The compliance questions we get most, with direct answers. Missing one? Email us and we’ll add it.
For most active licensees, quarterly is the right cadence — a full internal compliance audit every 90 days keeps METRC, SOPs, ownership disclosures, and premises records fresh enough that nothing surprises you when DCC schedules an inspection. Operators at lower complexity (single-license retail, small non-volatile manufacturers with stable ownership) can step down to semi-annual after the first clean year, provided nothing material has changed.
Step up the cadence — not down — any time you take on new owners, modify the premises, add a license type, bring on a new co-manufacturer, or receive any notice from a regulator. The pattern we see in enforcement defense is that audit gaps of more than six months are where violations accumulate silently. One thing to watch: annual is not enough for cultivation or for any operator with METRC volume above a few hundred packages per month. The variance math catches up with you faster than quarterly spot-checks can clean.
A full audit is a structured gap analysis against CCR Title 4 §§15000–17905 and every applicable operational rule. That means premises verification against your DCC-approved diagram, surveillance compliance (90-day retention, camera placement, coverage arcs), waste tracking and destruction documentation, a METRC reconciliation against your on-hand inventory and historical manifests, a top-to-bottom SOP review measured against your actual workflow, and an ownership and financial-interest disclosure check against what's on file at DCC.
We also pull in the non-DCC layer most internal audits miss — Cal/OSHA postings, CUPA/HMBP status, CDTFA cannabis-tax filings, local tax and use permit renewals, and for manufacturers, the Master Manufacturing Protocol and batch records. Each finding is rated by severity and mapped to a Corrective Action Plan using the DCC Form 17 framework. The deliverable is evidence-backed, dated, and defensible if DCC later asks what you knew and when.
No. A self-audit conducted under our engagement is internal work product between you and GreenState — it is not a public record, not reportable to DCC, and not automatically discoverable in a routine inspection. DCC inspectors examine your operational records (METRC, SOPs, financials, surveillance, waste logs), not the internal memos we write about them.
That said, "not automatically visible" is different from "privileged." Our work product is consultant work product, not attorney-client privileged, so if you want full litigation-grade protection on sensitive findings, we run the audit under counsel's direction (a Kovel-style arrangement) and the audit memo is delivered to the attorney, not to you directly. One thing to watch: if you self-report a finding to DCC as part of a voluntary disclosure strategy, the underlying audit becomes part of that disclosure — we scope that decision with you before anything gets shared.
Variance in METRC is handled through systematic reconciliation, not ad-hoc adjustments. We pull the package-level ledger, cross-check every affected package against physical inventory, trace manifests forward and backward, and reconstruct the audit trail that explains what happened. Small weight variances within documented moisture-loss or processing-loss thresholds are adjusted with supporting evidence and a dated note to file. Larger variances trigger a full root-cause investigation, METRC adjustment with reason code, and where waste destruction is part of the explanation, the CCR §15048 destruction protocol (rendered unusable and unrecognizable, METRC waste event, licensed-hauler chain of custody).
Depth scales with magnitude. A 2% drift on a single cultivation batch is a documented reconciliation; a 15% variance across a quarter is a full Corrective Action Plan with SOP revisions and potentially a voluntary disclosure. One thing to watch: inventory adjustments made in METRC without supporting evidence are one of the top findings in DCC inspections. Every adjustment needs a contemporaneous reason code, a physical count record, and a named responsible person — that's what turns a variance from a finding into a non-issue.
Seven years. Under BPC §26160 and CCR Title 4 §15037, licensees must retain commercial cannabis records — sales, purchases, transfers, manifests, inventory, employee records, training logs, and destruction documentation — for a minimum of seven years and produce them on demand during an inspection. Surveillance footage carries its own minimum under CCR §15044 (90 days continuous, 1280×720 at 15 fps) on top of the 7-year rule for incident-related footage. Physical, digital, or hybrid storage is fine; what matters is that the records are complete, tamper-resistant, and retrievable.
The standard we set for our clients is that a 2019 batch record should be findable in under 15 minutes without calling a former employee. That means a document vault with a consistent folder taxonomy, indexed by METRC UID and batch, with a backup outside the premises. DCC inspectors do ask for older records — it is not a bluff — and "we can't find it" is treated identically to "we don't have it." One thing to watch: third-party software vendors change hands, and so does their data retention. Never rely on a POS or seed-to-sale vendor as your only copy of a seven-year record.
Material changes must be reported to DCC within 14 calendar days under CCR Title 4 §15020. "Material" is broader than operators usually think: it covers any change in ownership structure, addition or removal of an owner, change in financial interest holders, change in officers or directors, change of business name or DBA, modification of the premises diagram, and any change in the scope of commercial cannabis activity. File Form 27 (License Modification Request) or the ownership-change submittal as appropriate.
