01. Conduct an Internal Audit Workshop
Page 1 of 9
Item 1.
CENTRAL CONTRA COSTA SANITARY DISTRICT
February 9, 2023
TO: HONORABLE BOARD OF DIRECTORS
FROM: BENJAMIN JOHNSON, INTERNAL AUDITOR
REVIEWED BY: PHILIP LEIBER, DIRECTOR OF FINANCE AND ADMINISTRATION
ROGER S. BAILEY, GENERAL MANAGER
SUBJECT: CONDUCT THE 2023 INTERNAL AUDIT WORKSHOP
Central San's Internal Auditor, Benjamin Johnson, will facilitate an internal audit workshop to create an
opportunity for exclusive interaction with the Board. This is the first workshop of its kind, with the intent to
conduct it as an annual special board meeting moving forward. A presentation is attached to lay the
groundwork for subsequent open conversation and to provide the Board with additional detail surrounding
the internal audit role, its inputs and outputs, and the annual audit plan.
Strategic Plan Tie-In
GOAL FOUR: Governance and Fiscal Responsibility
Strategy 1 - Promote and uphold ethical behavior, openness, and accessibility; Strategy 3 - Maintain financial stability
and sustainability
ATTACHMENTS:
1. Internal Audit Biannual Findings Report - Close of Q4 Calendar Year 2022
2. Presentation
February 9, 2023 Special Board Meeting Agenda Packet- Page 3 of 11
Attachment 1
Internal Audit Biannual Findings Report - Close of Calendar Year 2022
Current as of: 01.20.23
Prepared by: Benjamin Johnson, Internal Auditor

Risk Rating (Total):
- 1 - High Risk: 7
- 2 - Moderate Risk: 10
- 3 - Low Risk: 10
- FY Total to Date: 27

General Category of Observations (Total):
- Need for documentation of procedures or updates: 5
- Segregation of duties: 3
- IT-related controls: 14
- General process and/or control improvements: 4
- Automation opportunities: 1

Highlight Legend (colour highlighting in the original report): Past Due, High Risk, Closed.
Columns of the original findings table: Finding Number; Finding Title; Audit Name; Observation Number; Finding Description; Risk Rating (Residual); Category; Department; Owner; Executive Manager; Report Date; Due Date; Date Closed. Dates that were struck through in the original and could not be read from the scan are marked [illegible].

Open

1. Payroll data review by an employee with no payroll duties
   Audit: FY 2020-21 Payroll Design-only Review, Observation 3
   Description: HR and Finance do not have the ability to produce detailed reporting within Oracle that provides staff and management critical data elements necessary to perform a robust accuracy review. Payroll data is currently reviewed for accuracy by HR staff during the bi-weekly payroll process; however, it is not subsequently reviewed by an employee with no payroll processing responsibilities prior to key processes.
   Residual risk rating: 1 (High). Category: Segregation of duties.
   Department: Human Resources; Finance. Owner: O'Malley; Mizuno. Executive Manager: Bailey; Leiber.
   Report date: 09.21.21. Due date: HR 08.01.21; Finance [illegible] (original), 12.31.22 (extended). Date closed: HR 08.01.21; Finance 11.12.21 (partially closed: changes to the GL are reviewed by the Finance Manager).

2. Physical check payment run
   Audit: FY 2021-22 Accounts Payable Audit, Observation 2
   Description: Given the strong internal controls in place prior to the County's involvement in the payment process, the County's countersignature process appears duplicative and inefficient.
   Residual risk rating: 3 (Low). Category: Automation opportunities.
   Department: Finance. Owner: Mizuno. Executive Manager: Leiber.
   Report date: 03.25.22. Due date: 12.31.23. Date closed: (open).

3. Inappropriate key access to buildings housing high-value tools and equipment
   Audit: FY 2021-22 Miscellaneous Assets Review, Observation 2
   Description: Although substantial improvements have been made by the Plant Maintenance Division to reduce unauthorized key access to high-value tools and equipment after recent thefts, opportunities for improvement remain.
   Residual risk rating: 1 (High). Category: General process and/or control improvements.
   Department: Information Technology; Risk Management; Plant Maintenance. Owner: [illegible]; Mallory; Deutsch; [illegible]; Nicolaus. Executive Manager: Leiber; [illegible].
   Report date: 07.08.22. Due date: IT [illegible] (interim), 03.31.23 (extended); RM/PM 12.31.22. Date closed: RM 12.01.22 (original); RM/PM 12.02.22 and 12.31.22 (accompanying note illegible).

