Report 2014-120 All Recommendation Responses

Report 2014-120: California Public Utilities Commission: It Needs to Improve the Quality of Its Consumer Complaint Data and the Controls Over Its Information Systems (Release Date: April 2015)

Recommendation for Legislative Action

To ensure that the commission has the information it needs to better report on VoIP-related complaints, the Legislature should give the commission the authority to collect information from providers regarding their VoIP customers and require VoIP providers to furnish this information to the commission.

Description of Legislative Action

Legislation has not been introduced to address this recommendation.

  • Legislative Action Current As-of: January 2016

California State Auditor's Assessment of Status: No Action Taken


Recommendation #2 To: Public Utilities Commission

To ensure that policy makers, enforcement officials, and the general public have access to accurate consumer complaint data in CIMS, the branch should update and provide further training to its staff on properly classifying complaints by September 30, 2015.

Agency Response*

Revised all training materials related to coding and classification of complaints. Provided training for all branch staff using revised materials including guides on: general coding, non-jurisdictional coding and VoIP coding.

  • Response Type†: 6-Month
  • Completion Date: October 2015
  • Response Date: October 2015

California State Auditor's Assessment of Status: Fully Implemented


Agency Response*

Branch is in process of reviewing and refreshing all training materials related to coding and classification of complaints.

  • Response Type†: 60-Day
  • Estimated Completion Date: September 30, 2015
  • Response Date: June 2015

California State Auditor's Assessment of Status: Pending


Recommendation #3 To: Public Utilities Commission

To ensure that policy makers, enforcement officials, and the general public have access to accurate consumer complaint data in CIMS, the branch should continue to implement its quality management team program component focused on reviewing the categorization of complaints and correcting identified errors.

Agency Response*

The Branch's Quality Management Team (QMT) program is on-going. As outlined in the response to Recommendation #4, the QMT team's expertise was utilized in 2017 to staff an ongoing project to automate portions of the quality assurance functions within the Consumer Information Management System (CIMS) database. The Branch was not successful in securing approval for personnel classifications better able to perform the higher level analysis necessary to ensure quality management.

  • Response Type†: Annual Follow Up
  • Estimated Completion Date: 6/30/2018
  • Response Date: November 2017

California State Auditor's Assessment of Status: Pending


Agency Response*

The Branch's Quality Management Team (QMT) program is on-going. As outlined in CPUC's response to Audit Recommendation #4, CAB's multi-year QMT plan has been updated to reflect progress on improvements to the quality assurance processes as well as automation of those processes. A further component of the QMT plan is to pursue resources and approval for personnel classifications better able to perform the higher level analysis necessary to ensure quality management. The appropriate personnel classification for performing such work is a Public Utilities Regulatory Analyst ranging from level 1 to level 3 depending on the complexity of specific case assignments.

  • Response Type†: Annual Follow Up
  • Estimated Completion Date: 1/1/2018
  • Response Date: October 2016

California State Auditor's Assessment of Status: Not Fully Implemented


Agency Response*

The Branch's quality management team program has established an on-going program. This program was outlined in CPUC's response to Audit Recommendation #4; a multi-year plan is being developed to improve quality assurance processes and increase automation of those processes.

  • Response Type†: 1-Year
  • Completion Date: April 2016
  • Response Date: April 2016

California State Auditor's Assessment of Status: Pending

CPUC staff indicate that its Quality Management Team project plan will be complete in September 2016.

  • Auditee did not substantiate its claim of full implementation

Agency Response*

Branch has enhanced its technological capability with regard to reviewing case attributes in the quality management team (QMT) process. Specifically, branch has enhanced the data query tools in CIMS to allow for systematic retrieval and review of all attribute coding associated with any case record.

  • Response Type†: 6-Month
  • Estimated Completion Date: Ongoing implementation.
  • Response Date: October 2015

California State Auditor's Assessment of Status: Pending


Agency Response*

Branch is continuing ongoing efforts to make its quality management team more effective in ensuring that coding errors are identified and addressed.

  • Response Type†: 60-Day
  • Estimated Completion Date: Ongoing
  • Response Date: June 2015

California State Auditor's Assessment of Status: Pending


Recommendation #4 To: Public Utilities Commission

To ensure that policy makers, enforcement officials, and the general public have access to accurate consumer complaint data in CIMS, the branch should develop and implement tools by September 30, 2015, to measure the quality management team program's effectiveness.

