4.a. Receive preview of Miscellaneous Assets Review Internal Audit Report

Item 4.a.

CENTRAL SAN

November 1, 2022

TO: ADMINISTRATION COMMITTEE
FROM: BENJAMIN JOHNSON, INTERNAL AUDITOR
REVIEWED BY: PHILIP LEIBER, DIRECTOR OF FINANCE AND ADMINISTRATION; ROGER S. BAILEY, GENERAL MANAGER
SUBJECT: RECEIVE PREVIEW OF MISCELLANEOUS ASSETS REVIEW INTERNAL AUDIT REPORT

Enclosed is the Fiscal Year (FY) 2021-22 Miscellaneous Assets Draft Report. Internal Audit assessed the design of internal controls surrounding the safekeeping of high-value tools and equipment that have been affected by losses/thefts during the past several years. The audit report attached summarizes the results of this effort.

The audit report attached was issued to management in July 2022 and, therefore, the findings presented are in their original language. Internal Audit will present a status update for each finding to the Administration Committee via the presentation attached. There will be regular follow-up to discuss remediation efforts and send reminders, as needed.

Strategic Plan Tie-In
GOAL FOUR: Governance and Fiscal Responsibility
Strategy 1 - Promote and uphold ethical behavior, openness, and accessibility
Strategy 3 - Maintain financial stability and sustainability

ATTACHMENTS:
1. FY 2021-22 Miscellaneous Assets Review Final Report 07.08.22
2. Presentation

November 1, 2022 Regular ADMIN Committee Meeting Agenda Packet - Page 4 of 62

ATTACHMENT 1

CENTRAL SAN
CENTRAL CONTRA COSTA SANITARY DISTRICT
5019 IMHOFF PLACE, MARTINEZ, CA 94553-4392

INTERNAL AUDIT REPORT

DATE: July 8, 2022

TO:
Neil Meyer, Plant Maintenance Division Manager
Edgar Lopez, Capital Projects Division Manager
Charles Mallory, Information Technology Manager
Dennis Chebotarev, Project Manager/Business Analyst
Shari Deutsch, Risk Management Administrator

FROM: Benjamin Johnson, Internal Auditor

SUBJECT: FISCAL YEAR (FY) 2021-22 MISCELLANEOUS ASSETS REVIEW FINAL REPORT

Enclosed is the Fiscal Year (FY) 2021-22 Miscellaneous Assets Review Final Report. Internal Audit identified and assessed the design of internal controls surrounding the safeguarding of Central San's high-value tools and equipment.

The actions taken and/or planned are responsive to the observations in the report. There will be regular follow-up to discuss remediation efforts and send reminders, as needed. Internal Audit plans to perform an operational review of internal controls surrounding the safeguarding of high-value tools and equipment in FY 2022-23, where testing will be conducted to verify that the agreed-upon corrective actions and existing controls are operationally effective in reducing the risk of theft.

Internal Audit would like to thank management for their partnership during the length of this project. If you have any questions, please contact me at (925) 229-7120.

Benjamin Johnson
Internal Auditor

Enclosure

cc:
Roger S. Bailey, General Manager
Philip Leiber, Director of Finance and Administration
Jean-Marc Petit, Director of Engineering and Technical Services
Steve McDonald, Director of Operations

FY 2021-22 MISCELLANEOUS ASSETS REVIEW FINAL REPORT

DATE: July 8, 2022

INTRODUCTION

Audit Objective

The objective of this engagement was to identify and assess the design of internal controls surrounding the safeguarding of Central San's high-value tools and equipment.

Background

Within the last few fiscal years, Central San has experienced the loss of a hot water pressure washer, two generators, and two computer tablets. In response to these recent thefts, management has made a concerted effort to strengthen internal controls as they relate to the safeguarding of high-value tools and equipment. Notable improvements made prior to this review include:

• Improved lighting and spatial organization in the Garden Shop
• Implemented card/key access requirements for entry into several key areas which house valuable tools and equipment
• Added new fencing around perimeter areas of the Treatment Plant site and implemented motion sensor lighting
• Limited staff parking inside the Treatment Plant gate
• Updated tool/equipment inspection lists and frequency as well as standard operating procedures (SOPs) related to the safeguarding of tools and equipment

As noted above, management has made significant progress thus far. Any recommendations made in this report are intended to further enhance existing internal controls and reduce the risk of theft.