4. Uncovered mobile equipment
   Audit: FY 2021-22 Miscellaneous Assets Review, Observation 3
   Description: Certain high-value mobile equipment (i.e., generators, bypass pumps, etc.) is not stored in a covered area due to a lack of space in existing storage facilities, increasing the risk of theft. This equipment is currently stored in an open field area of the Treatment Plant site.
   Residual risk rating: 2 (Moderate). Category: General process and/or control improvements.
   Department: Capital Projects. Owner: Lopez. Executive Manager: Gemmell.
   Report date: 07.08.22. Due date: 09.30.23 (interim). Date closed: (open).

5. Enhancing visibility to high-value tools and equipment
   Audit: FY 2021-22 Miscellaneous Assets Review, Observation 4
   Description: There are opportunities to further reduce the risk of theft by enhancing visibility within the B&G Garden Shop and at the Plant Operations main gate.
   Residual risk rating: 2 (Moderate). Category: General process and/or control improvements.
   Department: Risk Management; Plant Maintenance. Owner: Deutsch; Nicolaus. Executive Manager: Leiber; [illegible].
   Report date: 07.08.22. Due date: RM [illegible] (interim), 12.31.23 (extended); PM 12.31.22. Date closed: RM 12.06.22 (original; partially closed: will install [illegible] at main gate, but no need for Garden Shop); PM 11.23.22.

6. Inaccurate off-cycle payments related to excess holiday compensation
   Audit: FY 2021-22 Payroll Operational Audit, Observation 1
   Description: In June 2022, excess holiday compensation time earned for seven District employees was manually calculated and processed as off-cycle payments. Due to the manual nature of this payment process, four of the seven employees were erroneously issued duplicate longevity payments on June 13, 2022.
   Residual risk rating: 2 (Moderate). Category: IT-related controls.
   Department: Human Resources. Owner: O'Malley. Executive Manager: Bailey.
   Report date: 11.01.22. Due date: [illegible] (original), 03.31.22 (extended). Date closed: (open).

Closed
1. Personnel and payroll user privileges in Oracle
   Audit: FY 2020-21 Payroll Design-only Review, Observation 2
   Description: Two HR staff have user privileges that allow them to enter new employees into the Human Capital Management (HCM) personnel module as well as edit data in the payroll module.
   Residual risk rating: 1 (High). Category: Segregation of duties.
   Department: Human Resources. Owner: O'Malley. Executive Manager: Bailey.
   Report date: 09.21.21. Due date: [illegible] (original), 10.29.21 (extended). Date closed: 10.05.21.

2. SP-IA.05 - Access Management
   Audit: FY 2021-22 IT Identity and Access Management Review, Observation 2
   Description: The Organization has established a formal process to request access for new employees. However, the new hire form does not formally document who is approving the access for the new employee.
   Residual risk rating: 2 (Moderate). Category: Need for documentation of procedures or updates.
   Department: Information Technology. Owner: Chebotarev. Executive Manager: Leiber.
   Report date: 09.16.21. Due date: 01.15.22. Date closed: 01.15.22.

3. SP-IA.07 - Access Management
   Audit: FY 2021-22 IT Identity and Access Management Review, Observation 3
   Description: The Organization removes accounts for users in a timely manner for employees. However, CLA identified six (6) accounts belonging to third party users that were enabled and had not logged into the account for the past three (3) years. These accounts had 'password expired' enabled.
   Residual risk rating: 1 (High). Category: IT-related controls.
   Department: Information Technology. Owner: Hiteshew. Executive Manager: Leiber.
   Report date: 09.16.21. Due date: 01.15.22. Date closed: 01.15.22.

4. SP-IA.20 - Access Management (App - Office 365)
   Audit: FY 2021-22 IT Identity and Access Management Review, Observation 5
   Description: The Organization has not formally performed a review of network access that ensures network access rights are appropriate to all individuals within the Organization.
   Residual risk rating: 1 (High). Category: IT-related controls.
   Department: Information Technology. Owner: Hart. Executive Manager: Leiber.
   Report date: 09.16.21. Due date: 03.28.22. Date closed: 03.28.22.

