California Public Utilities Commission
Internal Audit Unit
Records and Document Management
Audit Report
October 11, 2017
RECORD AND DOCUMENT MANAGEMENT AUDIT
October 11, 2017
Finance and Administration Committee
California Public Utilities Commission
505 Van Ness Avenue
San Francisco, CA 94102
Final Report – California Public Utilities Commission Internal Audit (IA) Report of the Records and
Document Management Retention
Dear President Picker:
Attached is the Internal Audit Unit’s final report on the California Public Utilities Commission’s
(CPUC) records and document management practices. This report represents the IAU’s findings
and recommendations with regard to the management of the CPUC’s documents and records,
with emphases on compliance with state standards, confidentiality, organization, and the
management of external reports. We wish to credit management and staff for their full
cooperation.
The report includes findings that primarily center on the need for a required agency-wide
records management program, and some associated practices and policies. This can
incorporate many areas of strength and best practices that were also found within particular
units and divisions. Management agreed with our principal findings and proposed a schedule
for corrective actions. Certain elements of our findings were also the subject of further discussion
that is referenced in the report.
This report is intended for the information and use of the management of the CPUC; however,
this report is a public document and its distribution is not limited.
The teamwork and dedication of the internal audit unit staff is greatly appreciated.
Finally, if you have any questions, please feel free to contact me at 415-703-1823 or
carl.danner.ca.gov.
Sincerely,
Carl Danner
Chief Internal Auditor, California Public Utilities Commission
Enclosure
cc:
Commissioners
Executive Director
Deputy Executive Directors
All Division Directors
Internal Audit Unit Staff
1. Carl Danner - Chief Internal Auditor
2. Francis Oh - Internal Audit Program and Projects Supervisor
3. Benjamin Schein CPA - Public Utility Regulatory Analyst V
4. John Forsythe AICP - Public Utility Regulatory Analyst IV – Now Transferred
5. Fred Kyama CIA - Public Utility Financial Examiner IV – Project Lead Auditor
6. Juliane Banks - Administrative Support – Now Transferred
Table of Contents
1. EXECUTIVE SUMMARY
2. AUDIT SCOPE AND METHODS
   1. Introduction
   2. Audit Objectives
   3. Audit Scope
   4. Audit Methodology and Testing
   5. Qualifications/Limitations and Exceptions
3. DETAILED INTERNAL AUDIT FINDINGS/RECOMMENDATIONS
   1. FINDING 1: Records Management Program Implementation Gap
   2. FINDING 2: Records Retention and Destruction
   3. FINDING 3: Email Policy
   4. FINDING 4: Confidentiality
   5. FINDING 5: Records/Document Back Up
   6. FINDING 6: Onboarding and Training
   7. FINDING 7: Forms Management Program/Representative
   8. FINDING 8: Naming Conventions/Filing Plans/Indexes
4. OTHER AUDIT OBSERVATIONS
   1. Legal Division - Unique Challenge Observed in Legal
   2. Best Practice: CP&ED - Utility Enforcement Branch (UEB)
   3. Best Practice: Energy Division - Tariff Unit
5. MANAGEMENT RESPONSE
   Management Memo
   Internal Audit’s Further Comments on Management Response
6. APPENDICES
   APPENDIX A: Laws and Policies Governing CPUC Records Management
   APPENDIX B: CPUC Divisions and Sub-Units Sampled for Audit
   APPENDIX C: List of Policy Documents Obtained from the California Energy Commission (CEC)
   APPENDIX D: Extract from I.T. Unit’s 2016 BCP Infrastructure Increase Summary
   APPENDIX E: Status of CPUC’s STD 73 Forms Filed on Secretary of State’s Website, 2008 to 2017
   APPENDIX F: CPUC Staff Completion Rates 2013 – 2016 Annual Training Protecting Privacy in State Government
   APPENDIX G: Generally Accepted Recordkeeping Principles (GARP) and ARMA International’s Information Governance Maturity Model (ARMA-IGMM)
   APPENDIX H: Utility Enforcement Knowledge Portal
   APPENDIX I: Energy Division Central Files
1. EXECUTIVE SUMMARY
The Internal Audit (IA) unit has completed a review of the California Public Utilities Commission’s
(CPUC) records management practices, including their identification, storage and retention,
protection, and disposition. We reviewed and tested these practices against state laws, policies,
and recommended best practices.
In general and despite useful processes found in many parts of the agency, we found that the
CPUC’s required centralized records management program (RMP) has not been fully developed
and effectively implemented. The lack of an effective RMP has also led to failure in compliance
with associated state requirements, including maintaining an active and updated inventory of
records and retention schedules (STD 70 and 73), and limiting the destruction of records only to
those specified on STD 73 schedules with appropriate dates for disposal (per the Records
Management Act).
Factors contributing to this overall condition include a weak linkage between top-level
management and the CPUC’s divisions in terms of providing direction in unified standards,
policies, procedures, and practices that can be followed across the board. In addition, there is
a lack of any regular evaluation system for records management operations.
Another significant deficiency was the lack of an email policy through which these email
communications are categorized, retained, and/or discarded on set schedules per state policy
that requires them to be treated like any other documents in this regard. This has resulted in
excessive demands on CPUC resources for managing and handling a vast number of retained
messages, including creating complications for the agency’s responsiveness to legal matters in
which emails may be implicated.1 As a comparison, the California Energy Commission (CEC)
provides a useful example of compliance by a sister agency to the CPUC, as the CEC maintains
an email policy while also fulfilling important regulatory and legal responsibilities.
Some other areas where opportunities for improvement existed included the dissemination of
information about encryption tools available at the CPUC, and general knowledge about the
availability and use of various data storage options staff can use in their work. Some staff was
not aware of the available encryption tools, while others did not know the difference between
local drive storage and server backed-up storage. New staff is not appropriately introduced to
CPUC systems or procedures in these regards. We recommend that these gaps be addressed
through education and training, including desk visits to verify that staff know how to use (and are
using) appropriate storage options for their work products and significant documents. More
generally, we also recommend onboarding and regular training and updates for all staff on their
roles and responsibilities in helping to maintain an effective records management program.
1 Note that the finding does not involve a failure by the CPUC to retain materials relevant to fulfilling Public Records Act requests or
subpoenas. We did not find evidence of such a concern.
Table 1 summarizes these and a few other findings and recommendations (such as needs for
consistent electronic file naming conventions, and a Forms Management Representative and
program), which are addressed at greater length in the body of the report.
Table 1. Summary of Internal Audit Findings – Document Management Program
Columns: Finding Number; Summary of Issue; Summary of Recommendations; Ownership
Finding 1
Summary of issue: The mandatory California Records Management Program (RMP) has not been effectively implemented.
Summary of recommendations:
1. Develop and implement the required records management program across the agency (incorporating practices already in existence within some divisions) and:
   a. Create a full inventory of records and documents of all types using STD 70 and mandatory retention STD 73 for the regular destruction of documents.
   b. Confirm the use of a “trusted system”2 for the electronic archive of records for which one is required per Government Code § 12168.7.
   c. Create and implement a set of standards and common practices expected across the CPUC.
   d. At the division level, develop and memorialize records management policies and procedures consistent with each unit’s operational needs and the adopted agency-wide practices and standards.
   e. Develop consistent standards and guidance on the following:
      i. Staff roles/responsibilities in the records management program;
      ii. How assurance will be provided on the performance of records and information functions, including for capabilities required by state and federal law (such as protecting confidentiality of sensitive records), and including monitoring mechanisms for the program’s functions;
      iii. Mechanism for dissemination of these policies to staff at all levels;
      iv. A mechanism for the review of these policies at regular intervals (e.g. at least once every two years).
2. Adopt ARMA International’s Generally Accepted Recordkeeping Principles (GARP)3 and Information Governance Model (IGMM)4 as a best practices benchmark.
Ownership: Executive Management/Division Directors

2 Implies a combination of techniques, policies, and procedures for which there is no plausible scenario in which a
document retrieved from or reproduced by the system could differ substantially from the originally stored document.
3 GARP has 8 principles: Accountability, Transparency, Integrity, Protection, Compliance, Availability, Retention and
Disposition.
Finding 2
Summary of issue: The CPUC’s document and records destruction practices do not comply with the California State Records Management Act (SRMA) and state policy.
Summary of recommendations:
1. Suspend the destruction of potential state records (except according to forms STD 73 that are in effect) while management pursues a full document inventory and the establishment of updated retention schedules for all divisions.
2. Encourage staff to identify collections of documents that may have been stored away or overlooked so that their potential work-related or archival value can be evaluated.
Ownership: Executive Management/Division Directors
Finding 3
Summary of issue: The CPUC does not have an email management policy.
Summary of recommendations: Develop and implement an email policy consistent with the guidelines provided in CalRIM’s Practical Guidebook for Managing Electronic Records – which requires taking into account the content of an email, rather than its form.
Ownership: Executive Management/I.T. Unit/Division Directors
Finding 4
Summary of issue: Generally staff are aware of their responsibilities of dealing with confidential information, however the following deficiencies or concerns were noted:
- Pattern of a significant fraction of eligible staff not completing the mandatory annual privacy training (20% average in past four years);
- Observed unlocked file cabinets containing confidential information, per the labels on them;
- Some staff were not aware of I.T. tools available to encrypt information in transit such as Accellion, or encrypted emails;
- There is some continuing confusion among staff about the practical interpretation of Public Utilities Code §583 for their work.
Summary of recommendations:
- Management should closely monitor the required annual privacy training, with an objective of 100 percent compliance by agency employees.
- All divisions should carry out an inspection of all their filing cabinets and ensure that those containing confidential information are kept locked when not in use (including at the end of each working day). Pay attention to Legal, Energy and ALJ divisions where some of these cabinets were found.
- We recommend that the IT unit develop a strategy to inform staff about available tools for transmitting information in an encrypted format.
- Training and reference materials should be developed and provided to staff on the specific applicability of P.U. Code §583 to their work, including any modifications or clarifications to the provisions of Decision 16-08-024 as may occur in the rehearing process or through appellate review.
Ownership: Executive Management/I.T. Unit/Division Directors
Finding 5
Summary of issue: Some staff could not differentiate between working on a local computer hard drive that is not backed up, vs a network resource such as the “O” drive or Content Server. Some were not aware of the importance of working on a backed up drive.
Summary of recommendations:
1. In document management program, include a stated expectation that all staff work (including drafts and work in progress) should be stored in a secured, backed-up manner.
2. Each individual CPUC staff member should receive a visit at his or her desk to review their methods of computer use to help assure that all electronic work products, reference documents and other records are being stored appropriately on backed-up network resources.
Ownership: Executive Management/I.T. Director/Division Directors

4 IGMM is based on GARP and has five levels of maturity: Level 1 (Sub-Standard), Level 2 (In Development), Level 3 (Essential), Level 4
(Proactive), and Level 5 (Transformative).
Finding 6
Summary of issue: The CPUC does not provide onboarding or ongoing training of its staff about agency-wide records management legal requirements, policies, standards, and adopted best practices.
Summary of recommendations: Management should develop onboarding, training, and reference materials to address the goals and common standards and practices of the RMP adapted by CPUC, and to provide periodic updates on key topics and modifications to the program.
Ownership: Executive Management/H.R. Director/Records Management coordinator/I.T. Unit
Finding 7
Summary of issue: The CPUC’s Form Management Program (FMP) is not operational and does not have a designated Forms Management Representative (FMR).
Summary of recommendations:
1. Management should appoint a Forms Management Representative (FMR) per Government Code § 14772 & SAM 1706 to reinvigorate the forms management program, including involvement in the development of forms used to collect information from regulated entities. The FMR should complement the existing Records Management Coordinator (RMC) in the RMP, and be responsible for establishing a repository of all updated CPUC forms organized by divisions.
2. The CPUC should conduct an analysis under Government Code § 14775(b) to identify which forms and reports may be subject to the triennial review requirement, including eliminating those that are no longer necessary to the agency’s fulfillment of its responsibilities. As a best practice we also recommend, where practicable, including other such forms and reports in the triennial review process even if they may be exempt from the requirement to do so. We recommend that the FMR maintain an updated inventory list of all mandatory reports received by the CPUC.
Ownership: Executive Management/H.R. Director
Finding 8
Summary of issue: The CPUC lacks consistent naming conventions, filing plans or systems and indexes inhibiting the ability to perform a comprehensive search of documents relating to a subject matter.
Summary of recommendations:
1. The CPUC’s records management program should include the adoption of file naming conventions to be applied consistently within divisions or units, and filing plans including directory structures for electronic documents.
2. A process should be established in each division through which all repositories of retained documents will be reviewed. Those materials kept for future use should then be brought into the adopted filing system.
Ownership: Executive Management/Division Directors
2. AUDIT SCOPE AND METHODS
1. Introduction
Documents consist of recorded information in any format, created or received and maintained
in the transaction of business or conduct of affairs and kept as evidence of those activities. The
State Administrative Manual (SAM)5 1600 defines records as “Recorded information, regardless
of medium or characteristics, made or received by an organization that is evidence of its
operations and has value requiring its retention for a specific period of time”.6 A document
management system also includes policies and guidelines for the creation, identification,
classification, retrieval, receipt and transmission, storage and protection, disposition and
preservation and sharing of information and records.
The CPUC’s documents or records are a strategically important resource that needs to be
managed like any agency asset. The CPUC requires documents to perform and account for its
regulatory activities, which include control and support of its decision-making, documentation of
the delivery of programs, evidence in legal actions and general maintenance of the agency’s
institutional memory. New technologies also pose opportunities and risks for the CPUC’s
document and records management, including the challenges of maintaining predominantly
electronic documents according to statutory requirements.
State Requirements
In order to ensure that state agency records are properly managed and preserved accordingly,
Government Code §§12270-12279, in conjunction with the rules, regulations, and standards and
procedures issued by the Secretary of State, and the California Records and Information
Management Program (CalRIM) require each agency to:
- Establish and maintain an active, continuing program for the economical and efficient
  management of records and information practices of the agency;
- Identify records essential to the functioning of state government in the event of a major
  disaster; and
- When requested by the Secretary of State, provide a written justification for storage or
  extension of records in the state records center for a period of 50 years or more. Records
  deemed to have archival value will be transferred to the State Archives.
Other statutory and policy requirements are listed in Appendix A.
5 SAM is a reference resource for statewide policies, procedures, requirements and information developed and issued by authoring
agencies which include the Department of Finance (DOF), Department of Human Resources (CalHR), Department of General
Services (DGS), California Department of Technology (CDT), and the Governor's Office. In order to provide a uniform approach to
statewide management policy, the contents are published under the authority of the Directors of DOF and DGS.
6 California Records Management Handbook - Records Retention pg.5, or California Public Records Act (see Ca. Govt. Code §
6252(e) & (g)).
Agency Roles in Records Management
The responsibility to establish and maintain the corporate record-management program rests
with the head of each state agency7 or the Executive Director (ED), in the case of the CPUC. In
support of the ED’s mandate, individual staff, records, and information management staff
collect, organize, store, maintain and retrieve records and assist departmental clients.
All divisions of the CPUC have a responsibility to manage records as a corporate resource in
accordance with state legislation and policies. Regardless of the format, stored documents
should be organized following consistent standards and best practices so that they are easy to
access when the need arises.
CPUC employees have a duty of care to manage documents so that the agency meets its
obligations, including ensuring they are appropriately included in the agency’s
record/document management system. Management has an obligation to direct and assist
staff in the document management process, including informing staff of their responsibilities.
Practically, most divisions and units keep their own electronic and paper records that are stored
separately, although often located on some common agency IT resources. Many paper records
are stored in divisional file cabinets managed by individual units, and in personal file cabinets or
desk drawers. Electronic records are stored in a variety of systems such as shared drives
(\\sf5filesrv5\ drive), Content Server, in personal Outlook Mail (email) accounts and non-shared
drives (O:\ drive) and both official and personal flash drives. The CPUC’s website also provides
access to many official documents.
Acknowledgment
This audit covered a wide spectrum of the CPUC, and we would like to credit the assistance and
cooperation of all management and staff who were asked to participate.
2. Audit Objectives
This audit was conducted as part of the Internal Audit Unit’s annual audit plan authorized by the
Commission’s Finance and Administration Committee. Organizational risk assessments had
noted concerns about preserving institutional knowledge and memory that are at risk,
particularly due to the anticipated retirements of experienced staff from the agency. Good
document and records management practices can minimize or curtail this loss through
maintaining a well-documented and organized repository of the agency’s activities. The
applicable legal requirements and available best practice guidelines also offered motivation
and standards for this audit.
The primary audit objectives involved the following questions:
- Whether the CPUC’s document and records management practices are compliant with
  state law, policies, standards and best practices, which may include the Generally
  Accepted Record Keeping Principles (GARP) promulgated by ARMA International, and
  International Standards Organization (ISO);
- Whether the CPUC’s policies, methods and practices were consistent and compliant with
  the state’s confidentiality laws and requirements;
- Whether external reports received by CPUC are relevant and continually evaluated for their
  importance, including notifying external parties when reports are no longer needed; and,
- Whether the CPUC’s management of electronic documents consistently accords with
  standards and best practices.
7 SAM §1602, Agency Records Management Program-Govt. code §12270-12279
3. Audit Scope
The audit scope covered CPUC’s current document/records management practices in all
divisions and site visits to sub units headed by a supervisor (including San Francisco, Sacramento,
and Los Angeles). This included:
- Reviewing policies and procedures used in supporting the governance of
  documents/records creation, collection, organization, maintenance, usage, and
  dissemination within the CPUC;
- Understanding the CPUC’s documents/records liaison roles, responsibilities, and
  accountabilities for document/record decision making, management, and security;
- Reviewing, assessing, and making comparisons with applicable standards and best
  practices in document management.
4. Audit Methodology and Testing
We utilized multiple methodologies to cover the scope of the audit and its objectives. The
evidence gathering techniques included, but were not limited to the following:
- Researching state, federal and CPUC rules and regulations pertaining to the management
  of documents and records, and evaluating the CPUC’s compliance;8
- Researching industry standards related to document and records management
  promulgated by professional associations, and comparing them with CPUC practices;
- Conducting interviews and discussions with CPUC’s senior management (e.g. Executive
  Director, Division Directors and managers) regarding document management practices in
  respective areas of their responsibility;
- Selecting a stratified sample of about 40 subunits across the CPUC headed by a supervisor,
  conducting interviews and discussions with the managers, supervisor and staff responsible for
  each unit’s document management, and testing documents and practices within these
  units;9
- Contacting the California Energy Commission (CEC) for information about their record
  management practices and obtaining their policy guidelines on document and records
  management for our review.10
8 Appendix A - Laws, legislations, and policies governing CPUC’s records management
9 Appendix B - CPUC Divisions and Sub-Units Sampled for Audit
10 Appendix C - List of Policy documents obtained from CEC
5. Qualifications/Limitations and Exceptions
As noted above, the audit reviewed records management practices of a sample of units
including all CPUC divisions, and located in headquarters (HQ) in San Francisco (37 units), Los
Angeles (LA) (1 unit) and Sacramento (2 units). Through this testing, management interviews and
responsive documentation provided by divisions, the audit team believes it was able to develop
a representative understanding of the relevant practices within the CPUC as a whole sufficient
to reach the indicated findings. However and except where specified, these results should not
be taken as necessarily applicable to any particular unit within the agency without a review of
its practices.
Additionally, the audit scope was planned to include all CPUC divisions or units, including the
Office of Ratepayer Advocates (ORA). ORA responded to Internal Audit’s data request and
provided information on the nature of documents it generated and stored. ORA also
participated in the audit’s management interview that we conducted separately with each
division. However, ORA declined to participate in the second phase of the audit, which included
the detailed interview and testing of individual units noted above. ORA’s stated concern was
that given that it is a party in the CPUC’s formal proceedings, a review of ORA’s document
management practices conducted by the Internal Audit Unit that reports directly to the
Commissioners could risk waiving attorney-client privilege and work product privileges. ORA
stated that it would work with the Department of Finance to ensure compliance with the state’s
document management requirements. We were therefore unable to complete the planned
audit testing for ORA, and thus are unable to provide an opinion or assurance regarding its
document and records management. ORA’s refusal to complete its participation in this audit
created an issue since the Internal Audit Unit has the chartered responsibility to audit the entire
CPUC. Resolution of this issue is beyond the scope of this report, but we believe it will need to be
addressed.
Finally, the IAU follows the Institute of Internal Auditors International Professional Standards for the
Practice of Internal Auditing, although as a unit operating for less than five years we have yet to
undertake the external quality assurance review required before we can cite to those standards.
3. DETAILED INTERNAL AUDIT FINDINGS/RECOMMENDATIONS
1. FINDING 1: Records Management Program Implementation Gap
The mandatory California Records Management Program (RMP) has not been
effectively implemented.
Criteria/Standard - SAM §1602 and CA Govt. Code §12274(a) require California government
agencies to establish and maintain an active, continuing Record Management Program (RMP)
for the economical and efficient management of records and information practices, as
applicable to “records” as they are defined by the Public Records Act.
The California Public Records Act (CPRA) defines a public record as, “any writing containing
information relating to the conduct of the public’s business prepared, owned, used, or retained
by any state or local agency regardless of physical form or characteristics.”11 The CPRA provides
additional specifications of a record as any “handwriting, typewriting, printing, photostating,
photographing, photocopying, transmitting by electronic mail or facsimile, and every other
means of recording upon any tangible thing any form of communication or representation,
including letters, words, pictures, sounds, or symbols, or combinations thereof, and any record
thereby created, regardless of the manner in which the record has been stored.”12 Procedures
and processes required for the successful implementation of the RMP program are described in
the California Records and Information Management’s (CalRIM) 13 State Records Management
Handbook’s Guidelines14 and State Records Appraisal Program (SRAP).15 The Secretary of State’s
website also provides best practice sources, which include standards and principles from
recognized record and document management associations such as the International
Organization of Standards (ISO) ISO-15489 1 and 2 and ARMA-International’s Recordkeeping
Principles. In its Records Management Handbook – Records Retention guidelines, CalRIM
emphasizes that a successful implementation of the RMP requires senior management to be
aware of the goals of the program and the importance of achieving them. To this end, a strong
and ongoing relationship is to be maintained between top/mid–level management and records
management staff - even after the program has obtained initial management support and
been put into effect.16
In essence, the responsibility to establish and maintain the entity’s records management
program rests with an agency’s senior management. The program then directs and guides other
staff as they create, collect, organize, store, maintain and retrieve records and assist
departmental clients.
Condition/Existing Situation/implications - Audit evidence identified major deficiencies in the
execution of an agency-wide RMP, which has not been effectively implemented by the CPUC.
We found a weak linkage between the CPUC’s top-level management and its divisions in the
creation, operation, and direction of policies and procedures that would comprise a
conforming RMP. Nearly all staff interviewed indicated that they have never received or were
not aware of any CPUC-wide guidance or policy in document or records management. There is
no coherent CPUC-wide records management strategy, consisting of a principled framework,
comprehensive policy, and guidelines setting out a roadmap on how divisions should manage
records or documents created or received by them. This is inconsistent with the CalRIM
guidelines that require top-level management to be aware of both the goals and importance of
the RMP, and to maintain a strong ongoing relationship between itself and middle management
in this regard.
11 CPRA, Government Code §6252(e)
12 CPRA, Government Code §6252(g)
13 CalRIM State program, which establishes guidelines, including those for the management of electronic records; provides consultation; evaluates the effectiveness of existing records management programs; and assists in the establishment of new records programs.
14 There are two primary handbooks: (i) Records Management Handbook – Records Retention and (ii) Practical Guide for Managing Electronic Records
15 SRAP is a program developed by the California State Archives (CSA) that identifies state agency records with permanent retention value for archiving. Both CalRIM and SRAP programs oversee the complete life cycle of public records from record creation to disposition via either transfer to the State Archives or destruction.
16 Records Management Handbook – Records Retention - Establishing the Program - Page 2
Also notable was the extent of retained electronic documents. In a 2016 Budget Change
Proposal (BCP), the CPUC’s Information Technology (I.T.) division stated that between 2010 and
2015 the number of CPUC servers increased from 310 to 560, and the total documents stored
increased from 60 to 450 terabytes (increases of over 80% and 650%, respectively).17 IT data
showed that 25 percent of the over 10 million stored files have not been accessed within the
past three years. These are not costless to maintain, and their management should be included
in the operation of the policy (including deleting them when called for by adopted document
retention timeframes). According to I.T., its operations are becoming challenged in achieving the
routine full back up of the entire CPUC system due to the volume of retained information. Other
constraints have also come into play at times, such as the demands of certain necessary I.T.
tasks requiring parts of the headquarters building to be shut down temporarily to avoid
exceeding the limit of its present electricity supply. Presumably, the I.T. function should seek the
resources needed to support the CPUC’s operations, but the magnitude of those requirements
would also be influenced by the effective implementation of the required RMP.
In light of this gap and in recognition of their own operational requirements, some divisions and
units have created their own document management policies, methods, and procedures. These
are sometimes well suited to the needs of particular agency processes. However, the resulting
practices vary greatly from division to division, including a few that cannot be described as
efficient and economical methods for creating, managing, preserving and disposing of state
records. In addition, because senior management has not provided centralized direction and
emphasis, records management has effectively been relegated to individual unit staffs, who
do not always give it priority. The overall effect has been the adoption of varying and
uncoordinated records management practices without regard to the agency-wide objectives
an RMP is intended to advance.
Recommendations:
1. Develop and implement the required records management program across the agency,
through processes and procedures to accomplish the following (note that these will build on
or incorporate practices already in existence within some divisions):
f. Create a full inventory of records and documents of all types (using STD 70) and
associated retention periods (using STD 73), including periodic updating and the
regular destruction of obsolete paper and electronic records when called for by STD
73.
g. Confirm the use of a “trusted system” for the electronic archive of records for which
one is required per Government Code § 12168.7 (…” ‘trusted system’ means a
combination of techniques, policies, and procedures for which there is no plausible
scenario in which a document retrieved from or reproduced by the system could
differ substantially from the document that is originally stored.”).
h. Create and implement a set of standards and common practices expected across
the CPUC on how records (including electronic records) are to be managed; this
should include defining the objectives of records management.
i. At the division level, develop and memorialize records management policies and
procedures consistent with each unit’s operational needs and the adopted agency-
wide practices and standards.
j. Develop consistent standards and guidance on the following:
i. The roles and responsibilities of staff in the records management program;
ii. How assurance will be provided on the performance of records and information
functions, including for capabilities required by state and federal law (such as
protecting confidentiality of sensitive records), and including monitoring
mechanisms for the program’s functions;
iii. A mechanism for dissemination of these policies to staff at all levels;
iv. A mechanism for the review of these policies at regular intervals (e.g. at least
once every two years).
17 Appendix D – Extract from I.T. Unit’s 2016 BCP Infrastructure Increase Summary
2. We recommend that management adopt ARMA International’s Generally Accepted
Recordkeeping Principles (GARP)18 and Information Governance Model (IGMM)19 as a
benchmark for developing document management practices (see Appendix F). The ARMA
GARP and IGMM are some of the widely recommended sources of best practices listed on
the Secretary of State’s website, and were used by the Federal government for its 2013/2014
Information Governance Benchmarking Survey.
2. FINDING 2: Records Retention and Destruction
The CPUC’s document and records destruction practices do not comply with the
California State Records Management Act (SRMA) and state policy.
Criteria/Standard - Govt. Code §12275(a) prohibits the destruction or disposal of state records
unless it has been determined by the Secretary of State that the record has no further
administrative, legal, or fiscal value and the Secretary of State has determined that the record is
inappropriate for preservation in the State Archives. Per SAM 1615, form STD 73 is supposed to be
the basis for the designation of records for retention, transfer, or destruction in a particular
records series and serves to identify vital,20 confidential, and public records. Thus, compliance
with state law requirements occurs through the establishment of the mandatory Records
Management Program (RMP), including establishing the required retention schedules21 that
detail the public records the agency keeps to direct their management and eventual
destruction when they have no further operational or archival value. To implement these
requirements, SAM 1612 requires that agencies take inventory of their records at least once
every five years using Records Inventory Worksheet form STD 70, while SAM 1615 directs that on
completion of the inventory records must be listed on an STD 73. SAM 1616 provides further
guidance and emphasis that an agency’s authorization to dispose of its records is based on its
approved current and active STD 73 after the scheduled retention period.
Condition/Existing Situation/implications - Audit evidence showed that for some time the CPUC
has not performed an inventory of its records using form STD 70, and that only four units have
up-to-date approved STD 73 Retention Schedules filed with the Secretary of State.22 As indicated
above, records should not be destroyed except as provided on these schedules. Most of the
staff interviewed indicated that they were not aware of these requirements, with some noting
that they would benefit from policy guidance to help them evaluate the aging records in their
possession; instead, record destruction was determined by units or individuals at their discretion.
18 GARP includes 8 principles: Accountability, Transparency, Integrity, Protection, Compliance, Availability, Retention and Disposition. See Appendix F for more details.
19 IGMM is based on GARP and has five levels of maturity: Level 1 (Sub-Standard), Level 2 (In Development), Level 3 (Essential), Level 4 (Proactive), and Level 5 (Transformative). See Appendix F for more details.
20 Vital records contain information necessary for the operation of government in an emergency due to disaster, and records to protect the rights and interests of individuals or to re-establish and affirm the powers of government in the resumption of operation after a disaster. Such records require special protection from loss using vault storage, microfilm, CD, magnetic tape or similar storage media (Records Retention Handbook CalRIM April 2008 pg. 51).
21 SAM 1611
22 Appendix E – Extract of CPUC’s STD 73 Filed on Secretary of State Website 2008 to 2017
The audit also noted that about two to three years ago during the “restack” building renovation
process, many divisions discarded substantial quantities of documents that they deemed
unnecessary (rather than move them back and forth between temporary locations). Practically
speaking, the audit team was not able to examine or evaluate any of the discarded documents
to determine whether potentially valuable archival material may have been involved. In many
instances, stored physical documents on hand that were examined in the audit amounted to
duplicates or copies of materials that are kept elsewhere or electronically, suggesting that the
documents that were destroyed may have included such duplicates that did not amount to
records in themselves. Given the opposite concern – i.e. the quantities of potentially obsolete or
unneeded documents that were observed in some locations that were tested - it was likely
beneficial that such document “purges” took place, sometimes accompanied by a subsequent
commitment to an increased use of electronic document storage by some units. The division-
level systems that are in place to categorize, organize, and retain many documents of evident
importance (such as the formal case files kept by the Administrative Law Judge Division) likely
reduced the risk of loss of significant information. As well, when we came across a few troves of
quite old documents during our field-testing (sometimes unexpectedly), we found a general
caution among staff about discarding them without an assessment of their potential usefulness.
Nonetheless, the state’s requirements are that the written and electronic products of the
agency’s professional work be categorized and evaluated in a systematic way so that their
ongoing operational value and desirability as archival materials can be considered before they
are discarded, and so that excessive quantities of information will not be retained when they are
no longer of benefit. In addition, state agencies are required to identify vital and confidential
records on their retention schedule form STD 73 for proper preservation and protection. Failure to
maintain these schedules might result in the irregular destruction of public records, which is in
violation of state law and policy.
Recommendations:
1. We recommend that agency management and staff be advised of the need to avoid the
destruction of state records (except according to forms STD 73 that are approved current
and active) while management pursues a full document inventory and the establishment of
updated retention schedules for all divisions.
2. Staff should also be encouraged to identify collections of documents that may have been
stored away or overlooked for some time, so that their potential work-related or archival
value can be evaluated.
3. FINDING 3: Email Policy
The CPUC does not have an email management policy.
Criteria/Standard - The California Public Records Act (CPRA) defines a public record as, “any
writing containing information relating to the conduct of the public’s business prepared, owned,
used, or retained by any state or local agency regardless of physical form or characteristics.”23
The CPRA provides additional specifications of a record as any “handwriting, typewriting,
printing, photostating, photographing, photocopying, transmitting by electronic mail or
facsimile, and every other means of recording upon any tangible thing any form of
communication or representation, including letters, words, pictures, sounds, or symbols, or
combinations thereof, and any record thereby created, regardless of the manner in which the
record has been stored.”24 The CPRA thus also applies to email messages, and so government
agencies are required to properly identify, classify, manage and dispose of emails as records
following recommended policy guidelines and practices in CalRIM’s Practical Guidebook for
Managing Electronic Records. CalRIM recommends the incorporation of an email policy within
the broad records management policy of an agency. CalRIM guidelines emphasize that “an
agency must have an email management policy in place to ensure record emails are not
deleted alongside transitory emails.”25 Furthermore, CalRIM explains that emails are merely
formats in which messages are sent and that the retention or disposition of emails should
depend on the messages they contain, purposes they serve, and the relevant record series to
which they belong. To that end, CalRIM recommends that emails include a clearly descriptive
subject line to help categorize them into the appropriate series for storage purposes.
23 CPRA, Government Code §6252(e)
24 CPRA, Government Code §6252(f)
Condition/Existing Situation/Implications - The CPUC does not have an email policy to help
perform the functions CalRIM identifies. Instead, emails are kept indefinitely, and no agency
guidelines exist for organizing or categorizing them. This retention is contributing to increasing
demands on the CPUC’s Information Technology (I.T.) resources, and complicating the agency’s
response to associated legal obligations. According to the I.T. unit’s 2016 budget change proposal,
between 2010 and 2015 the number of CPUC servers increased from 310 to 560, and the
total documents stored increased from 60 to 450 terabytes (increases of over 80% and 650%,
respectively).26 Of the 69 million archived emails that are at least a year old, 59 percent date
from 1-3 years ago, while 41 percent date from four years ago or longer, and some go back as far as
2002. The larger the number of retained emails, the more extensive is the review process that
must be undertaken by Legal to determine which emails may be responsive to a given Public
Records Act request or subpoena, and which are subject to a legal privilege that can be
asserted against their production. While aspects of this process have been automated (such as
the search to identify potentially responsive emails using key words or phrases), a skilled
professional (usually an attorney) performs the ultimate review of such materials.
To fully analyze the impact of the lack of an email policy would have required the creation of a
specific counterfactual in terms of what the adopted policy would be, and its operational
implications; then the analysis would compare the current circumstances to those that would
otherwise occur. While the audit team was not able to create this analysis using resources
available to it, the sheer number and age of archived emails served to confirm the interview
evidence from I.T. and Legal that the lack of a retention schedule or policy is causing
meaningful operational impacts. As a comparison, the California Energy Commission (CEC) has
an email policy that provides guidance to staff on their responsibilities regarding email
preservation and disposition, and enforces a standing requirement of automatically deleting
emails 90 days from the date they are received, sent, or drafted.
We note that concerns have been expressed regarding the ability to institute such a policy
within the CPUC at a time when the agency is under investigation and facing numerous Public
Records Act requests; however, the CEC’s analogous profile as a state energy regulatory
agency strongly suggests that an email policy is also feasible for the CPUC. To the extent there
are agency business justifications or legal reasons for the retention of particular emails or for a
transition into a requirement such as the CEC enforces, our suggestion would be that those
could appropriately be considered in the design and implementation of the required policy.
Recommendations:
1. Consistent with the applicable requirements and the adoption of an agency-wide records
management program, the CPUC should develop and implement an email policy consistent
with the guidelines provided in CalRIM’s Practical Guidebook for Managing Electronic
Records - which requires taking into account the content of an email, rather than its form.
25 CalRIM (10/20/2015) Practical Guidebook for Managing Electronic Records p.8
26 Appendix D – Extract from I.T. Unit’s 2016 BCP Infrastructure Increase Summary
4. FINDING 4: Confidentiality
Although the audit noted a general good awareness by staff of their
responsibilities in dealing with confidential information, the audit team noted the
following concerns or deficiencies:
1. There was a pattern of a significant fraction of staff not completing the
mandatory annual privacy training. On average, for the past four years 20
percent of CPUC eligible staff did not complete the training.
2. Unlocked file cabinets containing confidential information (in some cases
marked as such by labels on drawers) were observed in some locations.
3. A portion of staff were not aware of IT tools available to encrypt information in
transit such as Accellion, or encrypted emails.
4. There is some continuing confusion among staff about the practical
interpretation of Public Utilities Code §583 for their work.
Annual Privacy Training
Criteria/Standard - SAM 5300 mandates state agencies to establish and maintain an information
security and privacy training and awareness program. SAM 5320.1 requires state entities to
provide basic security and privacy awareness training to all information asset users including all
personnel, managers, and senior executives as part of initial training for new users and annually
thereafter. As part of this mandate, the CPUC requires every employee and user of its
information assets to take the annual privacy protection training provided by the California
Office of Privacy Protection.
Condition/Existing Situation/Implications - The audit noted that on average, for the past 4 years
20 percent of CPUC staff were not completing this mandatory training.27 This non-compliance
may result in staff not getting updated information on privacy and confidentiality, exposing the
CPUC to the risk of mishandling confidential information.
Unlocked Filing Cabinets
Criteria/Standard - Best practices suggest that file cabinets containing confidential records have
restricted access and be securely locked to protect them from unauthorized access.
Condition/Existing Situation/Implications - The audit team noted that some filing cabinets
marked confidential were unlocked, potentially allowing unauthorized individuals to view or
obtain their contents. These cabinets were mostly in the Legal Division, some of which contained
information that had been left behind by retired staff; many such cardboard boxes were also
observed. Certain instances in other divisions involved file cabinets that are used routinely by
staff during the course of a working day, and then locked at night; these tended to be located
in areas with high employee foot traffic or visibility, which reduced risks by making access more
difficult for non-staff members (with regard to information that should be kept confidential within
the agency as a whole).28 Another factor reducing risks was that almost all staff interviewed
confirmed that unknown visitors are uncommon in their work areas, and that those who may
appear are routinely greeted and offered help in locating their appropriate destinations. A
further test involved asking about specific instances of petty thefts from employees in or around
the units that were tested, and few such instances were reported. The audit team’s assessment
of risks varied across these circumstances, and a few high-priority concerns were addressed
collaboratively with management during the audit. The recommendations below focus on the
consistent maintenance of some associated controls.
27 Appendix F - CPUC staff completion rates – Annual Training Protecting Privacy in State Government.
Lack of Knowledge of I.T. Capabilities for Secure Transfer of Information
Criteria/Standard - Best practices suggest that staff be well informed and knowledgeable about
the available resources used to transmit confidential information, as the necessity to transmit
such information may be unpredictable.
Condition/Existing Situation/Implications - The audit revealed that in some instances CPUC staff
were not aware of the available tools at CPUC used to transmit confidential information. These
included the secure file-transfer tool Accellion, and activating the encryption of an email
(sent to an address outside the CPUC’s system) through typing the word “encrypt” in the
subject line. Although most of the staff without this knowledge also indicated that they rarely
handled confidential information that requires extra security in transmission, the audit team
believes that all employees should generally be aware of these tools as the need to protect
confidential information in transit may arise at any time.
Challenges in the Interpretation of P.U. Code §583
Criteria/Standard - Best practices suggest that there should be a uniform understanding and
interpretation of CPUC policy and related Decisions among staff across the board, particularly
regarding confidentiality of certain information that is protected by statute.
Condition/Existing Situation/Implications - We found a consistent understanding among staff of
the importance of protecting confidential information, including that provided by utilities or
other parties before the Commission. Indeed, no one interviewed was unaware of this concern,
and those whose jobs involve handling confidential information were able to explain their
responsibilities in a reasonable manner. At the same time, we also found multiple, varying
interpretations among staff about the specific application of Public Utilities Code §583[29], which
provides statutory protection for such information. The differences principally involved the need
for (or significance of) the marking of documents with a confidential stamp, and the specific
process that must be undertaken to make public a document that may be subject to
confidential treatment. Initially we did see some risk in the interpretations of some staff that
documents not specifically marked confidential are public information. However, during the
course of the audit the Commission provided clarification in Decision 16-08-024[30] about the
specific meaning of §583 as applied to CPUC staff, and how such documents should be marked
when provided to the CPUC and subsequently reviewed if their disclosure is requested.
28 Another type of requirement relates to information that must be kept confidential even among or between agency staff, such as the contents of HR-related files. In that case, substantial foot traffic by agency staff around unlocked cabinets would become a risk factor rather than the control it tends to provide where the concern extends only to precluding access by outsiders.
29 “No information furnished to the commission by a public utility, or any business which is a subsidiary or affiliate of a public utility, or a corporation which holds a controlling interest in a public utility, except those matters specifically required to be open to public inspection by this part, shall be open to public inspection or made public except on order of the commission, or by the commission or a commissioner in the course of a hearing or proceeding. Any present or former officer or employee of the commission who divulges any such information is guilty of a misdemeanor”.
30 E.g., …”any documents for which the submitting party seeks confidential treatment must be marked as confidential, the basis for confidential treatment must be specified, and the request for confidentiality must be accompanied by a declaration signed by an officer of the requesting entity or by an employee or agent designated by an officer. The officer delegating signing authority to an employee or agent must be identified in the declaration”.
Recommendations:
1. Annual Privacy Training
Management should closely monitor the required annual privacy training, with an objective
of 100 percent compliance by agency employees.
2. Unlocked Filing Cabinets
All divisions should carry out an inspection of all their filing cabinets and ensure that those
containing confidential information are kept locked when not supervised (including at the
end of each working day). Specific attention should be paid in the Legal, Energy and ALJ
divisions where some of these cabinets were found.
3. Lack of Knowledge of I.T. Capabilities For Secure Transfer of Information
We recommend that the I.T. unit develop a strategy to inform all staff of the availability and
capabilities of tools for transmitting information in a confidential encrypted format.
4. Challenges in the Interpretation of P.U. Code §583
Training and reference materials should be developed and provided to staff on the specific
applicability of P.U. Code §583 to their work, including any modifications or clarifications to
the provisions of Decision 16-08-024 as may occur in the rehearing process or through
appellate review.
5. FINDING 5: Records/Document Back Up
Some staff did not know the difference between working on a local computer or
laptop hard drive that is not backed up, versus network resources such as the
“O” drive or Content Server. Some others were aware of the difference, but
preferred working on local drives rather than network resources.
Criteria/Standard - Best practice suggests that data be stored on media that is backed up to
enable retrieval in case of accidental damage or loss of local drive or other storage media.
Documents, data, or other work products stored on local laptop or desktop computer hard
drives are not backed up by the CPUC’s I.T. systems, nor are they readily accessible to a staff
member’s supervisor or colleagues. Although such hard drives have become highly reliable and
data may be recoverable from them in the case of a crash, there is also a risk that a laptop may
be stolen or misplaced, and certain emergencies might threaten the integrity of many hard
drives at once (such as extreme heat, fire, smoke, or water from the sprinklers). Thus, the audit
team identified the routine use of backed-up IT resources for work-related documents and data
as a best practice to recommend across the agency.
Among the network resources available to all staff are a personal “O” drive they can use for
their own purposes, and Content Server that permits sharing of stored information among staff
along with some other useful capabilities. Other, unit- or task-specific IT network systems also exist.
Condition/Existing Situation/Implications - Our audit interviews and site visits consistently found
some staff who were not aware of available network resources, or did not fully understand the
difference between a hard drive and the network. In a few instances staff believed they were
working on a network resource but testing revealed they were not. Concerns also were
expressed about a lack of ease of use of Content Server, and we found some staff who had
chosen to work locally for that reason. However, many staff had no knowledge of the network-
based personal “O” drive, which in our judgment is no more difficult to use than a local hard
drive. Another variation involved a few units where staff would prepare work products on local
hard drives and only touch a network resource when emailing the draft to a supervisor for
review. Some interviewees reported that these efforts would go on for as long as two or
three months before any back up occurred. Even considering just the compensation and
overhead support expenditures for a CPUC analyst for that time, such a draft work product is
created at a significant cost, and saving it on a local drive would increase the potential risk of
losing valuable information through loss or damage to the computer. Laptops and desktops
used by staff are more prone to damage or theft resulting in loss of information. We would
suggest that such valuable information be safeguarded using the resources the agency is
providing for that purpose.
Recommendations:
1. We recommend that the agency’s document management program include a stated
expectation that all staff work (including drafts and work in progress) will be stored in a
secured, backed-up manner.
2. We recommend that each individual CPUC staff member receive a visit at his or her desk
(e.g. from an I.T. representative, or the unit’s supervisor) to review their methods of computer
use to help assure that all electronic work products, reference documents and other needed
records are being stored appropriately using backed-up network resources.
6. FINDING 6: Onboarding and Training
The CPUC does not provide onboarding or ongoing training of its staff about
agency-wide records management policies, legal requirements, standards, and
adopted best practices.
Criteria/Standard - SAM 1600, CalRIM guidelines and best practice emphasize that for any
records management program to be successful, it must be effectively communicated, made
known, and understood throughout the agency through training and activities that raise
awareness of policy guidelines and procedures. Without training, staff may be unaware of their
record keeping roles and responsibilities, resulting in the inefficient operation or failure of the
record management program. Best practice suggests appropriate onboarding as a means of
transferring the necessary policy and practices to new employees to enable them to follow
them.
Condition/Existing Situation/Implications - The audit team’s observation was that there was no
established onboarding or training program covering CPUC policies, state requirements, or
CPUC recommended best practices for document management. The same gap was evident
with regard to the onboarding of new staff. In some instances, interviewees who had come to
the CPUC from other state agencies were able to contrast the specific training and guidance
they had previously received to the lack of such information provided on their arrival here.
Generally, most of the units reviewed by the audit relied heavily on the experience and
organizational knowledge of individual long-term staff for consultation to ensure that the unit’s
recordkeeping responsibilities are met. This was particularly evident in some divisions where staff
who were interviewed revealed that they had not undertaken any document management
training for a long time, and were not aware of any specific state compliance requirements or
related CPUC policies. Some staff stated that training would be beneficial in light of a lack of
confidence in their own knowledge of document management and ability to comply with
legislative requirements.
Based on the wide variety of responses on these topics we received in our interviews with staff
and the issues found with compliance, there is a need for formalized records management
training and/or published guidance. Management should frequently communicate the
expectations of proper record keeping, as well as the goals of the overarching records
management program within the CPUC.
Recommendations:
1. Management should develop onboarding, training, and reference materials to address the
goals and common standards and practices of the RMP adopted by CPUC, and provide
periodic updates on key topics and modifications to the program.
7. FINDING 7 Forms Management Program/Representative
The CPUC’s Form Management Program (FMP) is not operational and does not
have a designated Forms Management Representative (FMR).
Criteria/Standard - Government Code Section 14771 establishes the State Forms Management
Program (SFMP) for all state agencies to facilitate the statewide standardization of all agencies’
forms and Forms Management Programs (FMP). Government Code Section 14772 requires each
state agency to “…appoint a forms management representative and provide necessary
assistance to implement the State Forms Management Program within the agency”.
Additionally, Government Code Section 12274(a) provides that the Records Management
Program shall “…ensure that the information needed by the agency may be obtained with a
minimum burden upon individuals and businesses, especially small business enterprises and
others required to furnish the information. Unnecessary duplication of efforts in obtaining
information shall be eliminated as rapidly as practical.” The effective use of forms would
augment the easy collection of required information.
The Forms program deals with the management, coordination, and development of multiple
forms, which include:
• Business-Use Forms/Reports - State forms and/or reports used to collect and/or solicit information, including signatures, from businesses.[31]
• Public-Use Forms - State forms used to obtain or solicit facts, opinions, or other information from the public or private citizens, etc.[32]
• State Standard (STD.) Forms - State forms developed for use by all agencies to carry out common statewide administrative functions.[33]
• Agency / Departmental Forms - State forms created and used specifically by an agency to carry out the agency’s administrative functions.
According to SAM 1705, the effectiveness of this program depends on a clear understanding of
the responsibilities of the operating agencies, Department of General Services (DGS) and the
Forms Management Center (FMC).[34] According to SAM, the cited responsibilities were derived
from the statutes and formulated from good business practices gathered from forms
professionals and forms associations. SAM also recommends housing the program at a level high
enough to give the perspective and authority needed for across-the-board improvements and
to provide technical guidance and department-wide coordination between functions. In
addition, SAM emphasizes centralization, backing, upper-level support, and stature in the
organization to be successful. Government Code Sections 14771(a) and 14775 require the
director of each state agency to fulfill legislative requirements needed for the effective
implementation of the SFMP, including ongoing triennial reviews of certain forms and reports
required to be provided by businesses.[35] Such requirements may involve submitting various
reports to the DGS or FMC. The Forms Management Representative required by Section 14772
usually has a level of responsibility equivalent to a staff services manager position.
[31] Government Code §14771(c) and 14775
[32] Government Code §14741(1)
[33] See Government Code §14771(a) (2-6)
[34] Government Code §14771(a)(4) (FMC provides training and assistance in all aspects of establishing and implementing the SFMP)
SAM 1706 provides a list of responsibilities for an agency’s FMR that include:
• Coordinating the agency forms management program, and delegating duties to other appropriate personnel.
• Acting as the primary contact between the agency and the FMC, and providing timely responses.
• Providing safeguards in all forms management activities for the protection of individual privacy and confidentiality of information plus inventorying and establishing an ongoing system of controls for the forms ordered and maintained by the agency.
• Reviewing and approving requests for printing or creation of electronic versions of forms for the agency or delegating those responsibilities in the way that is most effective for the agency.
• Determining that only necessary forms are ordered or established in electronic media and that those forms meet the standards set forth in the Forms Design Handbook.
• Ensuring that the new or revised forms meet the standards set forth in the Forms Design Handbook and the Forms Management Handbook.
• Conducting research into forms management problems and ensuring discontinuance of obsolete forms from the agency system.
• Conducting forms analysis for designing or redesigning the agency’s forms.
• Being responsible for administrative program reports required by the FMC, which include, but are not limited to reports on the agency Public Use Forms Program and the Business Use Forms/Reports Program and distributing information on forms management activities.
• Coordinating with the agency training office to provide and make arrangements for appropriate training of forms management personnel.
Condition/Existing Situation/Implications - The audit did not find any designated staff or person
to perform the required Forms Management Representative role as required by SAM. The audit
found some Agency/Departmental forms on the CPUC’s internet/intranet categorized by
departmental use; however, we found no further evidence to indicate how other forms are
managed or coordinated across the agency. This led the audit team to conclude that CPUC
does not have an operational FMP. Given the interconnection between forms and records, the
applicable standards also presume that the FMP and the RMP will work on a complementary
basis, as in many instances the use of forms facilitates the easy collection and classification of
data.
[35] Note that Section 14775 contains some exceptions to the triennial review requirement that seem applicable to CPUC activities. As noted in the recommendations, we suggest a legal analysis of these provisions to determine to what extent (i.e. to which forms and reports) this requirement applies.
During the audit, we noted that utilities are mandated to provide various reports and information
through Commission decisions or other regulatory procedures. Nearly all the CPUC staff we
interviewed indicated that the continued assessment of the usefulness of these reports is not
done. The main reason given was that the process to eliminate such a filing requirement is
usually cumbersome, and staff focus their available time on higher priority activities. Utilities or
other regulated entities can seek to modify these requirements if it is a priority for them. As well,
reports that are required by formal decisions result from proceedings in which the Commission
has considered the views of the parties in determining what information might be necessary.
Recommendations:
1. Management should appoint an FMR (as required by Government Code Section 14772 and
policy under SAM 1706) to reinvigorate the forms management program, including
involvement in the development of forms used to collect information from regulated entities.
The FMR should complement the existing Records Management Coordinator (RMC) in the
RMP, and be responsible for establishing a repository of all updated CPUC forms organized
by divisions. We also recommend that the FMR maintain an index or inventory list of all
mandatory reports that are received by the CPUC, to help position the FMR to monitor these
2. The CPUC should conduct an analysis under Government Code § 14775(b) to identify which
forms and reports required from businesses may be subject to the triennial review
requirement, including eliminating those that are no longer necessary to the agency’s
fulfillment of its responsibilities. As a best practice we also recommend, where practicable,
including other such forms and reports in the triennial review process even if they may be
exempt from the requirement to do so. We note that the result of such a review may be a
recommendation to the Commission for its consideration, if a formal decision would be
needed to modify a particular reporting requirement. We also recommend that the FMR
maintain an updated inventory list of all mandatory reports that are received by the CPUC,
to help independently review them and identify potentially obsolete or duplicative
requirements.
8. FINDING 8 Naming Conventions/Filing Plans/Indexes
The lack of consistent naming conventions, filing plans or systems, and indexes inhibits
the CPUC’s ability to perform a comprehensive search of documents relating to
a subject matter.
Criteria/Standard - CalRIM and other best practices recommend the adoption of consistent
and descriptive file naming methods that will provide a more organized and easily understood
collection of related records. They recommend having a filing system based on use and content
of records, to help in developing a planned method of indexing and arranging records for
storage. These can aid in the rapid, accurate, and complete retrieval of records.
Condition/Existing Situation/Implications - The audit team performed some limited document
location tests and reviewed some documents retrieved from various units. The documents
themselves were obtained from hard copy storage cabinets and file rooms, as well as shared
drives and Content Server.
Many units did not have naming conventions, filing systems or fully indexed catalogues or lists of
stored documents. Some units had organized their documents in a comprehensive manner,
including descriptive file names. Some of the best results in this regard involved purpose-built IT
systems to track particular types of activities (e.g. investigation databases). Some other tested
units were able to locate documents readily from among their current files, in part through staff
knowledge of the contents even where consistent file names or organizational structures were
not used.
The audit team also noted that most units had a repository of other documents that were no
longer relevant to current work. These were typically kept without a consistently organized filing
plan or system to current staff. In a few instances the staff in the units being tested were curious
about what these repositories contained, and welcomed the opportunity to look.
There is a diversity of types of documents and stored information across the CPUC and its various
operations, a point reinforced by observations during our site visits. While no single naming
convention or filing system would be appropriate for this entire range of material, any
comprehensive search for documents (e.g. of a particular kind, on a given topic etc.) would be
hampered by the combination of un-indexed document repositories, and the need for expertise
to search current files organized in non-standard ways. Bringing more order to this information
would potentially reduce the time and effort needed for searches, and enhance the agency’s
ability to use the entirety of the information it has retained.
Recommendations:
1. The CPUC’s records management program should include the adoption of file naming
conventions to be applied consistently within divisions or units, and filing plans including
directory structures for electronic documents.
2. A process should be established in each division through which all repositories of retained
documents will be reviewed. Those materials kept for future use should then be brought into
the adopted filing system.
4. OTHER AUDIT OBSERVATIONS
This section discusses a set of audit observations we believed worthy of further comment, and
two examples within the agency that helped to illustrate some good document and record
management practices that might be worth emulating in other units.
1. Legal Division - Unique Challenge Observed in Legal
In the course of the audit, we came across a unique situation within the Legal Division. Activities
of the Legal steno pool appeared sound with regard to document management and retention;
however, we also found that the division otherwise has no system in place for managing
documents in the custody of attorneys. Some audit observations included the following:
• Large quantities of unorganized materials reside in boxes in storerooms or file cabinets in hallways – including documents left over from former employees that have proven too time-consuming to be reviewed and evaluated for useful records or documents. As an example, twenty-eight boxes of presumably confidential material from a retired senior attorney were observed in a hallway.
• No routine purging occurs for obsolete documents.
• No repository exists of work papers, division-prepared reference materials, or any other work products that were not processed by the Legal steno pool.
• Attorneys are personally responsible for keeping records for cases in which they are involved, but without any common system or standards of organization. Supervisors are not necessarily aware of how their direct reports store or manage any documents.
• Outside of the steno pool, no divisional policy exists on what records to retain or how they should be arranged in a filing structure or by use of a naming convention.
• In the absence of a formalized process for handling or indexing documents or case files, the standard approach for locating such information is to identify the responsible attorney, and ask personally.
While some similar conditions were also observed in a number of other units across the CPUC,
their combination and extent in Legal was unique. These conditions also build upon one
another, e.g. a lack of organization of materials kept by individual attorneys complicates the
transfer of work products, or records to other counsel when they retire, and can deter efforts to
sort and categorize materials in file cabinets or boxes left behind.
We also noted that Legal is a unit in which several particular factors come into play with regard
to document management:
• Confidentiality is paramount, including between some colleagues who cannot view each other’s work products or files due to conflicts (e.g. counsel representing ORA are often adverse to other counsel in Legal).
• Judgments about which documents to retain are often individualized to attorneys based on knowledge of particular cases, issues, circumstances, etc. (one size does not fit all).
• Individual “curating” of documents can be important, as case or subject matter experts can offer useful context for information provided to colleagues.
As well, Legal management noted some related challenges they have faced:
• Support staffing is a key concern. Legal is authorized only two paralegals to support 77 attorneys. In law firms and other legal operations, their experience is that paralegals provide considerable support in organizing documents, as well as some other important functions such staff should be performing.
• Prior efforts to obtain added staff for important priorities (e.g. handling PRA requests) have usually been unavailing.
• A variety of I.T. systems have been made available to Legal in recent years, some helpful and some less so in their view. Legal management is concerned that the capacity of current IT systems might not be sufficient to handle all Legal records if they were kept electronically.
Legal Division managers are familiar with some examples of document management systems
used in outside law firms or other agencies, and see potential benefits for their operation in those
approaches.
Our analysis is that while the above working requirements and concerns are significant, they are
not contrary to the need to maintain an organized document management system consistent
with state requirements. However, Internal Audit is not in a position to recommend specific
remedies or processes that Legal should adopt, given its specialized needs.
We suggest that Legal consider obtaining the services of a consultant familiar with successful
legal document management systems in public sector agencies – to evaluate Legal’s operation
in light of the requirements of its work, and to identify a plan for creating an effective system
along with any added resources needed to achieve it.
2. Best Practice: CP&ED - Utility Enforcement Branch (UEB)
CP&ED’s Utility Enforcement Branch (UEB) provided an example of a good use of existing I.T.
resources to store a unit’s historical information about its operations in an easily accessible and
secure manner.
Over time, UEB has developed its own intranet-based system for maintaining records about how
the various operations in the unit are performed, popularly referred to as UEB’s Knowledge
Portal. Information kept there includes process flow diagrams, writing templates, white papers,
reference materials, and detailed UEB work guidelines. Based on a quick review of the portal
contents, material in the portal appeared to be organized and indexed, and to serve as a useful
knowledge retention resource.
Appendix H provides some further detail on this system.
3. Best Practice: Energy Division - Tariff Unit
Energy Division has developed a Central File filing system using Content Server to help it manage
a large number of reports received from utilities and other documents. This system replaced the
previous manual and email-based approach. With the new central filing system based on
Content Server, the filing room previously used to store hard copy documents was cleared out
and converted into a modern conference room. Other CPUC units can emulate this and
potentially save and release physical space for other uses.
Appendix I provides some further detail on this system.
5. MANAGEMENT RESPONSE
Management Memo
Refer to the following page below for detailed memo.
Internal Audit’s Further Comments on Management Response
We welcome management’s commitments to improve the CPUC’s document management
practices. Indeed, the response references a variety of plans and actions to be developed and
implemented in the coming months (e.g. for the records management program, Form STD 73
completion, records destruction, an email policy, privacy training compliance, and PU Code
Section 583). In that regard, we would request that within six months management provide a
follow-up report on this audit that contains the implementation plans, and a status report on
their implementation.
We would also like to make the following additional specific comments, as described below:
Comments on response to finding # 1:
The California Mandatory Records Management Program (RMP) Has Not Been Effectively
Implemented.
We acknowledge management’s commitment to have each division complete a proper
inventory of records with STD 70, and filing of STD 73; however, we should also note CALRIM’s
emphasis on the need for a documented organized filing system or plan as the basis for doing
so. At a minimum the system should include or enable the determination of information like the
following: Records series/description, location of record series, media type, years of records,
reference status (active/no active), and volume.[36]
Furthermore, the role of Internal Audit includes addressing opportunities to achieve greater
efficiency and effectiveness in agency operations. It was in this sense that we recommended
the use of ARMA’s Generally Accepted Recordkeeping Principles (GARP) and Information
Governance Model (IGM). As a maturity model, it provides tangible examples of stages through
which a records management and retention system can develop, and in this way offers a
practical benchmark against which divisions and the agency can measure their progress. While
recognizing management’s prerogative to consider such recommendations as it sees fit, we
would encourage further consideration of this tool as the agency’s practices are improved and
utilized over time.
[36] Records Management Handbook page 6 to 8
Comments on response to finding # 2:
The CPUC's Document and Records Destruction Practices Do Not Comply with the California
State Records Management Act and State Policy.
We agree with management that records destruction practices are part of the overall records
retention program to be developed. Until that is in place, however, we think it would be helpful
to advise staff to cease destroying any information or documents that could be considered
records, to avoid an inadvertent violation of state law and policy. The regularized destruction of
obsolete records according to state policy is also consistent with appropriate responses to
outside requests for information. For example, CalRIM’s handbook states that agencies can
defend their actions if records that have been subpoenaed are unavailable due to having
been destroyed pursuant to approved records retention schedules.[37]
Comments on response to finding # 5:
Staff Unaware of the O: Drive Versus the C: Drive.
With regard to the use of local hard drives versus network resources: We note a distinction
between the IT unit providing additional tools and information to staff, versus some kind of
supervisorial or peer interaction within the divisions to help assure good employee practices. The
response focuses on the former, i.e. I.T.’s efforts alone. While these are potentially helpful, such
efforts have been undertaken before and did not prevent the issue that was seen. Consistent
with the standards cited in this report, we suggest that the working oversight of storage and
management of documents is a managerial function more than it is a matter of technical
solutions. In that light we would encourage management to consider supervisorial approaches
within the divisions, to make the best use of the capabilities that IT can provide.
Comments on response to finding # 7:
CPUC Lacks a Form Management Program.
With regard to forms management, we note that the BCP process is uncertain and would take
approximately a year’s time to result in a new employee to begin to address this requirement (in
fiscal year 2018-19). We would suggest that compliance activities start sooner and with greater
certainty. For example, management should make an initial effort to identify which CPUC forms
are subject to the mandatory three-year review cycle.
Comments on response to finding # 8:
CPUC Lacks Consistent Naming Conventions & filing plan.
With regard to naming conventions, we agree that different approaches can be appropriate for
different types of documents or data, but that does not diminish their usefulness. We suggest
that management encourage the use of consistent naming conventions at appropriate levels
throughout the agency (e.g. for divisions, units, specific work products etc.), particularly for
significant records that may be retained into the future. Consistent with the requirements noted
above in the comments to response to finding #1, divisions and units should also maintain a
documented filing plan of the location of their records to aid in research and retrieval.
[37] Records Management Handbook page 18 bullet 3
6. APPENDICES
APPENDIX A
Laws and Policies Governing CPUC Records Management
1. Federal Records Act of 1950 (FRA)[38]
   Federal law providing legal framework for federal records management, including record creation, maintenance, and disposition.
2. Federal Freedom of Information Act (FOIA)
   Federal law that allows for the full or partial disclosure of previously unreleased information and documents controlled by the United States government.
3. State Records Management Act
   Directs California's Secretary of State to establish and administer a records management program that applies efficient and economical management methods to the creation, utilization, maintenance, retention, preservation, and disposal of state records. Provides further guidance on how records should be managed in state agencies.
4. California Public Records Act (CPRA)
   California law requiring inspection or disclosure of governmental records to the public upon request, unless exempted by law. Defines public records and provides guidance on confidentiality.
5. State Administrative Manual (SAM) Chapter 1600
   Provides State policy guidance on an agency’s records management.
6. State Administrative Manual (SAM) Chapter 1700
   Provides State policy guidance on an agency’s forms management.
7. State Administrative Manual (SAM) Chapter 5300
   Provides State policy guidance on an agency’s information security.
8. CPUC’s General Order 66-C – and subsequent clarifications or revisions.
   Provides guidance on how CPUC and its staff should treat confidential information provided to it by utilities.
[38] FRA and FOIA are noted due to the CPUC’s participation in some federal programs.
APPENDIX B
CPUC Divisions and Sub-Units Sampled for Audit
Division/ Units
Executive Division (ED)
1. Executive Director
2. Deputy Executive Director
News and Outreach Office (N&OO)
3. Public Advisors Office (PAO)
4. Equal Employment Opportunity Office (EEOO)
Consumer Protection & Enforcement Division (CP&ED)
5. Consumer Issues & Analysis Branch
6. Consumer Affairs - San Francisco
7. Utility Enforcement Branch
8. Consumer Protection Initiative Fraud Sect.
Office of Government Affairs (OGA)
9. Office of Government Affairs
Energy Division
10. Administrative Support & Tariff Unit
11. Market Structure Costs & Natural Gas
12. Electric Market Structure & Design
13. Demand Response Customer Generation & Retail
14. Customer Generation
Communication Division
15. Communications Adm. Unit
16. Carrier Oversight & Program.
17. Service Quality & Eligible Telecom Carrier
19. Broadband, Policy & Analysis
20. California Advanced Services Fund (CASF)
Safety & Enforcement
21. Gas Safety & Reliability Branch
22. Gas & Safety Reliability
23. Rail Transit Safety Branch
24. Rail Transit Operations Safety
25. Administration & Budgets Unit
Water & Audits
25. Administrative Unit
26. Water & Sewer Advisory
27. Small Company & Policy
Legal Division
28. Adm. Unit
29. Telecommunications
30. Energy Procurement
Administrative Law Judges
31. ALJ – Administrative - Section
32. The STAR Unit
33. Central File Unit
Administrative Services
34. Information Technology Services
35. Information Security Office
36. Business Services
37. Budget & Fiscal
38. Human Resources
Policy & Planning
40. Policy and planning
Office of Ratepayer Advocates
41. Energy - Detailed Audit of unit denied by OGA
APPENDIX C
List of Policy Documents Obtained from the California Energy Commission (CEC)
1. Email Policy
   Provides email system users with policy and rules for the disposition and preservation of State records that are in the form of email messages and attachments.
2. Information Security Policy
   Provides policy on information security guidelines observed while conducting CEC business activities. This policy is a foundation for additional practices and standards that specifically communicate Agency rules related to information security.
3. Confidential Information Policy
   Provides an overview of the policies and procedures CEC has enacted to safeguard and protect the confidentiality and integrity of information (including paper and electronic documents, records, files, databases, and all products derived from confidential information) with which it has been entrusted.
4. Records Retention Guidelines -2007
   Provide guidelines to Commissioners, advisers, the various divisions, and offices of the Energy Commission, and its staff and contractors regarding the length of time official documents are retained by the Energy Commission.
5. Incident Reporting Guidelines
   Provides policy guidelines on when suspected or actual incidents of confidential information compromise occur or get lost.
6. Information Classification Policy
   Provides policy guidelines to CEC staff on the classification of records/documents between confidential and non-confidential records/documents.
7. Information Handling Guidelines
   Provides additional policy guidelines on handling of confidential information.
8. Records Retention Guidelines - 2014
   Document provides records/document management policies and procedures for California Energy Commission (CEC) staff and its contractors, which are consistent with the statewide California Records and Information Management Program (CalRIM) for the retention of public documents.
APPENDIX D
Extract from I.T. Unit’s 2016 BCP Infrastructure Increase Summary
| Infrastructure Increase by year | 2010 | 2011 | 2012 | 2013 | 2014 | CY |
|---|---|---|---|---|---|---|
| Number of physical servers/appliances | 210 | 160 | 150 | 116 | 125 | 135 |
| Number of virtual servers/appliances | 100 | 150 | 176 | 200 | 337 | 425 |
| Weekly Backup | 5 TB | 10 TB | 12 TB | 15 TB | 25 TB | 30 TB |
| Percentage of physical servers/appliances | 68% | 52% | 46% | 37% | 27% | 24% |
| Total number of servers | 310 | 310 | 326 | 316 | 462 | 560 |
| Total TB of document storage | 60 | 100 | 135 | 176 | 276 | 450 |
APPENDIX E
Status of CPUC’s STD 73 Forms Filed on Secretary of State’s Website, 2008 to 2017
| # | Approval Number | Schedule Number | Agency |
|---|---|---|---|
| 1* | 2015-018 | NPI-1 | Executive - San Francisco -News and Public Information |
| 2* | 2015-001 | ALJ-4 | Administrative Law Judge - Central Files |
| 3* | 2014-320 | IMSD-A4 | Administration - Human Resources |
| 4* | 2013-033 | C-07 Contracts 2 | Administration - Management Services -- Contract Services |
| 5 | 2008-178 | MD-1 | Ratepayer Advocates |
| 6 | 2008-177 | RRB 98-1 | Ratepayer Advocates |
| 7 | 2008-176 | SACTO-1 | Ratepayer Advocates |
| 8 | 2008-175 | CIB-1 | Ratepayer Advocates |
| 9 | 2008-174 | UPA-1 | Ratepayer Advocates |
| 10 | 2008-132 | WAB (1-13)KRB 98-1 (1-10) | Water And Sewer Advisory Branch -- Administrative Law Judge Support And Compliance |
| 11 | 2008-097 | BSS-2 | Information and Management Services -- Business Services |
| 12 | 2008-083 | IMSD-A4 | Information and Management Services -- Human Resources |
| 13 | 2008-082 | OGA-1 | Governmental Affairs |
| 14 | 2008-076 | CAB-1 | Consumer Services -- Consumer Affairs |
| 15 | 2008-071 | LA-310 | Consumer Services -- Consumer Affairs |
| 16 | 2008-068 | DSP-1 | Strategic Planning |
| 17 | 2008-057 | ALJ-1 | Administrative Law Judge -- Administration |
| 18 | 2008-055 | USRB-1 | Consumer Protection and Safety Division -- Utilities Safety and Reliability Branch |
| 19 | 2008-054 | ROSB-SF-1 | Consumer Protection and Safety Division -- Railroad Operations Safety Branch |
| 20 | 2008-053 | ROSB-SACTO-1 | Consumer Protection and Safety Division -- Railroad Operations Safety Branch |
| 21 | 2008-052 | CPSD-1 | Consumer Protection and Safety Division -- Administrative Branch |
| 22 | 2008-045 | ED-1 | Energy |
| 23 | 2008-039 | LL1 | Legal |
| 24 | 2008-038 | DRA-1 | Ratepayer Advocates |
| 25 | 2008-036 | CD1 | Communications |
| 26 | 2008-035 | F0-07-01 | Information and Management Services -- Fiscal |
| 27 | 2008-032 | CRC-1 | Commissioner's Office -- Commissioners |
| 28 | 2008-031 | ED-1 | Commissioner's Office -- Executive Director |
| 29 | 2008-030 | JB2-2 | Commissioner's Office -- Commissioners |
| 30 | 2008-029 | DGX001 | Commissioner's Office -- Executive Director |
| 31 | 2008-028 | TAS 1 | Commissioner's Office -- Commissioners |
| 32 | 2008-026 | MP1-1 | Commissioner's Office -- President |
| 33 | 2008-025 | IMSD-01 | Information and Management Services -- Administration |
| 34 | 2008-024 | WAB-(1-13)RRB98-1(1-10) | Water and Audits Division |
| 35 | 2008-020 | NPI-1 | Executive - San Francisco -- News and Public Information |
| 36 | 2008-016 | ALJ-3 | Administrative Law Judge -- Central Files |
| 37 | 2008-015 | ALJ-5 | Administrative Law Judge -- Process Office |
| 38 | 2008-014 | ALJ-4 | Administrative Law Judge -- Docket Office |
| 39 | 2008-013 | ALJ-6 | Administrative Law Judge -- Reporting |
| 40 | 2008-012 | ALJ-2 | Administrative Law Judge -- Calendar Clerk |
| 41 | 2008-011 | RSCB-1 | Consumer Protection and Safety Division -- Rail Safety and Carriers -- Rail Crossings Engineering Section |
| 42 | 2008-010 | ISB-1 | Information and Management Services -- Information Services Branch |
| 43 | 2008-009 | EGPB 07-1 & EGPB 07-2 | Consumer Protection and Safety Division -- Electric Generation Performance Branch |
| 44 | 2008-008 | C-07 CONTRACTS 1 | Information and Management Services -- Contracts Office |
| 45 | 2008-007 | LA103 | Executive - Los Angeles |
| 46 | 2008-006 | TEB-1 | Consumer Protection and Safety Division -- Enforcement Branch -- Transportation Enforcement |
| 47 | 2008-005 | UEB-1 | Consumer Protection and Safety Division -- Enforcement Branch -- Utility Enforcement |
* Denotes approved, current and active STD 73 forms filed with the Secretary of State and published
on its website. CPUC had only four of these as of 04/06/17.
APPENDIX F
CPUC Staff Completion Rates 2013 – 2016 Annual Training Protecting Privacy in
State Government
The average completion rate for the four years 2013 to 2016 is 80%, calculated as the sum of the
four yearly total completion percentages divided by 4, (89% + 68% + 71% + 91%)/4. The
non-completion rate is the remaining 20%.
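2016

| Divisions | Total Employees | Complete | Not Completed | % Completed |
|---|---|---|---|---|
| Administration | 183 | 152 | 31 | 83% |
| ALJ | 76 | 70 | 6 | 92% |
| Comm. | 60 | 59 | 1 | 98% |
| CPED | 111 | 104 | 7 | 94% |
| Energy | 137 | 129 | 8 | 94% |
| Executive | 85 | 67 | 18 | 79% |
| Legal | 77 | 74 | 3 | 96% |
| ORA | 138 | 135 | 3 | 98% |
| PPD | 10 | 10 | - | 100% |
| SED | 170 | 160 | 10 | 94% |
| Water | 43 | 43 | - | 100% |
| Unassigned | 8 | - | 8 | 0% |
| Total | 1,098 | 1,003 | 95 | 91% |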
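2015

| Divisions | Total Employees | Complete | Not Completed | % Completed |
|---|---|---|---|---|
| Administration | 176 | 117 | 59 | 66% |
| ALJ | 96 | 61 | 35 | 64% |
| Comm. | 66 | 63 | 3 | 95% |
| CSID | 67 | 44 | 23 | 66% |
| Energy | 132 | 97 | 35 | 73% |
| Executive | 84 | 42 | 42 | 50% |
| Legal | 84 | 53 | 31 | 63% |
| ORA | 139 | 104 | 35 | 75% |
| PPD | 10 | 7 | 3 | 70% |
| SED | 233 | 184 | 49 | 79% |
| Water | 40 | 33 | 7 | 83% |
| Unassigned | 11 | 0 | 11 | 0% |
| Total | 1,138 | 805 | 333 | 71% |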
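2014

| Divisions | Total Employees | Complete | Not Completed | % Completed |
|---|---|---|---|---|
| Administration | 153 | 105 | 48 | 69% |
| ALJ | 97 | 67 | 30 | 69% |
| Comm. | 69 | 54 | 15 | 78% |
| CSID | 73 | 56 | 17 | 77% |
| DRA | 140 | 94 | 46 | 67% |
| Energy | 138 | 83 | 55 | 60% |
| Executive | 91 | 50 | 41 | 55% |
| Legal | 85 | 69 | 16 | 81% |
| PPD | 8 | 7 | 1 | 88% |
| SED | 239 | 182 | 57 | 76% |
| Water | 43 | 31 | 12 | 72% |
| Unassigned | 41 | - | 41 | 0% |
| Total | 1,177 | 798 | 379 | 68% |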
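2013

| Divisions | Total Employees | Complete | Not Completed | % Completed |
|---|---|---|---|---|
| Administration | 120 | 111 | 9 | 93% |
| ALJ | 85 | 73 | 12 | 86% |
| Comm. | 68 | 65 | 3 | 96% |
| CSID | 66 | 62 | 4 | 94% |
| DRA | 134 | 122 | 12 | 91% |
| Energy | 128 | 109 | 19 | 85% |
| Executive | 59 | 49 | 10 | 83% |
| Legal | 84 | 72 | 12 | 86% |
| PPD | 9 | 8 | 1 | 89% |
| SED | 231 | 215 | 16 | 93% |
| Water | 41 | 40 | 1 | 98% |
| Unassigned | 18 | 6 | 12 | 33% |
| Total | 1,043 | 932 | 111 | 89% |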
APPENDIX G
Generally Accepted Recordkeeping Principles (GARP) and ARMA International’s
Information Governance Maturity Model (ARMA-IGMM)
About ARMA International and the Generally Accepted Recordkeeping Principles
ARMA International (www.arma.org) is a not-for-profit professional association and the authority
on governing information as a strategic asset. Established in 1955, it has approximately 27,000
members in the United States, Canada, and more than 30 other countries. ARMA International
created and promulgated the Generally Accepted Recordkeeping Principles (GARP), which is a
framework for managing records in a way that supports an organization's immediate and future
regulatory, legal, risk mitigation, environmental and operational requirements. These principles
were created with the assistance of legal and IT professionals who reviewed and distilled global
best practice resources. These included the international records management standard
ISO15489-1 from the American National Standards Institute and court case law. The Principles
were vetted through a public call-for-comment process involving the professional records
information management community. More information about the Principles can be found at
www.arma.org/principles.
1. Principle of Accountability
A senior executive (or a person of comparable authority) shall oversee the information
governance program and delegate responsibility for records and information management
to appropriate individuals. The organization adopts policies and procedures to guide
personnel and ensure that the program can be audited.
2. Principle of Integrity
An information governance program shall be constructed so the information generated by
or managed for the organization has a reasonable and suitable guarantee of authenticity
and reliability.
3. Principle of Protection
An information governance program shall be constructed to ensure a reasonable level of
protection for records and information that are private, confidential, privileged, secret,
classified, or essential to business continuity or that otherwise require protection.
4. Principle of Compliance
An information governance program shall be constructed to comply with applicable laws
and other binding authorities, as well as with the organization’s policies.
5. Principle of Availability
An organization shall maintain records and information in a manner that ensures timely,
efficient, and accurate retrieval of needed information.
6. Principle of Retention
An organization shall maintain its records and information for an appropriate time, taking into
account its legal, regulatory, fiscal, operational, and historical requirements.
7. Principle of Disposition
An organization shall provide secure and appropriate disposition for records and information
that are no longer required to be maintained by applicable laws and the organization’s
policies.
8. Principle of Transparency
An organization’s business processes and activities, including its information governance
program, shall be documented in an open and verifiable manner, and that documentation
shall be available to all personnel and appropriate interested parties.
Source: Generally Accepted Recordkeeping Principles® ©2014 ARMA International,
www.arma.org.
ARMA International’s Information Governance Maturity Model (ARMA-IGMM)
Information is one of the most vital, strategic assets organizations possess. They depend on
information to develop products and services, make critical strategic decisions, protect property
rights, propel marketing, manage projects, process transactions, service customers, and
generate revenues. This critical information is contained in the organizations’ business records.
It has not always been easy to describe what “good recordkeeping” looks like. Yet, this question
gains in importance as regulators, shareholders, and customers are increasingly concerned
about the business practices of organizations. ARMA International recognized that a clear
statement of “Generally Accepted Recordkeeping Principles®” (GARP®) would guide:
• CEOs in determining how to protect their organizations in the use of information assets;
• Legislators in crafting legislation meant to hold organizations accountable; and
• Records management professionals in designing comprehensive and effective records
management programs.
The GARP® principles identify the critical hallmarks of information governance, which Gartner
describes as an accountability framework that “includes the processes, roles, standards, and
metrics that ensure the effective and efficient use of information in enabling an organization to
achieve its goals.” As such, they apply to all sizes of organizations, in all types of industries, and
in both the private and public sectors. Multi-national organizations can also use GARP® to
establish consistent practices across a variety of business units.
A Picture of Effective Information Governance
The Information Governance Maturity Model begins to paint a more complete picture of what
effective information governance looks like. It is based on the eight GARP® principles as well as
a foundation of standards, best practices, and legal/regulatory requirements.
The maturity model goes beyond a mere statement of the principles by beginning to define
characteristics of various levels of recordkeeping programs. For each principle, the maturity
model associates various characteristics that are typical for each of the five levels in the model:
• Level 1 (Sub-Standard): This level describes an environment where recordkeeping concerns
are either not addressed at all, or are addressed in a very ad hoc manner. Organizations that
identify primarily with these descriptions should be concerned that their programs will not meet
legal or regulatory scrutiny.
• Level 2 (In Development): This level describes an environment where there is a developing
recognition that recordkeeping has an impact on the organization, and that the organization
may benefit from a more defined information governance program. However, in Level 2, the
organization is still vulnerable to legal or regulatory scrutiny since practices are ill defined and still
largely ad hoc in nature.
• Level 3 (Essential): This level describes the essential or minimum requirements that must be
addressed in order to meet the organization’s legal and regulatory requirements. Level 3 is
characterized by defined policies and procedures, and more specific decisions taken to
improve recordkeeping. However, organizations that identify primarily with Level 3 descriptions
may still be missing significant opportunities for streamlining business and controlling costs.
• Level 4 (Proactive): This level describes an organization that is initiating information
governance program improvements throughout its business operations. Information governance
issues and considerations are integrated into business decisions on a routine basis, and the
organization easily meets its legal and regulatory requirements. Organizations that identify
primarily with these descriptions should begin to consider the business benefits of information
availability in transforming their organizations globally.
• Level 5 (Transformational): This level describes an organization that has integrated information
governance into its overall corporate infrastructure and business processes to such an extent
that compliance with the program requirements is routine. These organizations have recognized
that effective information governance plays a critical role in cost containment, competitive
advantage, and client service.
How to Use the Maturity Model
The Information Governance Maturity Model will assist an organization in conducting a
preliminary evaluation of its recordkeeping programs and practices. Thoughtful consideration of
the organization’s practices should allow users to make an initial determination of the maturity of
their organization’s information governance.
Initially, it is not unusual for an organization to be at differing levels of maturity for the eight
principles. It is also important to note that the maturity model represents an initial evaluation. In
order to be most effective, a more in-depth analysis of organizational policies and practices
may be necessary.
The maturity model will be most useful to leaders who wish to achieve the maximum benefit from
their information governance practices. Effective information governance requires a continuous
focus. However, in order to get started, organizations can look to the steps below:
1. Identify the gaps between the organization’s current practices and the desirable level of
maturity for each principle.
2. Assess the risk(s) to the organization, based on the biggest gaps.
3. Determine whether additional information and analysis is necessary.
4. Develop priorities and assign accountability for further development of the program.
ARMA International has a variety of resources and assessment tools available that will help
organizations take the next steps in improving their information governance practices. They can
be located at www.arma.org.
GARP Principle and the characteristics of each maturity level: Level 1 (Sub-Standard), Level 2 (In
Development), Level 3 (Essential), Level 4 (Proactive), Level 5 (Transformational)

1. Accountability
Principle: A senior executive (or person of comparable authority) oversees the recordkeeping
program and delegates program responsibility to appropriate individuals. The organization adopts
policies and procedures to guide personnel, and ensure the program can be audited.
• Level 1 (Sub-Standard): No senior executive (or person of comparable authority) is responsible
for the records management program. The records manager role is largely non-existent or is an
administrative and/or clerical role distributed among general staff.
• Level 2 (In Development): No senior executive (or person of comparable authority) is involved in
or responsible for the records management program. The records manager role is recognized,
although he/she is responsible for tactical operation of the existing program. In many cases, the
existing program covers paper records only. The information technology function or department is
the de facto lead for storing electronic information, but this is not done in a systematic fashion.
The records manager is not involved in discussions of electronic systems.
• Level 3 (Essential): The records manager is an officer of the organization and is responsible for
the tactical operation of the ongoing program on an organization-wide basis. The records manager
is actively engaged in strategic information and record management initiatives with other officers
of the organization. Senior management is aware of the program. The organization has defined
specific goals related to accountability.
• Level 4 (Proactive): The records manager is a senior officer responsible for all tactical and
strategic aspects of the program. A stakeholder committee representing all functional areas and
chaired by the records manager meets on a periodic basis to review disposition policy and other
records management related issues. Records management activities are fully sponsored by a senior
executive.
• Level 5 (Transformational): The organization’s senior management and its governing board place
great emphasis on the importance of the program. The records management program is directly
responsible to an individual in the senior level of management, (e.g., chief risk officer, chief
compliance officer, chief information officer) OR, A chief records officer (or similar title) is
directly responsible for the records management program and is a member of senior management
for the organization.
2. Transparency
Principle: The processes and activities of an organization’s recordkeeping program are documented
in a manner that is open and verifiable and is available to all personnel and appropriate interested
parties.
• Level 1 (Sub-Standard): It is difficult to obtain information about the organization or its records
in a timely fashion. No clear documentation is readily available. There is no emphasis on
transparency. Public requests for information, discovery for litigation, regulatory responses, or
other requests (e.g., from potential business partners, investors, or buyers) cannot be readily
accommodated. The organization has not established controls to ensure the consistency of
information disclosure.
• Level 2 (In Development): The organization realizes that some degree of transparency is
important in its recordkeeping for business or regulatory needs. Although a limited amount of
transparency exists in areas where regulations demand transparency, there is no systematic or
organization-wide drive to transparency.
• Level 3 (Essential): Transparency in recordkeeping is taken seriously and information is readily
and systematically available when needed. There is a written policy regarding transparency.
Employees are educated on the importance of transparency and the specifics of the organization’s
commitment to transparency. The organization has defined specific goals related to transparency.
• Level 4 (Proactive): Transparency is an essential part of the corporate culture and is emphasized
in training. The organization monitors compliance on a regular basis.
• Level 5 (Transformational): The organization’s senior management considers transparency as a
key component of information governance. The organization’s stated goals related to transparency
have been met. The organization has implemented a continuous improvement process to ensure
transparency is maintained over time. Software tools that are in place assist in transparency.
Requestors, courts, and other legitimately interested parties are consistently satisfied with the
transparency of the processes and the response.
3. Integrity
Principle: A recordkeeping program shall be constructed so the records and information generated
or managed by or for the organization have a reasonable and suitable guarantee of authenticity
and reliability.
• Level 1 (Sub-Standard): There are no systematic audits or defined processes for showing the
origin and authenticity of a record. Various organizational functions use ad hoc methods to
demonstrate authenticity and chain of custody, as appropriate, but their trustworthiness cannot
easily be guaranteed.
• Level 2 (In Development): Some organizational records are stored with their respective metadata
that demonstrate authenticity; however, no formal process is defined for metadata storage and
chain of custody. Metadata storage and chain of custody methods are acknowledged to be
important, but are left to the different departments to handle as they determine is appropriate.
• Level 3 (Essential): The organization has a formal process to ensure that the required level of
authenticity and chain of custody can be applied to its systems and processes. Appropriate data
elements to demonstrate compliance with the policy are captured. The organization has defined
specific goals related to integrity.
• Level 4 (Proactive): There is a clear definition of metadata requirements for all systems, business
applications, and paper records that are needed to ensure the authenticity of records. Metadata
requirements include security and signature requirements and chain of custody as needed to
demonstrate authenticity. The metadata definition process is an integral part of the records
management practice in the organization.
• Level 5 (Transformational): There is a formal, defined process for introducing new
record-generating systems and the capture of their metadata and other authenticity requirements,
including chain of custody. This level is easily and regularly audited. The organization’s stated
goals related to integrity have been met. The organization can consistently and confidently
demonstrate the accuracy and authenticity of its records.
4. Protection
Principle: A recordkeeping program shall be constructed to ensure a reasonable level of protection
to records and information that are private, confidential, privileged, secret, or essential to
business continuity.
• Level 1 (Sub-Standard): No consideration is given to record privacy. Records are stored
haphazardly, with protection taken by various groups and departments with no centralized access
controls. The author, if any, assigns access controls.
• Level 2 (In Development): Some protection of records is exercised. There is a written policy for
records that require a level of protection (e.g., personnel records). However, the policy does not
give clear and definitive guidelines for all records in all media types. Guidance for employees is
not universal or uniform. Employee training is not formalized. The policy does not address how to
exchange these records between employees. Access controls are still implemented by individual
record owners.
• Level 3 (Essential): The organization has a formal written policy for protecting records and
centralized access controls. Confidentiality and privacy are well defined. The importance of chain
of custody is defined, when appropriate. Training for employees is available. Records and
information audits are only conducted in regulated areas of the business. Audits in other areas
may be conducted, but are left to the discretion of each function area. The organization has
defined specific goals related to record protection.
• Level 4 (Proactive): The organization has implemented systems that provide for the protection of
the information. Employee training is formalized and well documented. Auditing of compliance
and protection is conducted on a regular basis.
• Level 5 (Transformational): Executives and/or senior management and the board place great
value in the protection of information. Audit information is regularly examined and continuous
improvement is undertaken. The organization’s stated goals related to record protection have been
met. Inappropriate or inadvertent information disclosure or loss incidents are rare.
5. Compliance
Principle: The recordkeeping program shall be constructed to comply with applicable laws and
other binding authorities, as well as the organization’s policies.
• Level 1 (Sub-Standard): There is no clear definition of the records the organization is obligated
to keep. Records and other business documentation are not systematically managed according to
records management principles. Various groups of the organization define this to the best of their
ability based on their interpretation of rules and regulations. There is no central oversight and no
consistently defensible position. There is no defined or understood process for imposing “holds.”
• Level 2 (In Development): The organization has identified the rules and regulations that govern
its business and introduced some compliance policies and recordkeeping practices around those
policies. Policies are not complete and there is no apparent or well-defined accountability for
compliance. There is a hold process, but it is not well integrated with the organization’s
information management and discovery processes.
• Level 3 (Essential): The organization has identified all relevant compliance laws and regulations.
Record creation and capture are systematically carried out in accordance with records management
principles. The organization has a strong code of business conduct, which is integrated into its
overall information governance structure and recordkeeping policies. Compliance and the records
that demonstrate it are highly valued and measurable. The hold process is integrated into the
organization’s information management and discovery processes for the “most critical” systems.
The organization has defined specific goals related to compliance.
• Level 4 (Proactive): The organization has implemented systems to capture and protect records.
Records are linked with the metadata used to demonstrate and measure compliance. Employees
are trained appropriately and audits are conducted regularly. Records of the audits and training
are available for review. Lack of compliance is remedied through implementation of defined
corrective actions. The hold process is well-managed with defined roles and a repeatable process
that is integrated into the organization’s information management and discovery processes.
• Level 5 (Transformational): The importance of compliance and the role of records and
information in it are clearly recognized at the senior management and board levels. Auditing and
continuous improvement processes are well established and monitored by senior management. The
roles and processes for information management and discovery are integrated. The organization’s
stated goals related to compliance have been met. The organization suffers few or no adverse
consequences based on information governance and compliance failures.
6. Availability
Principle: An organization shall maintain records in a manner that ensures timely, efficient, and
accurate retrieval of needed information.
• Level 1 (Sub-Standard): Records are not readily available when needed and/or it is unclear who
to ask when records need to be produced. It takes time to find the correct version, the signed
version, or the final version, if it can be found at all. The records lack finding aids: indices,
metadata, and locators. Legal discovery is difficult because it is not clear where information
resides or where the final copy of a record is located.
• Level 2 (In Development): Record retrieval mechanisms have been implemented in certain areas
of the organization. In those areas with retrieval mechanisms, it is possible to distinguish between
official records, duplicates, and non-record materials. There are some policies on where and how
to store official records, but a standard is not imposed across the organization. Legal discovery is
complicated and costly due to the inconsistent treatment of information.
• Level 3 (Essential): There is a standard for where and how official records and information are
stored, protected, and made available. Record retrieval mechanisms are consistent and contribute
to timely records retrieval. Most of the time, it is easy to determine where to find the authentic
and final version of any record. Legal discovery is a well-defined and systematic business process.
The organization has defined specific goals related to availability.
• Level 4 (Proactive): There are clearly defined policies regarding storage of records and
information. There are clear guidelines and an inventory that identifies and defines the systems
and their information assets. Records and information are consistently and readily available when
needed. Appropriate systems and controls are in place for legal discovery. Automation is adopted
to facilitate the implementation of the hold process.
• Level 5 (Transformational): The senior management and board levels provide support to
continually upgrade the processes that affect record availability. There is an organized training
and continuous improvement program. The organization’s stated goals related to availability have
been met. There is a measurable ROI to the business because of records availability.
7. Retention
Principle: An organization shall maintain its records and information for an appropriate time,
taking into account legal, regulatory, fiscal, operational, and historical requirements.
• Level 1 (Sub-Standard): There is no current documented records retention schedule. Rules and
regulations that should define retention are not identified or centralized. Retention guidelines are
haphazard at best. In the absence of retention schedules, employees either keep everything or
dispose of records based on their own business needs, rather than organizational needs.
• Level 2 (In Development): A retention schedule is available, but does not encompass all records,
did not go through official review, and is not well known around the organization. The retention
schedule is not regularly updated or maintained. Education and training about the retention
policies are not available.
• Level 3 (Essential): A formal retention schedule that is tied to rules and regulations is
consistently applied throughout the organization. The organization’s employees are knowledgeable
about the retention schedule and they understand their personal responsibilities for records
retention. The organization has defined specific goals related to retention.
• Level 4 (Proactive): Employees understand how to classify records appropriately. Retention
training is in place. Retention schedules are reviewed on a regular basis, and there is a process to
adjust retention schedules as needed. Records retention is a major corporate concern.
• Level 5 (Transformational): Retention is an important item at the senior management and board
levels. Retention is looked at holistically and is applied to all information in an organization, not
just to official records. The organization’s stated goals related to retention have been met.
Information is consistently retained for appropriate periods of time.
8. Disposition
Principle: An organization shall provide secure and appropriate disposition for records that are no
longer required to be maintained by applicable laws and the organization’s policies.
• Level 1 (Sub-Standard): There is no current documented records retention schedule. Rules and
regulations that should define retention are not identified or centralized. Retention guidelines are
haphazard at best. In the absence of retention schedules, employees either keep everything or
dispose of records based on their own business needs, rather than organizational needs.
• Level 2 (In Development): Preliminary guidelines for disposition are established. There is a
realization of the importance of suspending disposition in a consistent manner, repeatable by
certain legal groupings. There may or may not be enforcement and auditing of disposition.
• Level 3 (Essential): Official procedures for records disposition and transfer are developed.
Official policy and procedures for suspending disposition have been developed. Although policies
and procedures exist, they are not standardized across the organization. Individual departments
have devised alternative procedures to suit their particular business needs. The organization has
defined specific goals related to disposition.
• Level 4 (Proactive): Disposition procedures are understood by all and are consistently applied
across the enterprise. The process for suspending disposition due to legal holds is defined,
understood, and used consistently across the organization. Electronic information is expunged, not
just deleted, in accordance with retention policies.
• Level 5 (Transformational): The disposition process covers all records and information in all
media. Disposition is assisted by technology and is integrated into all applications, data
warehouses, and repositories. Disposition processes are consistently applied and effective.
Processes for disposition are regularly evaluated and improved. The organization’s stated goals
related to disposition have been met.
Sources: ARMA International, www.arma.org.
Appendix H Utility Enforcement Knowledge Portal
Utility Enforcement Branch (UEB) Knowledge Portal, Document Repository, and
Work Module
The Utility Enforcement Branch (UEB) of the Consumer Protection and Safety Division (CPED)
maintains three repositories to manage and retain information necessary for staff to perform their
work well.
1. UEB’s Knowledge Portal resides on the CPUC’s intranet website and is accessible from UEB’s
landing page as shown below. The left-hand column under the words “UEB Staff Only” shows
the various categories or types of information UEB maintains. Because the portal contains
confidential investigative information, access is restricted to UEB management and assigned
staff.
In particular, “Process Flows” contains process flow diagrams that show, at both high and
detailed levels, the primary work processes performed by UEB, such as UEB’s enforcement
progression. “Writing templates” contains Word templates for UEB’s most frequently
produced work products, such as staff reports and testimony. “Reference Materials” is the
largest folder, containing nearly 50 white papers and detailed guidelines for UEB’s work.
These documents have been developed over the years and are continually being updated
as UEB refines its best practices and expands its knowledge sources. UEB’s Knowledge Portal
ensures the long-term retention of institutional knowledge, and serves as an effective
onboarding mechanism to quickly bring new staff up to speed on UEB’s practices.
Additionally, having an available, robust, and up-to-date knowledge base helps us achieve
efficiency and enables consistent and repeatable work outputs.
2. UEB’s Document Repository resides in the CPUC’s Content Server. To achieve efficiencies in
investigations and effective prosecutions of our cases, UEB has developed a formalized
document management system for complex investigations and litigations that provides both
investigators and counsels with ready access to a common, well-organized body of
evidence. The storage system contains all types of documents relating to an investigation,
and is organized and stored in Content Server to enable UEB staff and assigned attorneys to
efficiently search and retrieve relevant data by utilizing search functions. The document
management system is utilized when conducting a complex and expansive investigation,
and/or if the investigation leads to a formal Commission proceeding such as an Order
Instituting Investigation. The investigator and his/her supervisor determine, on a case-by-case
basis, whether the efficiencies intended to be achieved by this document management
system warrant its use.
3. UEB’s Utility Enforcement Work Module (UEWM) is an Oracle database designed by UEB staff
and developed by the CPUC’s IT staff. It is a case management system that records case
information, staffing assignments, case status, and documents for UEB’s less complex
investigations.
Appendix I Energy Division Central Files
Energy Division Central Files
What:
Energy Division’s (ED) Central Files represents an organized, safe, and durable way to store
compliance files and other important documents related to proceedings, general orders, and, in
the future, other significant documents (e.g., documents presented by utilities at workshops or
meetings, plant closure notices, etc.).
Why:
General Order 96-B addresses issues concerning both Advice Letters and information-only filings.
Both are considered public documents to be made generally available.
ED Central Files is designed specifically for information-only filings. "Information-only Filings" are
informal reports, required by statute or Commission order, that are submitted by a utility to the
Commission, but that are not submitted in connection with a request for Commission approval,
authorization, or other relief. "Information-only Filings" includes both periodic and occasional
reports.
Prior to creation of ED Central Files, ED had no repositories for information-only filings.
It is a structure to replace ED’s current compliance report filing systems (desktop HDs, paper in
cubicles, paper in common file cabinets, and files on CS or SF5Filesvr5).
How:
ED notified executives at utilities of changes to filing procedures for information-only filings.
Utilities have adapted easily to the new filing system.
ED management has trained ED staff on the use of Central Files.
Front End Design:
Data is sent to ED via a single email address: EnergyDivisionCentralFiles@cpuc.ca.gov.
All reports are sent with a coversheet that provides information to identify:
o the trigger for the filing (most often a proceeding with a specific ordering paragraph
although it could be a General Order, a document request, or other request),
o the confidentiality status of the document (with a declaration of confidentiality, as required)
o the purpose of the document (a document or executive summary)
o names of other employees (in ED, ALJ, Legal, ORA, SED etc.) who receive a copy of the filing
All reports are accepted with a provision that the text is searchable electronically.
All reports are named according to a naming convention that is designed to highlight missing
instances of reports. The data elements move from most general to most specific: the utility
name comes first, the reporting interval second, the report name third, the data’s
date (year first) fourth, and the document type last (very important). For example, monthly reports:
for February data might be named PacifiCorp Monthly Gas Report 201602 COV CONF
for March data might be named PacifiCorp Monthly Gas Report 201603 COV CONF
ED also provides a way for utilities to send large files to ED.
File Design:
Reports (along with the coversheet) are manually filed by proceeding number by ED staff.
ED staff files reports within other categories, such as those related to General Orders, data
requests, memos, balancing accounts, and compliance in response to resolutions, when all
efforts to link a filing to a specific proceeding fail.
Proceedings folders generally have two sub-folders: compliance filings and decisions; all
inbound documents are placed in the compliance filing bucket while the decision folder holds
hyperlinks into the CPUC’s decision database for the specific proceeding.
ED staff creates cross-references between proceedings and the functional areas that work on
specific proceedings; this is possible because ED is organized functionally by work areas and
sub-work areas and because ED proceedings are assigned within ETS to a specific work area and
sub-work area; consequently, ED can see, by sub-work area, the area’s associated proceedings.
ED administrative staff notifies ED content experts when documents related to their sub-work
area arrive in Central Files.
ED content experts are responsible for proper review of documents.
Objectives of Filing System:
When the documents are filed in an organized fashion, data can be retrieved easily to support:
o Ordering paragraphs database checks
o Public Records Act Requests
o Historical profiling of reported utility activity
o Compliance related to a particular work area/sub-work area
o Compliance related to a specific utility.
Coordination with Other Divisions:
ED collaborated with IT to maximize Central Files’ use of Content Server features.
ALJ Division helped draft Ordering Paragraphs to become standard additions to decisions to
communicate to utilities how and where to file specific filings.
GO 96-B may need to be updated, by industry heading, as ED Central Files protocols evolve.
The E-Fast system that is being developed Commission-wide should be able to support
Central Files by providing a filing portal, electronic document filing, and automatic
notification of the appropriate ED staff.
ED monitors compliance filings that are filed through the CPUC’s central filing portal (via Docket
Card), and ED notifies utilities that are filing ED-related information to also file those filings to ED
Central Files.
Benefits Achieved So Far:
Analysts can locate information to substantiate their Ordering Paragraphs Database checks.
Supervisors who see staff promoted to other areas know that the staff’s information-only filings
are safely stored and will not be lost from file drawers or the analysts’ computer drives.
ED employees no longer need to search for documents in file drawers, hard drives, and
miscellaneous storage locations.
Analysts can see filing compliance over time because the names of documents filed are
standardized to show a constant topic name, a mandated filing interval, and an identified data
filing per filing interval.
Analysts can immediately see if a specific interval instance is missing (e.g., Q3 from a quarterly
filing is missing).
Energy Division Central Files Document Coversheet
Directions: Submit all documents and submittal questions to Energy Division Central Files via
email EnergyDivisionCentralFiles@cpuc.ca.gov
1. Fill out coversheet completely. Coversheet can be embedded as page 1 of the
electronic compliance filing, or can be submitted as a separate document that is
attached to the email that delivers the compliance filing.
2. All documents are required to be submitted in an electronically searchable format.
3. Documents need to reference the reason for the mandate that ordered the filing in
Section B or C. If you are unable to reference a proceeding or explain the origin of your
filing, please contact Energy Division Central Files.
4. To find a proceeding number (if you only have a decision number), go to
http://docs.cpuc.ca.gov/DecisionsSearchForm.aspx; enter the decision number, and the
results shown include the proceeding number.
A. Document Name
Today’s Date (Date of Submittal) 1/30/2017
Name:
1. Utility Name: Southern California Edison
2. Document Submission Frequency (Annual, Quarterly, Monthly, Weekly, Once, Ad Hoc): Weekly
3. Report Name: SCE Demand Response Weekly Forecast
4. Reporting Interval (the date(s) covered by the data, e.g. 2015 Q1): 01/30-02/05/17
5. Name Suffix: Cov (for an Energy Division Cover Letter), Conf (for a confidential doc), Ltr (for a letter from
utility)
6. Document File Name (format as 1+2 + 3 + 4 + 5): SCE Weekly DR Forecast 20170130-0205
Sample Document Names:
Utility Name + Submittal Frequency + Report Name + Year + Reporting Interval
SCE Annual Procurement Report 2014
SDG&E Ad Hoc DR Exception 2015Q1 Conf
SEMPRA Monthly Gas Report 201602
SEMPRA Daily Gas Report 20160230 <no suffix for regular, non-confidential compliance data>
SEMPRA Daily Gas Report 20160230 Cov
SEMPRA Daily Gas Report 20160230 Ltr
7. Identify whether this filing is ☒original or ☐revision to a previous filing.
a. If revision, identify date of the original filing: Click here to enter text.
B. Documents Related to a Proceeding
All submittals should reference both a proceeding and a decision, if applicable. If not applicable, leave
blank and fill out Section C.
1. Proceeding Number (starts with R, I, C, A, or P plus 7 numbers): A.12-12-016, A.12-12-017
2. Decision Number (starts with D plus 7 numbers): D.13-07-003
3. Ordering Paragraph (OP) Number from the decision: 13
C. Documents Submitted as Requested by Other Requirements
If the document submitted is in compliance with something other than a proceeding, (e.g. Resolution,
Ruling, Staff Letter, Public Utilities Code, or sender’s own motion), please explain: Click here to enter text.
D. Document Summary
Provide a Document Summary that explains why this report is being filed with the Energy Division. This
information is often contained in the cover letter, introduction, or executive summary, so you may want to
copy it from there and paste it here.
Forecast of load impacts for SCE’s Demand Response Programs that are not integrated into the CAISO
market.
E. Sender Contact Information
1. Sender Name: Eric Lee
2. Sender Organization: Southern California Edison
3. Sender Phone: 626-302-0674
4. Sender Email: Eric.Lee@sce.com
F. Confidentiality
1. Is this document confidential? ☒No ☐Yes
a. If Yes, provide an explanation of why confidentiality is claimed and identify the expiration of the
confidentiality designation (e.g. Confidential until December 31, 2020.) Click here to enter text.
G. CPUC Routing
Energy Division’s Director, Edward Randolph, requests that you not copy him on filings sent to Energy
Division Central Files. Identify below any Commission staff that were copied on the submittal of this
document.
1. Names of Commission staff that sender copied on the submittal of this Document: Bruce Kaneshiro,
Scarlett Liang-Uejio, Doug Kemmer, Werner Blumer