Item 4.e.
CENTRAL SAN BOARD OF DIRECTORS
POSITION PAPER
DRAFT
MEETING DATE: AUGUST 3, 2021
SUBJECT: REVIEW DRAFT POSITION PAPER TO ADOPT THE INTERNAL AUDIT FISCAL YEAR (FY) 2021-22 AUDIT PLAN
SUBMITTED BY: BENJAMIN JOHNSON, INTERNAL AUDITOR
INITIATING DEPARTMENT: ADMINISTRATION-FINANCE
REVIEWED BY: PHILIP LEIBER, DIRECTOR OF FINANCE AND ADMINISTRATION
ISSUE
The annual audit plan informs the Board of Directors (Board) and Executive Management of the internal
audits scheduled for FY 2021-22. Adoption is recommended.
BACKGROUND
The Internal Audit Plan is a list of audit projects, coordinated by the Internal Auditor, to be performed
during the fiscal year. Audit planning is completed annually based on evaluation of the audit process
universe, risk assessments, and Management surveys/requests. Generally, internal audit projects focus on
the operational effectiveness of internal controls, in accordance with established policies/procedures and
relevant regulatory expectations. Additional projects may include risk evaluations for specific processes or
reviewing the design of controls. The Internal Auditor plans and completes approximately two to three
operational audits each year.
ALTERNATIVES/CONSIDERATIONS
The Committee can recommend adoption of the audit plan as presented, or propose amendments, such
as:
1. Replace proposed audits with other focus areas which are viewed to be of higher priority by the
Board. An attachment to this Position Paper discusses one potential such project.
2. Recommend an expanded scope of audits to be performed during the fiscal year through the
increased use of supplemental/outside resources.
3. Propose changes to the timing and prioritization of the audits within the fiscal year.
August 3, 2021 Regular ADMIN Committee Meeting Agenda Packet- Page 289 of 322
FINANCIAL IMPACTS
There are no financial impacts from adopting the proposed audit plan.
COMMITTEE RECOMMENDATION
The Administration Committee reviewed the plan at its August 3, 2021 meeting and recommended
RECOMMENDED BOARD ACTION
Adopt the FY 2021-22 Audit Plan as presented.
Strategic Plan Tie-In
GOAL THREE: Fiscal Responsibility
Strategy 1—Maintain financial stability and sustainability, Strategy 2—Ensure integrity and transparency in financial management
ATTACHMENTS:
1. Internal Audit FY 2021-22 Audit Plan Proposal for Board Approval
2. Potential Document Management Project Recommended Approach
3. Audit Plan Presentation
Attachment 1
INTERNAL AUDIT
PROPOSED FY 2021-2022 AUDIT PLAN
AUGUST 3, 2021
Executive Summary
This report provides the Internal Audit FY 2021-2022 Audit Plan based on the understanding of risk within the
organization at one point in time. Unexpected changes in internal or external factors may significantly impact
the audit plan. Internal Audit is presenting this plan to the Board for approval as presented or for modification if
there are other key areas of concern. In addition, the proposed projects are subject to change if higher priority
projects or risks are later identified. Any changes will be communicated to the Board.
An overview of the proposed work and budget for all projects during the fiscal year is provided. In order to be
available for management's needs, a budget for "special projects" has been included.
Internal Audit sincerely appreciates the assistance received from Staff in the completion of this project.
This report includes the following sections:
• FY 2021-2022 Audit Plan Overview
• Internal Audit Project Development
• Internal Audit Risk Assessment
• Audit Process Universe
FY 2021-2022 Audit Plan Overview
FY 2021-2022 Audit Work Plan Overview
Internal Audit Work Plan (includes Q4 FY 2020-2021), with the estimated percentage of workload for each category:
1. Audit Projects (60%): Refer to the audit plan detail for the proposed projects. It is estimated that Internal Audit will complete approximately three audits per year.
2. Special Projects (15%): Includes Management requests as needed, including ERP-related projects such as process risk feedback and design-only reviews. This may include requests that are more informational or consultative in nature.
3. Risk Assessment and Audit Plan Update (15%): Includes Internal Audit's risk assessment and improvements to the annual Audit Planning process.
4. Administrative (10%): Includes administrative activities such as presentations, audit findings tracking and follow-up.
