 2024–25 SNAP appropriation.³ This calculation suggests that if the State’s PER remains unchanged, the OBBBA will lead to more than $1.8 billion in additional costs for State benefits alone, as Figure 2 shows. In addition, the OBBBA will raise the State’s administrative costs by more than $600 million. The State’s total estimated additional costs would therefore be nearly $2.5 billion annually, based on SFY 2024–25 amounts.

Figure 2
Under the OBBBA, California’s Share of CalFresh Costs May Increase by Nearly $2.5 Billion

Source: Auditor‑generated using California’s SFY 2024–25 Spending Plan and federal law.
Note: The OBBBA SNAP changes to federal and state shares of allotment costs go into effect in FFY 2028 and, for FFY 2028, will be based on the State’s PER from FFY 2025 or FFY 2026.
* We calculated these column values using California’s FFY 2024 PER of 11 percent, resulting in the State paying 15 percent of its CalFresh benefit costs. Beginning in FFY 2027, the OBBBA will require the State to pay an additional 25 percent of its administration costs.
^† California shares its state CalFresh administration costs with local counties. Currently, 50 percent is federally funded, 35 percent is state funded, and 15 percent is county funded.
^‡ Administration costs also include the administration of the California Food Assistance Program.

Figure 2 shows a bar graph comparing different categories of California’s CalFresh costs before and after the OBBBA. Above the graph, there is a key that shows that the graph will contain bars for costs “Before OBBBA” and “After OBBBA”. In the key, there is an asterisk next to “After OBBBA” that is explained by a note below the graph. This note states “We calculated these column values using California’s FFY 2024 PER of 11 percent, resulting in the State paying 15 percent of its CalFresh benefit costs. Beginning in FFY 2027, the OBBBA will require the State to pay an additional 25 percent of its administration costs.” The graph’s y-axis documents “Dollars in Billions” and the x-axis documents three categories of CalFresh costs: “California’s Share of Benefit Costs”, “California’s Share of Administration Costs”, and “Total Cost to California”. “California’s Share of Administration Costs” contains a double dagger mark that is explained by a note below the graph. This note states that “Administration costs also include the administration of the California Food Assistance Program.” “California’s Share of Benefit Costs” documents a bar up to the $1.845 billion mark for costs “After OBBBA”. “California’s Share of Administration Costs” documents a bar up to the $1.238 billion mark for “Before OBBBA” and a bar up to the $1.841 billion mark for “After OBBBA”. The “After OBBBA” bar in this section is labeled with a dagger mark that is explained by a note below the graph. This note states that “California shares its state CalFresh administration costs with local counties. Currently, 50 percent is federally funded, 35 percent is state funded, and 15 percent is county funded.” The “Total Cost to California” section shows a bar up to the $1.238 billion mark for “Before OBBBA” and a bar up to the $3.686 billion mark for “After OBBBA”. This section also contains a transparent bar above the “Before OBBBA” bar to illustrate the $2.448 billion difference between the two bars. Below the graph, there is a note that states “The OBBBA SNAP changes to federal and state shares of allotment costs go into effect in FFY 2028 and, for FFY 2028, will be based on the State’s PER from FFY 2025 or FFY 2026.”

If Social Services is able to lower the PER to between 8 percent and 10 percent, the State will still be responsible for paying 10 percent of the costs of SNAP program benefits, or about $1.2 billion. This is particularly concerning considering that California faces growing multiyear budget deficits, as well as a $20 billion operating deficit for SFY 2026–27. The addition of these significant, new state costs will jeopardize a key program for Californians in need and pose a serious impediment to balancing the State’s budget.

Although Social Services Plans to Decrease the PER, It Is Underprepared for the OBBBA Funding Changes

 Although Social Services’ 2025 CAP for FFY 2024 includes a list of actions it intends to take to lower the PER, as the text box shows, some strategies have yet to begin. For example, Social Services intends to launch a multifaceted and multiyear accuracy improvement effort in FFY 2026. In October 2025, Social Services stated that it had been working diligently to evaluate and begin implementing changes in response to the OBBBA, but it needs adequate time to do so. It further explained that although recent state legislation has provided funding for PER reduction work, it has not had time to hire the additional staff and has only just begun to consult with stakeholders and to develop specific strategies and policies. Social Services also added that it will not be able to accurately assess how any changes it makes will impact the PER until it has the opportunity to evaluate and model various strategies.

It is unclear when Social Services’ PER reduction efforts will be implemented and what their impact will be. Given the complexity of the task it faces, we believe that the department is unlikely to lower the PER meaningfully in a timely manner. Because the OBBBA’s changes to California’s contribution will take effect in less than three years and, for FFY 2028, will be based on the State’s PER for FFY 2025 or 2026, at the State’s election, the State will likely need to increase its spending to maintain benefits for CalFresh beneficiaries.

An Audit May Lead to Policy Changes That Significantly Reduce the State’s Future Costs for Maintaining SNAP Program Benefits

Although the immediate cause of the increased expenses to California—federal budget decisions in the OBBBA—is outside of Social Services’ control and our audit authority, the department can and should work to reduce the PER. An audit by our office would assist Social Services in these efforts. In particular, a high‑risk audit could identify potential weaknesses and needed improvements in Social Services’ PER quality control processes, including determining whether the department is adequately measuring the frequency of electronic verification and ensuring client compliance with income reporting requirements. By identifying needed improvements in Social Services’ oversight of CalFresh and providing related recommendations, an audit could help to limit the additional future costs the State may have to pay for SNAP program benefits. In addition, lowering the State’s PER, regardless of federal policy, will enable the State to better maximize the ability of the CalFresh program to help those in need.

Response from Social Services and State Auditor’s comments.

Retained High-Risk Agencies and Issues:

• The Employment Development Department Continues to Struggle with Improper Payments, Claimant Service, and Eligibility Decision Appeals
• The State’s Management of Federal COVID-19 Funds Continues to be a High-Risk Issue
• Late Financial Reporting Remains a High-Risk Issue
• The Department of Health Care Services Has Not Adequately Demonstrated Progress to Resolve Problems With Medi-Cal Eligibility Determinations
• The State’s Information Security Remains a High‑Risk Issue
• The California Department of Technology Has Not Made Sufficient Progress in Its Oversight of State IT Projects
• California’s Deteriorating Water Infrastructure and Climate Change May Threaten the Lives and Property of Its Residents and the Reliability of the State’s Water Supply

---

THE EMPLOYMENT DEVELOPMENT DEPARTMENT CONTINUES TO STRUGGLE WITH IMPROPER PAYMENTS, CLAIMANT SERVICE, AND ELIGIBILITY DECISION APPEALS

Background

The Employment Development Department (EDD) provides billions of dollars in partial wage replacement benefits each year to Californians who need and seek such benefits (claimants). One of EDD’s primary responsibilities is its administration of the Unemployment Insurance (UI) program. Funded in part by taxes on employers, the UI program provides temporary financial assistance to unemployed workers who meet specific eligibility requirements, including those workers affected by the COVID‑19 pandemic.

In our 2023 State High‑Risk Audit Program report, our office added EDD to the high‑risk list because of inadequate fraud prevention and claimant service, including a high rate of overturned eligibility decisions in its UI program. In Report 2020‑628.2, January 2021, we explained that EDD’s significant missteps and inaction related to fraud prevention during the pandemic led to billions of dollars in unemployment benefit payments that EDD later determined may have been fraudulent.

Moreover, as we described in Report 2020‑128/628.1, January 2021, EDD did not prepare for an economic downturn despite multiple warnings, a key example of which was EDD’s slow efforts to improve its UI call center and overall claimant experience. Because the department did not address longstanding problems with the efficiency of its UI customer service, including its call center, EDD was often unable to answer claimant questions and process claims in a timely manner during the pandemic.

In addition, in our 2023 report, we found that EDD’s eligibility decisions continued to be frequently overturned upon appeal, requiring some UI claimants to face even longer delays than are typical. From 2017 through 2022, the California Unemployment Insurance Appeals Board (appeals board) ultimately overturned in favor of the claimant more than 40 percent of the issues in UI eligibility decisions that claimants appealed. We noted that this rate of overturned decisions is consistent with the high rate of overturned decisions we described in Report 2014‑101, August 2014.

Assessment

EDD continues to be a high‑risk agency because of insufficient improvement in managing its UI program. EDD continues to have high rates of improper UI payments, including fraudulent payments, and it needs to improve the customer service it provides to UI claimants. EDD also needs to take steps to ensure that its eligibility decisions are not frequently overturned on appeal. Although it has made efforts in these areas, in its 2025 assessment, EDD failed to meet acceptable levels in more than half of the measures on which the federal government evaluates its performance. These inadequacies have resulted in a substantial risk of serious detriment to the State and its residents. A high‑risk audit may result in recommendations that could substantially reduce the risks we have identified.

EDD’s Efforts to Reduce Unacceptably High Levels of Improper Payments Including Fraudulent Payments in Its UI Program Are Not Yet Adequate

EDD’s levels of improper payments, including those resulting from fraud, continue to pose a substantial risk of serious detriment to the State. In calendar years 2023 and 2024, its estimated rate of improper payments remained above the acceptable level of less than 10 percent of payments established by the federal government, with its estimated amount of improper payments totaling approximately $1.5 billion over these two years. Further, its estimated rate of fraudulent payments remains above the level it was in 2019, before the pandemic, indicating that the amount of fraud was more than $500 million in 2024 alone.

Although EDD has implemented a number of measures to control improper payments and fraud, some of those measures have been in place for several years and have still not helped to consistently reduce improper payments to acceptable levels. Further, in its plans for countering improper payments, EDD has not always clearly identified the causes of the high amounts, nor has the agency determined how it will use its various measures to bring them to acceptable levels.

EDD Has Not Provided State Residents With Sufficient Customer Service, Resulting in Significant Challenges to Claimants Obtaining UI Benefits

Despite EDD’s various corrective actions over the years to begin addressing customer service deficiencies in its UI program, it is still unable to consistently meet federal standards. Although EDD has implemented or resolved our January 2021 recommendations related to customer service and has since improved performance, claimants still face difficulty receiving timely payment and often call EDD multiple times for help with their claims. From May 2023 through May 2025, claimants who called EDD did so an average of between two and five times per week. Moreover, as Figure 3 shows, EDD does not meet the federal government’s acceptable level of performance for timeliness of first payment on a UI claim and has met the standard in only one month since January 2013. Therefore, thousands of eligible claimants each month wait longer to receive their benefits than the federal government deems acceptable. In California, this means longer than four weeks, which consist of 14 days after the end of the first eligible week, plus a one‑week waiting period. Although EDD has created a CAP as the federal government requires, and it intends to hire additional customer service staff, its hiring initiatives are delayed, and its customer service continues to fall below acceptable levels of performance.

Figure 3
EDD Has Consistently Failed to Meet the Federal Standard for First Payment Timeliness

Source: U.S. Department of Labor Payment Timeliness Reports.
* State law requires a waiting period of one week before a claimant is eligible to receive UI benefits. In addition, as specified by federal requirements, EDD counts the number of days it takes to issue the payment beginning after the end of the first week the claimant is eligible to be paid, which follows the waiting week.

A line chart showing the percentage of first unemployment insurance payments issued within 14 days compared to the federal standard of 87 percent during the period of 2013 to 2025. The chart indicates that the Employment Development Department (EDD) consistently failed to meet the federal standard across all years, having met the standard in only one month since January 2013. State law requires a waiting period of one week before a claimant is eligible to receive unemployment insurance benefits. In addition, as specified by federal requirements, EDD counts the number of days it takes to issue the payment beginning after the end of the first week the claimant is eligible to be paid, which follows the waiting week. The source for this figure is the U.S. Department of Labor Payment Timeliness Reports.

Many of EDD’s UI Eligibility Decisions Are Not Upheld on Appeal

EDD’s eligibility decisions continue to be frequently overturned on appeal to the appeals board, which contributes to some UI claimants waiting much longer for decisions than federal standards consider acceptable. In 2023 and 2024, the appeals board overturned or modified in favor of the claimant more than 43 percent of the issues claimants appealed. This rate of overturned EDD decisions is only slightly lower than the rate of overturned decisions we noted in both Report 2023‑601, August 2023, and Report 2014‑101, August 2014. Further, claimants appealing EDD’s determinations face a lengthy wait for a final decision. As of March 2025, the appeals board resolved less than 4 percent of first level appeals within 30 days or less, compared to the federal standard of at least 60 percent, resulting in additional delays to claimants receiving benefits.

An Audit May Lead to Policy Changes That Significantly Reduce EDD’s UI‑Related Risks

Additional audit work by our office may assist EDD in mitigating the risk that its handling of the UI program presents. A high‑risk audit would provide independently developed and verified information regarding EDD’s management of the UI program and its challenges. Such an audit would also include analyses that serve as the basis for recommendations to assist EDD in resolving these risks. For example, an audit could evaluate EDD’s efforts to identify potentially fraudulent or improper UI claims, which could lead to recommendations for how to effectively reduce its improper payment rate. A deeper examination of EDD’s UI claimant service and its high rate of denied UI claims overturned on appeal could result in recommendations for how to improve the UI claims process and how to reduce the high rate of denied UI claims overturned on appeal.

Status: Retained on the high‑risk list

Response from EDD.

---

THE STATE’S MANAGEMENT OF FEDERAL COVID‑19 FUNDS CONTINUES TO BE A HIGH‑RISK ISSUE

Background

We first designated the State’s management of federal funds related to COVID‑19 (federal COVID‑19 funds) as a high‑risk statewide issue in Report 2020‑602, August 2020, based on the significant amount of funding granted to the State, the urgent need for the funding, and the rapid nature of the allocation of this funding to state departments, among other factors. As part of its response to the COVID‑19 pandemic (pandemic), the federal government provided the State with $285 billion in federal COVID‑19 funds over the course of two years. The accompanying need to create new programs and to support significant expansion of benefits under existing programs in a short time posed a risk that the State would not manage the funding effectively. As a result, we initially designated the State’s management of these funds as a statewide high‑risk issue in August 2020. However, most of the federal awards to the State have now expired. In fact, the State’s active grants as of July 2025 comprised $37 billion, representing 13 percent of the $285 billion it was awarded. Further, data from the Department of Finance (Finance) show that the State has spent about $35 billion of active grants, leaving about $2 billion available to spend.

In an effort to mitigate the risk that the State would not spend all of its federal COVID‑19 funds, we performed 11 state high‑risk audits of agencies and programs that received the substantial influx of funding and found that they frequently experienced significant hurdles in using those funds. In total, the 11 audits resulted in 85 recommendations. For example, our audit of the Board of State and Community Corrections found that it had allocated funds to the California Department of Corrections and Rehabilitation without justifications and that its allocation methodology did not consider important elements, such as the impact of the pandemic. Of the 85 recommendations we made among the 11 audits, 20 remain unimplemented. Finance similarly completed eight audits of agencies’ use of federal COVID‑19 funds that resulted in 42 recommendations. For example, Finance found that the Department of Housing and Community Development (HCD) could improve its efforts to develop clear outcome statements and report accurate and complete performance data to Finance in accordance with federal requirements. Five of Finance’s recommendations remain unimplemented as of August 2025. Finance is in the process of completing two additional audits for a program with $540 million of federal COVID‑19 funds that remain available for the State to spend.

