09. Consider Internal Audit FY 2021-2022 Audit Plan and potential document management project
Item 9.
CENTRAL SAN BOARD OF DIRECTORS
POSITION PAPER
MEETING DATE: SEPTEMBER 16, 2021
SUBJECT: CONSIDER ADOPTION OF THE INTERNAL AUDIT FISCAL YEAR (FY)
2021-22 AUDIT PLAN
SUBMITTED BY: BENJAMIN JOHNSON, INTERNAL AUDITOR
INITIATING DEPARTMENT: ADMINISTRATION-FINANCE
REVIEWED BY: KEVIN MIZUNO, FINANCE MANAGER
PHILIP LEIBER, DIRECTOR OF FINANCE AND ADMINISTRATION
Roger S. Bailey
General Manager
ISSUE
The annual audit plan informs the Board of Directors (Board) and Executive Team of the internal audits
scheduled for FY 2021-22. Adoption is recommended.
BACKGROUND
The Internal Audit Plan is a list of audit projects, coordinated by the Internal Auditor, to be performed
during the fiscal year. Audit planning is completed annually based on evaluation of the audit process
universe, risk assessments, and Management surveys/requests. Generally, internal audit projects focus on
the operational effectiveness of internal controls, in accordance with established policies/procedures and
relevant regulatory expectations. Additional projects may include risk evaluations for specific processes or
reviewing the design of controls. The Internal Auditor plans and completes approximately two to three
operational audits each year.
ALTERNATIVES/CONSIDERATIONS
The Board can recommend adoption of the audit plan as presented, or propose amendments, such as:
1. Replace proposed audits with other focus areas which are viewed to be of higher priority by the
Board. An attachment to this Position Paper discusses one potential such project.
2. Recommend an expanded scope of audits to be performed during the fiscal year through the
increased use of supplemental/outside resources.
3. Propose changes to the timing and prioritization of the audits within the fiscal year.
FINANCIAL IMPACTS
There are no financial impacts from adopting the proposed audit plan.
COMMITTEE RECOMMENDATION
The Administration Committee reviewed the plan at its August 3, 2021 meeting and recommended Board
approval.
RECOMMENDED BOARD ACTION
Adopt the FY 2021-22 Audit Plan as presented.
Strategic Plan Tie-In
GOAL THREE: Fiscal Responsibility
Strategy 1—Maintain financial stability and sustainability, Strategy 2—Ensure integrity and transparency in financial
management
ATTACHMENTS:
1. FY 2021-2022 Internal Audit Plan Proposal
2. Potential Document Management Project- Recommended Approach
3. Presentation
September 16, 2021 Regular Board Meeting Agenda Packet- Page 64 of 85
Attachment 1
INTERNAL AUDIT
PROPOSED FY 2021-2022 AUDIT PLAN
SEPTEMBER 16, 2021
Executive Summary
This report provides the Internal Audit FY 2021-2022 Audit Plan based on the understanding of risk within the
organization at one point in time. Unexpected changes in internal or external factors may significantly impact
the audit plan. Internal Audit is presenting this plan to the Board for approval as presented or for modification if
there are other key areas of concern. In addition, the proposed projects are subject to change if higher priority
projects or risks are later identified. Any changes will be communicated to the Board.
An overview of the proposed work and budget for all projects during the fiscal year is provided. In order to be
available for management's needs, a budget for "special projects" has been included.
Internal Audit sincerely appreciates the assistance received from Staff in the completion of this project.
This report includes the following sections:
• FY 2021-2022 Audit Work Plan Overview
• Internal Audit Plan Development
  • Audit Process Universe
  • Internal Audit Risk Assessment
• Proposed Internal Audit Projects
FY 2021-2022 Audit Work Plan Overview
Internal Audit Work Plan-Includes Q4 FY 2020-2021
1. Audit Projects (60%): Refer to the audit plan detail for the proposed projects. It is estimated that
Internal Audit will complete approximately two-three audits per year.
2. Special Projects (15%): Includes Management requests as needed, including ERP and HCM-related
projects such as process risk feedback and design-only reviews. This may include requests that are more
informational or consultative in nature.
3. Risk Assessment and Audit Plan Update (15%): Includes Internal Audit's risk assessment and
improvements to the annual Audit Planning process.
4. Administrative (10%): Includes administrative activities such as presentations, audit findings
tracking and follow-up.