Agency Response*

In 2017, the Branch has secured resources to automate and improve parts of the quality management processes within the CIMS database. Resources include the CPUC's IT Applications Programming and Project Management units as well as a vendor specializing in business analysis. The project was chartered on 11/09/2016 by the CPUC as the "Consumer Information Management System - Audit Response Mitigation for Quality Assurance". The project was approved by the California Department of Technology in a Stage 1 Business Analysis on 01/23/2017. (Public Utilities Commission (8660): 8660-082 CIMS Audit Response Mitigation for Quality Assurance) The project requirements and design phases were approved on 03/17/2017 and 07/05/2017, respectively. The applications development was initiated on 08/14/2017. It is estimated that the project will complete and the automation be in place in mid-2018.

  • Response Type†: Annual Follow Up
  • Estimated Completion Date: 6/30/2018
  • Response Date: November 2017

California State Auditor's Assessment of Status: Pending


Agency Response*

The Branch has updated its plan to measure and improve the effectiveness of its quality management team (see attached "CAB Quality Management Team Enhancement Plan"). As described in the plan, the Branch has completed the quality management process analysis described as Phase I. In Phase II, the Branch has begun to analyze baseline measures of its processes. That analysis has been completed for 2013-14 and 2014-15; it is anticipated that the analysis for 2015-16 will be completed in late 2016. Moreover, the Branch is actively pursuing a project to automate and improve parts of the quality management processes (Phases III and IV). As noted in the prior audit status responses, these process improvements will require resources from outside of the Branch, including support from the CPUC's IT unit and the database vendor, as well as additional staffing resources for CAB to ensure optimal quality management. To that end, the Branch's project request to build a database module to automate quality management processes was updated and approved in August 2016. The Branch began work in September 2016 securing funding to use a vendor to create a business analysis for the project. As of September 28, 2016, the Branch received budget approval to move forward with the project. It is anticipated that the project will begin in November 2016, with an estimated duration of six to nine months.

  • Response Type†: Annual Follow Up
  • Estimated Completion Date: 12/30/2016
  • Response Date: October 2016

California State Auditor's Assessment of Status: Not Fully Implemented


Agency Response*

The Branch has created a draft plan to measure and improve the effectiveness of its quality management team. As part of the draft plan, the Branch has begun to analyze baseline measures of its process. The Branch continues to research the feasibility of automating parts of the quality management processes and continues to research the ability of its database to create multiple alerts to enable case progress to be better measured. Preliminary findings are that the process improvements will require resources from outside of the Branch, including support from CPUC IT and the database vendor.

  • Response Type†: 1-Year
  • Estimated Completion Date: 4/9/2017
  • Response Date: April 2016

California State Auditor's Assessment of Status: Pending


Agency Response*

Branch has analyzed current QMT processes and is researching the feasibility of automating parts of the processes. Preliminary findings are that process improvements will require resources from outside of the branch, including support from CPUC IT and the CIMS database vendor. Current estimates are that IT resources will not be available until early to mid-2016.

  • Response Type†: 6-Month
  • Estimated Completion Date: Late 2016.
  • Response Date: October 2015

California State Auditor's Assessment of Status: Pending


Agency Response*

Branch is working with IT to expand its measurement capabilities in CIMS to assist in quality management team efforts.

  • Response Type†: 60-Day
  • Estimated Completion Date: September 30, 2015
  • Response Date: June 2015

California State Auditor's Assessment of Status: Pending


Recommendation #5 To: Public Utilities Commission

To ensure that policy makers, enforcement officials, and the general public have access to accurate consumer complaint data in CIMS, the branch should update by June 30, 2015, its guidance for categorizing complaints to better integrate with the BRM. For example, the guidance should specify that nonjurisdictional complaints should be classified as such.

Agency Response*

With assistance of CPUC Legal Division, branch revised the Non-Jurisdictional Job Aid and consumer assistance letters. Branch also revised the BRM coding guides and integrated into training materials. Branch delivered training to all staff, using revised materials, on the following: general coding, non-jurisdictional coding, and VoIP coding.