Assessment

The State’s management of federal COVID‑19 funds continues to represent a significant risk to California and its residents and will therefore remain a high‑risk issue. As we note in the Background, according to Finance’s data, the amount of federal COVID‑19 funds the State is managing has decreased significantly from the amount initially awarded to the State.⁴ However, the $2 billion that remains is still a significant amount for the State to manage. Further, $1.3 billion of these funds expires by December 31, 2026, and there is a risk that the State may not fully spend this large amount. Among the awards that have already expired, the State has allowed $820 million to expire unspent. For example, the federal government awarded the California Department of Public Health (Public Health) $418 million for the State’s portion of Immunization Cooperative Agreements for COVID‑19 Vaccine Preparedness. When the grant expired at the end of June 2025, Public Health had spent only $313 million of its award and therefore lost access to the remaining $105 million.

We spoke with officials at Public Health who identified several factors that made spending awards difficult. For example, they indicated that the revocation of the State’s emergency powers in February 2023 associated with the Governor’s State of Emergency caused Public Health to reduce the speed at which it allocated remaining funds to build the infrastructure to vaccinate the population. Further, the officials described how the federal Centers for Disease Control (CDC) extended the original spending deadline from June 2024 to June 2025 and then extended it again to June 2027. In response to the extensions, Public Health officials stated that they adjusted the program’s plans for spending to continue on to the new deadlines. However, the officials indicated that the CDC later notified Public Health in April 2025 that all the program’s previously approved COVID‑19 grant funds would expire at the end of June 2025, preventing Public Health from fully expending those funds.

The significant remaining amounts and approaching expiration dates for these awards present a risk that the State will not use all of this funding. As for the more than $781 million that will remain available after December 2026, the table shows the eight programs and state departments that manage those funds, and that the awards expire in 2027, 2029, or 2030. Two of these eight programs have spent very little of their awarded funding as of July 2025—one program that focuses on housing has spent only 5 percent of its $155 million award, while the other that focuses on California’s public health infrastructure has spent only 8 percent of its $145 million award. Regardless of the longer period of availability for these awards, the programs’ slow rate of spending presents further risk that the State will not use all its remaining funding.

Additional audit work could help reduce the State’s risk of misusing these funds or of not maximizing their use. The audits that our office and Finance previously performed resulted in a significant number of findings that state departments and their subrecipients had not managed funds according to federal and state requirements. Nearly 20 percent of these recommendations remain unimplemented. Moreover, Finance and our office have not audited many of the programs with remaining funds, and the departments implementing those programs may be managing funds in ways that federal requirements do not allow. Additional audits of this issue could generate recommendations to ensure that these federal COVID‑19 funds are spent prudently, within acceptable time frames, and in accordance with federal and state requirements.

Status: Retained on the high‑risk list

Response from Finance and State Auditor’s comments.

---

LATE FINANCIAL REPORTING REMAINS A HIGH‑RISK ISSUE

Background

The accuracy and timeliness of the State’s financial reporting is of vital importance to the State and its residents. A key method the State uses to provide fiscal oversight and transparency is the mandatory Annual Comprehensive Financial Report (ACFR) that the State Controller’s Office (State Controller) prepares. The ACFR is composed of financial information from the State’s many departments and agencies, which collectively represent the financial position of the State. The report, which includes the State Auditor’s annual opinion on whether the financial statements are presented fairly in all material respects, provides an important resource for stakeholders, such as the State’s creditors, to use when making decisions about the State’s ability to borrow money affordably. Further, failing to promptly submit the audited ACFR for federal review could result in the withholding of billions of dollars in federal grant awards.

To support its financial reporting needs, the State has focused significant effort on modernizing its financial management infrastructure through the implementation of a project known as the Financial Information System for California (FI$Cal). The scope, schedule, and budget of this nearly $1 billion information technology (IT) project have undergone numerous revisions since it began in 2005. However, despite two decades of continued effort, many state entities continue to struggle to use the system to submit timely data for the ACFR.

In Report 2019‑601, January 2020, the State Auditor added to the state high‑risk list the State’s inability to produce timely financial reports during the transition to FI$Cal. At the time, we noted that since fiscal year 2017–18, the State had issued financial statements late, which could affect the State’s credit rating. The COVID‑19 pandemic also created new financial complexities that affected the State’s financial reporting, such as the increased pandemic‑related spending by EDD and its UI fund. In our previous assessment of high‑risk issues, we noted that the State Controller issued the State’s financial statements for fiscal year 2020–21 later than in previous years—12 months after its traditional deadline and six months after a general extension on financial reporting that the federal government provided because of the pandemic. We also noted that the State’s ACFR for fiscal year 2021–22 had not yet been issued, as of August 2023.

Assessment

The State’s financial statements for fiscal years 2021–22, 2022–23, and 2023–24 were issued in March 2024, December 2024, and September 2025, respectively. Although these recent ACFRs have been issued much sooner than in prior years, the State’s continued inability to produce timely financial reports represents a state high‑risk issue. Because of the significance of this issue, our office has contracted with an independent accounting firm to conduct an external audit of this high‑risk issue, which is currently underway. The audit will examine and identify opportunities for improvement or greater efficiency at the State Auditor’s Office, State Controller, Finance, and five state entities that report financial data material to the State’s ACFR and that did not provide timely and accurate financial reports. We are retaining this issue on the high‑risk list and will reconsider its status upon completion of the contractor’s audit.

Status: Retained on the high‑risk list

Response from the State Controller and State Auditor’s comments.

---

THE DEPARTMENT OF HEALTH CARE SERVICES HAS NOT ADEQUATELY DEMONSTRATED PROGRESS TO RESOLVE PROBLEMS WITH MEDI‑CAL ELIGIBILITY DETERMINATIONS

Background

The Department of Health Care Services (Health Care Services) is responsible for overseeing the State’s implementation of the federal Medicaid program, known in California as Medi‑Cal. Medi‑Cal provides comprehensive health services—including preventive, routine, and emergency care—for eligible residents such as low‑income children, pregnant women, families, and elderly or disabled individuals. As part of this responsibility, Health Care Services ensures that counties’ determinations of eligibility for applicants are appropriate and completed in a timely manner. Health Care Services’ role is pivotal because erroneous determinations of eligibility can result in inappropriate expenditures or in residents experiencing barriers to access needed services.

Our office previously issued Report 2018‑603, October 2018, and Report 2019‑002, October 2020, which both identified discrepancies in Medi‑Cal eligibility records resulting in at least $4 billion in questionable payments. We also found that Health Care Services had suspended the processes it used to ensure that county welfare agencies addressed eligibility discrepancies, including monitoring their adherence to performance standards, requiring CAPs, and, if necessary, imposing financial sanctions, because of difficulties that counties faced during the initial implementation of the Affordable Care Act. As we discuss later, Health Care Services only recently reinstated these processes. In Report 2020‑613, July 2021, we reported that even after considering the effects of the COVID‑19 public health emergency, Health Care Services could still do more to address chronic Medi‑Cal eligibility problems. In Report 2021‑601, August 2021, we reported that Health Care Services remained a high‑risk agency, because it had not corrected discrepancies in its Medi‑Cal eligibility system and that the problem had continued to grow. In our most recent state high‑risk assessment, Report 2023‑601, August 2023, we found that although Health Care Services was positioning itself to make progress on this issue, eligibility discrepancies remained a problem.

Assessment

Although it has made some progress since our last assessment, Health Care Services has not adequately resolved problems involving Medi‑Cal eligibility and will remain on the state high‑risk list. As of April 2025, the number of eligibility discrepancies between the county and state eligibility systems remains only somewhat below the level that we identified in 2021 that was estimated to have caused the State to disburse $1.9 billion in questionable payments. Additionally, as we have previously reported, Health Care Services may also deny benefits to individuals who may be entitled to receive them. The large number of eligibility discrepancies continues to present a substantial risk of serious financial detriment to the State, as well as to some Californians seeking healthcare services.

Since our last report, Health Care Services has issued guidance to counties on how it plans to monitor performance standards, which include standards related to resolving eligibility discrepancies. Counties must provide a CAP if they are noncompliant with the standards, and Health Care Services can issue financial sanctions for failure to demonstrate measurable improvement. However, Health Care Services is still in the first round of this review process, and its schedule indicates that it plans to issue its first report in December 2025. Further, if Health Care Services requires a county to produce a CAP, the county would have an additional two months to develop one. Although Health Care Services has implemented steps to resume oversight of Medi‑Cal eligibility discrepancies, it is yet to be determined whether these actions will result in substantial reductions in outstanding discrepancies and questionable costs.

Because of the ongoing and longstanding risks and its lack of significant progress, Health Care Services’ management of Medi‑Cal benefits remains on the high-risk list. Additional audit work by our office could assist in mitigating these risks by assessing Health Care Services’ progress in addressing ineligible Medi‑Cal recipients and reviewing the processes and effectiveness of Health Care Services’ county reviews. Further, an audit could lead to recommendations to improve the process of resolving eligibility discrepancies.

Status: Retained on the high‑risk list

Response from Health Care Services and State Auditor’s comment.

---

THE STATE’S INFORMATION SECURITY REMAINS A HIGH‑RISK ISSUE

 Background

Information security is the protection of the confidentiality, integrity, and availability of the State’s information assets, and such assets include data, processing capabilities, and IT infrastructure. State law generally requires state entities that are under the Governor’s direct authority (reporting entities) to comply with the information security practices that the California Department of Technology (Technology) prescribes. Technology has the authority to audit reporting entities to evaluate their compliance with information security and privacy policies (compliance audits). Reporting entities are also required to report annually to Technology on compliance with these practices. However, state law does not require entities that fall outside of the Governor’s direct authority (nonreporting entities), such as constitutional offices and those in the judicial branch, to follow Technology’s policies and procedures.⁵ As the text box shows, we first identified information security as a high‑risk issue in September 2013 and have continued to consider it a high‑risk issue.

Assessment

Although Technology has increased its capacity to conduct compliance audits, reporting entities’ cybersecurity maturity continues to be below the state standard, and many nonreporting entities are not complying with cybersecurity requirements; therefore, we will retain information security on the state high‑risk list. Technology is responsible for providing direction for the State’s information security efforts and reviewing the security of reporting entities. To help determine the effectiveness of information security for reporting entities, Technology relies, in part, on audits of the entities’ compliance with the State’s security and privacy policies. In Report 2022‑114, April 2023, we expressed concerns about Technology’s ability to quickly complete audits of all reporting entities. However, from April 2023 through May 2025, Technology increased its capacity to complete compliance audits by growing the number of staff assigned to work on these audits by 26 percent. Additionally, as of August 2025, Technology had audited all reporting entities that are required to receive an audit.

Technology uses technical assessments—which consist of technical analyses of information systems to identify cybersecurity risk—and its compliance audits to summarize each reporting entity’s cybersecurity status into a single score called a maturity metric. Technology asserts that it informs reporting entities that the minimum baseline maturity metric score is 2.0, which indicates that an entity has developed practices and procedures for operationalizing the foundational elements of its information security program. However, as of July 2025, a majority of reporting entities had a maturity metric score below Technology’s standard. Figure 4 shows that the average maturity metric score was 1.6 out of 4.0. This score conveys that, on average, even though reporting entities have developed the foundational elements of their information security program, they are still in the process of developing the practices and procedures to implement their information security programs. This average score is an improvement over the average score we noted in Report 2022‑114, April 2023, although most state entities continue to fall short of minimum standards.

Figure 4
State Entities, on Average, Have Not Reached the Baseline Standard Maturity Metric Score

Source: Technology staff interviews and maturity metric scores.

This chart shows that Information Security maturity levels range from zero to four, where higher scores indicate greater maturity. Levels zero to two represent the development of foundational elements. Levels three through four represent the implementation of the information security program. The statewide baseline standard is a score of two, while the average score for reporting entities is one and six tenths as of July 2025. The source of this figure is Technology staff interviews and maturity metric scores.

Nonreporting entities also need to improve their information security. Legislation that went into effect in 2023 implemented our prior audit recommendation to improve the security of nonreporting entities. Nonreporting entities are now required to perform a comprehensive, independent security assessment every two years and to annually certify to Technology their compliance with certain security requirements, or alternatively, confirm to Technology that they voluntarily and fully comply with Technology’s information security policies and procedures. Technology is then required to review the annual certifications and report to the Legislature a summary of the status of nonreporting entities. However, Technology did not submit to the Legislature its most recent report until August 2025, more than five months after the timeline required by state law. In its August 2025 report, Technology identified that 46 percent of nonreporting entities were out of compliance with either a certification of their information security status or their plan of action and milestones. Technology also reported that the aggregated independent security assessment scores of nonreporting entities were slightly below the state average, indicating that cybersecurity is an issue with both reporting entities and nonreporting entities.

Because cybersecurity poses a significant risk to the State, and the State’s compliance and preparedness remains inadequate, we are retaining this issue on the high‑risk list. The State continues to need improvements in its cybersecurity practices, and although it has been focusing its attention on cybersecurity, it has not substantially mitigated the ongoing risk from inadequate information technology practices. Finally, additional audit work by the State Auditor could assist in mitigating the risk presented by this issue area and could lead to recommendations to improve Technology’s oversight of information security.

Status: Retained on the high‑risk list

Response from Technology and State Auditor’s comments.

---

THE CALIFORNIA DEPARTMENT OF TECHNOLOGY HAS NOT MADE SUFFICIENT PROGRESS IN ITS OVERSIGHT OF STATE IT PROJECTS

Background

We added IT oversight to the state high‑risk list in our initial high‑risk assessment Report 2006‑601, May 2007, because a number of costly and complex projects were underway at the time, and the State had a history of failed IT projects. State law makes Technology responsible for approving, overseeing, and monitoring the State’s IT projects. Since that initial assessment, Technology implemented the Project Approval Lifecycle (PAL) to, in part, address historical challenges the State has faced in completing IT projects on time and within budget. This four‑stage IT project approval process seeks to ensure that larger projects—those anticipated to cost more than $5 million—include strong business cases, clear objectives, accurate costs, and realistic schedules.

Technology has not been able to demonstrate that PAL has reduced the risk of IT projects failing or exceeding their budgets and timelines. Our state high‑risk assessment Report 2021‑601, August 2021, found PAL’s effectiveness to be unclear because Technology had not demonstrated that PAL was a consistent success across projects of varied importance—especially highly critical and complex projects. We further noted in Report 2022‑114, April 2023, that PAL had several key weaknesses, including its time‑consuming nature, which could delay project approvals. In one instance, we observed that Technology’s process of reviewing procurements took 30 months. We also found that Technology lacked documented metrics to evaluate or demonstrate the effectiveness of PAL, despite a past recommendation from the Legislative Analyst’s Office (LAO) that Technology should report at legislative budget hearings on the quantitative and qualitative measures of success. Moreover, in Report 2023‑601, August 2023, we noted that the weaknesses we observed in PAL persisted and that Technology’s oversight process has continued to be ineffective in addressing other previously identified shortcomings.

