Quarterly, semi-annual, or one-time diagnostics — mock DCC inspections, CCR 15000-series gap analysis, METRC reconciliation, and corrective action plans. Before an auditor puts it on paper.
DCC issued 230 license suspensions and 73 denials or revocations in 2024, plus 481 product embargoes and 63 recalls affecting roughly 25,000 retail units — against a licensee base of about 8,400 active operators. Almost every one of those embargoes traces back to the same recurring failure surface: surveillance retention dropping below the CCR 15044 90-day floor, METRC variance compounding past plausible recordkeeping error, premises that no longer match the CCR 15006 diagram on file, SOPs that look fine on paper but do not match what staff actually do under DCC Form LIC-019. A real audit finds those patterns before an inspector does. Most compliance reports read like insurance disclaimers; ours read like the deficiency notices you are trying to avoid — specific, cited, and actionable. Every finding maps to a CCR section, a DCC form, or a BPC requirement. Every remediation has an owner and a date.
Owning the audit means four concrete things. We run the fieldwork ourselves — a senior analyst on premises, not a questionnaire. We map each finding to a CCR subsection under Title 4, Division 19 and classify it by severity against the DCC Disciplinary Guidelines (amended July 2022) and the BPC 26031(b) factor analysis — the same framework DCC enforcement staff use when scoring a Notice to Comply or recommending an accusation. We draft the Corrective Action Plan in the format DCC expects under BPC 26031(b), ready to file unchanged if a Notice arrives mid-cycle. And we keep the remediation tracker live until every critical and major finding is closed with photographic evidence, revised SOP language, training-log entries, or vendor invoices attached — not just signed off in a status email.
What you keep: operational decisions, disclosure strategy, and any communication with DCC. Where counsel is needed — findings that raise accusation exposure under BPC 26031.5, privilege-sensitive observations, parallel civil litigation, or a Notice already in hand — we work under your retained counsel’s direction so the audit work product carries attorney-client privilege from the first photograph forward. The engagement letter draws this line before fieldwork begins, and the engagement coordinator confirms it on the kickoff call so there is no ambiguity if a finding crosses the boundary mid-engagement.
Figures from the DCC Feb 5 2025 enforcement recap, the DCC Disciplinary Guidelines (Sept 2021), and the DCC compliance-action record.
Running as a retainer? Here’s the annual rhythm most clients settle into. Frequency and scope are always tailored after the first diagnostic.
Full CCR 15000-series gap analysis covering every operational obligation that landed a 2024 enforcement action. Owner schedule re-verified under CCR 15003, Financial Interest Holder schedule under CCR 15004 with revenue-share landlords and profit-participating lenders documented. Material-change review under CCR 15020 to catch anything that should have triggered a Form DCC-LIC-027 filing during the prior twelve months.
CCR 15044–15047 camera and access audit including the 1280×720 minimum resolution, 24/7 recording, 90-day retention spot-check pulled from the DVR, and limited-access-area coverage under CCR 15042. Alarm-system function test, panic-button verification at points of sale, and visitor-log review. CCR 15048 and BPC 26069 waste-destruction protocol verification with witness-signature audit on the disposal log.
Package-to-package variance report pulled from the Franwell API against your POS, ERP, or seed-to-sale records. Physical-to-digital inventory count on a sampled basis, transfer manifest review for the 24-hour reporting obligation, loss and destruction log audit, and the API-key permission review (terminated employees with active integrator or user keys are a recurring finding).
60-day pre-renewal audit scoped to the items DCC actually reviews at renewal under CCR 15020. Local-authorization currency check (lapsed local permits are the most common renewal-cycle blocker), CEQA documentation refresh where the local lead agency requires updates, and premises-diagram reconciliation under CCR 15006 with Form DCC-LIC-027 modification filings drafted for any drift detected.
Every figure below is sourced to the DCC, the CCR, or published enforcement records. These are the preventable findings that become per-day penalties when an unannounced inspector arrives before you’ve run your own walkthrough.
