Report 2014-120 Recommendation 11 Responses

Report 2014-120: California Public Utilities Commission: It Needs to Improve the Quality of Its Consumer Complaint Data and the Controls Over Its Information Systems (Release Date: April 2015)

Recommendation #11 To: Public Utilities Commission

The commission should ensure that it complies with all policy requirements in SAM Chapter 5300 no later than April 2016.

Annual Follow-Up Agency Response From November 2017

For the updated information as of 11/07/17, please see the attached document:

- 0 Non-compliant
- 17 Partially compliant
- 31 Mostly Compliant
- 17 Fully Compliant

  • Estimated Completion Date: 6/30/2020

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented


Annual Follow-Up Agency Response From October 2016

The Commission continues to work on completion of policy requirements in SAM Chapter 5300. The Commission has been given positions and plans on hiring employees to assist with the development of policies.

  • Estimated Completion Date: 12/30/2018

California State Auditor's Assessment of Annual Follow-Up Status: Not Fully Implemented


1-Year Agency Response

CPUC has hired consultants to assist with ensuring compliance of all requirements as stated in SAM Chapter 5300. CPUC has managed to prepare the Information Asset Report and the Information Security Assessment. The Risk Management Plan is due to be complete by April 15th and the Business Continuity Plan is expected on April 30.

  • Estimated Completion Date: 5/2016
  • Response Date: April 2016

California State Auditor's Assessment of 1-Year Status: Partially Implemented

When we followed up with the commission to verify its compliance status, we expected, at a minimum, that it would have achieved full compliance with nearly all of SAM Chapter 5300 (security standards). However, we found that the commission significantly overstated its progress toward addressing our recommendation. Although it submitted copies of various information security documents for our review, it was substantially out of compliance with the majority of the security standards. When we questioned the commission about the disconnect between its asserted level of compliance and its actual level of compliance, it explained that it did not fully understand the depth of security standards when it provided the April 2016 status update. However, the commission explained that as a result of our follow-up work, it now believes it has a much clearer understanding of the requirements. The commission also cited limited staff resources as a barrier to its ability to achieve full compliance with security standards. According to the commission, it recently received authorization to hire two more individuals to its information security team. As of August 2016, the commission asserted it was actively trying to fill these two positions. Nonetheless, the commission estimates that it will not achieve full compliance with security standards until December 2019.


6-Month Agency Response

As described in response to items 12, 13, and 14, steps are underway at the CPUC to implement changes to address the issues identified by CSA. Once these steps are implemented, the CPUC will fully be able to comply with item #11.

  • Estimated Completion Date: Ongoing implementation.
  • Response Date: October 2015

California State Auditor's Assessment of 6-Month Status: Pending


60-Day Agency Response

As described in response to items 12, 13, and 14, steps are underway at the CPUC to implement changes to address the issues identified by CSA. Once these steps are implemented, the CPUC will fully be able to comply with item #11.

  • Estimated Completion Date: April 2016
  • Response Date: July 2015

California State Auditor's Assessment of 60-Day Status: Pending



Agency responses received are posted verbatim.