Assessment

Technology has taken steps to improve the PAL process, although other areas of risk remain. Technology has now fully implemented two of three recommendations from Report 2022‑114, April 2023, that were pertinent to its oversight of IT projects. Specifically, Technology has revised the PAL process to require that proposed projects align with statewide strategic initiatives, and it has completed analyses of its IT project success metrics, including whether projects are completed on time and within budget. Figure 5 shows that according to Technology’s metrics, PAL produced better outcomes than the industry benchmark from 2019 through 2023, resulting in 56 percent of projects being successful, 44 percent of projects being challenged, and no failed projects. However, Technology has not fully implemented our recommendation to revise the PAL process to promote the use of modern approaches, such as modular or Agile, when developing new systems.

Figure 5
PAL Produces a Higher Rate of Successful Projects and Fewer Challenged Projects Than the Industry Standard

Source: Technology’s PAL project outcomes documentation.
Note: A successful project is one that delivers its desired functionality within a 10 percent variance of being on time and within budget. A challenged project is one that delivers its desired functionality but with a greater than 10 percent variance of being on time and within budget. A failed project is one that Technology has terminated. Finally, the industry benchmark is based on the Standish CHAOS Report: Beyond Infinity (2020).

Figure 5 compares California’s IT projects, completed between 2019 to 2023, to industry benchmarks, established in the Standish CHAOS Report: Beyond Infinity (2020). These benchmarks are successful, challenged, and failed. A successful project is one that delivers its desired functionality within a ten percent variance of being on time and within budget. A challenged project is one that delivers its desired functionality, but with greater than ten percent variance of being on time and within budget. A failed project is one that Technology has terminated. For the successful benchmark, California completed projects at a rate of 56 percent, with the industry rate set at 31 percent. For the challenged benchmark, California completed projects at a rate of 44 percent with the industry rate set at 50 percent. For the failed benchmark, California had no projects fail with the industry rate at 19 percent. The source of this figure is PAL project outcome documentation from Technology.

Although Technology has strengthened the PAL process and demonstrated its relative success, PAL remains a protracted stage of IT project development that can delay project execution. As we reported in Report 2022‑114, April 2023, some state agencies have said that the PAL process is too lengthy and delays the approval of projects. Moreover, in a March 2024 press release, Technology expressed its desire for a faster process. However, officials at Technology indicated that factors outside of their control, such as the annual budget process, organizational maturity, the quality of the state agency’s submitted planning documents, and changes in state agency and administration business priorities also contribute to delayed project execution. To evaluate how long projects spend in PAL, we looked at the eight highly critical IT projects currently using PAL as of November 2025. Criticality is determined based on a range of factors, including the project’s technical complexity, business complexity, budget, and durations. We reviewed these highly critical projects because their failure poses the greatest risk to the State. Figure 6 shows that these projects have been in PAL for as few as nine months to as long as 109 months—about nine years. Because the purpose of these IT projects is to address priority strategic needs, these delays in approval pose a risk of impairing the delivery of important government services.

Figure 6
Current Highly Critical Rated IT Projects Have Been in PAL for an Extensive Period

Source: Technology PAL IT project documentation.
Note: We determined each project’s start date in PAL by identifying the date that the requesting agency originally submitted the project’s PAL Stage 1 Business Analysis form to Technology.

The following eight projects are Technology’s current highly critical rated IT projects in PAL.
1. California Child Care Workforce Registry—California Department of SocialServices<h1>
This project has been in PAL since early 2025—9 months.
Social Services currently obtains childcare provider information through a multitude of programs and surveys. This registry will provide a single platform to help ensure that required training for childcare educators is up-to-date and aligns with statutory requirements.
2. Electronic Adjudication Management System—Department of Industrial Relations <h1>
This project has been in PAL since late 2024—16 months.
Industrial Relations’ current system supports more than 8 million cases by managing the adjudication of benefit issues and assisting injured workers in determining how much they are entitled to in workers’ compensation benefits. However, the system software has lacked some basic capabilities since its launch in 2008. For example, in 2018, the system’s inability to reassign cases in mass meant staff manually reassigned more than 58,000 court cases one at a time. This project aims to increase the system capabilities and improve accessibility.
3. Life Outcome Improvement System—Department of Developmental Services <h1>
This project has been in PAL since late 2023—24 months.
Developmental Services’ current consumer electronic records management system does not allow for centralized core business rule management, change management, and integration of case management data across all regional centers, resulting in disparate data sources, poor data consistency and integrity, and non-standard data. Further, Developmental Services’ Uniform Fiscal System is outdated with many limitations including inflexible technology, outdated workflows, and insufficient information security. This project plans to modernize both systems to ensure that needed services are coordinated, received, and accessible and to improve the quality of data received by Developmental Services.
4. EDDNext Project (Previously Re-Imaging Benefits Systems Modernization—EDD <h1>
This project has been in PAL since mid-2022—40 months.
EDD administers several multi-billion-dollar benefit programs, including the Unemployment Insurance (UI) program. Since 2021, we have reported that the UI program struggles to provide adequate customer service and struggles with preventing and detecting fraudulent payments. This project strives to modernize EDD’s benefits system to simplify the claims intake process, boost multilingual service, and mitigate fraud
5. Mobile Driver’s License Pilot—Department of Motor Vehicles<h1>
This project has been in PAL since late 2021—50 months.
Motor Vehicles issues driver’s licenses, identification cards, and REAL IDs, to millions of California residents. This project will build off of Motor Vehicles’ driver’s license and identification card enrollment process and allow California residents to obtain a digital driver’s license and/or identification card through a smartphone.
6. Firearms IT Systems Modernization—California Department of Justice<h1>
This project has been in PAL since the beginning of 2020—71 months.
Justice currently operates 17 different Firearms IT Systems that it reports are inefficient, outdated, and struggles to respond to statutory mandates pertaining to firearms. These IT systems support crucial processes, such as background investigations on individuals who apply for dangerous weapons permits. This project will simplify the patchwork of firearms systems into just two systems to more efficiently and effectively collect public safety information.
7. Emerging Threats 2 System—California Department of Food and Agriculture<h1>
This project has been in PAL since the beginning of 2019—83 months.
Food and Agriculture uses an IT system to collect, manage, and report data used in response to emergency animal disease outbreaks and food safety incidents. However, its IT system is slow, error-prone, and inaccurate. For example, early on in the Newcastle disease outbreak in 2018, Food and Agriculture staff spent two weeks validating and cleaning inaccurate data, which delayed disease surveillance and mitigation. This project will replace the IT system to effectively provide time-sensitive and reliable data for emergency responses.
8. Electronic Health Records System—Department of State Hospitals <h1>
This project has been in PAL since late 2016—109 months.
State Hospitals manages the nation’s largest inpatient forensic mental health system. However, its mainframe patient registration system was built more than 30 years ago and matches patient records incorrectly in 1 of every 20 readmitted patients. This project aims to implement a unified electronic health record system to improve primary care services.
We determined each project’s start date in PAL by identifying the date that the requesting agency originally submitted the project’s PAL Stage 1 Business Analysis form to Technology.
The source of this figure is PAL IT project documentation from Technology.

Based on agency feedback about PAL, Technology developed the Project Delivery Lifecycle (PDL) process to allow for a faster, more flexible, iterative approach to IT project planning than the outputs generated from PAL. Technology launched PDL in February 2025, initially for approving only generative artificial intelligence projects, and it will subsequently require all projects to undergo PDL starting in July 2026. Figure 7 points out key differences between the PAL and PDL processes, including the difference in end products. Departments going through PAL leave the process with a complete project plan that addresses details such as baseline project cost, schedule, and scope. In contrast, departments that complete PDL end the process with the creation of a minimum viable product, a technological solution that only includes minimum capabilities but satisfies customer needs and demands before full development. Should the minimum viable product be successful, the department would continue to work with vendors to plan, develop, and implement the remainder of the project. Technology states that the use of proofs of concept and minimum viable products in the PDL process will benefit the State because instead of unwieldy, slow projects, state entities will be able to test ideas first to confirm that they work before fully committing to the project. Technology reports that this, in turn, should help the approval process become clearer and more efficient. This change would also address our remaining outstanding recommendation to Technology.

Figure 7
PAL and PDL Are Designed to Take Different Approaches to Developing IT Projects

Source: LAO assessment of changes to the State’s technology project approval and oversight processes.

Figure 7 is a Venn diagram that compares the similarities and differences of PAL and PDL.
PAL <h1>
1. Discrete four stage project planning process
2. Solicits vendors during the final approval stage
3. Creates a complete project plan, including a baseline cost, schedule, and scope
4. Requires legislative approval
PDL <h1>
1. Incremental and iterative project planning process
2. Solicits vendors in early approval stages
3. Creates a Minimum Viable Product that, if successful, is scaled to size during project execution
4. Requires periodic legislative notification
PAL and PDL <h1>
1. Formal Technology and Finance involvement in approval process
This source of this figure is LAO’s assessment of changes to the State’s technology project approval and oversight processes.

Although the benefits of PDL appear promising, the new process has not yet proven to be successful. In April 2025, the LAO published a preliminary assessment of Technology’s plan to implement PDL, in which it expressed concerns that Technology’s timeline was aggressive and that its planned launch of its final version was premature. The LAO noted that delays in Technology’s first round of IT projects have prevented Technology from providing the Legislature with the information it desires to evaluate the process’s success and its ability to coalesce with the annual budget process. Additionally, the LAO noted that the PDL process may be less transparent than the PAL process. For example, the LAO concluded that the incremental and iterative nature of the PDL process means that baseline cost information and the understanding of subsequent project iterations might not be available until completion of the minimum viable product. Moreover, because the PDL process requires state entities to test ideas first with smaller scale projects, it can lead a project into confidential procurement sooner than previous state IT projects, limiting what information is available for the Legislature to review before approving funding requests through the annual budget process. These risks are of particular concern because of Technology’s intent to transition to reviewing all IT project proposals through the PDL process in July 2026. However, in response to the LAO’s conclusions, Technology stated that PDL will provide similar quality of transparency and documentation for external review as PAL.

Technology has not made sufficient progress in resolving issues with its oversight of IT projects to justify its removal from the high‑risk list. Technology’s PAL process is lengthy and leads to delays. Its PDL process may shorten IT project approval timelines, but Technology does not yet have outcomes to support the success of the new project approval process. Consequently, the circumstances have not changed substantially since our last assessment. Additional audit work by our office could follow up on the findings in Report 2022‑114, April 2023, by more thoroughly assessing Technology’s progress in implementing the PDL process and generating new recommendations.

Status: Retained on the high‑risk list

Response from Technology and State Auditor’s comments.

---

CALIFORNIA’S DETERIORATING WATER INFRASTRUCTURE AND CLIMATE CHANGE MAY THREATEN THE LIVES AND PROPERTY OF ITS RESIDENTS AND THE RELIABILITY OF THE STATE’S WATER SUPPLY

Background

California’s water infrastructure continues to age and require significant maintenance. We first presented the entirety of the State’s water infrastructure as a high‑risk issue in Report 2013‑601, September 2013, noting that the State’s investment in water infrastructure had not kept pace with its needs. The report also highlighted that the State’s water infrastructure had not seen noteworthy expansion since the 1970s. In fact, at the time of that report, the State’s water storage and delivery system was more than 35 years old, the federal system in the State was more than 50 years old, and some local facilities were about 100 years old. These aging systems require costly maintenance and rehabilitation and, without intervention, pose risks to public safety, water supply reliability, and water quality.

Historically, the State’s dams have posed a significant risk to human life and property. In 2017, the near failure of the Oroville Dam spillway led to our focus on the risk posed by dam safety. The Department of Water Resources’ (Water Resources) Division of Safety of Dams is responsible for overseeing the condition of the State’s more than 1,200 jurisdictional dams for the purpose of determining their safety. The division rates each dam’s condition and identifies the downstream hazard that the dam poses using the ratings that Figure 8 presents. In our previous assessment, we found that 88 dams throughout the State had both a condition rating lower than Satisfactory and a downstream hazard rating of Significant or higher.

Figure 8
Water Resources Rates the Condition and Downstream Hazard of Dams

Source: Water Resources’ dam documentation.

Dam Condition Ratings <h1>
Satisfactory <h2>
No existing or potential dam safety deficiencies are recognized.
Acceptable performance is expected under all loading conditions (static, hydrologic, seismic) in accordance with the minimum applicable state or federal regulatory criteria or tolerable risk guidelines.
Fair <h2>
No existing dam safety deficiencies are recognized for normal operating conditions. Rare or extreme hydrologic and/or seismic events may result in a dam safety deficiency. Risk may be in the range to take further action.
Poor <h2>
A dam safety deficiency is recognized for normal operating conditions which may realistically occur. Remedial action is necessary. Poor may also be used when uncertainties exist as to critical analysis parameters which     identify a potential dam safety deficiency. Investigations and studies are necessary.
Unsatisfactory <h2>
A dam safety deficiency is recognized that requires immediate or emergency remedial action for problem resolution.
Not Rated <h2>
The dam has not been inspected, is not under state jurisdiction, or has been inspected but, for whatever reason, has not been rated.
Downstream Hazard Ratings <h1>
Low <h2>
No probable loss of human life and low economic and environmental losses. Losses are expected to be principally limited to the owner’s property.
Significant <h2>
No probable loss of human life but can cause economic loss, environmental damage, impacts to critical facilities, or other significant impacts.
High <h2>
Expected to cause loss of at least one human life.
Extremely High <h2>
Expected to cause considerable loss of human life or would result in an inundation area with a population of 1,000 or more.
The source of this figure is Water Resources’ dam documentation.

In addition to dams, other elements of water infrastructure, such as levees, are of concern. Levees face serious threats—from flooding, sea level rise, and earthquakes—that could cause their failure. Water Resources inspects the maintenance of levees within the Central Valley’s State Plan of Flood Control and assigns an inspection rating of Acceptable, Minimally Acceptable, or Unacceptable. A rating of Unacceptable means that one or more deficient conditions exist that may prevent the project from functioning as designed, intended, or required. Levees rated as Minimally Acceptable have one or more conditions that need improvement or correction but will essentially function as designed with a lower degree of reliability than what the project could provide. Because many levees sustained damage from severe storms in 2017, 2019, and 2023, Water Resources developed a rehabilitation program that, in combination with efforts by the U.S. Army Corps of Engineers, has repaired 137 damaged sites, with eight additional sites that Water Resources expects to complete by 2028.

In addition to the risks associated with its aging water infrastructure, California is also at risk of experiencing water shortages that may critically disrupt its agriculture industry and limit its residents’ water supplies. The reliability of California’s water supply has been a high‑risk issue since 2013 because of ecological risk factors and pending infrastructural strategies. Figure 9 shows that Water Resources estimates that the delivery capacity of the State Water Project—California’s water storage and delivery system—could decrease by up to 23 percent by 2043 because of changes in flow patterns and extreme weather shifts.⁶ Moreover, according to California’s 2023 Water Plan, the State is experiencing increasingly longer and more intense periods of drought, punctuated by greater storms and higher flood flows, which result in significant variability in the water supply. For example, in recent years, the State Water Project, which supplies water to 750,000 acres of farmland and 27 million people, has varied widely in its ability to fulfill water requests from its contractors. Its deliveries range from as little as 5 percent of the allocations requested, approximately 200,000 acre‑feet of water, to 100 percent of the allocations those contractors requested, more than 4 million acre‑feet. In an attempt to mitigate the threat posed by this variability and climate change, Water Resources has undertaken two major endeavors: the Delta Conveyance Project and the Water Supply Strategy.