5. SP-IA.21 - Access Management (App - Oracle Fusion)
   Audit: FY 2021-22 IT Identity and Access Management Review, Observation 6
   Description: The Organization has not formally performed a review of user access within Oracle Fusion to ensure access rights are appropriate to all individuals within the Organization.
   Residual risk rating: 1 (High). Category: IT-related controls.
   Department: Information Technology. Owner: Chebotarev. Executive Manager: Leiber.
   Report date: 09.16.21. Due date: 02.15.22. Date closed: 02.15.22.

6. SP-IA.23 - Access Management (App - Office 365)
   Audit: FY 2021-22 IT Identity and Access Management Review, Observation 8
   Description: The Organization has not formally performed a review of user access within Office 365 to ensure access rights are appropriate to all individuals within the Organization.
   Residual risk rating: 3 (Low). Category: IT-related controls.
   Department: Information Technology. Owner: Hart. Executive Manager: Leiber.
   Report date: 09.16.21. Due date: 03.28.22. Date closed: 03.28.22.

7. SP-IA.24 - Access Management (App - Office 365)
   Audit: FY 2021-22 IT Identity and Access Management Review, Observation 9
   Description: The Organization currently does not formally review administrator activity on a periodic basis within Office 365.
   Residual risk rating: 3 (Low). Category: IT-related controls.
   Department: Information Technology. Owner: Hart. Executive Manager: Leiber.
   Report date: 09.16.21. Due date: 03.28.22. Date closed: 03.28.22.

8. SP-PS.03 - Physical Security of IT Assets
   Audit: FY 2021-22 IT Identity and Access Management Review, Observation 12
   Description: The Organization's data center is locked, and only authorized personnel are able to access the center. Reports can be generated to ensure all access is appropriate. However, there is currently no formal review of these reports being performed on a periodic basis.
   Residual risk rating: 3 (Low). Category: IT-related controls.
   Department: Information Technology. Owner: Hiteshew. Executive Manager: Wilbur.
   Report date: 09.16.21. Due date: 12.15.21. Date closed: 12.15.21.

9. SP-HR.01 - HR Security
   Audit: FY 2021-22 IT Identity and Access Management Review, Observation 14
   Description: The Organization provides acceptable use and security policies to all new hires. However, existing employees and new employees are not required to complete security awareness training.
   Residual risk rating: 2 (Moderate). Category: IT-related controls.
   Department: Information Technology. Owner: Hart. Executive Manager: Leiber.
   Report date: 09.16.21. Due date: 04.01.22. Date closed: 03.30.22.

10. SP-EM.02 - Log and Event Management
   Audit: FY 2021-22 IT Identity and Access Management Review, Observation 15
   Description: The Organization has alerts generated for suspicious behaviors related to the network. However, the alert for attempts to access disabled accounts is currently not enabled.
   Residual risk rating: 3 (Low). Category: IT-related controls.
   Department: Information Technology. Owner: Vega; Hart. Executive Manager: Leiber.
   Report date: 09.16.21. Due date: 01.15.22. Date closed: 01.15.22.

11. Policies and procedures
   Audit: FY 2020-21 Payroll Design-only Review, Observation 1
   Description: Policies and procedures surrounding the payroll process have not been updated since the rollout of the Oracle payroll module.
   Residual risk rating: 2 (Moderate). Category: Need for documentation of procedures or updates.
   Department: Human Resources. Owner: O'Malley. Executive Manager: Bailey.
   Report date: 09.21.21. Due date: [illegible] (original), 03.31.22 (extended). Date closed: [illegible].

12. SP-IA.01 - Access Management
   Audit: FY 2021-22 IT Identity and Access Management Review, Observation 1
   Description: The Organization has an access management guideline that is distributed to all employees that have network access. However, the policy in place does not include standards of segregation of duties, role change procedures, and the use of access checklists. In addition, CLA identified that three (3) of the five (5) new user samples did not have acknowledgement of the access management guideline policy documented.
   Residual risk rating: 2 (Moderate). Category: Need for documentation of procedures or updates.
   Department: Information Technology. Owner: Hiteshew. Executive Manager: Leiber.
   Report date: 09.16.21. Due date: 04.30.22. Date closed: 04.20.22.

