California IT department ‘high-risk’ agency, auditor says

A biennial report released Thursday by California State Auditor Elaine Howle found that the California Department of Technology continues to be a “high-risk state agency.”

The statewide review, which studied everything from California’s outdated water infrastructure to its problematic financial reporting system, found that state agencies mismanaged $71 billion in federal COVID-19 relief funding as they rushed to respond to the health crisis. But also among the findings were two “high-risk” concerns with the technology bureau, as well as “weaknesses” in the state’s overall information security practices. Howle’s criticisms of the California Department of Technology revolve around its governance structures for large, complex IT projects, which have frequently spiraled past their initial budgets and timelines.

Howle’s office in January found that the department’s project approval lifecycle, or PAL, was not effective on “highly critical and complex” projects. Her office argues in the latest report that the department has still not proven that adequate work has been to prove its efficacy.

“[CDT’s cost analysis] does not include an assessment of project schedules or scopes, nor does it include any highly critical and complex projects,” the audit reads.

Howle also faulted the department for shortcomings in oversight of projects that use “adaptive approaches,” such as iterative or agile development, adding that California state agencies lack experience using such methodologies. Howle cited a replacement for the California Medicaid Management Information System and the FI$Cal accounting system as two major modernization projects currently using adaptive approaches that aren’t properly monitored.

(The latest audit also included a review of FI$Cal itself, noting that agencies using the system “struggle” to complete their required financial reports on time. Difficulties with the platform, which has cost the state more than $1 billion, caused 12 “large entities” to miss their reporting deadlines, risking a downgrade of California’s credit rating, the audit states.)

Howle wrote that the technology department is currently piloting oversight mechanisms for adaptive IT methodologies, but that it doesn’t plan to implement the process until 2024.

“Given that CDT is already overseeing projects that are using adaptive approaches but has not yet completed development of its reporting and monitoring process for these kinds of projects, CDT continues to be a high-risk state agency,” the audit reads.

And despite California’s technology officials frequently naming cybersecurity as a priority, the audit found that agencies “struggle” to improve their information security controls and that they’ve not made “adequate progress.”

“Reporting entities have self-reported weaknesses in their information security programs since at least 2018, rating themselves on average slightly below the federally recommended minimum level,” the audit reads. “Further, reporting entities have remained stagnant in their information security development, as the State’s average scores remained nearly unchanged between 2018 and 2020.”

Of 31 state entities reviewed, the auditor said only four reported full compliance with their chosen information security framework and standards. Three entities, Howle wrote, have not adopted any framework or standard.

“Consequently, because weaknesses persist in information security controls across all types of state entities, information security remains a high-risk statewide issue,” the audit reads.

In an email to StateScoop, Amy Norris, a CDT spokesperson, said the department “takes seriously the findings” in the audit and pointed to its recent work in bolstering the state’s cybersecurity, including a 40% reduction in “the average number of high-risk vulnerabilities in key critical systems.”

“We agree we must keep cyber security and information security oversight as a high-risk issue and focus on encouraging continued progress through objective measures in the oversight program. We also agree effective oversight is crucial for the success of California’s information technology projects,” Norris wrote.

She also pointed to the state’s work during the pandemic to turn around IT projects quickly, citing projects such as CA Notify, myCAvax, MyTurn, CalCONNECT, CalWorkshare and the COVID Reporting System.