Figure 9
State Water Project Delivery Capabilities Could Decrease by as Much as 23 Percent by 2043

Source: Water Resources’ State Water Project Delivery Capability Report 2023 (published in 2024).
Note: Level of concern refers to the percent likelihood that actual future conditions would be better than those modeled in each scenario. Thus, a 95 percent level of concern for a projection means there is a 95 percent chance that actual future conditions would be better than what is projected. Current capabilities refers to Water Resources’ estimate of the State Water Project’s delivery capability in 2023 and is included as a baseline scenario for reference.

Water Resources projects various State Water Project delivery capability scenarios at different levels of concern.  Levels of concern refer to the percent likelihood that actual future conditions would be better than those modeled in each scenario. Thus, a 95 percent level of concern for a projection means that there is a 95 percent chance that actual future conditions would be better than what is projected. Current capabilities refers to Water Resources’ estimate of the State Water Project’s delivery capability in 2023 and is included as a baseline scenario for reference.
Current Capabilities in 2023 <h1>
The State Water Project has an average annual water capability of 2.2 million acre-feet per year.
50 Percent Level of Concern in 2043 <h1>
The projected average annual capability of the State Water Project is 1.9 million acre-feet per year which is a 13 percent reduction.
75 Percent Level of Concern in 2043 <h1>
The projected average annual capability of the State Water Project is 1.8 million acre-feet per year which is an 18 percent reduction.
95 Percent Level of Concern in 2043 <h1>
The projected average annual capability of the State Water Project is 1.7 million acre-feet per year, which is a 23% reduction.
The source of this figure is Water Resources’ State Water Project Delivery Capability Report 2023 (published in 2024).

California is working to address the State’s water reliability issue by focusing on investments in its water infrastructure. In our most recent high‑risk assessment in Report 2023‑601, August 2023, we focused our review on the progress of the Delta Conveyance Project—a project that would develop new water infrastructure facilities in the Sacramento–San Joaquin Delta. The Delta Conveyance Project is intended to protect and preserve California’s water supply threatened by rising sea levels, climate change, and seismic activity. We also discussed in that report the State’s release of the Water Supply Strategy in August 2022, which a variety of state agencies cooperatively created to help California adapt to anticipated hotter and drier conditions in the future. This strategic plan called for the creation of additional storage space for water, increased water recycling, more efficient water use and conservation, and other methods to diversify the State’s response to climate change.

Assessment—Water Infrastructure Safety

The condition of some of the State’s potentially most hazardous dams and the extent of related emergency planning remains a high‑risk issue. Water Resources manages 1,230 of California’s dams. Figure 10 shows that the number of dams with Poor and Unsatisfactory condition ratings has continued to increase since calendar year 2019. In fact, since our August 2023 high‑risk assessment, the number of Poor and Unsatisfactory dams increased by 73 percent—from 30 dams to 52 dams. Although these dams represent less than 5 percent of the dams Water Resources is responsible for overseeing, the Dam Safety Division intends to re‑evaluate the oldest and riskiest dams in the State beginning in January 2026. As a result of that work, the Dam Safety Division anticipates that those reevaluations will likely show that the State’s dams are in worse condition than currently reported. Moreover, as of July 2025, 114 dams throughout the State have both a condition rating lower than Satisfactory and a downstream hazard rating of Significant or higher, an increase from 88 dams in 2023. Dams that fall within these classifications have a combined reservoir capacity of nearly 8 million acre‑feet of water, approximately 37 percent of the State’s total reservoir capacity. Of particular concern, 49 of the 114 dams with condition ratings below Satisfactory are also rated as posing Extremely High downstream hazard, meaning that a dam failure would cause considerable loss of human life or would result in an inundation area with a population of 1,000 or more. Figure 11 shows where the 49 dams are located throughout the State.

Figure 10
The Number of Dams With Poor and Unsatisfactory Condition Ratings Has Increased by 73 Percent Since 2023

Source: Water Resources’ dam condition documentation.

In 2019, there were 91 dams in fair condition, 9 dams in poor condition, and 3 dams in unsatisfactory condition. As the calendar years pass from 2019 through 2025, the number of fair condition dams slightly decreases to 81 dams and the number of poor condition dams greatly increases to 51 dams by 2025, while the number of unsatisfactory dams decreases to 1 dam. We highlight specifically poor and unsatisfactory dams, noting there were 30 poor or unsatisfactory dams in 2023, which has grown to 52 dams in 2025, and this growth is a 73 percent increase. Overall, from 2019 to 2025, the amount of fair, poor, and unsatisfactory dams has increased from 103 dams to 133 dams.
The source of this figure is Water Resources’ dam condition documentation.

Figure 11
49 Dams Throughout California Are Rated as Posing Extremely High Hazard to Life and Property and Are Below Satisfactory Condition

Source: California Jurisdictional Dams dataset as of August 28, 2025.

This graphic shows the location of each of the 49 dams Water Resources has indicated are extremely high hazard and are below satisfactory condition. The following list identifies, by county, the name and condition rating of all 49 dams. The list is sorted alphabetically by county name:

Butte County; one dam <h3>
• Oroville, Fair
Contra Costa County; one dam <h3>
• Lafayette, Fair
Fresno County, two dams <h3>
• Huntington Lake 1, Poor
• Vermilion Valley, Fair
Los Angeles County; five dams <h3>
• Bouquet Canyon, Fair
• Castaic, Poor
• Eagle Rock, Fair
• Pyramid, Fair
• Sawpit Debris Basin, Fair
Monterey County, one dam <h3>
• San Antonio, Fair
Napa County, two dams <h3>
• Conn Creek, Fair
• Napa County, Lake Curry, Poor
Nevada County; three dams <h3>
• Lake Fordyce, Fair
• Lake Spaulding, Fair
• Scotts Flat, Fair
Orange County; two dams <h3>
• Rattlesnake Canyon, Fair
• Santiago Creek, Poor
Plumas County; one dam <h3>
• Lake Almanor, Fair
Riverside County; two dams <h3>
• McVicker Canyon Debris Basin, Fair
• Vail, Fair
San Diego County; eight dams <h3>
• Barrett, Fair
• El Capitan, Poor
• Lake Hodges, Unsatisfactory
• Lake Wohlford, Fair
• Morena, Poor
• Murray, Fair
• Savage, Poor
• Sweetwater Main, Fair
San Mateo County; three dams <h3>
• Bear Gulch, Poor
• Pilarcitos, Poor
• San Andreas, Fair
Santa Clara County; eight dams <h3>
• Almaden, Poor
• Calero, Poor
• Coyote, Poor
• Felt Lake, Fair
• Guadalupe, Poor
• James J. Lenihan, Fair
• Leroy Anderson, Poor
• Stevens Creek, Fair
Santa Cruz County; one dam <h3>
• Newell, Fair
Solano County; two dams <h3>
• Lake Frey, Fair
• Swanzy Lake, Poor
Sonoma County; one dam <h3>
• Annadel No. 1, Fair
Stanislaus County; one dam <h3>
• ConAgra Aerated and Settling Ponds, Fair
Tuolumne County; two dams <h3>
• Cherry Valley, Fair
• Relief, Poor
Ventura County; two dams <h3>
• Matilija, Poor
• Santa Felicia, Poor
Yuba County; one dam <h3>
• Camp Far West, Fair

The source of this figure is the California Jurisdictional Dams dataset as of August 28, 2025.

Water Resources is striving to improve dam conditions. The Dam Safety Division indicates that since 2023, it upgraded the condition assessment of 16 dams to Satisfactory because these dams received repairs, and it removed six dams that are no longer considered state‑jurisdictional dams. Further, Water Resources intends to administer $480 million through the Dam Safety and Climate Resilience Local Assistance Program, which was established in June 2023 to fund dam repair or improvement projects. However, recent budgetary changes resulted in the funding for the program shifting from the General Fund to Proposition 4 funding.⁷ As a result of this funding shift, Water Resources canceled its initial solicitation for the program and expects to issue a new solicitation in 2026 after details regarding Proposition 4 funding are confirmed.

The State must ensure that dam owners have emergency action plans (emergency plans) to address their dam’s downstream hazard. After the Oroville Dam spillway incident in 2017, the Legislature amended state law to require that owners of state‑regulated dams with a downstream hazard of Significant or higher develop emergency plans to address the potential loss of life and potential property damage of a dam failure. The California Governor’s Office of Emergency Services (Emergency Services) is responsible for reviewing and approving emergency plans. An emergency plan must be based on one or more inundation maps that illustrate the potential flooding that may result from a dam’s failure. Water Resources is responsible for approving inundation maps and asserts that it has now approved inundation maps for 96 percent of the total number of dams that require these maps.

Dam safety planning throughout the State remains incomplete. Despite Water Resources’ efforts to approve inundation maps for nearly all dams that require these maps, Emergency Services’ approval of emergency plans lags. Specifically, Emergency Services has approved emergency plans for only 577 dams, or about 67 percent of the total number of dams required to submit such plans. At the current rate of submission and approval, it will take more than three years for the State to have emergency plans in place for all dams that require them. Further, there are 68 dams without approved emergency plans that Water Resources has assessed as having Extremely High downstream hazard ratings, indicating a risk of considerable loss of human life.

Levee conditions also continue to pose a high risk to the State. In our previous assessment, we reported that Water Resources had assessed the maintenance of levees within the Central Valley’s State Plan of Flood Control in 2022 and rated 38 of 106 levees as Unacceptable and another 33 levees as Minimally Acceptable. However, results from Water Resources’ 2024 levee maintenance inspections indicate that levee maintenance has worsened slightly. The total number of levees rated as Unacceptable or Minimally Acceptable increased from 71 levees in 2022 to 80 levees in 2024. Water Resources indicated that this increase resulted from changes to its methodology for rating levees. Nonetheless, more than two‑thirds of levees are rated as Unacceptable or Minimally Acceptable.

Because of the risks presented and the inadequate progress to mitigate those risks, the State’s water infrastructure will remain a high‑risk issue. The significant number of high‑hazard dams with condition ratings below Satisfactory demonstrates that circumstances have not substantially changed. Further, the high number of emergency plans that Emergency Services has yet to approve shows that significant corrective action has not yet occurred. Finally, audit work by our office could assist efforts in mitigating the risk presented by this issue area by examining the State’s process for inspecting dams and approving emergency plans.

Status: Retained on the high‑risk list

Assessment—Water Availability

The State has not made adequate progress in addressing water supply availability, and thus, it will remain a high‑risk issue. Water Resources has highlighted that, among evaluated strategies, the Delta Conveyance Project is the single most effective strategy to address the challenges presented by climate risks. The Delta Conveyance Project has achieved key milestones, including the completion of an environmental impact report and an analysis of the benefits and costs of the project. However, Figure 12 shows that the Delta Conveyance Project remains in the permitting, procurement, and design phases. Further, the majority of permitting processes rely on approval from other agencies. Water Resources projects that construction will not begin until 2029 and that the project will not be fully operational until 2045. Historically, three similar projects, Peripheral Canal (1982), Bay Delta Conservation Plan (2009), and California WaterFix (2017), all experienced significant debate and controversy, and they were ultimately abandoned. The Delta Conveyance Project is facing significant public opposition similar to these past projects and may encounter future challenges related to funding and the timeline for its completion.

Figure 12
The Delta Conveyance Project Will Not Be Fully Operational Until 2045

Source: Delta Conveyance Design and Construction Authority Memorandum.

Beginning from 2024, the Delta Conveyance Project will be in permitting processes through 2026 and simultaneously in design through 2039. Procurement will start from 2025 through 2033. Construction is anticipated to last from 2029 through 2044, and then startup will last from 2042 until 2045, when the project becomes fully operational in 2045. The source of this figure is the Delta Conveyance Design and Construction Authority Memorandum.

Finally, at the current rate of progress, the State is at risk of forgoing significant water savings that would aid in stabilizing the water supply. For instance, Water Resources estimates that if the Delta Conveyance Project had been operating for just the past four winters, it could have captured enough water to supply 21.6 million people for one year. Based on the projected operational date of 2045, the water savings expected to be missed in the next 20 years could be substantial.

Similarly, the Water Supply Strategy has made limited progress toward its goals. This strategy consists of four actions: develop new water through recycling and desalination, capture and save more stormwater, reduce use of water in cities and farms, and improve all water management with better data, conveyance, and administration of water rights. These actions are organized into supporting objectives, which in total call for the generation of 5.9 million acre‑feet of water and the reduction of demand for water by 500,000 acre‑feet. If achieved, the Water Supply Strategy could address the 2043 projections that the State Water Project delivery capacity could decrease by 23 percent or approximately 500,000 acre‑feet.

Although multiple agencies are involved in implementing the Water Supply Strategy, Water Resources is responsible for implementing a significant portion of the strategy’s objectives. For example, to support the overall goal of investing in desalination technology, Water Resources will coordinate with the State Water Resources Control Board and other local agencies to expand brackish groundwater desalination production by 28,000 acre‑feet per year by 2030. Water Resources stated in June 2025 that it projects to exceed this goal, indicating that its grant program funding will result in an increase of nearly 40,000 acre‑feet per year by 2030. Even though Water Resources expects to achieve some of these objectives, it is still only in the early stages of development for many others. In an effort to increase water storage, an additional objective is the planned expansion of the San Luis Reservoir by 135,000 acre‑feet, a federal project that involves Water Resources’ collaboration to seismically upgrade the reservoir dam. However, the media reported in April 2025 that two of eight participating water agencies have dropped out of the project, and the financial future of the project is uncertain. Additionally, the anticipated completion date of the project has been delayed from 2028, as stated in the supply strategy, to 2032. The strategies in progress from the Water Supply Strategy in conjunction with the uncertain status of the Delta Conveyance Project demonstrate that the State continues to miss substantial opportunities for water savings.

Because of the current risks and limited progress, the availability of water will remain a high‑risk issue. The State’s cycle of ongoing drought and flood, as well as the still‑pending Delta Conveyance Project and ongoing Water Supply Strategy, show that circumstances have not changed substantially and that water availability continues to be a concern. Finally, additional audit work by the State Auditor could assist in mitigating the risk presented by this issue by proposing methods to streamline project management at the responsible agencies, as we did in our audit of the WaterFix project, Report 2016‑132, October 2017. Such additional audit work could examine the State’s progress and barriers toward enhancing water storage, increasing recycling, and expanding desalination.

Status: Retained on the high‑risk list

Response from the California Natural Resources Agency, Response from Emergency Services, and State Auditor’s comments.

Other Area Reviewed

ACCOUNTABILITY OVER HOMELESSNESS SPENDING AND PROGRAM OUTCOMES

This year’s state high‑risk list does not include homelessness and the State’s efforts to improve accountability over related spending. In April 2024, our office issued an audit report—2023‑102.1, Homelessness in California: The State Must Do More to Assess the Cost‑Effectiveness of Its Homelessness Programs—highlighting the State’s failure to collect and comprehensively report program‑specific fiscal and outcome data covering billions of dollars in state homelessness spending.⁸ If available, such data would help the Legislature identify which of the State’s various homelessness programs are the most effective and therefore warrant ongoing financial support.