  • Response Type†: 6-Month
  • Completion Date: October 2015
  • Response Date: October 2015

California State Auditor's Assessment of Status: Fully Implemented


Agency Response*

Branch has initiated review of the Non-Jurisdictional Job Aid including engaging the Legal Division for guidance. Guidance will be updated by June 30, 2015. Guidance will be integrated into general coding training on or before September 30, 2015.

  • Response Type†: 60-Day
  • Estimated Completion Date: June 30, 2015
  • Response Date: June 2015

California State Auditor's Assessment of Status: Pending


Recommendation #6 To: Public Utilities Commission

To ensure that policy makers, enforcement officials, and the general public have access to more complete and meaningful consumer complaints data in CIMS, the branch should, to the fullest extent possible, include the attributes of each complaint in the data it records in CIMS.

Agency Response*

The Branch is providing a sample data set for the period August 1, 2016 to September 16, 2016 of written telecommunications complaints. This data includes attributes associated with each complaint in CIMS in compliance with Recommendation #6 for the Branch to include attributes, to the fullest extent possible, in each case record. For each case the following information is provided:

- CIMS case number

- Date case was received

- Category

- Primary Subcategory

- Associated Attributes

- Comments

  • Response Type†: Annual Follow Up
  • Completion Date: September 2016
  • Response Date: October 2016

California State Auditor's Assessment of Status: Fully Implemented

Data provided by CPUC shows a substantial decrease in the percentage of complaints coded without any attribute data, from immediately after it provided training to its staff in late 2015 to late 2016.


Agency Response*

The Branch provided case statistical data to the CA State Auditor on November 19, 2015, and met via phone conference on January 8, 2016, to discuss the recommendation and data that the Branch provided. The Branch has utilized attributes to the fullest extent possible, where appropriate, in complaint case coding. In certain of the Branch's processes, including LifeLine Appeals, attributes do not provide additional benefit in case processing or provide additional information to policy makers, enforcement officials and the general public. The Branch continues to work with relevant stakeholders to ensure the data collected under the current coding scheme is relevant and useful.

  • Response Type†: 1-Year
  • Completion Date: November 2015
  • Response Date: April 2016

California State Auditor's Assessment of Status: Pending

The complaint data that the commission provided in November 2015 does not show an appreciable difference in the percentage of complaints that include attribute data that it coded before the September 2015 training when compared to complaints coded after the training. We will reassess at the next annual review.

  • Auditee did not substantiate its claim of full implementation

Agency Response*

Branch delivered training to all staff, using revised materials, on the following: general coding, non-jurisdictional coding, and VoIP coding. All training modules now contain specific guidance for using attributes and comments.

Branch enhanced its technological capability with regard to coding case attributes and accompanying QMT processes. Specifically, branch has created enhanced data query tools in CIMS to allow for systematic retrieval and review of all attribute coding associated with any case record.

  • Response Type†: 6-Month
  • Completion Date: October 2015
  • Response Date: October 2015

California State Auditor's Assessment of Status: Pending

Our assessment of complaints received by the commission after its September 2015 training revealed that the data do not yet support that the commission is including the attributes of each complaint in the data it records in CIMS. We will reassess in April 2016 at the one-year review.


Agency Response*

Branch is reviewing and refreshing all training materials and Job Aids to reinforce the use of attributes where applicable. Training materials are on schedule to be delivered with general coding training on or before September 30, 2015.

  • Response Type†: 60-Day
  • Estimated Completion Date: September 30, 2015
  • Response Date: June 2015

California State Auditor's Assessment of Status: Pending


Recommendation #7 To: Public Utilities Commission

To ensure that branch staff provide the appropriate assistance to consumers with VoIP-related complaints, the branch should, by September 30, 2015, further train its staff on the requirements of the VoIP job aid and on providing correspondence to complainants as its guidelines require.

Agency Response*

With assistance of CPUC Legal Division, branch revised the VoIP Job Aid and consumer letters. Branch also created a "quick resource guide" that presents a graphic overview of VoIP processes for staff to refer to for coding and processing assistance. Branch delivered training to all branch staff, using revised materials, on VoIP coding including enhanced use of attributes and comments.