Mid-tier operator exposure letters before counsel engages: ~$180K in compounded per-day fines plus lost inventory, suspended operations, remediation. Every dollar of it maps back to findings a mock inspection would have surfaced. (DCC Disciplinary Guidelines)
A work cell moved, a camera relocated, a limited-access area redrawn on the floor but never re-filed. Findings land the day an inspector walks the room with the DCC-approved diagram. Among the most common citation patterns at surprise inspection. (CCR 15006)
Small package-weight discrepancies, missed harvest batches, late-closed transfers — each individually minor, collectively a CCR 15046 track-and-trace citation pattern. Quarterly reconciliation catches it; annual renewal review treats it as willful. (CCR 15046)
Training logs not archived, destruction records missing a witness signature, surveillance retention breached by DVR overwrite. Cited under CCR 15037 (7-year retention) and CCR 15044–47 (90-day video). Every one of them completely preventable with a documented monthly check. (CCR 15037)
Our job is to never put you in any of these four categories. Quarterly fieldwork on the floor, on the cameras, and inside METRC. Physical-to-digital reconciliation every cycle. Remediation tracked with photographic evidence and signoff. Zero surprise citations among retained clients since 2022.
Not a narrative “observations” memo. Artifacts you can file, action, or hand to counsel. A preview — scroll for all ten.
Every deficiency DCC would flag, mapped to the citing CCR section. Color-coded by severity.
Named owner, realistic deadline, and dependency map for every gap. Your internal punchlist.
Red-lined revisions to your Form DCC-LIC-019 procedures covering receiving, storage, security, waste, recall.
Your CCR 15006 diagram verified against the physical premises — cameras, limited-access areas, product flow.
Every camera position tested against CCR 15044–15047. 90-day retention audit. Alarm integration review.
CCR 15048 and BPC 26069 disposal protocol review — rendered unusable, documented, defensible.
Package-to-package variance report, inventory physical-to-digital match, transfer manifest review.
Owner (CCR 15003) and Financial Interest Holder (CCR 15004) schedule re-verified and filed if material changes occurred.
Half-day mock DCC inspection — your team walks it live with us before any real inspector ever does.
If findings warrant one, a defensible Corrective Action Plan formatted to DCC’s expectations — ready to submit.
The point of an audit is not the report. The point is the operational posture that follows — a remediation record DCC cannot dismiss, a team that has rehearsed an inspection, and a filing-ready CAPA already in the drawer for the day a Notice to Comply arrives. Here is what that posture looks like in practice.
When a finding lands in the report, it carries a CCR subsection, a BPC statute, or a DCC form number in the margin. When DCC inspectors ask how the remediation was scoped, the reference is already there. When counsel reviews the CAPA package, the citation chain from premises condition to regulatory obligation to corrective action is visible on the first page.
California cannabis compliance touches state statute (Business & Professions Code Division 10, starting at BPC 26000), state regulation (California Code of Regulations Title 4, Division 19, the CCR 15000 series), CDTFA tax code (Revenue & Taxation Code Division 2, Parts 14.5 and 1), and the local cannabis ordinance of the premises jurisdiction. Each has its own record-retention requirements, its own reporting cadence, and its own inspector. The audit tracks all of them simultaneously — because a single findings package has to satisfy all of them simultaneously.
Annual is the minimum best practice for any DCC licensee. Most retainers settle into quarterly audits focused on a different compliance area each cycle (Q1 disclosure, Q2 security and waste, Q3 METRC, Q4 renewal-readiness — see the cadence grid above). Operators with high variance risk — Type 7 volatile-solvent manufacturers, cultivators above the medium-tier canopy threshold, multi-site distribution operations, and any operator with a prior Notice to Comply on the record — stay quarterly. Smaller, lower-variance operators often step to semi-annual after the first full year, with the pre-renewal audit always scheduled 60–90 days before the CCR 15020 renewal window opens.