Internal Audit Project Plan Development
Key Components in developing the Internal Audit Project Plan
[Diagram: Audit ..., Periodic ..., and Management requests* feeding into Proposed Internal Audit Projects]
*Internal Audit captured prior audit requests from Executive Management in developing the Internal Audit
Project Plan. However, specific audit requests may come from the Board, Executive and Operations
Management and/or the We-Tip Hotline.
Internal Audit Plan Development
Key Audit Process Universe Inputs
Management's strategic and operational risk assessment
Internal documentation regarding Central San's operating
departments
Known business process areas
Management surveys
Internal Audit Project Plan Development
Internal Audit Risk Assessment - Management Survey; completed in late 2019
Internal Audit conducted a survey regarding the existing internal controls within Central San's
operating departments where a risk score was given based on the response to each survey
question.
Areas were ranked based on the score received, i.e. divisions with higher scores were
considered high-risk areas.
Areas with potential segregation of duties conflicts received additional points towards a higher
score.
Qualitative factors were also considered. Divisions impacted by system implementations and/or
with no prior audit coverage were considered higher risk, prioritizing some areas above those
with a higher risk score.
Internal Audit Project Plan Development
Internal Audit Risk Assessment - Executive Management Survey; completed in late 2019
Internal Audit conducted a survey of Executive Management members regarding the areas they
consider to be of higher risk and/or of key concern.
Some areas of key interest identified were as follows:
• ERP/HCM implementation
• Physical security of assets
• Professional Engineering agreements process
• Sewer billing
• Construction management & e-Builder
Any areas not previously identified were added to the Audit Process Universe for inclusion in the
current or future audit plan.
Proposed Internal Audit Projects
Depending on the scope, each project is expected to be completed
within 3-4 months of the start date with special projects generally
completed within a month.
However, due to the involvement of staff with the ERP
implementation, Internal Audit will need to be flexible on the
timeline. Significant changes will be communicated to Management.
Projects for 14 months are presented. Risks should be re-evaluated
in the next year to determine if there are other higher risk areas.
Any changes will be communicated to the Board.
Proposed Internal Audit Projects
Internal Audit Key Focus Areas
Area of Focus, with Risk Evaluation and Rationale:
Process changes due to new system implementations: High
• Changes to previous processes and legacy systems through deployment of new systems with the
opportunity to strengthen controls
Asset Tracking and Monitoring Controls: High
• Smaller, portable assets are more susceptible to loss or theft
• Considered high risk by Management
Segregation of Duties (SOD): High
• Several processes exist with potential SOD conflicts
• New system implementation warrants an independent review of changed responsibilities
Proposed Internal Audit Projects
Proposed Current Fiscal Year and FY 2021-2022 Audits
1. IT Identity and Access Management
Proposed Audit Start Date Timeline: x
Potential Areas Covered: Super user access/administrator rights, including the controls
in place to monitor activity. We partnered with third-party
subject matter experts (CliftonLarsonAllen) to complete this
project.
2. Accounts Payable
Proposed Audit Start Date Timeline: x1, x
Potential Areas Covered: x1: Provided feedback in Q4 FY 2021 on risks identified by
management related to the new ERP system's A/P process.
Business process cycle review in late 2021 including changes
due to new ERP and any potential segregation of duties
conflicts.
3. Payroll
Proposed Audit Start Date Timeline: x2, x
Potential Areas Covered: x2: Design-only review completed in Q4 FY 2021 to verify that
controls were adequately designed and addressed process
risks related to the new ERP roll-out. This review had a specific
focus on the segregation of duties.
Operational audit of payroll process in Q3 FY 2022 using a risk-based
approach. Verify any segregation of duties conflicts.
4. Asset Inventory Management
Proposed Audit Start Date Timeline: x
Potential Areas Covered: A review of the controls in place to prevent loss or theft of
assets and identify best practices on how such assets are
tracked from request to issuance and return. This includes
smaller dollar (non-IT) assets not tracked by Accounting and
stored in various locations. Also, IT assets such as
smaller mobile devices could be included.
Audit Process Universe
The Audit Universe will be updated as needed, leveraging discussions and process
questionnaires completed by Executive Management.
This is a list of areas that could be considered for audit projects within the various
departments. Therefore, project-specific details will be determined when the
projects are scoped. In some cases, multiple areas can be covered as part of one
audit, or an area may be split into multiple audits.