  • Response Type†: 6-Month
  • Completion Date: October 2015
  • Response Date: October 2015

California State Auditor's Assessment of Status: Fully Implemented


Agency Response*

Branch met with the Communications Division to request their assistance in better identifying VoIP providers. Branch met with the Legal Division for assistance with correspondence to be used for VoIP. Further staff training on the requirements of the VoIP job aid is on schedule to be delivered in parallel with general coding training on or before September 30, 2015.

  • Response Type†: 60-Day
  • Estimated Completion Date: September 30, 2015
  • Response Date: June 2015

California State Auditor's Assessment of Status: Pending


Recommendation #8 To: Public Utilities Commission

To ensure that consumers have access to complaint data that will enhance their ability to make informed choices about their telecommunication services, the branch should, by June 30, 2015, create an updated plan that specifies the types of data the branch intends to post online and a timeline for fully implementing that plan.

Agency Response*

Branch updated plan, with appropriate approvals, for data posting online and with a revised schedule.

  • Response Type†: 6-Month
  • Completion Date: July 2015
  • Response Date: October 2015

California State Auditor's Assessment of Status: Fully Implemented


Agency Response*

Branch is in the process of updating data posting plan. Plan is on schedule to be completed with appropriate approvals on or before June 30, 2015.

  • Response Type†: 60-Day
  • Estimated Completion Date: June 30, 2015
  • Response Date: June 2015

California State Auditor's Assessment of Status: Pending


Recommendation #9 To: Public Utilities Commission

To ensure that it can assess the value to the public of the complaint data it presents on its website, the branch should create a process for those who view its complaint data to provide feedback to the branch including, if necessary, modifying the survey that it uses to collect feedback on LEP data.

Agency Response*

The Branch worked with the CPUC's web team to establish a link to an expanded survey for feedback for all of the Branch's data including limited-English proficiency data. The link can be found by going to the CPUC homepage http://www.cpuc.ca.gov/default.aspx and scrolling down to section labeled, "How Do I.." and clicking on "Find Consumer Contacts Statistics". On the CAB Consumer Statistics page, in the fourth paragraph, select "Data Feedback Survey" to complete the form. Information from the survey is automatically emailed to the Branch.

  • Response Type†: 1-Year
  • Completion Date: April 2016
  • Response Date: April 2016

California State Auditor's Assessment of Status: Fully Implemented


Agency Response*

CPUC website redesign work is in progress with a projected go-live date before the end of 2015. Feedback solutions are being explored with CPUC web team for all branch data including LEP.

  • Response Type†: 6-Month
  • Estimated Completion Date: Ongoing implementation.
  • Response Date: October 2015

California State Auditor's Assessment of Status: Pending


Agency Response*

Branch has engaged in the CPUC website redesign project and has met with the Executive Division, IT and IT's contractor. Branch is part of the team tasked with updating the CPUC's Consumer Information Center on the website. As part of this effort, Branch is exploring use of social media with web design team as a means for gathering feedback.

  • Response Type†: 60-Day
  • Estimated Completion Date: Contingent on CPUC Webpage Upgrade
  • Response Date: June 2015

California State Auditor's Assessment of Status: Pending


Recommendation #10 To: Public Utilities Commission

To ensure that the public can easily locate customer complaint data the branch publishes on its website, the commission should make navigating to its customer complaint data more intuitive and direct.

Agency Response*

CPUC Website design was completed and the new webpages went live on January 11, 2016. Navigation to consumer complaint data can now be completed in one click. All of the Branch's data including consumer contact data regarding complaints and inquiries, limited-English-proficiency contacts data and LifeLine data is consolidated in one webpage at http://cpuc.ca.gov/General.aspx?id=5400. On the CPUC homepage http://cpuc.ca.gov/default.aspx scroll down to the section labeled, "How Do I..." and click on "Find Consumer Contacts Statistics".

  • Response Type†: 1-Year
  • Completion Date: January 2016
  • Response Date: April 2016

California State Auditor's Assessment of Status: Fully Implemented


Agency Response*

CPUC website redesign work is in progress with go-live date before the end of 2015. Navigation solutions are being explored with CPUC web team including designing links to CAB data to enhance the ability to locate the data with one "click" from the homepage.