Audit Scope, Limitations, and Methodology

Internal Audit plans to perform an operational review of the internal controls surrounding the safeguarding of high-value tools and equipment in FY 2022-23.

In this review, Internal Audit assessed the design of internal controls surrounding the safeguarding of high-value tools and equipment, with a focus on specific categories that have been deemed high risk, including high-pressure washers, generators, and computer tablets. The following was reviewed in relation to the safeguarding of high-value tools and equipment:

• Policies and procedures
• Compared the current design of internal controls with those prior to FY 2021-22
• Assessed the adequacy and reasonableness of the current design of controls

The audit was performed using the following methods:

1. Reviewed available policies, guidelines, and procedures.
2. Interviewed team members and observed the processes within the scope of the audit.
3. Performed an analysis of past and current controls.
4. Reported on the results of the review and discussed recommendations, including the following:
   a. Objective
   b. Background
   c. Scope, limitations, and methodology
   d. Summary of results
   e. Recommendations with management's responses

INTERNAL AUDIT RESULTS

Summary

Based on Internal Audit's assessment of the design of internal controls surrounding the safeguarding of high-value tools and equipment, significant improvements remain to minimize risk to the organization. Management appears committed to maintaining a strong internal control environment and enhancing processes where needed. Findings and recommendations were made surrounding the following:

• Formalization of the transfer process of high-value tools and equipment from Capital Projects to Plant Maintenance
• Inappropriate key access to buildings housing high-value tools and equipment
• Uncovered mobile equipment
• Enhancing visibility to high-value tools and equipment
• Inventory inspection single source of truth
• Formalizing procedures/standard operating procedures (SOPs) to safeguard high-value tools and equipment

The risk each finding presents to the organization is weighted using the following system:

• 1 - High Risk
• 2 - Moderate Risk
• 3 - Low Risk

Finding 1: Formalization of the transfer process of high-value tools and equipment from Capital Projects to Plant Maintenance
2 - Moderate Risk

The processes related to the transfer of high-value tools and equipment (non-assets) from the Capital Projects Division to the Plant Maintenance Division have not been formalized. Although appropriate management may be copied on email correspondence between Divisions, there is no standardized form to document management's review/approval of the transfer and the necessary training performed. Similarly, when assets are transferred, although there is a formal process in place, managers are not required to document their review/approval.

Recommendation:
A form should be developed to document the transfer of high-value tools and equipment (non-assets) from the Capital Projects Division to the Plant Maintenance Division as well as the related training performed. Appropriate management from both Divisions should formally document their review and approval of high-value asset/non-asset transfers via signature. Management must use professional judgment to develop criteria that determine which tools/equipment require manager approval, taking into consideration there are low-cost items that may be deemed low risk.

Management's Response/Action Plan:
Capital Projects will include additional details and forms for all non-asset items transferred over to the Operations Department, as stated in the findings. Projects already have formal documents for assets and will include a section for all other items. Forms will include senior stakeholders and respective Division Managers. Projects can take several years to complete, therefore, any items delivered prior to accepting the project will also be documented and forms developed with the appropriate signature by staff and Managers.
Target Date: 09-30-22 / Responsible Owner: Edgar Lopez

Internal Audit's Response:
Management's action plans and due date appear reasonable.

Finding 2: Inappropriate key access to buildings housing high-value tools and equipment
1 - High Risk

Although substantial improvements have been made by the Plant Maintenance Division to reduce unauthorized key access to high-value tools and equipment after recent thefts, opportunities for improvement remain:

• Buildings and Grounds (B&G) team members did not return keys to Risk Management upon departure from the department, as required by Central San's Access Control Procedure (AP 16-1). Alternatively, B&G supervisors reissued the keys directly to new, incoming team members and, consequently, Risk Management could not accurately track/manage key issuance. During our review, Risk Management met with B&G team members, assessed which keys were in possession of each team member, and updated their key inventory accordingly. - Risk Management reported completion on 04-06-22.
  Note: After additional review, Risk Management noted similar instances of unreturned keys and ID badges with at least two other departments, indicating possible pervasiveness.
• Prior to Internal Audit's review, the roll-up door to the B&G Garden Shop was locked with a standard key that was easy to duplicate and not managed by Risk Management. When asked to perform a B&G key inventory assessment, Risk Management identified this issue and rekeyed the roll-up door immediately to only allow access using the Schlage Primus keys previously issued to B&G team members. Primus keys are difficult to duplicate and are managed by Risk Management. - Risk Management reported completion on 04-05-22.
• Risk Management does not manage the keys to any of the Conex boxes, which are in the Plant Operations area, managed by the Plant Maintenance Division, and house relatively valuable equipment and tools (i.e., generators). The keys are relatively easy to copy. In response, Risk Management rekeyed and inventoried all Conex boxes owned and operated by Central San. - Risk Management reported completion on 05-17-22.
• Although key access to the B&G Garden Shop is limited to only B&G team members, keyholders have independent access to high-value tools and equipment during and after normal operating hours.

Recommendation:
Internal Audit recommends the following:

1. Partner with HR to create an employee departure/transfer checklist that requires issued keys/badges (Risk Management) and equipment (Information Technology) be returned to their designated departments before departure/transfer and department representatives to sign off upon receipt.
2. Risk Management should perform regular risk-based key inventory assessments, via management questionnaires and onsite walkthroughs, to identify new locks, rekey for Primus keys, and update the inventory to enhance oversight.
3. Buildings and Grounds may want to implement an electronic key cabinet (i.e., Traka) that requires ID cards to check out shared keys. Electronic key cabinets can track when keys are checked out, by whom, and when they are checked back in, enhancing accountability during and after normal operating hours.
4. Risk Management should rekey the locks for all Conex storage containers owned and operated by Central San for Primus keys and manage these points of entry moving forward. - Risk Management reported completion on 05-17-22.

Management's Response/Action Plan:

1. The Information Technology (IT) Department will hold a meeting with HR to determine an appropriate way to track keys/badges/equipment whenever employees transfer between departments or separate from Central San. The implementation of the solution might take longer than the due date shown here.
   Target Date: 08-31-22 / Responsible Owner: Dennis Chebotarev
2. Risk Management will initiate a full key audit in Summer 2022. Findings and recommendations arising from the audit will be presented to the Security Committee in Fall 2022. Risk Management plans to replace all District badges with a new design, and where needed, updated staff photos, on new HID cards. Project implementation has been delayed while the HID cards are backordered. This project will commence shortly after the new cards arrive (est. 3-6 months).
   Target Date: 12-31-22 / Responsible Owner: Shari Deutsch
3. Clint Shima will coordinate with Risk Management the details of the scope for the new Traka box and include the design and construction into the existing Maintenance and Reliability Center (MRC) project. Jon Nicolaus will provide a list of staff that need access to each area, which will be tracked by the Traka box. Risk Management will do the following:
   - Work with Clint Shima regarding inclusion of a Traka key box and required infrastructure to the MRC renovations project
   - Work with contractor/subcontractors where possible to integrate the key box into the master security system
   - Work with maintenance staff to establish key access protocols and procedures
   - Develop and provide training to box users
   Target Date: 12-31-22 / Responsible Owners: Clint Shima; Jon Nicolaus; Shari Deutsch
4. Alternative solution implemented. Risk Management replaced all padlocks on Conex boxes with padlocks already keyed to Central San's master key system. Key control for these points of entry has been integrated into Risk Management's existing key management procedures. - Risk Management reported completion on 05-17-22.

Internal Audit's Response:
Corrective action plans provided by management appear reasonable. Although the exact timing of the MRC project is unknown as of the date of this report, a due date of December 31, 2022, has been assigned to the third item. As the planning process progresses, adjustments will be made, as necessary.

Finding 3: Uncovered mobile equipment
2 - Moderate Risk

Certain high-value mobile equipment (i.e., generators, bypass pumps, etc.) is not stored in a covered area due to a lack of space in existing storage facilities, increasing the risk of theft. This equipment is currently stored in an open field area of the Treatment Plant site.