Full CCR 15000-series gap analysis covers premises-diagram verification under CCR 15006, surveillance review under CCR 15044–15047 (24/7 recording, 1280×720 minimum, 90-day retention), limited-access compliance under CCR 15042, waste protocol under CCR 15048 and BPC 26069, and record retention under CCR 15037 (7-year minimum). Add METRC reconciliation against the Franwell API, Owner disclosure refresh under CCR 15003, Financial Interest Holder disclosure under CCR 15004, employee 21+ verification under CCR 15000.6, and SOP review against the consolidated Form DCC-LIC-019 package. Manufacturing operators add Product Quality Plan and master manufacturing protocol review; cultivators add canopy-area verification and the CARB/AQMD generator rules where applicable.
No. Diagnostics are internal work product between you and GreenState. The Corrective Action Plan format we deliver only goes to DCC if you submit it in response to a real notice — typically a stronger document than a reactive CAP because the findings have been systematically remediated, not rushed.
Typical engagement is 2–3 weeks of fieldwork plus 1 week to finalize findings, with the on-site portion running 1 day for a single-premises retailer or 2–3 days for a vertically integrated operator. Larger multi-site operators or Type 7 volatile-solvent manufacturers extend to 4–6 weeks because closed-loop extraction systems, GMP records, and master manufacturing protocols add scope. First-time diagnostics run longer than ongoing quarterly audits because baseline documentation work happens once. Rush audits scoped to an imminent DCC visit, a renewal deadline, or a Notice already in hand close in 7–10 days.
We brief you verbally before anything is written. You decide the disclosure path — we don’t volunteer findings to the state. Serious findings (imminent public-safety risks, willful non-compliance) are escalated to retained counsel, not DCC. Our role is diagnosis and remediation support, not self-reporting.
Yes, and many clients do exactly that. The typical pattern: a one-time diagnostic uncovers enough remediation work that the team needs ongoing support to close it inside the 30/60/90-day deadlines on the tracker. Conversion to quarterly retainer happens at the post-engagement review 30 days after report delivery, at a reduced per-audit rate because baseline documentation is already in place. The Q1 disclosure / Q2 security / Q3 METRC / Q4 renewal-readiness rotation begins with the next quarter on the calendar.
Yes — METRC audit is a core component, run against the Franwell API with our own tooling. The scope covers UID tag accuracy, harvest batch creation against the one-business-day deadline, transfer manifest review for the 24-hour reporting obligation under CCR 15046, package lifecycle traceability, loss and destruction log audit, and physical-to-digital inventory match on a sampled basis. Stale or shared API keys (terminated employees with active integrator or user keys) and late receipt acceptance are the recurring failure patterns. For deeper METRC work outside the audit envelope we recommend our dedicated METRC Reconciliation service.
Common finding — premises drift against the as-filed CCR 15006 diagram is among the most-cited issues at first inspection. We document the variance with timestamped photographs, classify whether the change is material (size, capacity, or permit-requiring) or minor (within-room equipment moves), and draft the Form DCC-LIC-027 modification accordingly. Material changes require prior DCC approval before the physical layout becomes permanent; minor changes are notification-only but still require the form. If the diagram is wrong and the build-out is correct, we re-file the diagram to match what is actually on the ground.
Yes. Security staff, receiving, inventory, and key-management personnel are interviewed using a structured script modeled on the DCC investigator interview. Each interview runs 15–25 minutes and is low-pressure; staff are told upfront that the SOP is being tested in practice, not the individual. The disconnect between the written DCC-LIC-019 SOP and what staff actually do is the single most-cited finding on first DCC inspection — this is exactly where it surfaces during a mock run.
One-time diagnostics run $8K–$24K depending on license type, site count, and depth of the operation (single-premises retail at the lower end, vertically integrated cultivation-plus-manufacturing at the upper end). Quarterly retainers run $3K–$10K per quarter once baseline documentation is established. Rush audits (imminent renewal, post-citation response, or known DCC visit) are quoted at a premium aligned with the 7–10 day turnaround. We quote after a 20-minute scoping call once we understand the footprint, license stack, and prior enforcement history.
A 20-minute call establishes scope, cadence, and fit. You leave with a clear next step — whether it’s with us or not.