13. SP-IA.12 - Access Management
   Audit: FY 2021-22 IT Identity and Access Management Review, Observation 4
   Description: Per review of the domain administrative listing, CLA was informed that no formal documentation is maintained to identify the purpose of service accounts that have domain administration access along with an annual approval. CLA identified one (1) user in the administrative listing whose access was deemed as inappropriate.
   Residual risk rating: 2 (Moderate). Category: IT-related controls.
   Department: Information Technology. Owner: Hart. Executive Manager: Leiber.
   Report date: 09.16.21. Due date: 04.30.22. Date closed: 04.20.22.

14. SP-IA.22 - Access Management (App - Oracle Fusion)
   Audit: FY 2021-22 IT Identity and Access Management Review, Observation 7
   Description: The Organization currently does not formally review administrator activity on a periodic basis within Oracle Fusion.
   Residual risk rating: 1 (High). Category: IT-related controls.
   Department: Information Technology. Owner: Chebotarev. Executive Manager: Leiber.
   Report date: 09.16.21. Due date: 04.30.22. Date closed: 04.20.22.

15. SP-PS.05 - Physical Security of IT Assets
   Audit: FY 2021-22 IT Identity and Access Management Review, Observation 13
   Description: The Organization currently does not have video surveillance in the data center to ensure entry and internal activity is appropriate.
   Residual risk rating: 2 (Moderate). Category: IT-related controls.
   Department: Information Technology. Owner: Hiteshew. Executive Manager: Leiber.
   Report date: 09.16.21. Due date: 12.31.22. Date closed: 03.31.22.

16. SP-DS.01 - Data Security & Privacy
   Audit: FY 2021-22 IT Identity and Access Management Review, Observation 10
   Description: The Organization currently allows users to access their personal email accounts within the network. No web content filtering is currently in place to restrict the use of personal email sites.
   Residual risk rating: 3 (Low). Category: IT-related controls.
   Department: Information Technology. Owner: Chebotarev; Hart. Executive Manager: Leiber.
   Report date: 09.16.21. Due date: 04.30.22 (original), 05.31.22 (extended). Date closed: 05.25.22.

17. SP-DS.02 - Data Security & Privacy
   Audit: FY 2021-22 IT Identity and Access Management Review, Observation 11
   Description: The Organization has domain administrator accounts assigned to individuals and only used for administrative purposes. However, the Organization currently allows domain administrators to directly access the Internet.
   Residual risk rating: 3 (Low). Category: IT-related controls.
   Department: Information Technology. Owner: Hart. Executive Manager: Leiber.
   Report date: 09.16.21. Due date: 04.30.22 (original), 05.31.22 (extended). Date closed: 05.25.22.

18. Policies and procedures
   Audit: FY 2021-22 Accounts Payable Audit, Observation 1
   Description: Although some documentation exists, policies and procedures surrounding the accounts payable process have not been formalized or regularly reviewed/updated to reflect Oracle system changes.
   Residual risk rating: 3 (Low). Category: Need for documentation of procedures or updates.
   Department: Finance. Owner: Mizuno. Executive Manager: Leiber.
   Report date: 03.25.22. Due date: 07.01.22. Date closed: 06.28.22.

19. Formalizing procedures/SOPs to safeguard high-value tools and equipment
   Audit: FY 2021-22 Miscellaneous Assets Review, Observation 6
   Description: Although informal language exists, the Information Technology (IT) Division and the Plant Maintenance Division have not published formal standard operating procedures (SOPs) that specify procedures to safeguard high-value tools and equipment managed by the IT Division and B&G, respectively. Note: Plant Maintenance reported completion on 06-21-22.
   Residual risk rating: 3 (Low). Category: Need for documentation of procedures or updates.
   Department: Information Technology. Owner: Chebotarev. Executive Manager: Leiber.
   Report date: 07.08.22. Due date: 07.31.22. Date closed: 07.27.22.

20. Inventory inspection single source of truth
   Audit: FY 2021-22 Miscellaneous Assets Review, Observation 5
   Description: B&G does not have a single source of truth while performing their monthly equipment and bi-weekly tool inventory inspections.
   Residual risk rating: 3 (Low). Category: General process and/or control improvements.
   Department: Plant Maintenance. Owner: Nicolaus. Executive Manager: McDonald.
   Report date: 07.08.22. Due date: 07.31.22. Date closed: 07.28.22.

