Item 3.b.
CENTRAL SAN BOARD OF DIRECTORS
POSITION PAPER
DRAFT
MEETING DATE: DECEMBER 17, 2019
SUBJECT: REVIEW DRAFT POSITION PAPER TO APPROVE PROPOSED 2020
INTERNAL AUDIT WORK PLAN
SUBMITTED BY: ERICA BROOKS PETERS, SENIOR INTERNAL AUDITOR
INITIATING DEPARTMENT: ADMINISTRATION-FINANCE
REVIEWED BY: PHIL LEIBER, DIRECTOR OF FINANCE AND ADMINISTRATION
ISSUE
Internal Audit is requesting approval of the proposed 2020 Internal Audit Work Plan.
BACKGROUND
An Internal Audit Plan was developed based on a risk assessment performed by the Internal Audit
function. The results of that risk assessment were used as a key input to arrive at the list of proposed
audits for 2020.
ALTERNATIVES/CONSIDERATIONS
The Audit Plan may be approved as presented or modified.
FINANCIAL IMPACTS
The cost of performing the audits by the District's Senior Internal Auditor is included in the Operations and
Maintenance budget. The benefits of the audits include testing and potentially improving internal
controls that can mitigate the risk of loss from errors, omissions, waste, fraud or abuse. Additionally,
findings and recommendations by Internal Audit related to internal controls, when implemented, can
improve the effectiveness and efficiency of business processes.
COMMITTEE RECOMMENDATION
The Administration Committee reviewed this item on December 17, 2019, and recommended Board
approval.
December 17, 2019 Special ADMIN Committee Meeting Agenda Packet- Page 5 of 113
RECOMMENDED BOARD ACTION
Approve the proposed 2020 Internal Audit Work Plan.
Strategic Plan Tie-In
GOAL ONE: Provide Exceptional Customer Service
Strategy 3- Maintain a strong reputation in the community
GOAL TWO: Strive to Meet Regulatory Requirements
Strategy 3- Comply with all federal, state, and local regulations related to District administration
GOAL THREE: Be a Fiscally Sound and Effective Water Sector Utility
Strategy 2- Manage costs
GOAL FIVE: Maintain a Reliable Infrastructure
Strategy 3- Protect District personnel and assets from threats and emergencies
ATTACHMENTS:
1. Proposed 2020 Internal Audit Work Plan
INTERNAL AUDIT
PROPOSED 2020 AUDIT PLAN
DECEMBER 17, 2019
Executive Summary
This report provides the Internal Audit plan based on the understanding of risks at one point in time.
Unexpected future changes in internal or external factors may significantly impact the audit plan. Internal Audit
is presenting this Plan to the Board for approval as presented or for modification if there are other key areas of
concern. In addition, the proposed projects are subject to change if higher priority projects or risks are later
identified. Any changes will be communicated to the Board.
An overview of the proposed work and budget for all projects during the year is provided. In order to be
available for management's needs, a budget for "special projects" has been included.
Internal Audit sincerely appreciates the assistance received from Staff in the completion of this project.
This report includes the following sections:
2020 Audit Work Plan Overview
Internal Audit Project Plan Development
• Audit Process Universe
• Internal Audit Risk Assessment
Proposed Internal Audit Projects
Audit Process Universe
2020 Audit Work Plan Overview
2020 (Calendar Year) Internal Audit Work Plan
1. Audit Projects (50% of workload): Refer to the audit plan detail for the proposed projects. It is estimated that Internal Audit will complete approximately three audits per year.
2. ERP Implementation (20% of workload): Internal Audit's role in the ERP is expected to increase in the upcoming calendar year as the project progresses. This includes consulting on internal control issues.
3. Special Projects (15% of workload): Includes Management requests as needed, excluding ERP consulting. This may include requests that are more informational or consultative in nature.
3. Risk Assessment and Audit Plan Update (10% of workload): Includes Internal Audit's risk assessment and improvements to the annual Audit Planning process.
4. Administrative (5% of workload): Includes administrative activities such as presentations, audit findings tracking and follow-up.
Internal Audit Project Plan Development
Key Components in developing the Internal Audit Project Plan
Proposed Audit Process Universe
Internal Audit Risk Assessment
Management Requests*
Internal Audit Projects
* Internal Audit captured prior audit requests from Executive Management in developing the Internal Audit
Project Plan. However, specific audit requests may come from the Board, Executive and Operations
Internal Audit Plan Development
Key Audit Process Universe Inputs
Management's strategic and operational risk assessment
Internal documentation regarding Central San's operating
departments
Known business process areas
Management surveys
Internal Audit Project Plan Development
Internal Audit Risk Assessment — Management Survey
Internal Audit conducted a survey regarding the existing internal controls within Central San's
operating departments where a risk score was given based on the response to each survey
question.
Areas were ranked based on the score received, i.e. divisions with higher scores were
considered higher risk areas.
Areas with potential segregation of duties conflicts received additional points towards a higher
score.
Qualitative factors were also considered. Divisions impacted by system implementations and/or
with no prior audit coverage were considered higher risk, prioritizing some areas above those
with a higher risk score.
Internal Audit Project Plan Development
Internal Audit Risk Assessment - Executive Management Survey
Internal Audit conducted a survey of Executive Management members regarding the areas they
consider to be of higher risk and/or of key concern.
Some areas of key interest identified were as follows:
• ERP implementation
• Physical security of assets
• Professional Engineering agreements process
• Sewer billing
• Construction management & e-Builder
Any areas not previously identified were added to the Audit Process Universe for inclusion in the
current or future audit plan.
Proposed Internal Audit Projects
Depending on the scope, each project is expected to be completed
within 3-4 months of the start date.