Recommendation:
Build a new covered, secure area to house mobile equipment that is managed by the appropriate Division(s). Locks/keys to entry ways should be managed by Risk Management in coordination with the Plant Maintenance Division.

Management's Response/Action Plan:
Several projects are in progress that address security and storage for equipment. These projects include, but are not limited to, the storage facility for Pumping Stations at the Annex property and the Warehouse Improvements. Other improvements have been identified and will be evaluated for the 10-Year Capital Improvements Plan. Also, staff has issued a formal Request for Qualifications soliciting for a Security Consultant for technical assistance and these services and agreement will be presented to the Board for authorization soon.
Target Date: 09-30-23 / Responsible Owner: Edgar Lopez

Internal Audit's Response:
Considering the breadth and scope of this endeavor, management's action plans and due date appear reasonable.

Finding 4: Enhancing visibility to high-value tools and equipment
2 - Moderate Risk

There are opportunities to further reduce the risk of theft by enhancing visibility within the B&G Garden Shop and at the Plant Operations main gate. The video cameras located at the plant treatment site's main gate do not provide enough detail to identify faces or license plate numbers, and increased involvement from the security guards can further improve awareness. In addition, the B&G Garden Shop does not have video cameras installed to monitor activity.

Recommendation:
Internal Audit recommends the following:

1. Install a security camera to better monitor the Plant Operations main gate and at any current and future points of entry. Install security cameras in the B&G Garden Shop.
2. Paint high-value mobile equipment a distinct color to increase visibility and awareness.
3. Increase security guard involvement to raise awareness of the risk of theft and to execute future security enhancements driven by management. - Risk Management reported completion on 06-10-22.

Management's Response/Action Plan:

1. Additional and replacement cameras are part of the security asset installation plan. Implementation to be determined per Security Planning Consultant risk assessment and prioritization.
   Target Date: 12-31-22 / Responsible Owner: Shari Deutsch
2. The painter has been assigned this task with plans to start in July and finish by December.
   Target Date: 12-31-22 / Responsible Owner: Jon Nicolaus
3. This is now a standing item on the Security Committee Agenda. - Risk Management reported completion on 06-10-22.

Internal Audit's Response:
Corrective action plans provided by management appear reasonable. Although the implementation date of the first item is unknown as of the date of this report, we will assign a due date of December 31, 2022, and adjust, if necessary, as the project progresses.

Finding 5: Inventory inspection single source of truth
3 - Low Risk

B&G does not have a single source of truth while performing their monthly equipment and bi-weekly tool inventory inspections. When another work group desires to borrow tools/equipment from B&G, borrowers complete a tool loan release form, which is signed by a B&G Supervisor, scanned, and uploaded into Cityworks. The tool is also listed on a whiteboard to make the inventory inspector aware that it is currently loaned out. If the whiteboard is accidentally erased or the inventory inspector does not remember to reference the whiteboard, the results of the review may be inaccurate.

Recommendation:
Management should revamp the tool loan release form to list multiple loans, including critical information such as check-out/in signatures from both a B&G Supervisor and the borrower with corresponding dates. This form can be scanned and printed out to use for reference when performing equipment and tool inventory inspections, which would help minimize redundancy as the whiteboard is no longer needed and all loans/returns can be visible on one document. After each inspection, this form can be uploaded along with the work order into Cityworks to document the review.

Management's Response/Action Plan:
The form will be updated to list multiple loans, including critical information such as check-out/in signatures from both a B&G Supervisor and the borrower with corresponding dates. The form for the loaned tool checkout sheet will be digitally attached to each inspection work order in Cityworks. This will allow a digital record and history of equipment use and linked to routine inspections as outlined in the Tool and Equipment Assignment, Storage, and Distribution Procedure (finding #6). The preventative maintenance (PM) work order will be assigned to a shop and include details on routine inspection and inventory of the new equipment.
Target Date: 07-31-22 / Responsible Owner: Jon Nicolaus

Internal Audit's Response:
Management's action plan and target date appear reasonable.