Internal Audit Project Development
Internal Audit Project Plan Development
Key Components in developing the Internal Audit Project Plan
• Audit Process Universe
• Periodic Internal Audit Risk Assessment
• Management Requests*
These inputs feed the Proposed Internal Audit Projects.
* Internal Audit captured prior audit requests from Executive Management in developing the Internal Audit
Project Plan. However, specific audit requests may come from the Board, Executive and Operations
Management and/or the We-Tip Hotline.
Internal Audit Plan Development
Key Audit Process Universe Inputs
• Management's strategic and operational risk assessment
• Internal documentation regarding Central San's operating departments
• Known business process areas
• Management surveys
Internal Audit Project Plan Development
Internal Audit Risk Assessment - Management Survey; completed in late July
Internal Audit conducted a survey regarding the existing internal controls within Central San's
operating departments where a risk score was given based on the response to each survey
question.
Areas were ranked based on the score received, i.e. divisions with higher scores were
considered high-risk areas.
Areas with potential segregation of duties conflicts received additional points towards a higher
score.
Qualitative factors were also considered. Divisions impacted by system implementations and/or
with no prior audit coverage were considered higher risk, prioritizing some areas above those
with a higher risk score.
Internal Audit Project Plan Development
Internal Audit Risk Assessment - Executive Management Survey; completed in late July
Internal Audit conducted a survey of Executive Management members regarding the areas they
consider to be of higher risk and/or of key concern.
Some areas of key interest identified were as follows:
• ERP implementation
• Physical security of assets
• Professional Engineering agreements process
• Sewer billing
• Construction management & e-Builder
Any areas not previously identified were added to the Audit Process Universe for inclusion in the
current or future audit plan.
Proposed Internal Audit Projects
Depending on the scope, each project is expected to be completed
within 3-4 months of the start date, with special projects generally
completed within a month.
However, due to the involvement of staff with the ERP
implementation, Internal Audit will need to be flexible on the
timeline. Significant changes will be communicated to Management.
Projects for 14 months are presented. Risks should be re-evaluated
in the next year to determine if there are other higher risk areas.
Any changes will be communicated to the Board.
Proposed Internal Audit Projects
Internal Audit Key Focus Areas (area of focus, risk level, and evaluation and rationale)
Process changes due to new system implementations (Risk: High)
• Changes to previous processes and legacy systems through deployment of new systems, with the opportunity to strengthen controls
Asset Tracking and Monitoring Controls (Risk: High)
• Smaller, portable assets are more susceptible to loss or theft
• Considered high risk by Management
Segregation of Duties (SOD) (Risk: High)
• Several processes exist with potential SOD conflicts
• New system implementation warrants an independent review of changed responsibilities
Proposed Internal Audit Projects
Proposed Current Fiscal Year and FY 2021-2022 Audits (process, proposed audit start date and timeline, and potential areas covered)
1. IT Identity and Access Management: Super user access/administrator rights, including the controls in place to monitor activity. We will partner with third-party subject matter experts (CliftonLarsonAllen) to complete this project.
2. Accounts Payable: Provided feedback in Q4 FY 2021 on risks identified by management related to the new ERP system's A/P process. Business process cycle review in late 2021 including changes due to the new ERP and any potential segregation of duties conflicts.
3. Payroll: Design-only review completed in Q4 FY 2021 to verify that controls are adequately designed and addressed process risks related to the new ERP roll-out; this review had a specific focus on the segregation of duties. Audit of the payroll process in Q3 FY 2022 using a risk-based approach, verifying any segregation of duties conflicts.
4. Asset Inventory Management: A review of the controls in place to prevent loss or theft of assets and identify best practices on how such assets are tracked from request to issuance and return. This includes smaller dollar (non-IT) assets not tracked by Accounting and stored in various locations. IT assets such as smaller mobile devices could also be included.
Audit Process Universe
The Audit Universe will be updated as needed, leveraging discussions and process
questionnaires completed by Executive Management.
This is a list of areas that could be considered for audit projects within the various
departments. Therefore, project-specific details will be determined when the
projects are scoped. In some cases, multiple areas can be covered as part of one
audit, or an area may be split into multiple audits.
The expertise available will be considered as projects are selected and scoped.
