04.c. Receive fiscal year 2020-2021 payroll design-only review final report

Item 4.c.

December 7, 2021

TO: ADMINISTRATION COMMITTEE
FROM: BENJAMIN JOHNSON, INTERNAL AUDITOR
REVIEWED BY: PHILIP LEIBER, DIRECTOR OF FINANCE AND ADMINISTRATION; ROGER S. BAILEY, GENERAL MANAGER
SUBJECT: RECEIVE FISCAL YEAR (FY) 2020-21 PAYROLL DESIGN-ONLY REVIEW FINAL REPORT, FY 2021-22 INFORMATION TECHNOLOGY (IT) IDENTITY AND ACCESS MANAGEMENT REVIEW FINAL REPORT, AND INTERNAL AUDIT BIANNUAL FINDINGS REPORT FOR THE CLOSE OF Q2 FY 2021-22

Enclosed are the FY 2020-21 Payroll Design-only Review and FY 2021-22 IT Identity and Access Management Review Final Reports. Internal Audit reviewed Central San's payroll process controls, with a focus on the segregation of duties, after the operational system migration to the Oracle Fusion Cloud. Management's responses to our recommendations have been reviewed and have been included in the audit report. Internal Audit plans to perform a traditional operational audit of the payroll process in FY 2021-22, where testing will be conducted to verify that the agreed-upon corrective actions are operationally effective.

In addition, Internal Audit partnered with CliftonLarsonAllen (CLA), an external public accounting firm/consultancy, to perform an IT Identity and Access Management Review. This project focused on super-user access / administrator rights, including the controls in place to monitor activity. All the findings identified have been vetted with IT management, and corrective action plans are currently being drafted. The actions taken and/or planned are responsive to the observations in the audit reports. There will be regular follow-up to discuss remediation efforts and send reminders, as needed. Please see the attached biannual findings report, which reflects the status of the findings identified from Q4 FY 2020-21 through the first half of this fiscal year.
Prior to the inception of this biannual report, the Internal Audit Department was able to partner with management and staff to close 10 findings related to prior audits. Although there were four open findings related to payroll when the full-time Internal Auditor position was filled in March 2021, the related processes were reassessed in the payroll review mentioned above. Therefore, the findings report attached reflects the status of all open findings to date.

December 7, 2021 Regular ADMIN Committee Meeting Agenda Packet - Page 10 of 111

Strategic Plan Tie-In
GOAL THREE: Fiscal Responsibility
Strategy 1 — Maintain financial stability and sustainability
Strategy 2 — Ensure integrity and transparency in financial management

ATTACHMENTS:
1. Memorandum and FY 2020-21 Payroll Design-only Review FINAL Report 09.21.21
2. FY 2021-22 IT Identity and Access Management Review FINAL Report 09.16.21
3. Internal Audit Biannual Findings Report for the Board of Directors — Close of Q2 FY 2021-22
4. Presentation

Attachment 1

CENTRAL SAN INTERNAL AUDIT REPORTING

DATE: December 7, 2021
TO: Administration Committee
FROM: Benjamin Johnson, Internal Auditor
SUBJECT: INTERNAL AUDIT REPORTING FOR THE FIRST HALF OF FY 2021-22

Enclosed are the FY 2020-21 Payroll Design-only Review and FY 2021-22 IT Identity and Access Management Review Final Reports. Internal Audit reviewed Central San's payroll process controls, with a focus on the segregation of duties, after the operational system migration to the Oracle Fusion Cloud. Management's responses to our recommendations have been reviewed and have been included in the audit report. Internal Audit plans to perform a traditional operational audit of the payroll process in FY 2021-22, where testing will be conducted to verify that the agreed-upon corrective actions are operationally effective.
In addition, Internal Audit partnered with CliftonLarsonAllen (CLA), an external consultant, to perform an IT Identity and Access Management Review. This project focused on super-user access / administrator rights, including the controls in place to monitor activity. All the findings identified have been vetted with IT management, and corrective action plans are currently being drafted. The actions taken and/or planned are responsive to the observations in the audit reports. There will be regular follow-up to discuss remediation efforts and send reminders, as needed. Please see the attached biannual findings report, which reflects the status of the findings identified from Q4 FY 2020-21 through the first half of this fiscal year. Prior to the inception of this biannual report, the Internal Audit Department was able to partner with management and staff to close 10 findings related to prior audits. Although there were four open findings related to payroll when the full-time Internal Auditor position was filled in March 2021, the related processes were reassessed in the payroll review mentioned above. Therefore, the findings report attached reflects the status of all open findings to date.

Benjamin Johnson
Internal Auditor

Enclosures

Central Contra Costa Sanitary District. 11361.1.1._Memorandum_and_FY_2020-21_Payroll_Design-only_Review_FINAL_Report_09.21.21

FY 2020-21 PAYROLL DESIGN-ONLY REVIEW FINAL REPORT
DATE: September 21, 2021

INTRODUCTION

Audit Objective
The objective of this engagement was to identify and assess the design of internal controls surrounding the payroll process, with a focus on the segregation of duties.
Background
The payroll function transferred from Finance to the Human Resources (HR) Division in October 2017, although Finance still owns a few related processes. In FY 2020-21, Central San migrated most of its operational processes from SunGard to the Oracle Fusion Cloud (Oracle). In partnership with a third-party implementation resource and the IT Division, the Oracle payroll module went live in January 2021. Since implementation, HR and Finance management have worked through numerous challenges in relation to the Oracle system. Management has identified payment calculation errors, reporting limitations, and the inability to view information critical to performing a general ledger reconciliation. Although management and staff have committed a considerable amount of time and effort to manually identify/correct payroll data errors and initiate system improvements, system functionality continues to have certain limitations as of the date of this report.

Central San's budgeted salaries, wages and employee benefits net of capitalized overhead and benefits for FY 2021-22 (1):

Expense Category | Total as of 6/30/20
Salaries & Wages | $39,543,191
Benefits & Capital Overhead Credit | 11,545,173
OPEB UAAL | 2,451,000
Retirement UAAL / Unfunded Liabilities | 12,126,016
Additional UAAL Contributions | 1,250,000
Total Labor Related Costs including UAAL and Additional Contributions | 66,915,380

Source: Central San's FY 2020-21 Budgets, page 57
(1) The O&M budget was revised on September 2, 2021 to reflect the June pay-off of the pension UAAL.

Audit Scope, Limitations and Methodology
Internal Audit plans to perform a traditional operational audit of the payroll process in FY 2021-22.
In this review, Internal Audit verified whether internal controls related to the segregation of duties were appropriately designed to address risks surrounding key payroll processes, including:
• Hires/additions
• Manual checks
• Terminations/deletions
• Direct deposit
• Payroll processing
• GL reconciliations
• Salary adjustments

The review was performed using the following methods:
• Reviewed available policies, guidelines, and procedures
• Interviewed team members and observed the processes within the scope of the review
• Obtained and reviewed evidence of existing controls
• Reported on audit results and discussed recommendations

INTERNAL AUDIT RESULTS

Summary
Based on Internal Audit's assessment of the controls designed around the payroll process, with a focus on the segregation of duties, critical improvements to the process are needed to minimize risk to the organization. There is ample opportunity to improve the overall governance over the payroll process. Observations and recommendations were made regarding the following:
• Policies and procedures
• Personnel and payroll user privileges in Oracle
• Payroll data review by an employee with no payroll duties

The risk each finding presents to the organization is weighted using the following system:
• 1 — High Risk
• 2 — Moderate Risk
• 3 — Low Risk

Finding 1: Policies and procedures (2 — Moderate Risk)
Policies and procedures surrounding the payroll process have not been updated since the rollout of the Oracle payroll module. Processes and system features have continuously evolved since the payroll module went live in January 2021. Currently, HR regularly emails time reporting/approval instructions to Central San employees.
Although an informal payroll process is understood on an individual task level by key staff, there is an overall lack of detailed documentation with respect to key payroll processes.

Key Risks: Unclear objectives, roles, and procedures

Recommendation: Detailed standard operating procedures (SOPs) and policies surrounding the payroll process should be developed, updated as needed, and made available to key staff. The documentation should include which tasks are performed by HR and which are performed by Finance. A detailed SOP would also facilitate cross-training of staff for succession planning and business continuity purposes.

Management's Response / Action Plan: Management agrees with this finding and will begin developing new and detailed SOPs related to payroll processing within the new Oracle ERP module(s).

Target Date / Responsible: December 1, 2021 / Teji O'Malley, HR and OD Manager

Internal Audit's Response: Management's action plan and target date appear reasonable.

Finding 2: Personnel and payroll user privileges in Oracle (1 — High Risk)
Two HR staff have user privileges that allow them to enter new employees into the Human Capital Management (HCM) personnel module as well as edit data in the payroll module. As a result, it is possible that a single HR employee could create a fictional employee in the system and, through input of specific time entries or payroll system entries, create a payment to that fictitious employee of a specified dollar amount. Other compensating detective controls could be added, but the present situation constitutes a segregation of duties weakness that should be remediated.

Key Risks: Fraud
Recommendation: Remove user privileges that allow the ability to add employees to the Oracle system from HR staff performing payroll functions.

Management's Response / Action Plan: Management agrees with the finding and will remove access to enter and create new employees / transactions from the HR Analysts and will transfer that access to an Administrative Services Assistant, who will be solely responsible for the entry of any new employees as well as all personnel transactions. A second Administrative Services Assistant will serve as back-up staff and will have access to enter new employees / transactions should the need arise. The two HR Analysts responsible for payroll processing will only review and audit, not enter/edit, all transactions including new employees, prior to the processing of payroll.

Target Date / Responsible: September 30, 2021 / Teji O'Malley, HR and OD Manager

Internal Audit's Response: Management's action plan clearly aims to address key risks by updating controls surrounding the segregation of duties. The action plan and target date reflect a sense of urgency and appear reasonable.

Finding 3: Payroll data review by an employee with no payroll duties (1 — High Risk)
HR and Finance do not have the ability to produce detailed reporting within Oracle that provides staff and management the critical data elements necessary to perform a robust accuracy review, such as: error rates, calculations, personnel changes, pay rate changes, and manual changes made in the system by HR staff or supervisors editing time reporting.
Payroll data is manually reviewed for accuracy by HR staff during the bi-weekly payroll process; however, it is not subsequently reviewed by an employee with no payroll processing responsibilities prior to:

A) The direct deposit process — A direct deposit data file is generated by an HR staff person and sent to an IT team member to perform the transaction within the bank's online portal. A bank confirmation is received by the HR staff person and Finance management, which they both reconcile to the payroll register.

B) Printing live checks and making off-cycle payments — Live checks: An HR staff person provides payroll register information to Finance to process live checks. Finance management receives a copy of the live checks along with a cover letter for approval. They agree the cover letter to the live check amounts and review the amounts for reasonableness. However, they do not have the proper system access to verify if the amounts are accurate per the personnel records before processing payments. Off-cycle payments: All off-cycle payments are processed through the Oracle system via direct deposit or live check processes and are subject to the process gaps identified above.

C) Processing supplemental retirement plan terminal pay contributions — Such contributions are not automatically captured in the Oracle report Finance runs to process retirement benefits. An HR staff person manually tells Finance staff which employees have retired in the pay period and the payment amount. Finance cannot currently generate a report of election changes (for new hires, existing employees, or terminations) and, therefore, cannot independently verify the accuracy of terminal information provided by HR.
D) The general ledger (GL) reconciliation process — Finance staff have limited visibility into critical data necessary to perform a traditional payroll GL reconciliation. Instead, a Finance staff person runs a payroll journal accounting string error report within the Oracle system and manually corrects any system-generated errors in the GL. The Finance staff person is unable to verify whether the figures are accurate, and any changes made to the GL are not reviewed for accuracy by a supervisor before or after being posted.

Key Risks: Fraud; inaccurate/late payments; regulatory non-compliance; accounting/reporting inaccuracies

Recommendation: Management and staff require the ability to produce more meaningful reporting from the Oracle system that includes the forenamed data elements to effectively validate payroll. The Oracle system does not appear to contain such reports as a standard feature, and such reports would require specific development. A single system-generated report that includes all the necessary elements could serve as the single source of truth for both divisions. Please see our recommended process below:
• Utilizing the Oracle report, HR staff can review for personnel information accuracy, including timekeeping, when processing payroll.
• Finance can be notified after the review is complete, and a Finance team member can perform a reasonableness review of the personnel information and any manual changes to the system, as well as a detailed review of the payment calculations.
• Once the report is reviewed and approved by Finance management, it can be sent to HR management for a final, high-level reasonableness review.
• Once HR management notifies Finance of their approval, a GL reconciliation can be performed, which should be reviewed for accuracy by a supervisor in Finance before and after any changes are posted.
• Payment transactions can then be made by designated Finance team members utilizing updated system information.

Improving system access (allowing relevant Finance staff visibility into the relevant Oracle modules) is essential in allowing Finance staff to perform a proper GL reconciliation, a critical component of the payroll process. In addition, any changes made to the GL should be reviewed by a supervisor before and after being posted. Segregation of duties should always be maintained, and with each level of review, if there are questions, coordination should be made with appropriate staff to provide further clarity or to make corrections in the system. We strongly recommend that all payment transactions be performed by Finance using information taken directly from the Oracle system to minimize the risk of either human error or fraud. In addition, key staff performing accuracy reviews in both divisions should have a trained back-up.

HR Division Management's Response / Action Plan: HR management agrees with the findings but is recommending a different review process than what is detailed above. Since HR will be assigning all personnel transaction data entry to one Administrative Services Assistant, the other Administrative Services Assistant will be responsible for maintaining a Personnel Action Form (PAF) log within HR detailing each transaction in any given pay period. Once those transactions have been entered and payroll processed, an HR Analyst responsible for processing payroll will extract an Oracle report that details all transactions in any given pay period (new hires, pay adjustments, terminations, etc.).
The Oracle report and a copy of the PAF log will be routed via DocuSign to another HR Analyst within the division with no payroll responsibilities for review and then to the HR Manager for final review.

Target Date / Responsible: Completed as of August 1, 2021 / Teji O'Malley, HR and OD Manager

Internal Audit's Response: Internal Audit has reviewed the Personnel Action Form (PAF) log and Oracle report for the pay period ending July 3, 2021. There is evidence that the documentation was signed by the HR Analyst processing payroll, another HR Analyst with no payroll responsibilities, and the HR Manager. These controls, as they are designed, appear to mitigate key risks surrounding the segregation of duties. Internal Audit has closed this portion of the finding for design effectiveness.

Finance Division Management's Response / Action Plan: Finance management agrees with the findings but proposes slightly different solutions to address certain risks in consideration of limited resources and prioritization of divisional staff time and objectives. A combination of inter-divisional protocol changes as well as system modifications are being explored to address the findings listed previously. Regarding protocol changes, Finance and HR have agreed the payroll payment processing and reconciliation functions should be more fully transitioned to the Finance Division.
While HR will continue to be responsible for processing payroll and preparing the payroll register, Finance shall be responsible for auditing the payroll register (employing a "risk-based" approach) and administering the timely payment of payroll obligations such as: employee direct deposits, employee manual checks, IRS withholding taxes, EDD withholding taxes, retirement contributions, etc.

Finance has also been working with IT and the ERP implementation consultants (Emtec) on system modifications to address several of the concerns noted previously. While Oracle Fusion Cloud currently does not have a standard user role that allows Finance to access HCM data in a view-only capacity to facilitate payroll register audit needs, IT and Emtec are working on developing several custom payroll reports that can be independently generated by authorized Finance staff. Custom reports will include information on HCM changes in specified timeframes such as: new hires, pay changes, terminations/retirements, and benefit election changes. Emtec is also exploring the possibility of preventing the same person that generates the payroll journal entry from also being able to post/approve it, to ensure any edits are reviewed by a second party. This functionality does not appear to be available with the standard Oracle product and may necessitate some system customizations. Should a systematic control such as this not be available or feasible, Finance will implement a manual process to ensure edits to the system-generated payroll journal entry are reviewed and approved by a supervisor.

There are two areas where Finance management disagrees slightly with the recommended actions and proposes alternative mitigating controls. The first is regarding the proposed recommendation for a detailed review of payment calculations included in the payroll register, and the second is regarding a proposed approval of the payroll register by Finance management prior to approval by HR management.
Finance management believes the recommended detailed review of payment calculations in the payroll register should be redefined to focus on the areas of risk to better prioritize the use of limited staff time. Unlike manual processes, once configured correctly, the outputs from the payroll subledger are system-generated and should be mathematically correct. This can be further validated through the upcoming phase II payroll internal audit. Accordingly, the review of detail calculations will be concentrated on areas where there is manual intervention or system overrides and focus on changes such as new hires, terminations/retirements, pay changes, and benefit election changes.

As the HR Division possesses primary ownership of the payroll function, it does not seem appropriate that Finance's approval of the payroll register should precede that of HR Management. Following HR management's approval of the payroll register, it should be turned over to Finance for an independent review and reconciliation of the information, followed by the funding and payment process. Any concerns or potential errors identified by Finance should be promptly communicated to HR for further investigation and corrections, if applicable.

Target Date / Responsible: November 1, 2021 / Kevin Mizuno, Finance Manager

Internal Audit's Response: Management's action plan addresses key risks related to the segregation of duties while accommodating the operational needs of the divisions involved. Taking into consideration the anticipated challenges of making significant changes to the Oracle system, the action plan and target date appear reasonable.
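Findings 2 and 3 both reduce to checks that can be run mechanically against a role export from the ERP: no single user may hold both the privilege to create an employee and the privilege to edit payroll (or to both generate and post the payroll journal entry), and whoever signs off on the PAF log, payroll register or journal entry must be neither the preparer nor a payroll processor. The following is an added example written for this page; it is not code from Central San, Internal Audit, Emtec or Oracle. The privilege names, user names and the maker/checker records are constructed stand-ins for whatever the real HCM and payroll role export contains.

```python
"""Segregation-of-duties (SoD) checks over a constructed payroll role export.

Added example; not code from Central San, Internal Audit or Oracle. Privilege
names are hypothetical stand-ins for the real HCM/payroll roles.
"""
from collections import defaultdict

# Toxic privilege pairs (hypothetical names). Holding both halves lets one
# person create a payee and then pay it (Finding 2), or generate and post the
# same payroll journal entry without a second party seeing it (Finding 3).
TOXIC_PAIRS = [
    ("hcm.create_employee", "payroll.edit_payroll"),
    ("payroll.generate_journal", "gl.post_journal"),
]

# Any of these makes a user a payroll processor, so they cannot serve as the
# independent reviewer that Finding 3 calls for.
PROCESSING_PRIVS = {"hcm.create_employee", "payroll.edit_payroll",
                    "payroll.generate_journal"}

# Constructed sample export: (user, privilege) rows.
ASSIGNMENTS = [
    ("hr_analyst_1", "hcm.create_employee"),     # processes payroll AND can add employees
    ("hr_analyst_1", "payroll.edit_payroll"),
    ("hr_analyst_2", "payroll.edit_payroll"),    # processes payroll
    ("hr_analyst_3", "hcm.view_employee"),       # read-only, no payroll duties
    ("admin_asst_1", "hcm.create_employee"),     # data entry only
    ("fin_staff_1", "payroll.generate_journal"),
    ("fin_staff_1", "gl.post_journal"),          # generates and posts the journal
    ("fin_supervisor", "gl.post_journal"),
]

# Constructed maker/checker records: who prepared each document and who signed.
REVIEWS = [
    {"doc": "PAF log, PPE 2021-07-03", "prepared_by": "hr_analyst_1",
     "reviewed_by": ["hr_analyst_3", "hr_manager"]},
    {"doc": "payroll register, PPE 2021-07-03", "prepared_by": "hr_analyst_1",
     "reviewed_by": ["hr_analyst_2"]},
    {"doc": "payroll journal entry, PPE 2021-07-03", "prepared_by": "fin_staff_1",
     "reviewed_by": ["fin_staff_1"]},
]


def privileges_by_user(assignments):
    """Group (user, privilege) rows into {user: set(privileges)}."""
    privs = defaultdict(set)
    for user, priv in assignments:
        privs[user].add(priv)
    return privs


def toxic_combinations(assignments, toxic_pairs=TOXIC_PAIRS):
    """Return sorted (user, priv_a, priv_b) for every user holding both halves of a toxic pair."""
    privs = privileges_by_user(assignments)
    hits = []
    for user, held in privs.items():
        for a, b in toxic_pairs:
            if a in held and b in held:
                hits.append((user, a, b))
    return sorted(hits)


def review_violations(reviews, assignments, processing_privs=PROCESSING_PRIVS):
    """Return sorted (doc, reviewer, reason) for sign-offs that are not independent.

    A sign-off is not independent when the reviewer prepared the document or
    holds any payroll-processing privilege.
    """
    privs = privileges_by_user(assignments)
    problems = []
    for rec in reviews:
        for reviewer in rec["reviewed_by"]:
            if reviewer == rec["prepared_by"]:
                problems.append((rec["doc"], reviewer, "reviewer is the preparer"))
            elif privs.get(reviewer, set()) & processing_privs:
                problems.append((rec["doc"], reviewer,
                                 "reviewer holds payroll-processing privileges"))
    return sorted(problems)


if __name__ == "__main__":
    for user, a, b in toxic_combinations(ASSIGNMENTS):
        print(f"SoD conflict: {user} holds {a} and {b}")
    for doc, reviewer, why in review_violations(REVIEWS, ASSIGNMENTS):
        print(f"Review not independent: {doc}: {reviewer} ({why})")
```

On the constructed data this flags hr_analyst_1 (create employee plus edit payroll) and fin_staff_1 (generate plus post journal) as SoD conflicts, and flags the register signed by a payroll-processing analyst and the journal entry signed by its own preparer; the PAF log reviewed by an analyst with no payroll duties and the HR Manager passes, which is the arrangement Internal Audit accepted above. Both checks are design-level: they read role assignments and sign-off records, not transactions, so they can be re-run after every role change rather than only at audit time.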
Attachment 2

IT Identity and Access Management
Central Contra Costa Sanitary District
September 16, 2021

This document and the information contained within is considered Proprietary & Confidential and NOT to be reproduced, duplicated or disclosed without expressed written consent by CliftonLarsonAllen LLP.

Table of Contents
Executive Summary 3
  Objective 3
  Scope 3
Approach 5
Control Results and Benchmarking 7
Recommendations 9
References 17

©2021 CliftonLarsonAllen LLP

Executive Summary

Objective
The objective of the IT Identity and Access Management review was to identify gaps in the current control environment that could put Central Contra Costa Sanitary District (the Organization) data (by type) at risk, including:
• Financial Data
• Employee Data
• Intellectual Property
• Confidential Consumer Data

Deficiencies in control design or effectiveness that could negatively impact the confidentiality or integrity of Central Contra Costa Sanitary District data or the availability of critical systems are identified within this report with recommendations for remediation. CLA performed this engagement in accordance with the Statement of Standards for Consulting Services issued by the American Institute of Certified Public Accountants. This engagement is not an assurance audit as defined by professional standards and should not be construed as such.
Scope
The scope of this review was focused on the following domains:
Section 1 Access Management
Section 2 Data Security and Privacy
Section 3 Endpoint Security
Section 4 Physical Security of IT Assets
Section 5 HR Security
Section 6 Log and Event Management

Application reviews focused on system infrastructure for the following applications:
A - Oracle Fusion: Core Application; Financial Data; Proprietary; Externally; Internally
B - Office 365: Business Use Application; Proprietary; Proprietary; Externally; Externally

Approach

Overview
To achieve the project objectives, CLA conducted the IT Identity and Access Management Review by interviewing staff, reviewing documentation provided by Central Contra Costa Sanitary District, and observing current processes and procedures within the Organization.

Best Practice
As a basis for the review, current processes and procedures specific to information technology within the Organization were compared to Best Practice controls outlined in CLA's Information Technology and Systems Management Work Programs. The work programs were initially developed based on the guidelines of regulatory requirements and have since been revised to incorporate elements of COBIT, COSO, ITIL, Info-Tech Research Group, and NIST 800-53 Revision 5. Controls proven to be important based on the experience of the Cybersecurity group staff within CLA have also been included in the work programs. CLA's controls are categorized as either required, essential or recommended.
• A required control is either stated or implied by regulatory guidance as an expected practice.
• An essential control is stated or implied by other authoritative guidance as expected practice.
• A recommended control is considered by CLA as an industry best practice.

Risk
Overall risk is determined based on the magnitude of the impact of an event, after consideration of the Organization's controls, and the likelihood that the event would negatively impact the Organization. Controls specific to each control domain and topic were reviewed, and risk was determined as follows:

Inherent Risk — determined based on the probability of the defined risk (threat) with subjective consideration of the impact. Inherent Risk is calculated based on the following (probability, impact, resulting inherent risk):
Low, Low: Low
Low, Medium: Medium
Low, High: Medium
Medium, Low: Low
Medium, Medium: Medium
Medium, High: High
High, Low: Medium
High, Medium: High
High, High: High

Control Risk — determined based on the evaluation of each current control's design, effectiveness, strength and likelihood of failure. Control Risk is determined based on the following:
Critical: Immediate potential to impact availability, integrity or confidentiality (no control)
High: Potential to impact availability, integrity or confidentiality (weak control)
Medium: Intermittent potential to impact availability, integrity or confidentiality (control exists but not enforced)
Low: Controls are in place and operating effectively; however, inherent risk exists

Residual Risk — determined by subjectively evaluating the extent to which Control Risk could reduce Inherent Risk. Residual Risk assumes the Organization has not taken action on the Recommended Remediation to reduce the overall risk to the Organization.
Residual Risk is determined based on the following:
Critical: Immediate potential to impact availability, integrity or confidentiality (controls cannot be designed appropriately or be effective on a consistent basis)
High: Potential to impact availability, integrity or confidentiality (controls are not designed appropriately or are not effective on a consistent basis)
Medium: Intermittent potential to impact availability, integrity or confidentiality (controls are designed appropriately and can be effective on a consistent basis but can be bypassed or overlooked)
Low: Controls are in place and operating effectively; however, inherent risk exists

Remediation
As a result of the issue(s) identified, remediation recommendations were provided to improve the position of the Organization related to the defined security or technology management topic. Each recommendation was subjectively assigned an effort that indicates the level of effort associated with implementing the remediation, as follows:
Critical: Within 10 Days / Within 30 Days
High: Within 30 Days / Within 30 - 60 Days
Medium: Within 90 Days / Within 90 - 120 Days
Low: Within 120 Days / Recommendations are based on "best practice" and can be addressed as time permits to determine if additional controls should be implemented.

Control Results and Benchmarking
CLA evaluated 46 controls and rated each control by effectiveness. Effective controls earn 100% of the points, Mostly Effective earns 80%, Partially Effective earns 50% and Not Effective controls earn 0%. The maturity score by control domain and in total represents the Organization's maturity in Information Security Management.
Scores for each control were summarized by domain as follows:
Access Management 82.05%
Data Security and Privacy 95.20%
Endpoint Security 100.00%
Physical Security of IT Assets 86.88%
HR Security 86.36%
Log and Event Management 95.71%
Average Score 86.07%

The results of the review process indicated that the following residual risks are present within the control domains under review:
[Chart: residual risks by rating (Critical, High, Medium, Low); values shown in the source chart: 5, 2, 1, 0, 6]

Detail to support these conclusions is contained within the remaining section of the report. Within each domain, the control segments that were identified as Critical or High Risk gaps represent the most significant threat to the Organization. These issues require either Critical or High Priority attention by management. Additional Medium and Low Risk gaps are also identified and require review by management to determine a remediation strategy. Effective controls are shown to demonstrate the overall effectiveness of the tested domain.

Recommendations

Domain: Access Management

Best Practice: Appropriate administration of network user accounts is a critical element of a secure environment. The user account provisioning process should be adequately supported by structured procedures that can be monitored by management, and segregated from personnel with other pervasive or sensitive duties. Individuals authorized to add/delete/modify user access should be selectively restricted to ensure only approved requests are processed. Network access should be based on business need, and require a valid username and password that establishes group memberships and authorization.
Employees should be instructed on the importance of password confidentiality. In addition, In order for the Organization to appropriately manage business applications, organization -wide risk and controls should be evaluated and applied based upon the criticality and risk of the application. The Organization should establish a standard for limiting and reviewing administrator access based upon the risk rating. The Organization should implement role -based access for the application, establish a new hire, change of access, and termination procedure for the application, and establish a user access and privilege review process. Control Objective Users, processes, and devices are authenticated prior to being granted system access. _) Create Opportunities 9 Results Control Rating: Partially Effective Inherent Risk: High Comments: The Organization has an access management guideline that is distributed to all employees that have network access. However, the policy in place does not include standards of segregation of duties, role change procedures, and the use of access checklists. In addition, CLA identified that three (3) of the five (5) new user samples did not have acknowledgement of the access management guideline policy documented. Priority and Recommendation Remediation Priority: Medium Residual Risk: Medium Recommendation: CLA recommends that an access management policy or procedure be documented and includes standards for role -based access and role changes. It should also outline how those changes should be approved and documented within the Organization. Consideration for segregation of duties should be outlined as well. In addition, this document should be reviewed and signed by all new employees. ©2021 CliftonLarsonAllen LLP December 7, 2021 Regular ADMIN Committee Meeting Agenda Packet - Page 30 of 111 Attachment 2 Control Objective User access grants to systems and information is approved by appropriate authorities. 
Results Control Rating: Partially Effective Inherent Risk: Medium Comments: The Organization has established a formal process to request access for new employees. However, the new hire form does not formally document who is approving the access for the new employee. Control Objective Results User accounts for temporary users are configured with Control Rating: Partially Effective appropriate expiry dates. Inherent Risk: High Comments: The Organization removes accounts for users in a timely manner for employees. However, CLA identified six (6) accounts belonging to third party users that were enabled and had not logged into the account for the past three (3) years. These accounts had 'password never expired' enabled. Control Objective Results User access privileges are regularly reviewed for Control Rating: Partially Effective appropriateness. Inherent Risk: Medium Comments: Per review of the domain administrative listing, CLA was informed that no formal documentation is maintained to identify the purpose of service accounts that have domain administration access along with an annual approval. CLA identified one (1) user in the administrative listing whose access was deemed as inappropriate. -(J7C) Create Opportunities 10 Priority and Recommendation Remediation Priority: Medium Residual Risk: Medium Recommendation: CLA recommends that new user access includes a documented request process that includes approval and retention requirements. Priority and Recommendation Remediation Priority: High Residual Risk: High Recommendation: CLA recommends that network accounts that are no longer needed be disabled immediately, added to a disabled accounts group, and removed on a standard timeframe based on the criticality of the account. 
Priority and Recommendation Remediation Priority: Medium Residual Risk: Medium Recommendation: CLA recommends that all domain accounts that are not specifically assigned to an individual (i.e., service accounts) be documented and approved by management. Service accounts should be reviewed at least annually to identify accounts that are not needed or expired. The various departments within the Organization should review users within their department and communicate those changes to IT during the access review. ©2021 CliftonLarsonAllen LLP December 7, 2021 Regular ADMIN Committee Meeting Agenda Packet - Page 31 of 111 Attachment 2 Control Objective Access Management (App -Office 365) Application user access is reviewed at least annually to ensure all user accounts are valid and appropriate and that permissions granted in each role have been reviewed and remain appropriate. Documentation of the review and associated changes is retained. Control Objective Access Management (App -Oracle Fusion) Application user access is reviewed at least annually to ensure all user accounts are valid and appropriate and that permissions granted in each role have been reviewed and remain appropriate. Documentation of the review and associated changes is retained. Control Objective Access Management (App -Oracle Fusion) Administrator activity is logged, monitored, and reviewed by an independent party not associated with the process. This includes any third -party monitoring activity that has access to the application. Create Opportunities 11 Results Priority and Recommendation Control Rating: Partially Effective Remediation Priority: High Inherent Risk: High Residual Risk: High Comments: The Organization has not formally Recommendation: CLA recommends a review be performed a review of network access that ensures performed at least annually to validate that network access rights are appropriate to all individuals within the Organization. 
Results Control Rating: Partially Effective Inherent Risk: High Comments: The Organization has not formally performed a review of user access within Oracle Fusion to ensure access rights are appropriate to all individuals within the Organization. Results Control Rating: Partially Effective Inherent Risk: High Comments: The Organization currently does not formally review administrator activity on a periodic basis within Oracle Fusion. accounts belong to active employees or current vendors, and that access matches job responsibilities, and accounts are consistently defined. This review should include all service accounts and ensure only appropriate accounts are remained active. The various departments within the Organization should review users within their department and communicate those changes to IT during the access review. Priority and Recommendation Remediation Priority: High Residual Risk: High Recommendation: CLA recommends a review be performed at least annually to validate that defined accounts remain necessary, access matches job responsibilities, and accounts are consistently defined. Priority and Recommendation Remediation Priority: High Residual Risk: High Recommendation: CLA recommends that administrator activity within Oracle Fusion be reviewed periodically. This review should be performed by an independent party not associated with the process. ©2021 CliftonLarsonAllen LLP December 7, 2021 Regular ADMIN Committee Meeting Agenda Packet - Page 32 of 111 Attachment 2 Control Objective Access Management (App -Office 365) Application user access is reviewed at least annually to ensure all user accounts are valid and appropriate and that permissions granted in each role have been reviewed and remain appropriate. Documentation of the review and associated changes is retained. 
Control Objective Access Management (App -Office 365) Administrator activity is logged, monitored, and reviewed by an independent party not associated with the process Domain: Data Security and Privacy Results Control Rating: Partially Effective Inherent Risk: Low Comments: The Organization has not formally performed a review of user access within Office 365 to ensure access rights are appropriate to all individuals within the Organization. Results Control Rating: Partially Effective Inherent Risk: Low Comments: The Organization currently does not formally review administrator activity on a periodic basis within Office 365. Priority and Recommendation Remediation Priority: Low Residual Risk: Low Recommendation: CLA recommends a review be performed at least annually to validate that defined accounts remain appropriate. Priority and Recommendation Remediation Priority: Low Residual Risk: Low Recommendation: CLA recommends that administrator activity within Office 365 be reviewed periodically. This review should be performed by an independent party not associated with the process. Best Practice: Data Security and Privacy involves the data archival and/or deletion including electronic data communication/transmissions and data at rest (in storage). The Organization should maintain policies/standards/procedures, and design controls that support in protecting the availability, confidentiality, and integrity of data. Create Opportunities 12 ©2021 CliftonLarsonAllen LLP December 7, 2021 Regular ADMIN Committee Meeting Agenda Packet - Page 33 of 111 Attachment 2 Ctl SP-DS.02 Control Objective Data is only shared externally through approved methods. Control Objective Data Security & Privacy Domain administrator accounts are specifically assigned to individuals and are used only when needed for administrative purposes. Administrator accounts are not used for email, office documents, or other general purposes, and are prevented from directly accessing the internet. 
Results Control Rating: Mostly Effective Inherent Risk: Medium Comments: The Organization currently allows users to access their personal email accounts within the network. No web content filtering is currently in place to restrict the use of personal email sites. Results Control Rating: Mostly Effective Inherent Risk: Medium Comments: The Organization has domain administrator accounts assigned to individuals and only used for administrative purposes. However, the Organization currently allows domain administrators to directly access the internet. Priority and Recommendation Remediation Priority: Low Residual Risk: Low Recommendation: CLA recommends that a web content filter be applied to restrict the usage of personal email sites and file sharing sites. This will reduce the risk of potential sensitive data being stored or sent to third parties that are not appropriate. Priority and Recommendation Remediation Priority: Low Residual Risk: Low Recommendation: CLA recommends that a web content filter be applied to restrict the usage of personal email sites and file sharing sites. This will reduce the risk of potential sensitive data being stored or sent to third parties that are not appropriate. Domain: Endpoint Security Best Practice: The objective of endpoint security is to protect an Organization's network, and all major host types including servers, workstations, laptops, mobile devices, databases, network devices, and multifunction printers. Controls should be implemented to detect and block potential attacks at all endpoints. Controls effective, no recommendations. Create Opportunities 13 ©2021 CliftonLarsonAllen LLP December 7, 2021 Regular ADMIN Committee Meeting Agenda Packet - Page 34 of 111 Attachment 2 Domain: Physical Security of IT Assets Best Practice: Controls should be designed to provide reasonable assurance that physical access to areas where organization technology assets are located is limited to appropriate and authorized personnel. 
Environmental controls are intended to protect all organization assets including computer hardware, software, and account holder information that is either electronic or on printed documents from environmental hazards. Control Objective Entry to the data center and network closets provide individual accountability. Alerts or a regular review of these systems are performed. Control Objective Video surveillance captures entry/exit and internal activity to the data center. Create Opportunities 14 Results Control Rating: Mostly Effective Inherent Risk: Medium Comments: The Organization's data center is locked, and only authorized personnel are able to access the center. Reports can be generated to ensure all access is appropriate. However, there is currently no formal review of these reports being performed on a periodic basis. Results Control Rating: Partially Effective Inherent Risk: Medium Comments: The Organization currently does not have video surveillance in the data center to ensure entry and internal activity is appropriate. Priority and Recommendation Remediation Priority: Low Residual Risk: Low Recommendation: CLA further recommends that data center physical access reviews be performed every 6 to 12 months. Priority and Recommendation Remediation Priority: Medium Residual Risk: Medium Recommendation: CLA recommends cameras be installed to identify anyone entering or exiting a systems area (within the data center), as well as internal activity, to ensure suspicious or malicious activity is captured. Video records should be retained for a defined period of time within accordance to incident response procedures and data retention policies. ©2021 CliftonLarsonAllen LLP December 7, 2021 Regular ADMIN Committee Meeting Agenda Packet - Page 35 of 111 Attachment 2 Domain: HR Security Best Practice: User security programs should start with the new hire process, ensuring that all employees are subjected to a background and credit history check. 
The Organization should periodically re-evaluate employee backgrounds for those in sensitive roles to ensure the company is aware of any employee -related risks that arise during their employment. Employees should be trained in appropriate data handling and protection procedures. Part of appropriate data protection is understanding and affirming confidentiality and acceptable use policies. Employees should have information security awareness training annually to ensure employees understand the risks and threats likely to impact them and the organization, how to prevent and report incidents. Control Objective During onboarding, employees are provided with awareness of security training and responsibilities and must sign all agreements as needed. Create Opportunities 15 Results Control Rating: Partially Effective Inherent Risk: Medium Comments: The Organization provides acceptable use and security policies to all new hires. However, existing employees and new employees are not required to complete security awareness training. Priority and Recommendation Remediation Priority: Medium Residual Risk: Medium Recommendation: CLA recommends specific and effective security awareness training for employees upon hire and at least once each year thereafter. Training should consist of a management -approved blend of in person training or web training. 
Training topics should evolve with threats, but at a minimum should address: Password strength and confidentiality Document destruction Locking and Logging Off Computers Social Engineering and Phishing Data Loss Risks (Removable Media, Email, Third - Party Storage Sites, Social Media Posts) - Acceptable Use ©2021 CliftonLarsonAllen LLP December 7, 2021 Regular ADMIN Committee Meeting Agenda Packet - Page 36 of 111 Attachment 2 Domain: Log and Event Management Best Practice: Logging and monitoring are key elements in information security that involve the tools and mechanisms that provide a record of events related to IT systems and processes. They provide the data and diagnostic tools that allow the Organization to investigate and respond to significant events and security access issues. Controls should be implemented that include analysis and alerts/triggers for high -risk activities and suspicious access behaviors, and procedures for reviewing and retaining access log records. Control Objective Alerts should be generated for suspicious behaviors related to the network or key systems. Alerts should cover the following events: The creation or modification of user accounts Consecutive invalid password attempts on multiple user IDs from the same I - Attempts to access disabled accounts Create Opportunities 16 Results Control Rating: Mostly Effective Inherent Risk: Medium Comments: The Organization has alerts generated for suspicious behaviors related to the network. However, the alert for attempts to access disable accounts is currently not enabled. Priority and Recommendation Remediation Priority: Low Residual Risk: Low Recommendation: The Organization has alerts generated for suspicious behaviors related to the network. However, the alert for attempts to access disable accounts is currently not enabled. 
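The two recurring themes of the Access Management and Log and Event Management findings above are an annual account review (stale but enabled third-party accounts with 'password never expires', domain-admin service accounts without a documented purpose and annual approval, accounts that no longer belong to an active employee or vendor) and alerting on account changes, disabled-account logon attempts and repeated failures against multiple IDs from one source. The script below is an added example, not part of the CLA report or Central San's tooling: it runs both sets of checks over a constructed account export and constructed key=value log lines (no real directory or SIEM format is assumed), with the three-year idle and one-year approval thresholds taken from the report.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Thresholds taken from the report: accounts idle for three years were flagged,
# and service-account approvals are expected at least annually.
STALE_AFTER_DAYS = 3 * 365
APPROVAL_WINDOW_DAYS = 365


@dataclass
class Account:
    name: str
    enabled: bool
    kind: str                           # "employee", "third_party" or "service"
    last_logon: Optional[date] = None   # None: the account has never logged on
    password_never_expires: bool = False
    domain_admin: bool = False
    purpose_documented: bool = False    # service accounts: written purpose on file
    approved_on: Optional[date] = None  # service accounts: last management sign-off


def review_accounts(accounts: List[Account], active_people: Set[str],
                    as_of: date) -> Dict[str, List[str]]:
    """Return {account: [finding codes]} for enabled accounts that fail a check.
    active_people is the HR/vendor roster the review is reconciled against."""
    findings: Dict[str, List[str]] = defaultdict(list)
    for a in accounts:
        if not a.enabled:           # disabled accounts are outside this review
            continue
        if a.last_logon is None or (as_of - a.last_logon).days > STALE_AFTER_DAYS:
            findings[a.name].append("stale-but-enabled")
        if a.password_never_expires and a.kind != "service":
            findings[a.name].append("password-never-expires")
        if a.kind in ("employee", "third_party") and a.name not in active_people:
            findings[a.name].append("no-active-owner")
        if a.kind == "service" and a.domain_admin:
            if not a.purpose_documented:
                findings[a.name].append("admin-purpose-undocumented")
            if a.approved_on is None or (as_of - a.approved_on).days > APPROVAL_WINDOW_DAYS:
                findings[a.name].append("admin-approval-overdue")
    return dict(findings)


# Constructed sample export and roster (not data from the review).
AS_OF = date(2021, 9, 16)
ACTIVE_PEOPLE = {"jdoe", "vendor-acme"}
SAMPLE_ACCOUNTS = [
    Account("jdoe", True, "employee", last_logon=date(2021, 9, 15)),
    Account("vendor-acme", True, "third_party", last_logon=date(2021, 8, 1)),
    Account("vendor-old", True, "third_party", last_logon=date(2018, 3, 2),
            password_never_expires=True),
    Account("svc-backup", True, "service", last_logon=date(2021, 9, 16), domain_admin=True,
            purpose_documented=True, approved_on=date(2020, 6, 1)),
    Account("former-emp", False, "employee", last_logon=date(2019, 1, 1)),
]

# Constructed log lines in a simple key=value form, standing in for the
# authentication events a directory service or SIEM would emit.
SAMPLE_LOG = """\
ts=2021-09-16T08:00:01 event=logon_ok user=jdoe src=10.0.0.5
ts=2021-09-16T08:01:10 event=logon_failed user=former-emp src=10.0.0.9 reason=account_disabled
ts=2021-09-16T08:02:00 event=logon_failed user=jdoe src=10.0.0.77 reason=bad_password
ts=2021-09-16T08:02:03 event=logon_failed user=asmith src=10.0.0.77 reason=bad_password
ts=2021-09-16T08:02:05 event=logon_failed user=bwong src=10.0.0.77 reason=bad_password
ts=2021-09-16T08:05:00 event=account_modified user=svc-backup by=admin1 change=add_to_domain_admins
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def alert_on_events(lines: List[str], same_ip_threshold: int = 3) -> List[Tuple[str, str]]:
    """Emit (alert code, subject) pairs for the event types the control names.
    'Consecutive failures on multiple IDs from one IP' is approximated by counting
    distinct failing user IDs per source address."""
    alerts: List[Tuple[str, str]] = []
    failed_users_by_ip: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["event"] in ("account_created", "account_modified"):
            alerts.append(("account-change", ev["user"]))
        elif ev["event"] == "logon_failed":
            if ev.get("reason") == "account_disabled":
                alerts.append(("disabled-account-attempt", ev["user"]))
            failed_users_by_ip[ev["src"]].add(ev["user"])
    for src, users in failed_users_by_ip.items():
        if len(users) >= same_ip_threshold:
            alerts.append(("multi-user-failures-from-one-ip", src))
    return alerts
```

On the sample data, review_accounts flags vendor-old (idle since 2018, password never expires, not on the roster) and svc-backup (approval older than a year), while alert_on_events raises the disabled-account attempt, the group-membership change and the three-user failure burst from 10.0.0.77.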
Attachment 3: Internal Audit Biannual Findings Report for the Board of Directors - Close of Q2 FY 2021-22

Report as of: 11.16.21
Administration Committee meeting date: 12.07.21
Prepared by: Benjamin Johnson, Internal Auditor
Highlight Legend: Past Due; High Risk; Closed

No. | Finding | Audit (Finding No.) | Description | Risk Rating | Department / Responsible | Report Date | Due Date / Status
1 | Policies and procedures | FY 2020-21 Payroll Design-only Review (1) | Policies and procedures surrounding the payroll process have not been updated since the rollout of the Oracle payroll module. | 2 | Human Resources; Teji O'Malley; Bailey | 09.21.21 | [illegible] (Original); 01.31.22 (Extended)
2 | Payroll data review by an employee with no payroll duties | FY 2020-21 Payroll Design-only Review | HR and Finance do not have the ability to generate detailed reporting within Oracle that provides staff with the management-critical data elements necessary to perform a robust accuracy review. Payroll data is manually reviewed for accuracy by HR staff during the bi-weekly payroll process; however, it is not subsequently reviewed by an employee with no payroll processing responsibilities prior to key processes. Changes to the G/L are reviewed by the Finance Manager. | 1 | Human Resources; Finance; Teji O'Malley; Kevin M[illegible]; Leiber | 09.21.21 | HR - 08.01.21 (Closed); Finance - 11.12.21 (Original), 02.31.22 (Extended) (Partially Closed)
3 | SP-IA.01 - Access Management | FY 2021-22 IT Identity and Access Management Review (1) | The Organization has an access management guideline that is distributed to all employees that have network access. However, the policy in place does not include standards of segregation of duties, role change procedures, and the use of access checklists. In addition, CLA identified that three (3) of the five (5) new user samples did not have acknowledgement of the access management guideline policy documented. | 2 | Information Technology; Huie; Leiber | 09.16.21 | TBD
4 | SP-IA.05 - Access Management | FY 2021-22 IT Identity and Access Management Review (2) | The Organization has established a formal process to request access for new employees. However, the new hire form does not formally document who is approving the access for the new employee. | 2 | Information Technology; Huie; Leiber | 09.16.21 | TBD
5 | SP-IA.07 - Access Management | FY 2021-22 IT Identity and Access Management Review (3) | The Organization removes accounts for users in a timely manner for employees. However, CLA identified six (6) accounts belonging to third party users that were enabled and had not logged into the account for the past three (3) years. These accounts had 'password never expires' enabled. | 1 | Information Technology; Huie; Leiber | 09.16.21 | TBD
6 | SP-IA.12 - Access Management | FY 2021-22 IT Identity and Access Management Review (4) | Per review of the domain administrative listing, CLA was informed that no formal documentation is maintained to identify the purpose of service accounts that have domain administration access along with an annual approval. CLA identified one (1) user in the administrative listing whose access was deemed as inappropriate. | 2 | Information Technology; Huie; Leiber | 09.16.21 | TBD
7 | SP-IA.20 - Access Management (App - Office 365) | FY 2021-22 IT Identity and Access Management Review (5) | The Organization has not formally performed a review of network access that ensures network access rights are appropriate to all individuals within the Organization. | 1 | Information Technology; Huie; Leiber | 09.16.21 | TBD
8 | SP-IA.21 - Access Management (App - Oracle Fusion) | FY 2021-22 IT Identity and Access Management Review (6) | The Organization has not formally performed a review of user access within Oracle Fusion to ensure access rights are appropriate to all individuals within the Organization. | 1 | Information Technology; Huie; Leiber | 09.16.21 | TBD
9 | SP-IA.22 - Access Management (App - Oracle Fusion) | FY 2021-22 IT Identity and Access Management Review (7) | The Organization currently does not formally review administrator activity on a periodic basis within Oracle Fusion. | 1 | Information Technology; Huie; Leiber | 09.16.21 | TBD
10 | SP-IA.23 - Access Management (App - Office 365) | FY 2021-22 IT Identity and Access Management Review (8) | The Organization has not formally performed a review of user access within Office 365 to ensure access rights are appropriate to all individuals within the Organization. | 3 | Information Technology; Huie; Leiber | 09.16.21 | TBD
11 | SP-IA.24 - Access Management (App - Office 365) | FY 2021-22 IT Identity and Access Management Review (9) | The Organization currently does not formally review administrator activity on a periodic basis within Office 365. | 3 | Information Technology; Huie; Leiber | 09.16.21 | TBD
12 | SP-DS.0 - Data Security & Privacy | FY 2021-22 IT Identity and Access Management Review (10) | The Organization currently allows users to access their personal email accounts within the network. No web content filtering is currently in place to restrict the use of personal email sites. | 3 | Information Technology; Huie; Leiber | 09.16.21 | TBD
13 | SP-DS.02 - Data Security & Privacy | FY 2021-22 IT Identity and Access Management Review (11) | The Organization has domain administrator accounts assigned to individuals and only used for administrative purposes. However, the Organization currently allows domain administrators to directly access the internet. | 3 | Information Technology; Huie; Leiber | 09.16.21 | TBD
14 | SP-PS.03 - Physical Security of IT Assets | FY 2021-22 IT Identity and Access Management Review (12) | The Organization's data center is locked, and only authorized personnel are able to access the center. Reports can be generated to ensure all access is appropriate. However, there is currently no formal review of these reports being performed on a periodic basis. | 3 | Information Technology; Huie; Leiber | 09.16.21 | TBD
15 | SP-PS.05 - Physical Security of IT Assets | FY 2021-22 IT Identity and Access Management Review (13) | The Organization currently does not have video surveillance in the data center to ensure entry and internal activity is appropriate. | 2 | Information Technology; Huie; Leiber | 09.16.21 | TBD
16 | SP-HR.01 - HR Security | FY 2021-22 IT Identity and Access Management Review (14) | The Organization provides acceptable use and security policies to all new hires. However, existing employees and new employees are not required to complete security awareness training. | 2 | Information Technology; Huie; Leiber; O'Malley | 09.16.21 | TBD
17 | SD-EM.02 - Log and Event Management | FY 2021-22 IT Identity and Access Management Review (11) | The Organization has alerts generated for suspicious behaviors related to the network. However, the alert for attempts to access disabled accounts is currently not enabled. | 3 | Information Technology; Huie; Leiber | 09.16.21 | TBD
18 | Personnel and payroll user privileges in Oracle | FY 2020-21 Payroll Design-only Review (2) | Two HR staff have privileges that allow them to enter new employees into the Human Capital Management (HCM) personnel module as well as edit data in the payroll module. | 1 | Human Resources; Teji O'Malley | 09.21.21 | 10.05.21 (Original); 10.29.21 (Extended)

Attachment 4: Internal Audit Reporting for the First Half of Fiscal Year 2021-22
Administration Committee Meeting, December 7, 2021
Benjamin Johnson, Internal Auditor

FY 2020-21 PAYROLL DESIGN-ONLY REVIEW FINAL REPORT ISSUED 09/21/21
• Background
  • HR and Finance have worked through numerous challenges related to ERP implementation as it relates to the payroll process
  • Although management and staff have committed a considerable amount of time and effort to manually identify/correct payroll data errors and initiate system improvements, system functionality continues to have certain limitations as of the date of the audit report
• Scope of the review
  • Reviewed the design of controls to assess whether they help meet the objectives of the organization
  • Will review the operating effectiveness of controls (a traditional operational audit) in Q4 of this fiscal year

FY 2020-21 PAYROLL DESIGN-ONLY REVIEW FINAL REPORT ISSUED 09/21/21
• Audit results
  • Three findings reported
  • Need for policies and procedures surrounding this process: Moderate Risk; due date extended
  • Inappropriate Oracle user privileges noted for two HR staff: High Risk; closed for design effectiveness
  • Lack of payroll data review by an employee with no payroll duties: High Risk; due date extended and partially closed for design effectiveness
• Next steps
  • Management is working closely with the ERP implementer to increase system functionality and enhance the payroll process
  • Internal Audit will continue to follow up with management to track remediation progress

FY 2021-22 IT IDENTITY AND ACCESS MANAGEMENT REVIEW FINAL REPORT ISSUED 09/16/21
• Background
  • Internal Audit partnered with CliftonLarsonAllen (CLA), an external consultant, to perform this review
  • This process has not been previously reviewed by Internal Audit
• Scope of the review
  • This project focused on super-user access / administrator rights, including the controls in place to monitor activity, specifically as they relate to:
    • Oracle Fusion Cloud
    • Microsoft Office 365

FY 2021-22 IT IDENTITY AND ACCESS MANAGEMENT REVIEW FINAL REPORT ISSUED 09/16/21
• Audit results
  • 15 findings reported
  • High Risk: 4
  • Moderate Risk: 5
  • Low Risk: 6
• Next steps
  • All findings have been vetted with IT management and corrective action plans are being drafted as of mid-November 2021
  • Internal Audit will continue to follow up with management to track remediation progress

INTERNAL AUDIT BIANNUAL FINDINGS REPORT FOR THE BOARD OF DIRECTORS - CLOSE OF Q2 FY 2021-22
• Cumulative results
  • 2 audit reports issued
  • 18 findings reported
  • High Risk: 6
  • Moderate Risk: 6
  • Low Risk: 6
  • 1 finding is closed for design effectiveness
• Current and future projects
  • The FY 2021-22 Accounts Payable Audit is near conclusion as of the date of this presentation
  • The Asset Inventory Review and Payroll Operational Audit are scheduled to be performed in Q3 and Q4 of this fiscal year, respectively