The URL can be used to link to this page

Home My WebLink About11.a. Receive 2023 Miscellaneous Assets Review, Phase II reportPage 1 of 11 Item 11.a. LICENTRAL SAN February 1, 2024 FROM: BENJAMIN JOHNSON, INTERNALAUDITOR REVIEWED BY: PHILIP LEIBER, DEPUTYGENERAL MANAGER -ADMINISTRATION ROGER S. BAILEY, GENERAL MANAGER SUBJECT: RECEIVE 2023 MISCELLANEOUS ASSETS REVIEW, PHASE II REPORT Enclosed is the 2023 Miscellaneous Assets Review, Phase I I Final Report. Internal Audit assessed the operating effectiveness of internal controls surrounding the safeguarding of Central San's high -value tools and equipment. Internal Audit performed Phase I of this effort in 2022, which included a design -only review of internal controls surrounding the safeguarding of high -value tools and equipment. The focus of Phase I I was to verify that the internal controls identified in Phase 1, and any agreed -upon corrective actions in response to findings, are operationally effective in reducing the risk of theft to a satisfactory level. Strategic Plan re -In GOAL FOUR: Governance and Fiscal Responsibility Strategy 1 - Promote and uphold ethical behavior, openness, and accessibility, Strategy 2 - Encourage and facilitate public participation GOAL FIVE: Safety and Security Strategy 2 - Protect personnel and assets from threats and emergencies ATTACHMENTS: 1. 2023 Miscellaneous Assets Review, Phase I I F I NAL Report 2. Presentation February 1, 2024 Regular Board Meeting Agenda Packet - Page 91 of 130 Page 2 of 11 Attachment 1 110ENTRAL SAN INTERNAL AUDIT REPORT DATE: September 21, 2023 TO: Neil Meyer, Plant Maintenance Division Manager Paul Seitz, Collection System Operations Division Manager Edgar Lopez, Capital Projects Division Manager Charles Mallory, Information Technology Manager Shari Deutsch, Risk Management Administrator FROM: Benjamin Johnson, Internal Auditor SUBJECT: 2023 MISCELLANEOUS ASSETS REVIEW, PHASE II FINAL REPORT Enclosed is the 2023 Miscellaneous Assets Review, Phase II Final Report. Internal Audit assessed the operating effectiveness of internal controls surrounding the safeguarding of Central San's high -value tools and equipment. Internal Audit performed Phase I of this effort in 2022, which included a design -only review of internal controls surrounding the safeguarding of high -value tools and equipment. The focus of Phase II was to verify that the internal controls identified in Phase I, and any agreed -upon corrective actions in response to findings, are operationally effective in reducing the risk of theft to a satisfactory level. The actions taken and/or planned are responsive to the observations in the report. There will be regular follow-up to discuss remediation efforts and send reminders, as needed. Internal Audit would like to thank management and staff for their partnership during the length of this project. If you have any questions, please contact me at (925) 229-7120. Benjamin Johnson Internal Auditor Enclosure cc: Roger S. Bailey, General Manager Greg Norby, Deputy General Manager Philip Leiber, Deputy General Manager Jon Nicolaus, Operations and Maintenance Superintendent Dennis Chebotarev, Project Manager / Business Analyst Laci Kolc, Risk Management Specialist February 1, 2024 Regular Board Meeting Agenda Packet - Page 92 of 130 Page 3 of 11 Attachment 1 2023 MISCELLANEOUS ASSETS REVIEW, PHASE II FINAL REPORT DATE: September 21, 2023 INTRODUCTION Audit Objective The objective of this engagement was to assess the operating effectiveness of internal controls surrounding the safeguarding of Central San's high -value tools and equipment. Background In recent years, the District has experienced the loss of a hot water pressure washer, two generators, and two computer tablets. In response to these recent thefts, management has made a concerted effort to strengthen internal controls as they relate to the safeguarding of high -value tools and equipment. As Plant Maintenance continues to develop and evolve, a continued emphasis on security will be critical to achieving future operational goals. Management remains focused on enhancing areas of weakness by working with key stakeholders to find opportunities for positive change. The Information Technology Division has established a strong group of internal controls around security. Staff demonstrate an expansive knowledge of risk in both digital and physical environments. Risk Management is resolute on enhancing physical security measures to keep the safety of Central San employees and operational efficiency high priorities. Risk Management staff demonstrate a sense of urgency when opportunities for improvement are brought to the forefront of conversation and utilize a District - wide approach to move projects forward. Capital works with stakeholders across the organization to find creative solutions to safeguard assets and high -value tools and equipment. Management