  • Response Type†: 6-Month
  • Estimated Completion Date: Ongoing implementation.
  • Response Date: October 2015

California State Auditor's Assessment of Status: Pending


Agency Response*

Branch has engaged in the CPUC website redesign project and has met with the Executive Division, IT and IT's contractor. Branch is part of the team tasked with updating the CPUC's Consumer Information Center on the website. As part of this effort, Branch is exploring navigation to its data with the web design team.

  • Response Type†: 60-Day
  • Estimated Completion Date: Contingent Upon Completion of CPUC Webpage Upgrade
  • Response Date: June 2015

California State Auditor's Assessment of Status: Pending


Recommendation #11 To: Public Utilities Commission

The commission should ensure that it complies with all policy requirements in SAM Chapter 5300 no later than April 2016.

Agency Response*

The updated information as of 11/07/17, please see attached document

- 0 Non-compliant

- 17 Partially compliant

- 31 Mostly Compliant

- 17 Fully Compliant

  • Response Type†: Annual Follow Up
  • Estimated Completion Date: 6/30/2020
  • Response Date: November 2017

California State Auditor's Assessment of Status: Partially Implemented


Agency Response*

The Commission continues to work on completion of policy requirements in SAM Chapter 5300. The Commission has been given positions and plans on hiring employees to assist with the development of policies.

  • Response Type†: Annual Follow Up
  • Estimated Completion Date: 12/30/2018
  • Response Date: October 2016

California State Auditor's Assessment of Status: Not Fully Implemented


Agency Response*

CPUC has hired consultants to assist with ensuring compliance of all requirements as stated in SAM Chapter 5300. CPUC has managed to prepare the Information Asset Report and the Information Security Assessment. The Risk Management Plan is due to be complete by April 15th and the Business Continuity Plan is expected on April 30

  • Response Type†: 1-Year
  • Estimated Completion Date: 5/2016
  • Response Date: April 2016

California State Auditor's Assessment of Status: Partially Implemented

When we followed up with the commission to verify its compliance status, we expected, at a minimum, that it would have achieved full compliance with nearly all of SAM Chapter 5300 (security standards). However, we found that the commission significantly overstated its progress toward addressing our recommendation. Although it submitted copies of various information security documents for our review, it was substantially out of compliance with the majority of the security standards. When we questioned the commission about the disconnect between its asserted level of compliance and its actual level of compliance, it explained that it did not fully understand the depth of security standards when it provided the April 2016 status update. However, the commission explained that as a result of our follow up work, it now believes it has a much more clear understanding of the requirements. The commission also cited limited staff resources as a barrier to its ability to achieve full compliance with security standards. According to the commission, it recently received authorization to hire two more individuals to its information security team. As of August 2016, the commission asserted it was actively trying to fill these two positions. Nonetheless, the commission estimates that it will not achieve full compliance with security standards until December 2019.


Agency Response*

As described in response to items 12, 13, and 14, steps are underway at the CPUC to implement changes to address the issues identified by CSA. Once these steps are implemented, the CPUC will fully be able to comply with item #11.

  • Response Type†: 6-Month
  • Estimated Completion Date: Ongoing implementation.
  • Response Date: October 2015

California State Auditor's Assessment of Status: Pending


Agency Response*

As described in response to items 12, 13, and 14, steps are underway at the CPUC to implement changes to address the issues identified by CSA. Once these steps are implemented, the CPUC will fully be able to comply with item #11.

  • Response Type†: 60-Day
  • Estimated Completion Date: April 2016
  • Response Date: July 2015

California State Auditor's Assessment of Status: Pending


Recommendation #12 To: Public Utilities Commission

As part of developing, implementing, and maintaining an entitywide information security program, the commission should complete and maintain inventory of all its information assets, specifically categorizing the level of required security of the information assets based on the potential impact that a loss of confidentiality, integrity, or availability of such information would have on its operations and assets.

Agency Response*

Inventory of information assets and classification attached. CPUC is in the process of deploying a Data Loss Prevention solution that will allow CPUC to protect data at rest and in motion.

  • Response Type†: Annual Follow Up
  • Estimated Completion Date: 6/30/2018
  • Response Date: November 2017

California State Auditor's Assessment of Status: Partially Implemented


Agency Response*

The Commission has performed a partial inventory on information assets and plans on fulfilling this requirement with the addition of staff.