The expertise available will be considered as projects are selected and scoped.
Specific expertise can be obtained externally or internally.
Auditable Process Universe
The following listing provides the universe of auditable process areas for Executive Management and Administration Department
based upon discussions with management and known business processes.
Executive Management and Secretary of the District Information Technology Risk Management
Executive Risk Management (Risk Management) Software Licensing (Procurement) Disaster Recovery (IT)
Records Management IT Asset Management Crisis Management (Communications)
• Ethics Compliance Monitoring and Reporting Software Management Business Continuity
• Brown Act & Board/Committee Meeting Facilitation Cybersecurity Leases/Rental Property Management
• Ethics Hotline—We Tip Plant Control Systems (Plant Ops) Keycards and Keys (Finance/Management)
IT Support
Business Continuity (Risk Management)
• Project Management and System Implementation
• Financial Systems
• Risk Management Strategy
• Information Security
• Cloud Security and Strategy
• Policies and Procedures
Auditable Process Universe
The following listing provides the universe of auditable processes for Administration Department based upon discussions with management
and industry-specific guidance.
Purchasing and Materials Services Communication Services and Intergovernmental Relations
• General Ledger, Financial Close Materials and Supplies Inventory Controls Social Media Policy Compliance (IT)
Accounting Policies and Procedures Purchasing
• Payables Consulting Agreements and Contracts
• Expenses Module (P-Cards, travel reimbursement, etc.) P-Cards (Program Administration)
• Receivables Supplier Risk Management (Risk Management)
Capital Assets
Treasury Processes,Cash Management and Budgeting
ERP Role Design
• Petty Cash Controls
• Capital Allocation
• Key Internal Reports Controls
Projects
Auditable Process Universe
The following listing provides the universe of auditable processes for Engineering and Technical Services Department based
upon discussions with management and industry-specific guidance.
Capital Projects Planning and Development Services Environmental and Regulatory Compliance
Construction Project Management and Reporting Financial Planning for rates, fees, SSC and permits Title V Compliance Reporting
New System Implementation - E-builder Development Services (Counter and Inspection) Air Pollution Monitoring and Reporting
• Projects Asset Management Water Quality Monitoring and Reporting
• Capital Construction Purchase Orders Revenue and Collection of Rates/Permit Fees Policies and Procedures/SOPs
• QA/QC Inspections
Concord/Clayton Flow Meter Monitoring
Auditable Process Universe
The following listing provides the universe of auditable processes for Operations Department based upon discussions with management
and industry-specific guidance.
Operations Plant Maintenance Plant
Plant Maintenance Program and Equipment Reliability Plant Operational Efficiency and Effectiveness Fleet Maintenance Scheduling and Reporting
Policies and Procedures/SOPs Policies and Procedures/SOPs Sewer System Management
• Recycled Water (Plant Ops and Planning & Development)
Auditable Process Universe
The following listing provides the universe of auditable processes for Operations Department based upon
discussions with management and industry-specific guidance.
Human Resources
• Payroll Internal Controls and Compliance Physical Security
• Timekeeping Safety Compliance Reporting
• Employee Relations Hazardous Materials Management (SOPs)
• Recruiting/Hiring
• Employee Benefits Administration
Attachment 2
Central Contra Costa Sanitary District
September 16, 2021
TO: Board of Directors
FROM: Benjamin Johnson, Internal Auditor
SUBJECT: Potential Document Management Project - Internal Audit's Recommended
Approach
At least one member of the Board has expressed interest in an audit of the document
management / records retention process. Central San had a third-party consultant
review this process in 2014 and meaningful feedback was provided. In response to the
report, there was an Electronic Document Management Advisory Group (EDMAG)
formed, which held eight meetings between 2015 and 2016 to help identify root causes
to known issues and formulate solutions. After discussions with key staff, it appears
significant work remains towards developing an overall framework and system to
address identified issues. Challenges include:
1. Garnering commitment amid competing priorities
2. Limited resources, both perceived and actual
3. A lack of published policies and procedures surrounding this process
Although Internal Audit was able to garner feedback from the former Records Program
Administrator before they recently retired, currently, the position is vacant, pending
recruitment.