balances competing priorities of the District to ensure both staff and customers produce and receive outstanding service, respectively. The Collection System Operations (CSO) group displays a high sense of awareness around the security, and maintaining the condition of, high -value tools and equipment. The Item Loan Program has been in place and in use for several decades and there are staff dedicated to overseeing the program. In addition, there is a robust physical security process in place to reduce the risk of unauthorized individuals gaining access to campus and building entryways. Audit Scope, Internal Audit assessed the operating effectiveness of internal controls Limitations, and surrounding the safeguarding of relatively high -value tools and equipment with a Methodology focus on specific high -risk items, including compact equipment such as high- pressure washers, generators, and computer tablets. Phase I of this effort was performed in calendar year 2022, where we focused on the design of these safeguarding controls. The following was reviewed in relation to the safeguarding of high -value tools and equipment: 2023 Miscellaneous Assets Review, Phase II FINAL Report 09.21.23 February 1, 2024 Regular Board Meeting Agenda Packet - Page 93 of 130 Page 4 of 11 Attachment 1 • Policies and procedures • Perimeter fencing • Key/badge management • IT equipment custody • Tool loan programs (CSO & Plant Maintenance) • Visibility measures • Inventory inspections • Hand-offs between Divisions • Uncovered mobile equipment The audit was performed using the following methods: 1. Reviewed available policies, guidelines, and procedures. 2. Interviewed team members and observed the processes within the scope of the audit. 3. Obtained and reviewed evidence of controls for operational effectiveness. 4. Reported on audit results and discussed recommendations, including the following: a. Audit Objective b. Background c. Audit Scope, Limitations, and Methodology d. Summary of results e. Recommendations, if applicable, with Management's response INTERNAL AUDIT RESULTS Summary Based on Internal Audit's assessment of the operational effectiveness of internal controls surrounding the safeguarding of high -value tools and equipment, there are some opportunities to enhance existing security measures related to these assets. Treatment Plant site perimeter security has been a longstanding focus for key stakeholders. From an operational risk perspective, addressing areas of concern with a sense of urgency is critical to meeting current and future operational goals. Risk Management has recently contracted a third -party consultant to perform a needs assessment surrounding the District's physical security and a recommendation to install a high -security perimeter fencing structure around the Treatment Plant site is expected. Internal Audit strongly agrees with this recommendation and encourages well-defined project management and inter -Divisional collaboration to gain stakeholder support, input, and funding. As the District continues to evolve operationally, campus security and the safeguarding of high -value tools and equipment will move to the forefront of conversation. Key stakeholders appear vested in collaborating across Divisions to address weaker areas and develop creative solutions. From Internal Audit's perspective, although there are opportunities for process enhancement, the District is primed to manage future operational goals through effective security measures. 2023 Miscellaneous Assets Review, Phase II FINAL Report 09.21.23 February 1, 2024 Regular Board Meeting Agenda Packet - Page 94 of 130 3 Page 5 of 11 Attachment 1 Findings and recommendations were made surrounding the following: • CSO: Formalize policies and procedures around the safeguarding of high - value tools and equipment and the Item Loan Program • CSO: High -value tools and equipment inventory reviews • CSO: Item Loan Program master log does not comport with supporting documentation • Carpet cleaner missing from the Plant Maintenance Division's inventory The risk each finding presents to the organization is weighted with respect to meeting the operational needs of the District using the following system: • 1— High Risk • 2 — Moderate Risk • 3 — Low Risk Finding 1: CSO: Formalize policies and procedures around the safeguarding of high - value tools and equipment and the Item Loan Program 3 — Low Risk Documented procedures surrounding the Item Loan Program and the safeguarding of high -value tools and equipment at CSO are informal in nature and lack guidance around some key topics. Although there are some documented expectations around opening and closing the facility and the Item Loan Program, more detail surrounding worksite access security measures, escalation procedures to address policy violations, and clear definitions of what items can be loaned to