  • Response Type†: Annual Follow Up
  • Estimated Completion Date: 12/30/2018
  • Response Date: October 2016

California State Auditor's Assessment of Status: Not Fully Implemented


Agency Response*

CPUC's consultants have completed their entity-wide Information Asset Report.

  • Response Type†: 1-Year
  • Completion Date: April 2016
  • Response Date: April 2016

California State Auditor's Assessment of Status: Partially Implemented

The commission explained that as a result of our follow up work, it reevaluated its progress and now believes it has not fully implemented this recommendation. The commission estimates that it will not achieve full compliance with SAM Chapter 5300 until December 2019.

  • Auditee did not substantiate its claim of full implementation
  • Auditee did not address all aspects of the recommendation

Agency Response*

CPUC has external resources working with CPUC staff and is in the process of developing an Information Security document along with an inventory for information assets.

  • Response Type†: 6-Month
  • Estimated Completion Date: April 30, 2016
  • Response Date: November 2015

California State Auditor's Assessment of Status: Pending


Agency Response*

Plan to allocate resources to complete these tasks during this year.

  • Response Type†: 60-Day
  • Estimated Completion Date: April 2016
  • Response Date: June 2015

California State Auditor's Assessment of Status: Pending


Recommendation #13 To: Public Utilities Commission

As part of developing, implementing, and maintaining an entitywide information security program, the commission should develop a risk management and privacy plan and conduct an assessment of risks facing its information assets.

Agency Response*

CPUC will be undergoing an information security risk assessment in Nov/Dec 2017 conducted by the CA Military Dept. Establishing/implementing a formal risk Mgmt program/process is planned for the near future (estimated for 2018).

  • Response Type†: Annual Follow Up
  • Estimated Completion Date: 6/30/2018
  • Response Date: November 2017

California State Auditor's Assessment of Status: Partially Implemented


Agency Response*

The Commission continues to work to develop an entity wide risk assessment plan and privacy plan with the addition of staff.

  • Response Type†: Annual Follow Up
  • Estimated Completion Date: 12/30/2018
  • Response Date: October 2016

California State Auditor's Assessment of Status: Not Fully Implemented


Agency Response*

CPUC consultants have been assisting with the risk management plan and it is on track to be finalized by April 15, 2016.

  • Response Type†: 1-Year
  • Estimated Completion Date: 4/15/2016
  • Response Date: April 2016

California State Auditor's Assessment of Status: Partially Implemented

The commission explained that as a result of our follow up work, it reevaluated its progress and now believes it has not fully implemented this recommendation. The commission estimates that it will not achieve full compliance with SAM Chapter 5300 until December 2019.


Agency Response*

CPUC has awarded a contract to a vendor and the consultants are working with CPUC staff.

  • Response Type†: 6-Month
  • Estimated Completion Date: Ongoing implementation.
  • Response Date: October 2015

California State Auditor's Assessment of Status: Pending


Agency Response*

RFO released to conduct security assessment, attended privacy training.

  • Response Type†: 60-Day
  • Estimated Completion Date: April 2016
  • Response Date: June 2015

California State Auditor's Assessment of Status: Pending


Recommendation #14 To: Public Utilities Commission

As part of developing, implementing, and maintaining an entitywide information security program, the commission should develop, implement, and maintain an information security plan as part of its entitywide information security program.

Agency Response*

In progress. CPUC has developed a master written Information Security Policy along with 20 sub-policies addressing specific areas as recommended by NIST and CDT; please see attached documents.

  • Response Type†: Annual Follow Up
  • Estimated Completion Date: 6/30/2018
  • Response Date: November 2017

California State Auditor's Assessment of Status: Partially Implemented


Agency Response*

The Commission continues to work to implement an information security program with the addition of staff.

  • Response Type†: Annual Follow Up
  • Estimated Completion Date: 12/30/2018
  • Response Date: October 2016

California State Auditor's Assessment of Status: Not Fully Implemented


Agency Response*

CPUC has completed the Information Security Assessment and has performed a vulnerability scan and penetration testing to determine areas of risk. Remediation from these scans and the assessment is on-going.