However, due to the involvement of staff with the ERP
implementation, Internal Audit will need to be flexible on the
timeline. Significant changes will be communicated to Management.
Projects for 18 months are presented. Risks should be re-evaluated
in the next year to determine if there are other higher risk areas.
Any changes will be communicated to the Board.
Proposed Internal Audit Projects
Internal Audit Key Focus Areas
Area of Focus | Risk Evaluation and Rationale
Process changes due to new system implementations | High. Changes to existing manual processes with the opportunity to strengthen controls.
Asset Tracking and Monitoring Controls | High. Smaller, portable assets are more susceptible to loss or theft. Considered high risk by Management.
Segregation of Duties (SOD) | High. Several processes exist with potential SOD conflicts. Opportunities for redesign due to new system implementations.
Proposed Internal Audit Projects
Proposed 2020-2021 Audits — 18 Month Plan
1. Asset Inventory Management: A review of the controls in place to prevent loss or theft of assets and identify best practices on how such assets are tracked from request to issuance and return. This includes smaller dollar (non-IT) assets not tracked by Accounting and stored in various locations. Also, IT assets such as smaller mobile devices could be included.
2. Revenue Controls Part II — Non Residential Customers: Requested by Senior Management in 2018. Part I over the Permit Counter Residential Customers was completed in 2019. Part II could include the process from calculation and billing in Planning & Development Services to collection in Finance with a focus on Industrial/Non Residential Customers.
3. Finance — Accounts Payable: Business process cycle review including changes due to new ERP and any potential segregation of duties conflicts.
Proposed Internal Audit Projects
Proposed 2020-2021 Audits — 18 Month Plan
4. Construction and e-Builder Process redesign review: Change in key processes related to project bidding guidelines for public works projects as well as invoice approval and construction management due to the recent system change to e-Builder. This would include a review of the new processes around e-builder. A separate e-builder post implementation review to identify best practices on internally managed system implementations could also be performed. Depending on how the project is scoped and therefore, the IT audit skillset required, outside 3rd party resources or internal subject matter experts can be used to complete this project.
5. Materials and Warehouse Management: Business process cycle review including changes due to new ERP and any potential segregation of duties conflicts.
6. IT Segregation of Duties and Access Review: Super user access/admin rights, including the controls in place to monitor activity. Depending on how the project is scoped and therefore, the IT audit skillset required, outside 3rd party resources or internal subject matter experts can be used to complete this project.
Audit Process Universe
The Audit Universe should be updated as needed and revisited at least annually.
This is a list of areas that could be considered for audit projects within the various
departments. Therefore, project-specific details will be determined when the
projects are scoped. In some cases, multiple areas can be covered as part of one
audit or an area may be split into multiple audits.
The expertise available should be considered as projects are selected and scoped.
Specific expertise can be obtained externally or internally.
Auditable Process Universe
The following listing provides the universe of auditable process areas for Executive Management and Administration Department
based upon discussions with management and known business processes.
Executive Management and Secretary of the District | Information Technology
• Executive Risk Management (Risk Management) • Software Licensing (Procurement) • Disaster Recovery (IT)
• Records Management • IT Asset Management • Crisis Management (Communications)
• Ethics Compliance Monitoring and Reporting • Software Management • Business Continuity
• Brown Act & Board/Committee Meeting Facilitation • Cybersecurity • Leases/Rental Property Management
• Ethics Hotline—We Tip • Plant Control Systems (Plant Ops)
• IT Support
• Business Continuity (Risk Management)
• Project Management and System Implementation
• Financial Systems
• Risk Management Strategy
• Information Security
• Cloud Security and Strategy
• Policies and Procedures
Auditable Process Universe
The following listing provides the universe of auditable processes for Administration Department based upon discussions with management
and industry-specific guidance.
Purchasing and Materials Services | Communication Services and Intergovernmental Relations
• General Ledger, Financial Close • Materials and Supplies Inventory Controls • Social Media Policy Compliance (IT)
• Accounting Policies and Procedures • Purchasing
• Accounts Payable and Expense Reporting • Consulting Agreements and Contracts
• Accounts Receivable and Revenues • P-Cards
• Capital Assets • Supplier Risk Management (Risk Management)
• Treasury Processes, Cash Management and Budgeting
• ERP Role Design
• Expense Reports
• Petty Cash Controls
• Capital Allocation
• Key Internal Reports Controls
Auditable Process Universe
The following listing provides the universe of auditable processes for Engineering and Technical Services Department based
upon discussions with management and industry-specific guidance.
Capital Projects | Planning and Development
• Construction Project Management and Reporting • Financial Planning for rates, fees, SSC and permits • Title V Compliance Reporting
• New System Implementation - E-builder • Development Services (Counter and Inspection) • Air Pollution Monitoring and Reporting
• Asset Management • Water Quality Monitoring and Reporting
• Revenue and Collection of Rates • Policies and Procedures/SOPS
• CA/QC Inspections
Auditable Process Universe
The following listing provides the universe of auditable processes for Operations Department based upon discussions with management
and industry-specific guidance.
Plant Maintenance Plant Operations Collection System Operations
• Plant Maintenance Program and Equipment Reliability • Plant Operational Efficiency and Effectiveness • Fleet Maintenance Scheduling and Reporting
• Policies and Procedures/SOPS • Policies and Procedures/SOPS • Sewer System Management
• Recycled Water (Plant Ops and Planning & Development)
Auditable Process Universe
The following listing provides the universe of auditable processes for Operations Department based upon
discussions with management and industry-specific guidance.
Human Resources
• Payroll Internal Controls and Compliance • Physical Security
• Timekeeping • Safety Compliance Reporting
• Employee Relations • Hazardous Materials Management (SOPS)
• Recruiting/Hiring
• Employee Benefits Administration