New Law Expands State Controller’s Audits of Local Agencies

California State Assembly Bill 804, signed into law in September 2017, amends Government Code Section 12422.5 to authorize the State Controller to proactively audit almost any local agency for the purpose of determining whether the agency’s internal controls are adequate to detect and prevent financial errors and fraud. Before AB 804, the Controller only had the authority to audit local agencies that receive State funding. Now, the Controller can choose to audit the internal control environment of any local agency in the State regardless of that agency’s funding sources. Under the law, local agencies include any city, special district, county, city and county, or local governmental entity (except a school district).

AB 804’s change to the Government Code relates to Assembly Bill 1248, which required the Controller to develop internal control guidelines to assist local agencies in establishing a system of internal control to safeguard assets and prevent and detect financial errors and fraud. Please click here to access the guidelines on the Controller’s Office website. As budget preparation for the next fiscal year and beyond gets underway, local elected and appointed officials should review the guidelines, which are derived from the American Institute of Certified Public Accountants’ Auditing Standard AU-C Sec. 315.A91. AICPA defines “control activities” as “policies and procedures that help ensure that management directives are carried out.” The guidelines further state that control activities also should “respond to identified risks in the internal control system.”

Citing AICPA, the guidelines provide the following examples of categories of control activities:

• Authorization – activities should be authorized in accordance with the local government’s policies and procedures.
• Performance Reviews – local government should perform analyses of financial data, including comparing actual results to budget forecasts and historical data, to ensure variances are in accordance with expectations, considering internal and external factors.
• Information Processing – two aspects, Application Controls and General IT Controls, which relate to the overall effectiveness of IT controls to ensure the proper operation of the local government’s information systems.
• Physical Controls – include ensuring the safeguarding of both tangible and intangible assets. In addition, access to computer programs or data files should be restricted to appropriate personnel.
• Segregation of Duties – the functions of authorization, recording or reconciling, and maintaining custody of assets should be segregated.

AB 804 continues the Legislature’s ongoing efforts to hold local agencies fiscally accountable, which began in 2011 with the signing into law of Assembly Bill 187 – the law that created the “high-risk local government audit program” in response to the discovery of numerous financial fraud, fiscal mismanagement and funding crises in cities across the state. AB 804 opens the door to increased attention from the Office of the State Controller. Because AB 804 authorizes the Controller to act on a proactive basis, local agencies should also be proactive in ensuring that they have a control environment in place that complies with the law.