  • Response Type†: 1-Year
  • Completion Date: April 2016
  • Response Date: April 2016

California State Auditor's Assessment of Status: Partially Implemented

The commission explained that as a result of our follow up work, it reevaluated its progress and now believes it has not fully implemented this recommendation. The commission estimates that it will not achieve full compliance with SAM Chapter 5300 until December 2019.

  • Auditee did not substantiate its claim of full implementation
  • Auditee did not address all aspects of the recommendation

Agency Response*

Security plan development is in progress.

  • Response Type†: 6-Month
  • Estimated Completion Date: Ongoing implementation.
  • Response Date: October 2015

California State Auditor's Assessment of Status: Pending


Agency Response*

Security plan development is in progress.

  • Response Type†: 60-Day
  • Estimated Completion Date: April 2016
  • Response Date: June 2015

California State Auditor's Assessment of Status: Pending


Recommendation #15 To: Public Utilities Commission

The commission should develop, disseminate, and maintain an incident response plan.

Agency Response*

The Commission has developed a draft incident plan but continues to work towards a final version.

  • Response Type†: Annual Follow Up
  • Estimated Completion Date: 1/1/2018
  • Response Date: October 2016

California State Auditor's Assessment of Status: Not Fully Implemented


Agency Response*

CPUC has finalized the Incident Response Plan.

  • Response Type†: 1-Year
  • Completion Date: April 2016
  • Response Date: April 2016

California State Auditor's Assessment of Status: Partially Implemented

The commission explained that as a result of our follow up work, it reevaluated its progress and now believes it has not fully implemented this recommendation. The commission estimates that it will not achieve full compliance with SAM Chapter 5300 until December 2019.

  • Auditee did not substantiate its claim of full implementation
  • Auditee did not address all aspects of the recommendation

Agency Response*

Incident response plan development in progress, initial document draft completed and is being reviewed.

  • Response Type†: 6-Month
  • Estimated Completion Date: Ongoing implementation.
  • Response Date: October 2015

California State Auditor's Assessment of Status: Pending


Agency Response*

Incident response plan development in progress.

  • Response Type†: 60-Day
  • Estimated Completion Date: April 2016
  • Response Date: June 2015

California State Auditor's Assessment of Status: Pending


Recommendation #16 To: Public Utilities Commission

The commission should revise its existing recovery plan to include a list of applications supporting critical business functions, their maximum acceptable outage time frames, and detailed recovery strategies for each application.

Agency Response*

Updated technology recovery plan was submitted to CDT Office of Information Security. CPUC is currently in the process of updating this plan to address the infrastructure changes.

  • Response Type†: Annual Follow Up
  • Estimated Completion Date: 12/31/2017
  • Response Date: November 2017

California State Auditor's Assessment of Status: Partially Implemented


Agency Response*

The Commission has developed some of the recovery plan and continues to work this to address all of the requirements needed.

  • Response Type†: Annual Follow Up
  • Estimated Completion Date: 12/30/2018
  • Response Date: October 2016

California State Auditor's Assessment of Status: Not Fully Implemented


Agency Response*

CPUC Business Continuity Plan is in draft form and scheduled to be completed April 30th, 2016.

  • Response Type†: 1-Year
  • Estimated Completion Date: 4/30/2016
  • Response Date: April 2016

California State Auditor's Assessment of Status: Partially Implemented

The commission explained that as a result of our follow up work, it reevaluated its progress and now believes it has not fully implemented this recommendation. The commission estimates that it will not achieve full compliance with SAM Chapter 5300 until December 2019.


Agency Response*

Critical business outage time frame and recovery strategies for applications will addressed in the form of Business Continuity plan as a subset of security assessment. The consultants and CPUC staff are meeting with business divisions to collect pertinent information.

  • Response Type†: 6-Month
  • Estimated Completion Date: Ongoing implementation.
  • Response Date: October 2015

California State Auditor's Assessment of Status: Pending


Agency Response*

Critical business outage time frame and recovery strategies for applications will addressed in the form of Business Continuity plan as a subset of security assessment.

  • Response Type†: 60-Day
  • Estimated Completion Date: April 2016
  • Response Date: June 2015

California State Auditor's Assessment of Status: Pending


Recommendation #17 To: Public Utilities Commission

The commission should revise its existing recovery plan to include detailed procedures for rebuilding its technology infrastructure at an alternate processing site.