Finding 6: Formalizing procedures/SOPs to safeguard high-value tools and equipment
3 - Low Risk

Although informal language exists, the Information Technology (IT) Division and the Plant Maintenance Division have not published formal standard operating procedures (SOPs) that specify procedures to safeguard high-value tools and equipment managed by the IT Division and B&G, respectively. Given the import of the controls surrounding the safeguarding of high-value tools and equipment, formally documenting, filing, and regularly updating these procedures is critical to driving a strong internal control environment.

Recommendation:
The Plant Maintenance Division should craft a formal, high-level SOP that covers all the Plant Maintenance shops, or a separate SOP for each shop, detailing the definitions of high-value tools and equipment as well as assignment, storage, and distribution procedures. References to existing SOPs (i.e., B&G's equipment and tool inventory inspections) should be included to communicate how individual shops monitor activity.

Similarly, the IT Division should craft a formal SOP that outlines the controls in place to safeguard high-value equipment, such as laptops and tablets, when in their possession as well as any tracking services (i.e., Mobile Device Management software) Central San currently uses when a loaned-out item goes missing.

SOPs for both Divisions should be documented on District-approved templates and updated as needed.

Management's Response/Action Plan:
IT: High-value IT equipment control/tracking SOP will be created to formalize the current practices.
Target Date: 07-31-22 / Responsible Owner: Dennis Chebotarev

Plant Maintenance: An SOP has been developed and will be distributed to all Division staff. The procedure identifies a process and procedure to meet the operational needs of the Treatment Plant and Pumping Station sites while providing a strong prevention program for loss, theft, and damage to District equipment and tools. The SOP includes how individual shops will monitor and control District equipment assigned to an individual or a shop. - Plant Maintenance reported completion on 06-21-22.

Internal Audit's Response:
Management's action plans and due date appear reasonable.

ATTACHMENT 2

November 1, 2022
FY 2021-22 Miscellaneous Assets Review Report
Administration Committee Meeting
Benjamin Johnson, Internal Auditor

FY 2021-22 Misc. Assets Review
Final report issued 07/08/22

Background

Within the last few fiscal years, management has reported the theft of a hot water pressure washer, two generators, and two computer tablets. In response, management has made notable improvements prior to this review including:

• Improved lighting and spatial organization in the Garden Shop
• Implemented card/key access requirements for entry into several key areas which house valuable tools and equipment
• Added new fencing around perimeter areas of the Treatment Plant site and implemented motion sensor lighting
• Moved staff parking off the Treatment Plant site
• Updated tool/equipment inspection lists and frequency as well as standard operating procedures (SOPs) related to the safeguarding of tools and equipment

Audit Objective

The objective of this engagement was to identify and assess the design of internal controls surrounding the safeguarding of Central San's high-value tools and equipment.

Audit Scope

Internal Audit plans to perform an operational review of the internal controls surrounding the safeguarding of high-value tools and equipment next year.

In this review, Internal Audit assessed the design of related internal controls, with a focus on specific categories that have been deemed high risk, including high-pressure washers, generators, and computer tablets.

Audit Scope (Continued)

The following was reviewed in relation to the safeguarding of high-value tools and equipment:

• Policies and procedures
• Compared the current design of internal controls with those prior to FY 2021-22
• Assessed the adequacy and reasonableness of the current design of controls

Audit Results

Six findings reported:

• Formalization of the transfer process of high-value tools and equipment from Capital Projects to Plant Maintenance - Moderate Risk. Finding closed on 10/03/22 (three days past due date)
• Inappropriate key access to buildings housing high-value tools and equipment - High Risk
• Uncovered mobile equipment - Moderate Risk
• Enhancing visibility to high-value tools and equipment - Moderate Risk
• Inventory inspection single source of truth - Low Risk. Finding closed on 07/28/22
• Formalizing procedures/SOPs to safeguard high-value tools and equipment - Low Risk. Finding closed on 07/27/22

Next Steps

Internal Audit will continue to follow up with open finding owners via:

• Quarterly meetings with executive management and managers that have audit findings with approaching due dates as an opportunity for remediation updates and open dialogue
• Email reminders sent out to appropriate management and executive management three weeks before each finding component is due
• Meetings with finding owners to provide additional clarification, as needed