Responses to the Audit
JUDICIAL COUNCIL OF CALIFORNIA
November 19, 2015
Ms. Elaine M. Howle
California State Auditor
621 Capitol Mall, Suite 1200
Sacramento, California 95814
Re: Judicial Branch Procurement—Judicial Council of California, Audit 2015-302
Dear Ms. Howle:
As the Administrative Director for the Judicial Council of California, I received your report on the above referenced audit and the associated cover letter. This is the second audit performed of the procurement practices of the Judicial Council of California as required by the California Public Contract Code section 19210 to assess the implementation of the Judicial Branch Contract Law (Public Contract Code, §§ 19201-19210).
The report contains two recommendations and identifies no new issues concerning procurement documentation, internal controls, and payments. This represents progress from the last audit in 2013. With the continued training on the Judicial Branch Contracting Manual that is planned in the next few months and on an on-going basis, we hope to have resolved or fully implemented all recommendations relating to procurement policies and practices from the prior audit.
We note your recognition that the judicial branch has made some progress since the last audit in addressing information security controls. As the information security landscape is continually evolving, so too will information security controls evolve to address the new technology advancements. While the Judicial Council’s policy and procedure structure for information security controls is in place, implementation of comprehensive information security controls is an on-going process for achieving and then maintaining substantive compliance.
As your report properly indicates, the judicial branch still needs to continue to enhance and build upon the policies and procedures previously approved and currently being implemented. Information security controls is an area where the public and private sectors are racing to improve – and we are no exception. With limited resources, public sector entities are constrained in the ability to fully address all information security requirements. Years of severe budget cuts exacerbate this situation for the judicial branch so that any redirection of its funding and limited resources within the branch, and especially within the Judicial Council, can have an impact on access to justice. The audit report helps to illuminate this issue and we hope it will aid us in our advocacy for improvements that may require resources. The Judicial Council has an action plan in place to implement all of the policies and procedures and it will be updated by February 29, 2016.
Again, thank you for your team’s work on the audit and the opportunity to respond to it on behalf of the Judicial Council. Enclosed is our response to your recommendations.
cc: Jody Patel, Chief of Staff, Judicial Council of California
Curt Soderlund, Chief Administrative Officer, Judicial Council of California
Millicent Tidwell, Chief Operating Officer, Judicial Council of California
Judicial Branch Procurement—Judicial Council of California, Audit 2015-302
The Judicial Council should update its judicial contracting manual to include the required minimum fuel economy standard for the judicial branch’s vehicle purchases.
In the next revision of the Judicial Branch Contracting Manual (JBCM), currently scheduled to be effective July 1, 2016, it is our intention to include in the appropriate section of the JBCM the following paragraph:
Under Public Resources Code (PRC) 25722.7, fleet vehicle purchases by JBEs must meet minimum fuel economy standards. Under PRC 25722.7(a) and (b), the fleet vehicle purchases must meet the fuel economy standard in Section 3620.1 of the State Administrative Manual (SAM), which sets forth a minimum miles per gallon standard for the combined annual purchases of vehicles by each JBE. Please refer to PRC 25722.7 and SAM 3620.1 for further information.
As discussed with you, this revision and others that may be made are subject to review and approval by the JBCM Working Group, the Advisory Committee on Financial Accountability and Efficiency for the Judicial Branch, and the Judicial Council.
The Judicial Council should develop a corrective action plan by February 29, 2016, to address the recommendation from our December 2013 report related to the controls over its information systems. The corrective action plan should include Judicial Council’s prioritization of tasks, resources, primary and alternative funding sources, milestones for all of the actions required to fully implement its framework of information systems controls by June 2016. Further, the Judicial Council should continue to provide guidance and routinely follow up with the superior courts to assist with their effort to make the necessary improvements to their information systems controls.
The following paragraph is also referenced in our rebuttal point number 1.
In 2014 the Judicial Council approved an Information Systems Controls Framework that was mapped to security policy standards of the National Institute of Standards and Technology (NIST). In 2014 a plan was created to implement this new framework, and work was started on implementation of the supporting policies and procedures. It is important to understand, however, that several key areas, such as data classification, contingency planning, and the establishment of a formalized information security program, may not be fully addressed until funding that has again been requested in a budget change proposal has been obtained. Even if the budget change proposal is approved, the funding would not be received until fiscal year 2016–2017, and without receipt of those funds our full implementation of the plan cannot be accelerated from the current plan’s estimated completion date of 2018. The June 2016 date contained in the recommendation for full implementation of the framework of information system controls would seem to be unrealistic regardless of whether the requested funding is received.
Similarly, without additional funding for this effort for most if not all of the 58 trial courts, full implementation of an information security plan will not occur in the expected timeframe proposed in the recommendation. Judicial Council staff continue to work with court technology officers on the framework to establish a standard security approach within the judicial branch. As you can appreciate, the branch has trial courts ranging from very small (less than 20 staff) to large and extra large. Court expertise, needs, and resources concerning information security controls range in the same manner. This requires a unique plan for each trial court.
The Judicial Council’s corrective action plan will be developed by February 29, 2016 and will address the specific items included in the recommendation. Some of the items will be discussed in general, such as funding sources, as there are other priorities and dependencies that may not be resolved at that time and may require further investigation and analysis.
The Judicial Council’s staff has and will continue to provide guidance and routinely follow up with the superior courts to discuss the necessary improvements to their information system controls.
California State Auditor’s Comment on the Response From the Judicial Council of California
To provide clarity and perspective, we are commenting on the response to our audit report from the Judicial Council of California (Judicial Council). The number below corresponds to the number we placed in the margin of the Judicial Council’s response.
We question the lack of urgency with which the Judicial Council is approaching this problem. The Judicial Council has continued to expose its confidential or sensitive information to compromise for nearly two years since we first reported on the pervasive weaknesses in its information system controls, and it estimates that, without additional funding, it will not fully implement its framework of information system controls for at least another two years. By recommending that the Judicial Council implement its framework of information system controls by June 2016, we are essentially rejecting the notion that timely completion of these critical activities be contingent on receiving additional funding. Rather, the goal date we established is based on what we would consider to be a reasonable response time to resolve this problem.