Agency Response*

CPUC is in the process of revising update Business continuity plan to incorporate the infrastructure changes.

  • Response Type†: Annual Follow Up
  • Estimated Completion Date: 6/30/2018
  • Response Date: November 2017

California State Auditor's Assessment of Status: Partially Implemented


Agency Response*

The Commission continues to work to improve the recovery plan with detailed procedures for rebuilding its technology infrastructure.

  • Response Type†: Annual Follow Up
  • Estimated Completion Date: 12/30/2018
  • Response Date: October 2016

California State Auditor's Assessment of Status: Not Fully Implemented


Agency Response*

CPUC Business Continuity Plan is in draft form and scheduled to be completed April 30th, 2016.

  • Response Type†: 1-Year
  • Estimated Completion Date: 4/30/2016
  • Response Date: April 2016

California State Auditor's Assessment of Status: Partially Implemented

The commission explained that as a result of our follow up work, it reevaluated its progress and now believes it has not fully implemented this recommendation. The commission estimates that it will not achieve full compliance with SAM Chapter 5300 until December 2019.


Agency Response*

Recovery plan updates will be addressed in Business continuity plan as a subset of Security assessment. Contract has been awarded and CPUC staff is working with consultants.

  • Response Type†: 6-Month
  • Estimated Completion Date: Ongoing implementation.
  • Response Date: October 2015

California State Auditor's Assessment of Status: Pending


Agency Response*

Recovery plan updates will be addressed in Business continuity plan as a subset of Security assessment (RFO was released).

  • Response Type†: 60-Day
  • Estimated Completion Date: April 2016
  • Response Date: June 2015

California State Auditor's Assessment of Status: Pending


Recommendation #18 To: Public Utilities Commission

The commission should conduct regular tests and exercises to assess the sufficiency of the revised recovery plan and refine the plan when necessary.

Agency Response*

The Commission will develop a plan for testing once the recovery plan is completed.

  • Response Type†: Annual Follow Up
  • Estimated Completion Date: 12/30/2018
  • Response Date: October 2016

California State Auditor's Assessment of Status: Not Fully Implemented


Agency Response*

CPUC Business Continuity Plan is in draft form and scheduled to be completed April 30th, 2016.

  • Response Type†: 1-Year
  • Estimated Completion Date: 4/30/2016
  • Response Date: April 2016

California State Auditor's Assessment of Status: Partially Implemented

The commission explained that as a result of our follow up work, it reevaluated its progress and now believes it has not fully implemented this recommendation. The commission estimates that it will not achieve full compliance with SAM Chapter 5300 until December 2019.


Agency Response*

This will be scheduled after recovery plan is updated.

  • Response Type†: 6-Month
  • Estimated Completion Date: Ongoing implementation.
  • Response Date: October 2015

California State Auditor's Assessment of Status: Pending


Agency Response*

This will be scheduled after recovery plan is updated.

  • Response Type†: 60-Day
  • Estimated Completion Date: April 2016
  • Response Date: June 2015

California State Auditor's Assessment of Status: Pending


Recommendation #19 To: Public Utilities Commission

The commission should ensure that any certifications it submits to CalTech accurately represent its information security environment.

Agency Response*

Modified internal certification process.

  • Response Type†: 60-Day
  • Completion Date: January 2015
  • Response Date: June 2015

California State Auditor's Assessment of Status: Fully Implemented

To address the California State Auditor's recommendation that it ensure that any certifications it submits to California Department of Technology (CalTech) accurately represent its information security environment, the California Public Utilities Commission (CPUC) has created a new policy that modifies its existing internal certification process. The new policy requires all certification documentation submitted to CalTech to be reviewed by a CPUC internal committee consisting of the manager of the Information Technology Unit, the Information Security Officer, and the Chief Information Officer. After the initial review and approval by the committee, the certification documentation will be sent to the Executive Director or designee for final sign off.



†Response Type refers to the interval in which the auditee is providing the State Auditor with their status in implementing recommendations made in an audit report. Auditees must submit a response regarding their progress in implementing recommendations from our reports at three intervals from the release of the report: 60 days, six months, and one year or subsequent to one year.

*Agency responses received after June 2013 are posted verbatim.