In September 2024, five months after our audit report, the Governor signed Assembly Bill 799 (Chapter 263, Statutes of 2024) (AB 799), which directs the California Interagency Council on Homelessness (Cal ICH) to collect and publicly report both fiscal and program‑specific outcome data regarding state homelessness programs. Under this new law, all state agencies and departments that administer certain homelessness programs must provide fiscal year 2025–26 data to Cal ICH no later than February 1, 2027, with subsequent fiscal year reporting annually thereafter. Further, Cal ICH must make such data publicly available on or before June 1, 2027 and every year afterwards.

This current update to the State Auditor’s state high-risk list comes just six months into fiscal year 2025–26—the first year in which the AB 799 data described above must be collected—and about 14 months before February 2027, when state agencies and departments must submit outcome and fiscal data to Cal ICH. Therefore, it is premature to formally designate Cal ICH and the State’s efforts to enhance accountability over homelessness spending—as envisioned through AB 799—as a high‑risk issue.

Nevertheless, the State’s slow pace toward implementing AB 799 may cause us to add accountability over homelessness spending to our high‑risk list before our next cyclical update. During the 10‑month period from January 2025, when AB 799 became effective, through October 2025, Cal ICH has demonstrated limited progress toward completing the required planning and coordination necessary to make AB 799’s oversight reporting possible. The only deliverable marked as complete on Cal ICH’s implementation plan is a six‑page preliminary methodology proposal that explores how performance outcomes might be calculated from the State’s Homeless Data Integration System. The potential methodologies discussed in the proposal are at a summarized and high‑level of detail that is conceptual instead of program‑specific. Notably, the document further underscores that the categorizations used in the descriptions of these performance measures and their methodology are all preliminary. The proposal also discusses the need to consult with state departments to better understand which performance measures might apply to specific programs. Cal ICH’s discussions with departments are planned to take place between October and December 2025. According to its own timeline, Cal ICH does not intend to develop and then validate its performance outcome measures until the fourth quarter of fiscal year 2025–26—about six months from now. We remain somewhat skeptical of this timeline given Cal ICH’s limited progress over the previous 12 months since AB 799 became effective in January 2025. We will continue monitoring Cal ICH’s progress to evaluate whether it can finalize its performance outcome measures as planned.

Aside from collecting outcome data, Cal ICH is also required to collect and report fiscal data. However, Cal ICH currently lacks the ability to collect and store financial data from the various departments and agencies that administer the State’s homelessness programs. Further, Cal ICH has yet to define the fiscal data it intends to collect. According to its own internal timeline, Cal ICH plans to discuss fiscal reporting requirements with applicable state entities in the second and third quarters of the current fiscal year—from October 2025 through March 2026—leading to the development of a reporting system before July 2026. However, this time frame provides limited opportunities for departments to understand what specific financial data they will be required to report as fiscal year 2025–26—the first year when financial data must be collected—concludes. In our view, Cal ICH should have had these fiscal discussions with state entities by March 2025, only months after AB 799 became effective and well before the first year of fiscal reporting was set to begin in fiscal year 2025–26. As with outcome data reporting, we are skeptical of Cal ICH’s timeline of roughly six months to build and implement a new financial reporting process.

Overall, the Legislature and the administration deserve credit for strengthening state law by mandating additional accountability and reporting requirements for the State’s homelessness spending; however, more progress is needed from Cal ICH to ensure that the intended benefits of AB 799 become a reality. After Cal ICH’s reporting process is established and data are collected, our office plans to evaluate the accuracy and completeness of the information that is reported to the Legislature and the public.

Response from Cal ICH and State Auditor’s comments.

---

We prepared this report under the authority vested in the California State Auditor by Section 8546.5 of the California Government Code.

Respectfully submitted,

GRANT PARKS
California State Auditor

December 11, 2025

Staff:
Ben Ward, MSA, CISA, Audit Principal
John Lewis, MPA, CIA, Audit Principal
Vance Cable, Audit Principal
Kate Monahan, MPA, Senior Auditor
Ryan P. Coe, MBA, CISA, Senior Auditor
Sean McCobb, Senior Auditor
Ainslie Coughran
Alexis Hankins
Arseniy Sotnikov
Brandon Clift, CPA
Brenna Farris
Emily Chang
Kaleb Knoblauch
Kurtis Nakamura, CFE, CIA
Richard Power, MBA, MPP
Sean Nguyen, MPP

Legal Counsel:
David King
Jacob Heninger

Responses

• California Department of Social Services
  • California State Auditor’s Comments on the Response From the California Department of Social Services
• Employment Development Department
• Department of Finance
  • California State Auditor’s Comments on the Response From the Department of Finance
• State Controller’s Office
  • California State Auditor’s Comments on the Response From the State Controller’s Office
• Department of Health Care Services
  • California State Auditor’s Comment on the Response From the Department of Health Care Services
• California Department of Technology
  • California State Auditor’s Comments on the Response From the California Department of Technology
• California Natural Resources Agency
• California Governor’s Office of Emergency Services
  • California State Auditor’s Comments on the Response From the California Governor’s Office of Emergency Services
• California Interagency Council on Homelessness
  • California State Auditor’s Comments on the Response From the California Interagency Council on Homelessness

---

California Department of Social Services

November 5, 2025

Grant Parks
California State Auditor
621 Capitol Mall, Suite 1200
Sacramento, CA 95814

SUBJECT:    RESPONSE TO STATE HIGH-RISK AUDIT REPORT 2025-601

Dear Grant Parks:

The California Department of Social Services (CDSS) provides the following response to the California State Auditor’s (CSA) draft State High-Risk Audit Program report, Report 2025-601. CSA has preliminarily determined that CDSS’ CalFresh program is high risk because “its high error rate will lead to increased costs to the State.” CDSS provides the following additional information to support removal of the CalFresh program from the high-risk audit list.

① CDSS does not agree that the CalFresh program is a High-Risk program in accordance with Government Code section 8546.5. Government Code section 8546.5(a) allows the CSA to establish a high-risk audit program when the CSA identifies a “high risk for the potential of waste, fraud, abuse, and mismanagement or that has major challenges associated with its economy, efficiency, or effectiveness.” As noted by the draft CSA report, H.R. 1, the “One Big Beautiful Bill Act,” enacted changes to the Supplemental Nutrition Assistance Program (SNAP), known as CalFresh in California. H.R.1 was passed less than four months ago and includes a series of policy provisions that CDSS has been working diligently to evaluate and implement. One of these changes is that starting in 2027, states with a payment error rate exceeding a specified rate will be required to pay for a portion of benefits. ② Requiring states to contribute to the benefit cost, something previously covered entirely by the federal government, is not an unintentional side effect of the H.R. 1, but the intended purpose of this change in the law.

As noted explicitly in CSA’s draft report, California’s payment error rate has hovered around the national average since FFY 2017. Although the change in federal law may come with a fiscal consequence, it is the change in federal law which will cause that result, not any of the factors identified in Government Code section 8546.5 which are needed to identify a program as “high-risk.”

In addition, during the pendency of CSA’s request for additional information on this matter, CDSS has been engaged in responding to the federal government shutdown which has impacted numerous programs, including CalFresh. Further, California has been engaged in litigation related to the government shutdown, withholding of, and subsequent reduction of CalFresh benefits (See Commonwealth of Mass. Et Al v. U.S.D.A Et Al. (D. Mass. 2025) Case No. 1:25-cv-13165). Due to these ongoing matters, CDSS has been unable to provide CSA with a more comprehensive response to the draft report. CDSS will provide additional information as soon as it is able to.

The CDSS is committed to the control and mitigation of risk. Questions can be directed to Daniel Tobia, Branch Chief, Office of Audit Services, at Daniel.Tobia@dss.ca.gov or (916) 203-6534.

In partnership,

JULIANNA VIGNALATS
Chief Operating Officer
on behalf of Director Jennifer Troia

---

California State Auditor’s Comments on the Response From the California Department of Social Services

To provide clarity and perspective, we are commenting on the response to our assessment from Social Services. The numbers below correspond with the numbers we have placed in the margin of the response. Please note that we made minor editorial changes prior to publication that clarified, but did not substantially change, this report. Therefore, text quoted in the response may differ slightly from the final text of the report.

① We disagree with Social Services’ statement that the CalFresh program is not a high‑risk program in accordance with state law. As Social Services notes, state law allows the State Auditor to determine that an issue or program is high risk when our office identifies a concern that has major challenges associated with the State’s economy, efficiency, or effectiveness. As we explain in our report, if the State’s PER remains unchanged, the OBBBA will lead to more than $1.8 billion in additional costs to the State to maintain CalFresh benefits. We find that the additional costs associated with California’s PER and the OBBBA are a major challenge associated with California’s economy, and we stand by our conclusion that this presents a high risk to the State.

② We agree with Social Services’ assertion that requiring some states to contribute to SNAP benefit costs was an intended purpose of the OBBBA’s SNAP changes. Nonetheless, OBBBA’s changes are in effect, and Social Services is responsible for the State’s PER. Given that OBBBA ties the State’s share of benefit costs to its PER, we stand by our conclusion that California’s PER is a high risk to the State.

---

Employment Development Department

October 24, 2025

Grant Parks
California State Auditor
621 Capitol Mall, Suite 1200
Sacramento, CA 95814

Dear Mr. Parks:

Subject:  Responses to 2025-601 – State High-Risk Assessment

Thank you for the opportunity to respond to the upcoming state high-risk assessment report 2025-601 relating to the issues impacting the Employment Development Department (EDD). Below are the responses to each issue:

EDD Continues to Struggle with Improper Payments, Claimant Service, and Eligibility Decision Appeals:

EDD’s Efforts to Reduce Unacceptably High Levels of Improper Payments Including Fraudulent Payments in its UI Program Are Not Yet Adequate

EDD acknowledges that our Improper Payment Rate, as estimated by the Benefit Accuracy Measurement (BAM) program, has been higher than the 10 percent threshold outlined in the Federal Acceptable Levels of Performance (ALP).

The BAM program samples 480 weekly payments each reporting year. For context, EDD made 18,208,321 weekly payments in 2024. EDD staff conduct an independent investigation to determine if these payments were properly administered. The results of these investigations produce the Improper Payment Rate, which is used to calculate an estimate of the total dollars improperly paid in the UI program. The estimated amount improperly paid only serves as a methodology for projecting potential overpayments and underpayments that may exist.

The US Department of Labor (DOL) reports the National Improper Payment Rate as required by law, which is July 1 through June 30 of the following year. For the Payment Integrity Information Act (PIIA) 2023 reporting period, EDD’s Improper Payment Rate was 15.428% and the National rate was 14.908%. For the PIIA 2024 reporting period, EDD’s Improper Payment Rate was within the ALP at 9.314% while the National rate was 14.424%.

The California State Auditor (CSA) used Calendar Year (January 1 through December 30) BAM data for its assessment of improper payments and fraud. The table below identifies relevant data used by CSA for its calculations.

Calendar Year	Amount Paid	Improper Payment Rate	Estimated Amount Improperly Paid	Fraud Rate
2023	$6,356,870,069	11.438%	$727,107,587	7.688%
2024	$6,493,691,581	11.96%	$776,916,976	7.90%

The Fraud Rate is calculated from a subset of the overpayments reported in the BAM Improper Payment Rate data. In general, fraud involves a knowing and willful act and/or concealment of material facts to obtain or increase benefits when benefits are not due. For EDD, the top two root causes related to fraud included in this rate are benefit year earnings and separation issues. While the total estimated dollar amount of overpayments related to Fraud in the BAM data for this period is substantial, it should be noted the amount of fraud overpayments established for the same period is significantly less.

Calendar Year	Estimated Fraud Overpayments [Amount Paid x Fraud Rate] (source: BAM data)	Fraud Overpayments Established [c3 + c4] (source: ar227)
2023	$488,716,171	$231,254,477
2024	$513,001,635	$189,077,521

NOTE: The ETA 227 Report (ar227) provides information on determinations, overpayments, and recoveries of overpayments on intrastate and liable interstate claims under State and Federal UI programs. For the comparison above cells c3 (total dollar of UI fraud) and c4 (total dollar of UCFE/UCX fraud) are used since Extended Benefits (EB) payments are not subject to the BAM sample.

EDD continues to assess and implement countermeasures to reduce the Improper Payment Rate and to combat fraud in the UI program. We’ve outlined some recent examples below.

Historically, the leading root cause of improper payments are related to claimants failing to report or underreporting their benefit year earnings. In October 2025, EDD launched its Weekly Wage Reporting Tool solution designed to help our customers more accurately track and report their earnings while claiming benefits. This tool has a built-in calculator that automatically computes and saves the sum of all the income/wages entered by the claimant, including relevant employer information. This targeted solution is expected to significantly reduce our top root cause of benefit payment errors caused by claimants.

In August 2025, EDD introduced an innovative identity verification process powered by Socure. This new addition will strengthen our identity fraud prevention and security by delivering integrated real-time identity-proofing. The goal is to create a frictionless experience for most UI myEDD users while effectively blocking fraudulent registrations and bad actors from accessing the system.

EDD Has Not Provided State Residents with Sufficient Customer Service, Resulting in Significant Challenges to Claimants Obtaining UI Benefits 

Unemployment Insurance Customer Service Center

EDD recognizes that our contact center plays a crucial role in facilitating timely communication with unemployment insurance customers, providing them with relevant information, statuses, and updates on their benefit claims. EDD strives to connect with every customer that needs our support to help them through the claims process. Incoming call volume is notably higher during peak hours, such as Monday mornings, or after holidays, which can affect contact center volumes. To support customers in obtaining timely assistance, the EDD proactively communicates the best times to contact the center through public channels and online resources.

Customers contact the EDD for a wide range of reasons, not limited to eligibility determinations or benefit payment inquiries. Common reasons include clarifying program requirements, assisting with online account navigation, updating claimant information, and following up on documentation. For those reasons, the contact center call volume does not directly indicate barriers to access or service delivery gaps; rather, it reflects the dynamic nature of claimant needs and seasonal demand trends.

Based on aggregate contact center data reviewed for the period from May 2023 to May 2025, the analysis indicates that the average number of call attempts per unique caller is fewer than three, representing approximately 62% of overall contact center activity. This demonstrates that most customers can connect with EDD within a limited number of attempts.

As EDD continues to modernize our approach to providing customers with 24/7 access to information about available services, it is essential to clarify that customer service delivery extends beyond inbound call metrics and encompasses a range of support channels designed to meet customer needs efficiently and effectively.

Since 2023, the EDD has implemented multiple operational and technical efficiencies to improve service to Californians, which range from improvements in language access to tracking and monitoring customer satisfaction and quality assurance management. EDD has and continues to provide multiple avenues of support to ensure customers can obtain timely information. In addition to phone-based services, customers have access to self-service tools, text messages on claim status, secure messaging, and online resources to manage their claims, with the implementation of the myEDD portal, which is the entry point for EDD-related services. In June 2024, EDD implemented a Voice of the Customer initiative to track customer priorities and identify emerging trends in customer needs. We use this data to identify and develop solutions to better serve our customers. For example, in July 2025, EDD launched a new authenticated live chat feature that allows customers to securely chat with EDD agents online.