The current IT Master Plan includes a separate task where a consultant is to review our
existing document management system/process and provide recommendations where
needed. The current anticipated scope of the project includes a holistic analysis of the
document management process, including a review of related systems, interviews with
key staff, developing an inventory of documents, and developing future state
requirements with recommendations of how to clean up file storage practices. The task
would be brought back for Board approval for the consultant to proceed after the initial
phase of the IT master plan approved by the Board in July.
Internal Audit is carefully considering performing a review of the document management
process in coordination with, or after, the consultant's review scheduled in that task of
the IT Master Plan. This approach would give the organization enough time to fill the
vacant Records Program Administrator position, have that person assess the program
and begin their improvement efforts, and serve as the point of contact for the external
and internal audit review. Coordinating and proceeding in this manner would be most
efficient and reduce the chance of duplicated work. Furthermore, whether management
decides to implement a new document management system or not in response to the
consultant's review, any subsequent work performed by Internal Audit would reflect the
most current system, policies, and procedures.
Attachment 3
INTERNAL AUDIT
PROPOSED FY 2021-2022 AUDIT PLAN
SEPTEMBER 16, 2021
FY 2021-2022 Audit Work Plan Overview
Internal Audit Work Plan-Includes Q4 FY 2020-2021
1. Audit Projects (60%): Refer to the audit plan detail for the proposed projects. It is estimated that
Internal Audit will complete approximately two-three audits per year.
2. Special Projects (15%): Includes Management requests as needed, including ERP and HCM-related
projects such as process risk feedback and design-only reviews. This may include requests that are more
informational or consultative in nature.
3. Risk Assessment and Audit Plan Update (15%): Includes Internal Audit's risk assessment and
improvements to the annual Audit Planning process.
4. Administrative (10%): Includes administrative activities such as presentations, audit findings
tracking and follow-up.
Internal Audit Project Plan Development
Key Components in developing the Internal Audit Project Plan
[Diagram: Audit ..., Periodic ..., and Management requests* feeding into Proposed Internal Audit Projects]
*Internal Audit captured prior audit requests from Executive Management in developing the Internal Audit
Project Plan. However, specific audit requests may come from the Board, Executive and Operations
Management and/or the We-Tip Hotline.
Proposed Internal Audit Projects
Depending on the scope, each project is expected to be completed
within 3-4 months of the start date with special projects generally
completed within a month.
However, due to the involvement of staff with the ERP
implementation, Internal Audit will need to be flexible on the
timeline. Significant changes will be communicated to Management.
Projects for 14 months are presented. Risks should be re-evaluated
in the next year to determine if there are other higher risk areas.
Any changes will be communicated to the Board.
Proposed Internal Audit Projects
Proposed Current Fiscal Year and FY 2021-2022 Audits
1. IT Identity and Access Management
Proposed Audit Start Date Timeline: x
Potential Areas Covered: Super user access/administrator rights, including the controls
in place to monitor activity. We partnered with third-party
subject matter experts (CliftonLarsonAllen) to complete this
project.
2. Accounts Payable
Proposed Audit Start Date Timeline: x1, x
Potential Areas Covered: x1: Provided feedback in Q4 FY 2021 on risks identified by
management related to the new ERP system's A/P process.
Business process cycle review in late 2021 including changes
due to new ERP and any potential segregation of duties
conflicts.
3. Payroll
Proposed Audit Start Date Timeline: x2, x
Potential Areas Covered: x2: Design-only review completed in Q4 FY 2021 to verify that
controls were adequately designed and addressed process
risks related to the new ERP roll-out. This review had a specific
focus on the segregation of duties.
Operational audit of payroll process in Q3 FY 2022 using a risk-based
approach. Verify any segregation of duties conflicts.
4. Asset Inventory Management
Proposed Audit Start Date Timeline: x
Potential Areas Covered: A review of the controls in place to prevent loss or theft of
assets and identify best practices on how such assets are
tracked from request to issuance and return. This includes
smaller dollar (non-IT) assets not tracked by Accounting and
stored in various locations. Also, IT assets such as
smaller mobile devices could be included.
Potential Document Management Project
Staff Recommended Approach
Internal Audit is carefully considering performing a review of the
document management process in coordination with, or after, the
consultant's review anticipated as a task of the IT Master Plan. This
approach would give the organization enough time to fill the vacant
Records Program Administrator position and greatly reduce the chance
of duplicated work. Furthermore, whether management decides to
implement a new document management system or not in response to
the consultant's review, any subsequent work performed by Internal
Audit would reflect the most current system, policies, and procedures.