State Auditor Recommends Risk Assessment for FI$Cal IT Controls

What to Know:
  • The audit outlines the need for a “comprehensive risk assessment” of the financial and security governance of the Financial Information System for California (FI$Cal).
  • In response to the audit, the department noted progress in improving its cybersecurity posture, governance processes and policies.

A recently published audit from the State Auditor’s Office identified financial and cybersecurity governance shortcomings within the Financial Information System for California (FI$Cal).

The department was one of several named in the Sept. 13 audit report focused on financial internal control and compliance issues from the previous fiscal year. Departments in the report included the Employment Development Department, State Controller's Office, Department of Health Care Services, and several others.

FI$Cal is the statewide financial system that manages budgeting, procurement and other accounting functions — functions that were previously spread across disparate independent legacy systems.

In its FI$Cal findings, the report noted that 15 of 46 control deficiencies with Plans of Action and Milestones (POAMs) were not remediated by the time of the audit.

“The deficiencies result in pervasive risks at the entity and system-level to automated controls and configurations of the FI$Cal system, which potentially impact the ability to rely on FI$Cal data used for financial reporting,” the audit reads. “Lack of IT general controls could compromise the reliability and integrity of financial data and increases the risk of misstatements in the financial reports.”

The audit recommended the following actions to correct the deficiencies:
  • Update the System Security Plan (SSP) to include all security controls associated with a system categorized as moderate risk.
  • Continue to update policies and procedures, which demonstrate management’s controls in place to monitor and prevent risk as designed within the SSP.
  • Generate a project plan for remediation and establish a control environment which reflects the strategic goals identified as part of the comprehensive risk assessment.
  • Incorporate a process to make consistent progress against open POAMs and to actively pursue remediation of findings, which incorporates post-implementation monitoring.
  • Coordinate and establish validation and verification of controls identified in the SSP.
  • Conduct information, communication and monitoring activities to promote awareness of updated processes.

In response to the findings, FI$Cal noted that it has “made consistent progress in closing the POAMs and improving our security posture,” adding that independent security assessments have been conducted by the California Department of Technology and the California Military Department.

“We are happy to report the department has made several improvements to governance processes, internal controls, policies, procedures and documentation review/update processes to address the findings and further improve our maturity in internal controls and compliance,” the response reads. “The department will continue to advance the maturity of our internal controls to fully meet the compliance requirements.”

Eyragon is the Managing Editor for Industry Insider — California. He previously served as the Daily News Editor for Government Technology. He lives in Sacramento, Calif.