Customer service remains a core operational priority, and the EDD continues to enhance accessibility through modernization initiatives, process improvements, and data-driven resource management. EDD plans to launch additional enhancements to the contact center in 2026.

First Payment Promptness Federal Reporting Metrics

EDD recognizes that the federal reporting metric associated with First Payment Promptness (FPP) serves as a key indicator of both program integrity and the quality of customer service delivered to claimants. FPP measures the timeliness of issuing the first benefit payment after eligibility has been established, in accordance with the standards outlined by DOL. This measure ensures that eligible claimants receive unemployment benefit assistance, supporting both customer satisfaction and program compliance.

During the pandemic, FPP rates were significantly affected by unprecedented claim volumes, complex eligibility factors, and expanded federal benefit programs that introduced additional verification and adjudication requirements. EDD worked to ensure payment accuracy and prevent improper payments; the need to thoroughly review and adjudicate eligibility determinations extended the first payment timelines.

Following the pandemic and the sunset of federal unemployment programs, additional workload pressures emerged as deferred determinations were systematically processed to ensure program compliance and conformity as directed by DOL. These operational impacts are reflected in the data for that timeframe, as shown by the decline illustrated in Figure 1.

In response, EDD implemented a series of modernization and process improvement initiatives aimed at strengthening both the timeliness and accuracy of first payments. Targeted workload management strategies and system automation have allowed employees to focus resources on the most time-sensitive determinations. Notably, the introduction of Electronic Determinations in December 2023 has enhanced our ability to streamline eligibility reviews, reduce manual processing time, and accelerate payment issuance.

Historically, EDD conducted UI eligibility interviews by phone. This new eligibility review process includes the ability for customers to respond electronically to their potential eligibility issue, 24/7. EDD has continued to iterate Electronic Determinations, with the latest enhancement in June 2024. To assist with balancing customer service demands and federal reporting requirements, responses provided by customers are prioritized by FPP, ensuring streamlined business processes and reducing wait-times for customers.

Through these and other efforts, we continue to enhance operational efficiency to better align with federal performance standards as illustrated in Figure 1, which shows improvements to FPP. EDD reaffirms our commitment to delivering timely, accurate, and customer-focused service to California’s workforce.

Many of EDD’s UI Eligibility Decisions Are Not Upheld on Appeal

EDD acknowledges that the federal reporting metric associated with appeal reversal and modification rates is a key indication of adjudication accuracy, program integrity, and the overall baseline of the appeals process. This measure provides insight into how often determinations are upheld, modified, or reversed upon appeal, helping to ensure that claimants receive equitable and well-supported decisions in accordance with the U.S. DOL standard. It should be noted that the review period for this report includes deferred determinations originating from pandemic-related workload, which introduced unique outliers that are no longer contributing influences.

Following the pandemic, EDD experienced an increase in deferred determinations due to the extraordinary workload associated with eligibility reviews and the prioritization of timely payments. As these deferred cases were later processed, many involved complex factors such as good cause determinations, late responses, or additional claimant information submitted after the initial adjudication. These factors occasionally resulted in modified appeal outcomes, not because of an error in the original decision, but due to new or clarifying evidence presented during the appeal hearing.

In most instances, modified decisions (also classified as reversals by the CUIAB) can be attributed to the removal or reversal of the false statement disqualification or adjustments made to overpayments. These outcomes are categorized as modifications rather than full reversals, as they represent partial changes to the original determination made by the EDD rather than a complete overturning of the original eligibility decision. When this occurs, the underlying eligibility decision is affirmed, with only the disqualification period or monetary adjustment revised to reflect the updated information.

It is important to note that appeal outcomes can also be influenced by the interpretation of available documentation or by the absence of corroborating evidence at the time of the original determination. These factors do not necessarily indicate deficiencies in adjudication quality but rather demonstrate CUIAB’s jurisdiction over new information and commitment to due process.

EDD continues to make significant improvements to the UI program through transformative policy and program changes, new tools and technology, and vital public-private partnerships. EDD appreciates audit feedback and remains open to any additional recommendations that strengthen accountability for our essential state and federal programs.

Sincerely,

Nancy Farias
Director

---

Department of Finance

November 5, 2025

Grant Parks, State Auditor
California State Auditor’s Office
621 Capitol Mall, Suite 1200
Sacramento, CA 95814

2025-601-State High Risk Assessment

Thank you for the opportunity to respond to the California State Auditor’s State High Risk Assessment draft report. In response to your assessment that the State’s management of COVID-19 federal funding remains high risk, we provide the following comments:

Given legislative and administrative actions, the Department of Finance does not agree that the management of the COVID-19 federal funds should continue to be a high-risk issue. In line with our responses to the California State Auditor’s State High-Risk Audit Program reports, issued August 2021 and August 2023, ① Finance continues to assert the state’s management of COVID-19 federal funds does not meet the regulatory criterion of presenting a substantial risk of serious detriment to the state or its residents. However, to ensure the proper oversight of the COVID-19 federal funds, in the 2021 Budget, the Legislature approved the establishment of the Federal Funds Accountability and Cost Tracking (FFACT) Unit, later renamed the Statewide Unit, with several positions within Finance, to track the receipt and expenditure of COVID-19 federal funds provided under the following six federal bills: (1) Coronavirus Preparedness and Response Supplemental Appropriations Act (Public Law 116-123), ② (2) Families First Coronavirus Response Act (Public Law 116-127), (3) Coronavirus Aid, Relief, and Economic Security Act (Public Law 116-136), (4) Paycheck Protection Program and Health Care Enhancement Act (Public Law 116-139), (5) Coronavirus Response and Relief Supplemental Appropriations Act (Public Law 116-260), and (6) American Rescue Plan Act (Public Law 117-2). The Statewide Unit also provides leadership, direction, training, and support to departments with respect to this funding.

The Statewide Unit continues to monitor and oversee the progress of expenditures with the various departments. In addition to this oversight, internal audits are performed to assist in the monitoring of the COVID-19 federal funds by identifying and providing recommendations to address risks. Finally, the Single Audit and the U.S. Treasury’s authority to audit provides additional assurance that the state’s COVID-19 federal funds are expended appropriately.

For example, in the 2023 desk review of the state’s Coronavirus Aid, Relief, and Economic Security Act Coronavirus Relief Fund (CRF) allocation of $9.5 billion, auditors contracted by the U.S. Treasury Office of Inspector General determined that California’s risk of unallowable use of funds was low and did not recommend California for a full audit. They determined the only expenditure that fell beyond the period of availability for CRF was $6,952 for the third year of a California Department of Public Health software subscription. This was considered immaterial, and Finance made the necessary reporting correction. This result clearly demonstrates that the Statewide Unit oversight and coordination with departments has mitigated the risks in managing this federal funding.

③ Additionally, while approximately $2 billion remains to be spent at the time of this assessment, the risk of not utilizing these funds before they expire is not significant. The amount of funding remaining to be spent represents less than 1 percent of the $285 billion in COVID-19 federal funds originally awarded to the state and many of the state recipients with larger remaining balances have three to five years remaining to expend funding before awards expire.

If you have any questions or need additional information, please contact Cheryl McCormick, Chief, Office of State Audits and Evaluations, at (916) 322-2985.

Sincerely,

JOE STEPHENSHAW
Director, California Department of Finance

---

California State Auditor’s Comments on the Response From the Department of Finance

To provide clarity and perspective, we are commenting on the response to our assessment from Finance. The numbers below correspond to the numbers we have placed in the margin of the response.

① We disagree with Finance and stand by our assessment that the State’s management of federal COVID‑19 funds continues to meet the regulatory criterion of presenting a substantial risk of serious detriment to the State or its residents.

② Notwithstanding the means Finance describes by which the State and federal government provide oversight of the State’s expenditure of these federal COVID‑19 funds, we still have concerns. Specifically, as we state in our report, there were a significant number of findings of mismanagement in audits previously conducted of departments administering federal COVID‑19 funds, and about 20 percent of the recommendations related to those previous findings have yet to be addressed. Further, many of the programs with remaining funds have not been audited by our office or Finance. Because COVID‑19 funds will remain eligible for expenditure through December 31, 2030, the risk of serious detriment remains high and has not been sufficiently mitigated.

③ As we note in our report, the $2 billion of remaining federal COVID‑19 funds is still a significant amount for the State to manage, and the State has a history of not fully spending these funds, as demonstrated by the $820 million it was unable to spend from grants that have now expired. Our concerns, therefore, are justified regarding the State’s ability to fully expend the remaining balance of federal COVID‑19 funds, and especially for the $1.3 billion in awards that expire within the next 12 months—by December 2026.

---

State Controller’s Office

December 4, 2025

Mr. Grant Parks, State Auditor
State of California
621 Capitol Mall, Suite 1200
Sacramento, CA 95814

① Subject: REVISED State Controller’s 2025-601 – State High-Risk Assessment Response

Dear California State Auditor Grant Parks:

I write to respectfully disagree with your continued designation of the State’s Financial Reporting and Accountability as a high-risk issue.

② As stated in my correspondence to you on October 15, 2025 (See Attached), California’s financial reporting system has entered a phase of sustained improvement. The criteria for maintaining a “high-risk” designation are clear. ③ Two conditions must persist: first, that an agency has not taken adequate corrective action; and second, the likelihood of impaired economy, efficiency, or effectiveness constitutes a substantial risk of detriment to the State or its residents. Currently, neither condition applies. Many of the corrective actions are active, effective, and independently verified by your office. For these reasons, the issue of the State’s Financial Reporting and Accountability no longer meets the threshold for a high-risk designation.

④ The draft report narrative your office provided my office fails to acknowledge the investment and associated progress under my administration.

It is clear that the investments made by my office and the subsequent work that followed warrants recognition and reconsideration. My administration has demonstrated a strong commitment to mitigating or eliminating any risks associated with inaccurate and late financial reporting.

I urge your office to look not only at where California once stood, but where it stands now. ⑤ The high-risk label was born of a different moment—one defined by backlog, fragmentation, and uncertainty. That moment has passed. What stands in its place is a unified effort, unprecedented in both scope and collaboration, to restore confidence in the State’s financial reporting.

To continue to brand this work as “high risk” is to overlook the transformation happening in real time. ⑥ It diminishes the long hours invested by public servants who rebuilt these systems from the ground up. It erases the extraordinary cooperation between branches of government that has brought California back into alignment. And it sends a message to departments—who have moved mountains to correct course—that their progress is invisible.

California has turned the page. We ask only that your assessment reflects the chapter we are writing now, not the one we have already closed.

⑦ For the sake of accuracy, fairness, and the integrity of our shared public mission, I respectfully request that this designation be lifted. The people of California deserve recognition of the progress achieved—and the clear affirmation that their government is no longer mired in the risks of the past, but firmly on the path toward disciplined, timely, and transparent financial stewardship.

Sincerely,

Malia M. Cohen

Copy: The Honorable Gavin Newsom, Governor
The Honorable John Harabedian, Chair, Joint Committee on Legislative Audit
The Honorable John Laird, Vice Chair, Joint Committee on Legislative Audit
The Honorable Monique Limon, President pro Tempore, California State Senate
The Honorable Brian W. Jones, Minority Leader, California State Senate
The Honorable Robert Rivas, Speaker, California State Assembly
The Honorable Heath Flora, Republican Leader, California State Assembly

---

California State Auditor’s Comments on the Response From the State Controller’s Office

To provide clarity and perspective, we are commenting on the response from the State Controller. The numbers below correspond with the numbers we have placed in the margins of the response.

① The State Controller initially provided its response to our assessment on November 6, 2025, and then provided a revised response on December 4, just five business days before the release of our report. The rationale for the State Controller’s revised submission is unclear, given we did not alter our report’s text or conclusions. Nevertheless, we include the State Controller’s updated response and provide additional comments based on the contents of this response.

② The State Controller references its letter from October 15, 2025, in which it reluctantly agreed to participate in the contractor’s audit given its assertion of sustained improvement. For context, the State Controller has spent more than a year resisting an independent, external examination of the State’s processes for preparing the Annual Comprehensive Financial Report (ACFR). The State Controller’s reluctance nearly resulted in the State Auditor initiating legal action to compel the State Controller’s participation, finally resulting in the State Controller’s consent this past October. The independent, external audit currently underway by KPMG will offer a complete analysis of all collective opportunities for improvement—both at the State Auditor’s Office and at the State Controller—as well as at several other large departments and agencies that report financial data material to the State’s ACFR and that did not provide timely and accurate financial reports. Despite the State Controller’s desire to publicly proclaim it has fixed the State’s ACFR before all the facts are known, the State Auditor prefers to await the conclusions and recommendations from KPMG’s report before deciding whether to remove this item from the high-risk list.

③ The State Controller’s response is a partial summary of the criteria used when the State Auditor considers agencies or statewide issues for inclusion on the state high-risk list. The State Controller further states that many of its corrective actions have been “verified” by the State Auditor’s Office. The State Controller’s response is both incomplete and misleading. The response is incomplete because the State Controller fails to make any mention of the quality issues associated with the ACFR it prepares from the financial information provided by departments, as evidenced by the “disclaimer of opinion” on the Unemployment Programs Fund, or the “qualified opinion” issued on the State’s Business-Type Activities in the governmentwide financial statements for fiscal year 2023–24, the State’s most recent ACFR. Further, the State Controller’s response fails to acknowledge the recurring internal control findings we report annually regarding its own internal policies and practices. For example—as the State Controller is aware—it made material errors totaling $6.1 billion in the latest ACFR during its reconciliation processes for education funding under Proposition 98. Ultimately, designation as a high-risk issue requires the professional judgment of the State Auditor—not just the criteria cited by the State Controller in its response—and the inclusion of the State’s ACFR on the high-risk list is warranted pending KPMG’s report due this winter.

④ The State Controller’s response states that we have failed to acknowledge the investment and associated progress achieved under the current Controller’s administration. This is not true. We acknowledge the progress achieved with respect to issuing timelier ACFRs. Nevertheless, the ACFR remains late, and the State Controller continues to experience the quality issues described in comment #3. We encourage the State Controller to see KPMG’s audit as an opportunity to identify and address longstanding root causes associated with the ACFR’s challenges, some of which may have existed prior to the State Controller’s current leadership.

⑤ The State Controller’s response concludes “the high-risk label [for the ACFR] was born of a different moment…[and] that moment has passed.” For the reasons mentioned in comment #3, along with our ongoing involvement and acute awareness of the State’s ACFR process and its key participants, we respectfully disagree. We look forward to KPMG’s analysis as a possible path toward sustainable improvement for all entities involved with the State’s ACFR.