The common trap is treating internal changes as non-reportable — a CEO transition, a new investor at 19% who will attend board meetings, a wall moved in the storage room. All three are reportable. Late reporting is itself a violation under the DCC Disciplinary Guidelines and compounds any underlying issue. One thing to watch: some local jurisdictions have their own notification windows that run shorter than 14 days (Palm Springs, Long Beach, and Oakland all have 10-day or 7-day local windows) — when in doubt, file both within the shorter deadline.
Inspectors arrive with a defined checklist and walk it deliberately: premises matches the CCR §15006 diagram (every wall, every camera, every limited-access boundary in the right place), surveillance system functioning at the CCR §15044–15047 spec (1280×720 minimum at 15 fps, 24/7, 90-day retention) with backup power, limited-access controls under CCR §15042 enforced (no public, vendors and visitors logged), METRC reconciled against on-hand physical inventory in real time, packaging and labeling on every active SKU compliant, license posted prominently, employee 21+ verification on file, lab COAs available for every batch, CDTFA tax filings current, and SOPs accessible and matching observed practice.
The most common findings are mismatch between premises diagram and reality, surveillance gaps (a camera offline, retention dropped under 90 days), METRC drift above 2%, expired or missing lab COAs on the shelf, and SOP-practice disconnects (the written SOP says one thing, the staff does another). Penalties run from $500 for a single labeling deficiency up to $5,000 per violation for security or recordkeeping failures and $30,000-plus for severe findings (sales to minors, embargo violations, untested product on shelf). Designate an Inspection Liaison — a manager-level employee trained on DCC procedures who handles all inspector interaction — and brief staff to refer questions rather than guess.
For state-licensed medicinal cannabis: yes, materially. The DOJ rescheduled state-licensed medical cannabis to Schedule III under the Controlled Substances Act effective April 22, 2026, which removes IRC §280E from the medicinal segment and restores ordinary business deductions for that revenue stream. Medical operators can now deduct rent, payroll, marketing, depreciation, and other ordinary and necessary business expenses against medical revenue, where prior to April 22 only direct cost of goods sold under IRC §471 was deductible. Adult-use revenue remains under §280E pending the broader DEA hearing scheduled for June 29, 2026.
The practical work is segmenting your books — medical revenue vs. adult-use revenue, allocable expenses across the two — and re-posturing your tax filings accordingly. For mixed retailers (Type 10 with both designations), the segmentation has to be defensible to both CDTFA and the IRS. California state tax treatment, the AB 564 15% excise rate (effective October 1, 2025 through June 30, 2028), and CDTFA filing cadences are unchanged by the federal rescheduling. We work through the segmentation and the §280E unwind with each affected client; full background is in the April 2026 rescheduling explainer.
A recall is run on a tight, documented sequence: receive the trigger (failed lab result, customer complaint, internal QC finding, or DCC notification), open a recall file with date and trigger, classify the recall (mandatory vs. voluntary, Class I/II/III by health risk), notify DCC and downstream licensees (every distributor, retailer, and patient who received the affected lots), pull the product from sale across the supply chain, log every unit recovered against METRC package IDs, destroy or remediate per CCR §15048 (rendered unusable and unrecognizable, METRC waste event, licensed-hauler chain of custody), and close out with a root-cause analysis and Corrective Action Plan filed on Form DCC-LIC-017.
The recall file is one of the documents DCC pulls first when investigating a downstream illness or contamination report. Build it real-time, not after the fact: dated entries, named responsible parties, contemporaneous notes, METRC waste-event confirmations, and the customer-notification record (script used, channels notified, response logged). Retention is 7 years minimum under BPC §26160; longer where any litigation arises. Run an annual mock recall against a randomly selected lot to test the system before the live recall tests it for you.
The Designated Compliance Officer (commonly the same person as the Designated Responsible Party named in the application) is the operational owner of the compliance program — the person with explicit authority to halt operations when something is out of compliance and the named contact for DCC, CDTFA, Cal-OSHA, and local jurisdiction notifications. They run the daily reconciliation cadence (METRC, physical count, surveillance health), the weekly compliance walkthrough, the quarterly self-audit, and the annual renewal package. They also own the document vault — every SOP version, every training record, every CAPA, every incident file in one indexed location with 7-year retention under BPC §26160.
The DCO is the single throat to choke when something fails. Distributed compliance responsibility means no responsibility, and DCC inspectors notice fast when the staff cannot name the person responsible for a given control. Pair the DCO with an Inspection Liaison at each licensed premises, an annual CE plan that documents continuing education, and a written authority memo signed by ownership that confirms the DCO can pause operations if a compliance condition warrants it. We help operators write the role description, the authority memo, and the cadence calendar that turns the title into a working program.