21. Formalization of the transfer process of high-value tools and equipment from Capital Projects to Plant Maintenance
   Audit: FY 2021-22 Miscellaneous Assets Review, Observation 1
   Description: The processes related to the transfer of high-value tools and equipment from the Capital Projects Division to the Plant Maintenance Division have not been formalized. Similarly, when assets are transferred, although there is a formal process in place, managers are not required to document their review/approval.
   Residual risk rating: 2 (Moderate). Category: Segregation of duties.
   Department: Capital Projects. Owner: Lopez. Executive Manager: Petit.
   Report date: 07.08.22. Due date: 09.30.22. Date closed: 10.03.22.
Attachment 2
February 9, 2023
2023 Internal Audit Workshop
Special Board Meeting
Benjamin Johnson, Internal Auditor

Table of Contents
1. Background
2. Responsibilities
3. Organizational Role
4. Philosophy and Approach
5. Audit Process
6. Support for this Function
7. Biannual Findings Report
8. 2023 Audit Plan
Background
Notable Engagements in Former Roles
- Public Accounting
  - State of California
  - Contra Costa County
  - CalPERS
  - CA Department of Education
  - California Governor's Office of Emergency Services
- Banking Industry
  - State-wide Branch Audit Program
  - Security Management
  - Bank Secrecy Act
  - Operational Soundness

Responsibilities
The Institute of Internal Auditors' definition of internal audit:
Internal audit helps an organization accomplish its objectives by bringing
a systematic, disciplined approach to evaluate and improve the
effectiveness of risk management, control and governance processes.

Central San's internal audit function aims to provide
management with additional tools and perspective to:
- Identify and lower risk
- Improve process accuracy
- Enhance operational efficiency
- Improve oversight of key processes
Organizational Role: The IIA's Three Lines Model

First Line of Defense - Management
  Maintains effective internal controls and executes risk and control procedures on a day-to-day basis
Second Line of Defense - Risk Management and Compliance
  Supports management to help ensure risk and controls are effectively managed
Third Line of Defense - Internal Audit
  Provides assurance to senior management and the board that the first and second lines' efforts are consistent with expectations

Text recovered from the Three Lines Model diagram:
- Governing body roles: integrity, leadership, and transparency
- Management: achieve organizational objectives
- First line roles: provision of products/services to clients; managing risk
- Second line roles: expertise, support, monitoring and challenge on risk-related matters
- Third line roles: independent and objective assurance and advice on all matters related to the achievement of objectives
- Key: accountability, reporting; delegation, direction, resources, oversight; alignment, communication, coordination, collaboration

Philosophy and Approach
Key elements critical to the success of the internal audit function:
- Developing and maintaining partnerships with business lines
- Communicating out a complete story subsequent to any review
- Recognizing that stereotypes surrounding this function should not determine how this function interacts with its business partners
Audit Process
Planning
- Perform high-level walkthroughs to determine key subprocesses
- Determine high-risk areas
- Develop scope and risk-based testing approach
Fieldwork
- Perform testing and review of processes
- Identify and communicate potential findings to management for validation
Reporting
- Draft audit report and request feedback and corrective action plans from management for any findings identified
- Issue final report to appropriate management and the Board

Support for this Function
Key Sources of Support
Roger Bailey
- Mr. Bailey's support of this function has been critical to its success
- We meet regularly to discuss any important matters regarding the District and project progression
Phil Leiber
- Internal Audit works closely with Mr. Leiber to gain valuable perspective and help formulate an audit approach for various projects
The Board
- The Board's support gives this function the authority it needs to add value to the organization
Biannual Findings Report
Overview
- 27 findings reported since Q1 2021
- 21 findings have been closed
- 5 findings have future due dates
- 1 finding is currently overdue as of 12.31.22
Management has been proactive and responsive in remediating audit findings.
Roger Bailey, Phil Leiber, and I meet quarterly with finding owners to track remediation progress and create space for open dialog.

2023 Audit Plan
The following audit plan is based on the input from management and the Board in addition to Internal Audit's assessment of risk:
P-Card Audit - Q1
- Maze & Associates will assist with testing
- Audit to begin in early February with planning efforts already underway
Miscellaneous Assets Review, Phase II - Q2
- Follow-up to last year's review of this process
- Will review operational effectiveness of the safeguarding of high-value tools and equipment
Permit Counter Design-only Review - Q3/Q4
- Will review the design of internal controls related to the permit counter process in general as well as the new system rollout

Let's chat.