⑥ The State Controller’s response states that our report “diminishes the long hours invested by public servants who rebuilt these systems from the ground up,” and that our report sends a message to departments that “their progress is invisible.” For clarity and context, we are fully aware of the State Controller’s activities, and we hold operational meetings with its staff every week to discuss the ACFR and those specific departments that have difficulty submitting GAAP-compliant accounting information, often advising the State Controller which departments need greater assistance from the State Controller’s contractors. During our audit, we also frequently communicate with accounting leadership at several large state departments and agencies when we audit their transactions. Although the State Controller may be pleased by the progress made thus far on the ACFR—as expressed in its written response—the State Auditor’s Office will await KPMG’s report that is expected this winter.

⑦ The State Controller’s response implicitly accuses the State Auditor of lacking accuracy, fairness, and integrity by his decision to continue placing the State’s ACFR on the high-risk list. For clarity and context, it was the State Auditor who gave the State Controller an additional year to design and implement process improvements before contracting with KPMG, and it was the State Auditor who made sure KPMG would evaluate his own office in addition to the State Controller and others, given the key role the State Auditor’s Office plays in the ACFR.

---

Department of Health Care Services

October 23, 2025

THIS LETTER SENT VIA EMAIL

Grant Parks
California State Auditor
621 Capitol Mall, Suite 1200
Sacramento, CA 95814

RESPONSE TO DRAFT ASSESSMENT REPORT 2025-601

Dear Mr. Parks:

The Department of Health Care Services (DHCS) hereby submits the enclosed response to the California State Auditor (CSA) confidential draft assessment report number 2025-601, titled, “The California State Auditor’s Updated Assessment of Issues and Agencies That Pose a High Risk to the State and Selected Agencies.”

DHCS is committed to effective and efficient administration of the Medi-Cal program, including its oversight of and partnership with the counties for eligibility functions, to ensure limited resources go to providing vital health care to millions of Californians. DHCS acknowledges CSA’s ongoing concerns regarding Medi-Cal eligibility thus the Department’s retention on the high-risk list. DHCS, however, has a different view. 

DHCS has implemented significant policy and system enhancements to improve oversight and address Medi-Cal Eligibility Data System (MEDS) alert conflicts, specifically alerts resulting in eligibility in CalSAWS, without corresponding eligibility in MEDS. The efforts include expanding monitoring statewide, issuing new performance standards, and clarifying key alert processes.  DHCS acknowledges CSA’s need for more time to thoroughly assess the effectiveness of the new MEDS monitoring policy.

DHCS appreciates the work performed by CSA and the opportunity to provide feedback on the draft assessment report. If you have any questions, please contact the DHCS Office of Compliance, Internal Audits at (916) 261-0346.

Sincerely,

Michelle Baass
Director

Enclosure

cc:     

Erika Sperbeck
Chief Deputy Director
Policy and Program Support
Department of Health Care Services
Erika.Sperbeck@dhcs.ca.gov

Tyler Sadwith
Chief Deputy Director
Health Care Programs, and State Medicaid Director
Department of Health Care Services
Tyler.Sadwith@dhcs.ca.gov

Lindy Harrington                                                               
Assistant State Medicaid Director
Department of Health Care Services
Lindy.Harrington@dhcs.ca.gov 

Saralyn Ang-Olson, JD, MPP
Chief Compliance Officer
Office of Compliance
Department of Health Care Services
Saralyn.Ang-Olson@dhcs.ca.gov

Wendy Rasmussen, MPA
Chief
Internal Audits
Department of Health Care Services
Wendy.Rasmussen@dhcs.ca.gov

Yingjia Huang
Deputy Director
Health Care Benefits and Eligibility
Department of Health Care Services
Yingjia.Huang@dhcs.ca.gov

Department of Health Care Services

Assessment: “The California State Auditor’s Updated Assessment of Issues and Agencies That Pose a High Risk to the State and Selected Agencies”

External Entity: California State Auditor
Report Number: 2025-601 (25-10) (State High-Risk Assessment)             
Response Type: DHCS’ Response to CSA’s Draft Assessment Report

Assessment – Medi-Cal Eligibility
DHCS has not adequately resolved problems involving Medi Cal eligibility and will remain on the state high-risk list.

DHCS’ Response:
DHCS acknowledges the California State Auditor’s ongoing concerns regarding Medi-Cal eligibility thus the Department’s retention on the high-risk list. DHCS, however, has a different view. 

① DHCS has implemented significant policy and system enhancements to improve oversight and address Medi-Cal Eligibility Data System (MEDS) alert conflicts, specifically alerts resulting in eligibility in CalSAWS, without corresponding eligibility in MEDS. The efforts include expanding monitoring statewide, issuing new performance standards, and clarifying key alert processes. 

In 2023 and 2024, DHCS implemented policies to strengthen oversight of county Medi-Cal eligibility outcomes, focusing on MEDS alert monitoring and timeliness of application and redetermination processing. These enhanced monitoring policies are outlined in the following documents shared with CSA:

• ACWDL 23-14E (MEDS Alert Hierarchy)
• MEDIL 24-12 (Reinstatement of Performance Standards)
• ACWDL 24-17 (Enhancing County Medi-Cal Performance Standards)
• ACWDL 25-08 (County Medi-Cal Performance Data Standards and Calculations)

In 2023 and 2024, DHCS drafted policy and developed monitoring systems to expand MEDS alert monitoring capability from the six MEDS Alert Pilot (MAP) counties to all 58 counties, commencing on January 1, 2025, and on a monthly monitoring basis thereafter. CSA’s previous assessments, contained in reports 2020-613 and 2021-601, only evaluated MAP processes. This monitoring expansion to all 58 counties, combined with the enhanced performance monitoring contained in the above-mentioned ACWDLs and MEDIL, is an exceptional step forward.

Additionally, during this current assessment, DHCS clarified to CSA that the MEDS alert of most concern to CSA, alert 6001 (Eligibility in CalSAWS, no eligibility in MEDS), are not cumulative alerts, but only generated once every three months during the county RECON process. We further clarified, once the 6001 alert is generated, eligibility for individuals identified by this alert is added to MEDS immediately, significantly reducing the time an individual may have eligibility in CalSAWS with no eligibility in MEDS.

① DHCS acknowledges CSA’s need for more time to thoroughly assess the effectiveness of the new MEDS monitoring policy.

---

California State Auditor’s Comment on the Response From the Department of Health Care Services

To provide clarity and perspective, we are commenting on the response to our assessment from Health Care Services. The number below corresponds to the number we have placed in the margin of the response. Please note that we made minor editorial changes prior to publication that clarified, but did not substantially change, this report. Therefore, text quoted in the response may differ slightly from the final text of the report.

① We acknowledge that Health Care Services has recently implemented additional processes to improve its oversight of Medi‑Cal eligibility. However, we continue to see a large number of eligibility discrepancies, and it is yet to be determined whether the new processes will result in substantial improvement in program performance. Therefore, we stand by our determination that Heath Care Services remains a high‑risk agency.

---

California Department of Technology

October 28, 2025

Grant Parks
California State Auditor
621 Capitol Mall, Suite 1200
Sacramento, CA 95814

SUBJECT: 2025-601 STATE HIGH-RISK ASSESSMENT- CALIFORNIA DEPARTMENT OF TECHNOLOGY.

Dear Mr. Parks:

CDT is providing the following response to the California State Auditor’s (CSA) High Risk Assessment.

The State’s Information Security Remains a High-Risk Issue:

The California Department of Technology (CDT) acknowledges the CSA’s assessment in Report 2025-601 that Information Security must remain a high-risk issue. Given the increased sophistication of the cyber threat landscape and interdependence of technology, information security must be a priority for all. Through its oversight and enhanced information security services, CDT has improved the overall cyber resiliency of reporting entities as well as voluntary non-reporting entities. However, continued vigilance and distribution of cybersecurity resources across all branches of government serving the people of California remain a priority. CDT appreciates the CSA’s support in maintaining a constant, vigilant focus on this critical issue.

① While the CSA notes that reporting entities slightly increased their information security maturity scores, it is important to recognize that the benchmark has become more rigorous since the last report. CDT uses the California Cybersecurity Maturity Metrics (CMM) scale and encourages a medium target goal of 2.0 out of 4.0. This benchmark is intended to serve as a goal of achievement and a framework for continuous improvement beyond the foundations across entities, rather than a fixed minimum baseline requirement. This goal is set as a moving target and reevaluated annually based on threats and new standards to encourage continuous maturity. As a result, evenmodest increases reflect meaningful improvement that may not be fully captured.

① A singular focus on the CMM score presents an incomplete view and fails to reflect the full spectrum of indicators that CDT tracks to measure progress and compliance. Cybersecurity maturity is shaped by several contextual factors, including each entity’s risk environment operational complexity, and organizational structure. The benchmark is designed to guide entities of varying sizes and operational complexities toward achievable, measurable, and continuously improving outcomes in their cybersecurity capabilities.

Thus, in 2023, CDT established a new advisory services program aimed at entities performing below the desired goals to help drive up their maturity levels. To date, CDT has assisted over 90 entities, closing out over one thousand gap findings identified through this increased oversight. In addition to CMM metrics, CDT also factors in ISA metrics to gauge the maturity of preventive controls against simulated threat activity. Based on these ISA metrics, reporting entities have demonstrated a 20-point increase in scores, showing improved resilience to internal and external compromise activity.

As cybersecurity standards, frameworks, and threats continue to evolve, CDT refines and strengthens the 2.0 benchmark each year to reflect these changes. This intentional progression ensures that the benchmark remains aligned with emerging best practices, including the NIST Cybersecurity Framework (CSF) 2.0, the integration of NIST SP 800-53 Revision 5 controls, and the introduction of new state policies and legislative mandates. Examples of these efforts include CDT’s proactive integration of Zero Trust Architecture (ZTA) objectives into the audit criteria, which stemmed from recent development of statewide cybersecurity policy, best-practices, and proposed legislative bills. Another effort included the addition of a third input into the CMM score that enables CDT to conduct a Technology Recovery Plan (TRP) analysis to evaluate each entity’s maturity of recovery and resiliency capabilities.

As the current threat landscape evolves, CDT recognizes the importance and the increasing need to maintain a strong focus on non-reporting entities. Cybercriminal threat actors do not discriminate based on whether an entity falls under reporting or non-reporting authority. Threat actors target vulnerabilities wherever they exist, across state, local, and educational institutions, as well as private and nonprofit sectors, seeking the greatest potential impact or disruption. This reality underscores the importance of statewide collaboration, information sharing, and the consistent adoption of baseline security controls across all entities handling government data or services. Although participation by these entities is voluntary, ② CDT continues to encourage alignment with statewide security and risk management standards. As referenced in the report, 46 percent of non-reporting entities were identified as out of compliance with certification requirements.

Consequently, the voluntary nature of these submissions, coupled with late or incomplete responses by non-reporting entities, makes meeting the statutory reporting deadline challenging without full oversight authority causing delays in presenting accurate and timely reporting. Nonetheless, CDT makes significant efforts to promote voluntary participation in order to ensure a more comprehensive and accurate statewide risk posture with what data is gathered.

CDT will continue to partner with the CSA and the Legislature to emphasize the importance of information security maturity. We are committed to not only providing effective mechanisms for oversight but also assisting all entities in their journey to evolve their defensive postures commensurate with the threat landscape by providing guidance, preventive services, and increased collaboration across our respective branches of authority.

Technology Has Not Made Sufficient Progress in Its Oversight of State IT Projects:
PAL Duration – PAL Takes Too Long

CSA has correctly identified the importance of project planning through the Project Approval Lifecycle (PAL) as an essential and important element in acquisition and development of information technology (IT) for the state of California. The project approval lifecycle (PAL) is a process designed to support and reinforce rigorous, thorough, and comprehensive planning by state entities to help ensure projects are set up for success before being approved to begin development. Planning elements focus on areas that are potential challenges in acquiring and developing large complex IT systems.

CSA has reflected the contributing factors to the duration of PAL which include the state annual budget process, organizational maturity, the quality of state entities planning documents, and changes in state entity business priorities. ③ However, the report fails to elaborate on the correlation between these factors and the delay in PAL approval. The annual budget process is well understood. Organizational maturity relates to the level of IT project management experience and capacity to conduct comprehensive planning. This necessarily leads to a high dependency on the project management resources skills, knowledge, and ability to perform high quality planning and develop the IT requirements and the associated planning documents. Not all state entities are appropriately resourced for this and often require additional skilled resources.

③ The report inaccurately concludes that the PAL process results in project delays. The table fails to appropriately allocate the contributing factors to the duration of PAL. For the 7 projects identified in the report, a significant percentage – 88% of the delay was due to the department actions. 

④ The Department of Technology is providing the following details for the projects identified in the audit report (Fig. 3). The table and chart below show the allocation of contributing factors to the duration of PAL for those projects currently in the planning phase. For projects currently in PAL, departments have 89% of the time is attributed to department actions. ⑤ ⑥ The auditor has also overlooked the critical fact that 4 of the 7 listed projects are still navigating the budget process to obtain funding to proceed with the next PAL stages.

The Department of Technology has provided a PAL duration analysis to the auditor summarized here. As indicate in the table below the median duration for PAL approval is twenty-four (24) months. The table below represents the total planning duration of PAL for all seventy-six (76) projects from 2014-2025 and is inclusive of the contributing factors identified above. Accounting for the budget cycle, departments generally require at least 12 months to secure funding. Allocating another 12 months for planning critical projects is both prudent and necessary to support successful outcomes.

PAL Duration Analysis Period 2014-2025 for 76 projects.
Duration	Months
Average	28
Median	24
Minimum	2
Maximum	95

The Project Delivery Lifecycle (PDL) will apply similar metrics to assess planning timelines and drivers, enhancing efficiency and rigor while balancing risks in IT acquisition and development.

Clarifications

⑦ On Page 7 of 10.

④ “Figure 2 shows that according to Technology’s metrics, PAL performed better that industry standard between…”

⑧ The sentence should be rewritten to state as follows – “PAL produces better project outcomes than the industry benchmark”.

CDT measures the project outcomes rather than the PAL performance. The project outcomes are an indicator of the effectiveness of PAL. It would be incorrect to report these metrics as project approval lifecycle (PAL) performance. PAL is a project Planning phase of the five project phases. The shown metrics are reflecting the project outcomes which include planning and execution (development and implementation) see the Project Lifecycle here https://capmf.cdt.ca.gov/Overview.html and Discussion of Lifecycles. 

Further, the metrics are considered a benchmark not a standard. The Standish Group defines the benchmark used for success, challenged, and failed projects.

Our position is that the enhanced rigor introduced through PAL in key planning areas has likely contributed to improved project outcomes.

⑦ On Page 8 of 10.

“Criticality is determined based on a range of factors, including the size, business impact, financial risk, and security needs of the project.”

⑨ The statement is incomplete in terms of including the criteria for assessing the project’s criticality rating. Criticality is determined based on a range of factors including technical complexity, business complexity, budget, and duration. (see SIMM 45 Appendix C Complexity Assessment, and SIMM 45 Appendix D Complexity Assessment Instructions) which includes more factors than indicated.

CDT values the CSA’s continued commitment to advancing cybersecurity and the success of statewide IT projects. This collaboration enhances transparency, promotes accountability, and supports continuous improvement in project delivery and risk management. Through these shared efforts, the State is better positioned to achieve its technology and public service goals.