Specific expertise can be obtained externally or internally.
Auditable Process Universe
The following listing provides the universe of auditable process areas for Executive Management and Administration Department
based upon discussions with management and known business processes.
Executive Management and Secretary of the District
• Executive Risk Management (Risk Management)
• Records Management
• Ethics Compliance Monitoring and Reporting
• Brown Act & Board/Committee Meeting Facilitation
• Ethics Hotline—We Tip
Information Technology
• Software Licensing (Procurement)
• IT Asset Management
• Software Management
• Cybersecurity
• Plant Control Systems (Plant Ops)
• IT Support
• Business Continuity (Risk Management)
• Project Management and System Implementation
• Financial Systems
• Risk Management Strategy
• Information Security
• Cloud Security and Strategy
• Policies and Procedures
Other areas
• Disaster Recovery (IT)
• Crisis Management (Communications)
• Business Continuity
• Leases/Rental Property Management
Auditable Process Universe
The following listing provides the universe of auditable processes for Administration Department based upon discussions with management
and industry-specific guidance.
Finance and Accounting
• General Ledger, Financial Close
• Accounting Policies and Procedures
• Accounts Payable and Expense Reporting
• Accounts Receivable and Revenues
• Capital Assets
• Treasury Processes, Cash Management and Budgeting
• ERP Role Design
• Expense Reports
• Petty Cash Controls
• Capital Allocation
• Key Internal Reports Controls
Purchasing and Materials Services
• Materials and Supplies Inventory Controls
• Purchasing
• Consulting Agreements and Contracts
• P-Cards
• Supplier Risk Management (Risk Management)
Communication Services and Intergovernmental Relations
• Social Media Policy Compliance (IT)
Auditable Process Universe
The following listing provides the universe of auditable processes for Engineering and Technical Services Department based
upon discussions with management and industry-specific guidance.
Capital Projects
• Construction Project Management and Reporting
• New System Implementation - E-builder
• Asset Management
• QA/QC Inspections
Planning and Development Services
• Financial Planning for rates, fees, SSC and permits
• Development Services (Counter and Inspection)
• Revenue and Collection of Rates
Environmental and Regulatory
• Title V Compliance Reporting
• Air Pollution Monitoring and Reporting
• Water Quality Monitoring and Reporting
• Policies and Procedures/SOPs
Auditable Process Universe
The following listing provides the universe of auditable processes for Operations Department based upon discussions with management
and industry-specific guidance.
Plant Maintenance
• Plant Maintenance Program and Equipment Reliability
• Policies and Procedures/SOPs
Plant Operations
• Plant Operational Efficiency and Effectiveness
• Policies and Procedures/SOPs
• Recycled Water (Plant Ops and Planning & Development)
Collection System Operations
• Fleet Maintenance Scheduling and Reporting
• Sewer System Management
Auditable Process Universe
The following listing provides the universe of auditable processes for Operations Department based upon
discussions with management and industry-specific guidance.
Human Resources
• Payroll Internal Controls and Compliance
• Timekeeping
• Employee Relations
• Recruiting/Hiring
• Employee Benefits Administration
Other areas
• Physical Security
• Safety Compliance Reporting
• Hazardous Materials Management (SOPs)
Attachment 2
Central Contra Costa Sanitary District
August 3, 2021
TO: Administration Committee
FROM: Benjamin Johnson, Internal Auditor
SUBJECT: Potential Document Management Project - Internal Audit's Recommended
Approach
At least one member of the Board has expressed interest in an audit of the document
management / records retention process. Central San had a third-party consultant
review this process in 2014 and meaningful feedback was provided. In response to the
report, there was an Electronic Document Management Advisory Group (EDMAG)
formed, which held eight meetings between 2015 and 2016 to help identify root causes
to known issues and formulate solutions. After discussions with key staff, it appears
significant work remains towards developing an overall framework and system to
address identified issues. Challenges include:
1. Garnering commitment amid competing priorities
2. Limited resources, both perceived and actual
3. A lack of published policies and procedures surrounding this process
Although Internal Audit was able to garner feedback from the former Records Program
Administrator before their recent retirement, the position is currently vacant, pending
recruitment.