Sincerely,

Liana Bailey-Crimmins
State Chief Information Officer and Director
California Department of Technology

cc: Nick Maduros, Secretary, Government Operations Agency
       Jared Johnson, Chief Deputy Director, California Department of Technology

---

California State Auditor’s Comments on the Response From the California Department of Technology

To provide clarity and perspective, we are commenting on the response to our assessment from Technology. The numbers below correspond to the numbers we have placed in the margin of the response. Please note that we made minor editorial changes prior to publication that clarified, but did not substantially change, this report. Therefore, text quoted in the response may differ slightly from the final text of the report.

① We stand by our use of Technology’s own maturity metric scores as a valid manner to assess the strength of the State’s information security posture. As we state in our report, a majority of reporting entities had a maturity metric below Technology’s baseline standard of 2.0, indicating that reporting entities on average are still in the process of developing the practices and procedures to implement their information security programs.

② Technology’s response inaccurately states that these requirements are voluntary. As we state in our report, nonreporting entities are required by state law to annually certify to Technology their compliance with certain security requirements or confirm to Technology that they voluntarily comply with Technology’s information security policies and procedures.

③ We disagree with Technology that it is necessary to further elaborate regarding the factors that may delay an IT project’s approval and that we have inaccurately concluded that the PAL process results in project delays. We note that factors outside of Technology’s control contribute to delayed project execution. Further, we note that Technology has expressed its desire for a faster process and that it developed the PDL to, in part, allow for faster IT project planning. Nonetheless, we stand by our assessment that the length of time IT projects spend in the PAL, and Technology’s lack of outcomes to support the success of the PDL, demonstrate that oversight of IT projects should remain on the high‑risk list.

④ We provided a redacted draft report for Technology’s review and, consequently, Technology references Figures 2 and 3 in its response, which are Figure 5 and Figure 6 in this final published report.

⑤ We disagree with Technology’s assertion that we overlooked that some of the IT projects are still navigating the budget process. We state that the annual budget process contributes to the delayed execution of IT projects. Although we note that these delays pose a risk of impairing the delivery of important government services, our conclusion to retain IT oversight on the high‑risk list was also based on the new PDL process, which has not yet proven to be successful because Technology has not yet implemented it.

⑥ After we provided Technology with a redacted draft report for its review and response, we identified an additional IT project in the PAL IT project proposal tracking website—the Life Outcome Improvement System—that Technology rated as highly critical. Thus, we have since added that IT project to Figure 6.

⑦ During the publication process for this report, page numbers shifted. Therefore, the page numbers cited by Technology in its response do not correspond to the page numbers in the final published report.

⑧ We agree with Technology’s suggested change and updated the report accordingly.

⑨ We disagree with Technology that our explanation of its criteria for assessing criticality is incomplete. We note that criticality is determined based on a range of factors, and we provide sufficient relevant examples of those factors.

---

California Natural Resources Agency

October 28, 2025

Grant Parks
California State Auditor
621 Capitol Mall, Suite 1200
Sacramento, CA 95814

Dear Mr. Parks,

The Department of Water Resources (DWR) and the California Natural Resources Agency (CNRA) acknowledge receipt of the California State Auditor’s redacted draft State high-risk report section titled “California’s Deteriorating Water Infrastructure and Climate Change May Threaten the Lives and Property of Its Residents and the Reliability of the State’s Water Supply.” We agree that climate-stressed water infrastructure and supplies pose a high risk to California public safety and prosperity. We appreciate your recognition of our commitment and ongoing work with local, State, and federal agencies to achieve the goals of the Governor’s 2022 Water Supply Strategy and to adapt aging water systems for this new era of extreme flood and drought.

Thank you for the opportunity to comment on the draft, redacted State high-risk report.

Sincerely,

Samantha Arthur
Deputy Secretary for Water
California Natural Resources Agency

---

California Governor’s Office of Emergency Services

November 5, 2025

Mr. Grant Parks     
California State Auditor
621 Capitol Mall, Suite 1200
Sacramento, CA 95814

Dear Mr. Parks:

The California Governor’s Office of Emergency Services (Cal OES) received the California State Auditor’s (CSA) Redacted Draft Report regarding the results of the Fiscal Year 2024-2025 High Risk Assessment for Dam Safety via encrypted email on October 30, 2025. Cal OES’s comments are solely on the section titled “California’s Deteriorating Water Infrastructure and Climate Change May Threaten the Lives and Property of Its Residents [Redacted]”.

① The CSA Reports states, “Emergency Services has approved emergency plans for only 577 dams, or about 67 percent of the total number of dams required to submit such plans.” The 577 approved Emergency Action Plans (EAPs) reflect an increase of 158 EAPs, an increase of 19%, from the 48% reported during the 2023 High Risk Assessment.

② The CSA Report states, “Further, there are 68 dams without approved emergency plans that Water Resources has assessed as having Extremely High downstream hazard ratings…” The number of dams with Extremely High downstream hazard ratings without approved EAPs decreased from 121 to 68, a change of 53 EAPs since the 2023 High Risk Assessment. Of the 68 dams, 62 EAPs are currently in progress. Specifically, these EAPs are either under Cal OES review, awaiting inundation map approval from Water Resources, or have been reviewed by Cal OES and returned to the respective dam owners for revision and resubmission.

Cal OES has consistently met the statutory deadlines for reviewing submitted EAPs and will continue to work collaboratively with dam owners to ensure their EAPs are comprehensive, effective, and support the safety of downstream communities and public safety agencies. In addition, Cal OES has created and shared tools to assist dam owners in completing their EAPs including a template, review tools, and a sample of an acceptable plan.

Although there are still EAPs that need to be approved, Cal OES has made significant progress. Of the 850 state jurisdictional dams requiring approval, Cal OES has received and reviewed over 780 distinct EAPs at least once and approved 577. Cal OES will continue working diligently to engage dam owners and to review and approve EAPs in a timely manner. Given Cal OES’s significant progress made since the 2023 High Risk Assessment and the efforts made to meet all applicable compliance mandates, Cal OES respectfully requests to be taken off the State High Risk list.

Cal OES appreciates the opportunity to review and comment on CSA’s 2025-601 High Risk Assessment Draft Report. If you have additional questions or concerns, please contact Ralph Zavala, Cal OES Chief of Audits and Investigations, at (916) 845-8437.

Sincerely,

Nancy Ward
Director

c:       Lori Nezhura, Deputy Director of Planning, Preparedness, Prevention
         Ralph Zavala, Chief of Audits and Investigations

---

California State Auditor’s Comments on the Response From the California Governor’s Office of Emergency Services

To provide clarity and perspective, we are commenting on the response to our assessment from Emergency Services. The numbers below correspond to the numbers we have placed in the margin of the response. Please note that we made minor editorial changes prior to publication that clarified, but did not substantially change, this report. Therefore, text quoted in the response may differ slightly from the final text of the report.

① Although Emergency Services states in its response that it has approved a larger proportion of required emergency plans since the time of our previous assessment, it still has a significant number of emergency plans that it must approve.

② Emergency Services states that the number of dams with extremely high downstream hazard ratings without approved emergency plans has decreased since our last assessment; however, we stand by our conclusion that the high number of emergency plans that Emergency Services has yet to approve shows that significant corrective action has not yet occurred.

---

California Interagency Council on Homelessness

November 7, 2025

Grant Parks, State Auditor
California State Auditor
621 Capitol Mall, Suite 1200
Sacramento, CA 95814

RE: State High-Risk Audit Program Report 2025-601

Dear Mr. Parks:

Thank you for the opportunity to coordinate with the California State Auditor (CSA). We share the expectations of the Administration, Legislature, and State Auditor that homelessness investments must deliver measurable and meaningful improvements for Californians experiencing homelessness, and we take that responsibility seriously.

CSA states in the draft report that “During the 10-month period between January and October 2025, Cal-ICH has demonstrated limited progress towards completing the required planning and coordination necessary to make AB 799’s oversight reporting possible.”

① We respectfully disagree that only limited progress has been achieved. Cal ICH has undertaken significant foundational work over the past year to ensure AB 799 reporting can be implemented effectively and with technical accuracy. The implementation of AB 799 builds on the significant accomplishments already achieved through the implementation of AB 977. We offer the following clarifications:

Significant Outcome Data Progress Since April 2024

Since CSA issued its audit recommendations in April 2024, Cal ICH has:

• ② Designed and deployed standardized outcome reporting through the Homeless Data Integration System (HDIS) for all applicable state homelessness programs providing direct services.
• Publicly reported statewide California System Performance Measures (CA SPMs) tracking entries into homelessness, exits to permanent housing, and returns to homelessness — providing transparency previously unavailable.
  • CA Open Data Portal: https://data.ca.gov/organization/california-interagency-council-on-homelessness.

• Initiated data quality improvements and accountability tools, including internal dashboards to monitor state department compliance and performance.
  • AB 977 Homeless Program Data Reporting and Technical Assistance page: https://www.bcsh.ca.gov/calich/ab977.html

③ Cal ICH is already collecting and analyzing outcome data aligned with AB 799, and aggregate data summaries are provided back to administering departments under AB 977 requirements. FY 2025–26 outcome data collection is already underway, as required by statute. Cal ICH’s planned publication timeline aligns with the AB 799 mandate for public reporting beginning June 1, 2027, ensuring access to complete fiscal-year data.

④ CSA’s statement in the draft report omits this context and may inadvertently give the impression that outcome accountability work under AB 799 has not begun, which is inaccurate.

Fiscal Data Foundations Are in Place

Cal ICH acknowledges that AB 799 adds new fiscal accountability expectations. Although the full fiscal reporting system has not yet launched — due to staffing resources only being approved by the AB 799 BCP in recent weeks — Cal ICH has completed essential preparatory work, including:

• Identifying all state programs required to report fiscal data under AB 799
• Identifying amounts of state funding associated with each program
• Cataloging eligible uses and cost categories across programs

With staffing secured, Cal ICH is now developing a fiscal data approach that will:

• Define fiscal data elements to be collected across state programs
• Standardize reporting criteria and align fiscal data to outcome performance
• Avoid duplicative burden on departments and grantees

These activities represent active and timely compliance with legislative direction — not inaction.

Operational Improvements Already Realized

For the first time in California’s history, homelessness outcomes can be tracked across programs and systems through a standardized statewide reporting approach. Cal ICH has developed department-specific internal dashboards using HMIS data required under AB 977 — providing actionable insight that simply did not exist before. While these dashboards remain internal to ensure strict privacy protections, they are actively informing accountability discussions and data-driven decision-making.

⑤ The active progress on AB 977 is illustrated through the public dashboard Cal ICH created for HCD to monitor aggregate program outcomes: https://public.tableau.com/app/profile/california.business.consumer.services.and.housing.agency/viz/HHAPReport/Overview.

These are not future goals — they are operational improvements achieved today.

In closing, Cal ICH remains fully committed to transparency, accountability, and partnership with CSA to ensure California’s homelessness investments deliver measurable and meaningful results for the people we serve.

We appreciate CSA’s time, collaboration, and continued dedication to strengthening the State’s homelessness accountability framework. We welcome continued oversight and are confident that the progress ahead will demonstrate the value, integrity, and effectiveness of Cal ICH’s leadership and its accountability to the mission of preventing and ending homelessness for Californians.

Sincerely,

Meghan Marshall
Executive Officer
California Interagency Council on Homelessness

CC: Tomiquia Moss, Secretary, BCSH
Melinda Grant, Undersecretary, BCSH
Dhakshike Wickrema, Deputy Secretary of Homelessness, BCSH
Amy Manasero, Deputy Secretary for Fiscal Policy and Administration, BCSH
Nicole Hisatomi, Deputy Secretary for Legislation, BCSH

---

California State Auditor’s Comments on the Response From the California Interagency Council on Homelessness

To provide clarity and perspective, we are commenting on the response from Cal ICH. The numbers below correspond with the numbers we have placed in the margins of the response.

① Cal ICH disagrees with our report’s characterization of the limited progress made thus far. However, we stand by our assessment, which is informed by Cal ICH’s own AB 799 implementation plan—provided to us in October 2025—as well as our review of materials provided by Cal ICH and our discussions with Cal ICH. As we note in our report, only one deliverable from Cal ICH’s implementation plan is complete and efforts to finalize program performance outcomes and fiscal reporting processes are either underway or have yet to begin. The end of the 4th quarter of fiscal year 2025–26 is Cal ICH’s goal for finalizing performance outcome measures and creating a method for obtaining and reporting fiscal information pursuant to AB 799, which leaves only six months to meet this goal. As noted in our report, although we are not adding this issue to the state high-risk list at this time, we plan to continue monitoring Cal ICH to see whether its actual progress meets the planned targets outlined in its implementation plan.

② Cal ICH states that it has designed and deployed standardized outcome reporting through the Homeless Data Integration System (HDIS) for all applicable state homelessness programs providing direct services. While this response implies that Cal ICH has completed and finalized all performance outcomes for all applicable state homelessness programs, according to materials provided by Cal ICH during our assessment, it has not. However, Cal ICH acknowledged during our assessment that staff are in the process of refining their methodologies and coding to calculate the new AB 799 program‑specific measures.

③ Cal ICH’s response indicates it is already collecting and analyzing data aligned with AB 799. We asked Cal ICH what data was being collected, given that performance measures have yet to be finalized and program‑specific fiscal data cannot be collected due to technology limitations with HDIS. In response, Cal ICH clarified that it was finalizing program‑specific performance measures in parallel with collecting and sharing data that already exists within HDIS. Thus, we agree that Cal ICH is collecting some data, but we remain focused on the pace of progress towards implementing AB 799.

④ Our report provides the appropriate context for Cal ICH’s progress towards implementing AB 799, which is based, in part, on its own implementation plan and reported status.

⑤ Cal ICH’s response provides an example of its progress towards implementing AB 799 by sharing data for certain programs administered by HCD. Although we are encouraged by this reporting, our primary focus and concern is on evaluating whether Cal ICH can finalize the program‑specific outcome measures and fiscal reporting processes for all applicable homelessness programs over the next six months, as envisioned in its own implementation plan.

Footnotes

1. The USDA is the federal entity responsible for SNAP and determines states’ PERs using a multistep quality control process. First, each state agency reviews a select number of household case files. The USDA then conducts a second review of approximately half of the selected case files. When state agencies identify errors, they must make corrections to ensure each household gets exactly what it is eligible to receive. Lastly, the USDA analyzes the final data collected from states and uses the data to determine the national and state PERs. ↩︎
2. Amount based on the State Auditor’s calculations using California’s State Fiscal Year (SFY) 2024–25 Spending Plan. ↩︎
3. SFY 2024–25 spanned July 1, 2024, through June 30, 2025. ↩︎
4. The dollar amounts we discuss in this assessment are sourced from Finance’s data, unless otherwise noted. ↩︎
5. For example, the California State Auditor’s Office is part of the group of nonreporting entities. ↩︎
6. According to Water Resources, the delivery capacity may further decline as a result of aqueduct subsidence. ↩︎
7. Proposition 4 allocates funding to finance projects for safe drinking water and other climate resilience efforts. ↩︎
8. The Legislature appropriated roughly $37 billion in funding for housing and homelessness‑related programs between 2019 and 2025. ↩︎