The current IT Master Plan includes a separate task where a consultant is to review our
existing document management system/process and provide recommendations where
needed. The current anticipated scope of the project includes a holistic analysis of the
document management process, including a review of related systems, interviews with
key staff, developing an inventory of documents, and developing future state
requirements with recommendations of how to clean up file storage practices. The task
would be brought back for Board approval for the consultant to proceed after the initial
phase of the IT master plan approved by the Board in July.
Internal Audit is carefully considering performing a review of the document management
process in coordination with, or after, the consultant's review scheduled in that task of
the IT Master Plan. This approach would give the organization enough time to fill the
vacant Records Program Administrator position, have that person assess the program
and begin their improvement efforts, and serve as the point of contact for the external
and internal audit review. Coordinating and proceeding in this manner would be
most efficient and reduce the chance of duplicated work. Furthermore, whether
management decides to implement a new document management system or not in
response to the consultant's review, any subsequent work performed by Internal Audit
would reflect the most current system, policies, and procedures.
Attachment 3
INTERNAL AUDIT
PROPOSED FY 2021 -2022 AUDIT PLAN
AUGUST 3, 2021
FY 2021-2022 Audit Work Plan Overview
Internal Audit Work Plan (includes Q4 FY 2020-2021), with the estimated percentage of workload for each category:
1. Audit Projects (60%): Refer to the audit plan detail for the proposed projects. It is estimated that Internal Audit will complete approximately three audits per year.
2. Special Projects (15%): Includes Management requests as needed, including ERP-related projects such as process risk feedback and design-only reviews. This may include requests that are more informational or consultative in nature.
3. Risk Assessment and Audit Plan Update (15%): Includes Internal Audit's risk assessment and improvements to the annual Audit Planning process.
4. Administrative (10%): Includes administrative activities such as presentations, audit findings tracking and follow-up.
Internal Audit Project Plan Development
Key Components in developing the Internal Audit Project Plan
• Audit Process Universe
• Periodic Internal Audit Risk Assessment
• Management Requests*
These inputs feed the Proposed Internal Audit Projects.
* Internal Audit captured prior audit requests from Executive Management in developing the Internal Audit
Project Plan. However, specific audit requests may come from the Board, Executive and Operations
Management and/or the We-Tip Hotline.
Proposed Internal Audit Projects
Depending on the scope, each project is expected to be completed
within 3-4 months of the start date with special projects generally
completed within a month.
However, due to the involvement of staff with the ERP
implementation, Internal Audit will need to be flexible on the
timeline. Significant changes will be communicated to Management.
Projects for 14 months are presented. Risks should be re-evaluated
in the next year to determine if there are other higher risk areas.
Any changes will be communicated to the Board.
Proposed Internal Audit Projects
Proposed Current Fiscal Year and FY 2021-2022 Audits
Process, proposed audit start date and timeline, and potential areas covered:
1. IT Identity and Access Management: Super user access/administrator rights, including the controls in place to monitor activity. We will partner with third-party subject matter experts (CliftonLarsonAllen) to complete this project.
2. Accounts Payable: Provided feedback in Q4 FY 2021 on risks identified by management related to the new ERP system's A/P process. Business process cycle review in late 2021 including changes due to the new ERP and any potential segregation of duties conflicts.
3. Payroll: Design-only review completed in Q4 FY 2021 to verify that controls are adequately designed and addressed process risks related to the new ERP roll-out; this review had a specific focus on the segregation of duties. Audit of the payroll process in Q3 FY 2022 using a risk-based approach, verifying any segregation of duties conflicts.
4. Asset Inventory Management: A review of the controls in place to prevent loss or theft of assets and identify best practices on how such assets are tracked from request to issuance and return. This includes smaller dollar (non-IT) assets not tracked by Accounting and stored in various locations. IT assets such as smaller mobile devices could also be included.
Potential Document Management Project
Staff Recommended Approach
Internal Audit is carefully considering performing a review of the
document management process in coordination with, or after, the
consultant's review anticipated as a task of the IT Master Plan. This
approach would give the organization enough time to fill the vacant
Records Program Administrator position and greatly reduce the chance
of duplicated work. Furthermore, whether management decides to
implement a new document management system or not in response to
the consultant's review, any subsequent work performed by Internal
Audit would reflect the most current system, policies, and procedures.