staff is needed. Recommendation: CSO management has an opportunity to craft formal and detailed standard operating procedures (SOPS) surrounding the safeguarding of high -value tools and equipment and the Item Loan Program. Internal Audit recommends a bifurcated approach with the following key topics addressed in each document: CSO campus security SOP document: • Facility opening and closing procedures • Ethics hotline information • Protocols surrounding: o Operational use of tools and equipment o Access to main entryways o Emergency situations (fire, disaster, active shooter, etc.) • Reference the Item Loan Program SOP document as a subset of this general security policy CSO Item Loan Program SOP document: 2023 Miscellaneous Assets Review, Phase II FINAL Report 09.21.23 February 1, 2024 Regular Board Meeting Agenda Packet - Page 95 of 130 4 Page 6 of 11 Attachment 1 • Refined definitions of items that are included in and excluded from the program • Escalation procedures for policy violations • Identify program administrator • Expectations surrounding: o Loan time duration o Condition of the item upon return o Completion of required documentation for loan authorization and recordkeeping purposes Management's Response / Action Plan: Action Plan — CSO will create two (2) Standard Operating Procedures (SOPs) in response to Finding No. 1. The first SOP will detail the security of the CSO campus as outlined in the recommendations. The second SOP will detail the policies and procedures for the CSO Tool Loan Program. A list of tools that are available to be loaned will be attached to the SOP. This procedure will also include the steps required for quality assurance and quality control regarding the documentation for lending and returning tools. In addition, the SOP will provide clear expectations for the condition and timely return for the items loaned. Target Date: 12/31/23 (End of Q2) / Responsible Owner: Paul Seitz Internal Audit's Response: Internal Audit agrees with management's action plan. Finding 2: CSO: High -value tools and equipment inventory reviews 2 — Moderate Risk CSO does not have a periodic inventory review system in place to validate whether all high -value tools and equipment are properly accounted for. CSO's warehouse is used to store tools and equipment essential to the operational needs of the Division and that vastly range in value. Many of these items are available for loan to staff via the Item Loan Program. In addition, the shop, where the vehicle fleet is maintained, houses smaller, low -value vehicle parts. Infrequent inventory reviews may increase the risk of tools and equipment going missing without staff being made aware timely. Recommendation: We recommend that the Division performs tool and equipment inventory reviews quarterly for CSO's warehouse and shop. The reviews should be well - documented and include who performed the review, when, and an up-to- date inventory checklist. Management's Response / Action Plan: Action Plan — CSO will create one (1) SOP for Finding No. 2. A list of high -value tools to be inventoried will be created for the Vehicle and Equipment Shop and Field equipment. The Vehicle Shop Supervisor and the Field 2023 Miscellaneous Assets Review, Phase II FINAL Report 09.21.23 February 1, 2024 Regular Board Meeting Agenda Packet - Page 96 of 130 Page 7 of 11 Attachment 1 Superintendent will each inventory their respective items. Inventories will be performed quarterly, with the first inventory scheduled for the end of Fiscal Year 23-24 Quarter 2. In addition to the inventory of high -value equipment, the Field Superintendent will also inventory the Tool Loan Program Log for the completeness of documentation. Target Date: 12/31/23 (End of Q2) / Responsible Owner: Paul Seitz Internal Audit's Response: Internal Audit agrees with management's action plan. Finding 3: CSO: Item Loan Program master log does not comport with supporting documentation 2 — Moderate Risk Recordkeeping pertaining to the Item Loan Program is incomplete. A critical component of the program's documentation is the master log which acts as a single source of truth for the complete inventory of loans. During our review, there were loans identified on the master log that did not have supporting documentation, which typically includes a release form with wet signatures of the loanee and their supervisor. No missing items were noted and management tracks outstanding loans, following up with loanees where necessary. Recommendation: Having staff dedicated to overseeing the Item Loan Program and managing the associated day-to-day administrative needs is critical to the program's success moving forward. In addition, as mentioned in the first finding identified in this report, crafting formal guidance around this program's documentation requirements helps establish well-defined expectations. Management's Response / Action Plan: Action Plan - CSO will not create a separate SOP for Finding No. 3. Instead, CSO will include the recommendations from Finding No. 3 into the new SOP that is being created for Finding No. 1, "CSO Tool Loan Program". CSO will assign the Field Supervisor for the Construction Workgroup to perform the day-to-day administration for the Tool Loan Program. In addition, the CSO Tool Loan Program SOP will provide guidance regarding required documentation and clear expectations for the condition and timely return for the items loaned. Target Date: 12/31/23 (End of Q2) / Responsible Owner: Paul Seitz Internal Audit's Response: Internal Audit agrees with management's action plan. 2023 Miscellaneous Assets Review, Phase II FINAL Report 09.21.23 February 1, 2024 Regular Board Meeting Agenda Packet - Page 97 of 130 Page 8 of 11 Attachment 1 Finding 4: Carpet cleaner missing from the Plant Maintenance Division's inventory 1— High Risk A carpet cleaner with an estimated value of $500 is missing from the Plant Maintenance inventory. The Buildings and Grounds group noted that the item was missing during a monthly equipment inventory review completed in Q1 2023. Before the item was noted as missing, the Conex box (shipping container) in which the item, and a handful of similar items, were housed was not secured with a lock. Recommendation: Internal Audit would like to highlight the importance of an elevated awareness around physical security of high -value tools and equipment. Management should continue to focus on securing key storage areas to lower the risk of theft. Management's Response: B&G audited the equipment list and updated the serial number and model number information. A few items were found to have missing or inaccurate serial/model numbers. The equipment in the shed was engraved with CCCSD and the correct serial/model numbers were recorded on the inspection form. A lock with hasp was installed in addition to the existing door handle lock on the shed. Access is limited to only the B&G staff, and we are currently looking into key control box upgrades with the Reliability Engineering and Risk Management teams. We also plan to add cameras as part of the MRC project, with construction estimated to start in early 2024. B&G will consolidate stored equipment when a new structure is installed by Capital Projects around 2025-2027. Finally, the Division reemphasized the importance of an elevated awareness around physical security of high -value tools and equipment. Management and staff will continue to focus on securing key storage areas to lower the risk of theft. We updated the tool and equipment procedure for inspection and inventory, then redistributed it to all staff. Target Date: Complete as of Report Date / Responsible Owner: Jon Nicolaus Internal Audit's Response: Management has secured the storage area and has mitigated the risk of theft to an acceptable level prior to Internal Audit's review. This finding is closed as of the date of this report. 2023 Miscellaneous Assets Review, Phase II FINAL Report 09.21.23 February 1, 2024 Regular Board Meeting Agenda Packet - Page 98 of 130 i7 Page 9 of 11 Attachment 2 2023 Miscellaneous Assets Review, Phase II 10 Final report issued on 09.21.23 Background In response to a handful of thefts in recent years, management has made a concerted effort to strengthen internal controls As the District continues to identify areas of improvement, the internal controls surrounding safeguarding are tighter, overall, today compared with controls identified in Phase I of this effort In Phase I of this audit project, we focused on the design of internal controls around safeguarding In Phase II, we looked at the operational effectiveness of these controls at our Martinez and Walnut Creek facilities February 1, 2024 Regular Board Meeting Agenda Packet - Page 99 of 130 Page 10 of 11 2023 Miscellaneous Assets Review, Phase II Final report issued on 09.21.23 Audit objective The objective of this engagement was to assess the operating effectiveness of internal controls surrounding the safeguarding of Central San's high -value tools and equipment. Audit Scope Internal Audit reviewed the design of internal controls with respect to the following: Policies and procedures Perimeter fencing Key/badge management IT equipment custody Tool loan programs Visibility measures Inventory inspections Hand-offs between Divisions Uncovered mobile equipment 3 2023 Miscellaneous Assets Review, Phase II Final report issued on 09.21.23 Audit Results CSO—Three Findings Formalize policies and procedures around the safeguarding of high -value tools and equipment and the Item Loan Program (Low Risk) High -value tools and equipment inventory reviews (Moderate Risk) Item Loan Program master log does not comport with supporting documentation (Moderate Risk) Plant Maintenance — One Finding Carpet cleaner missing from the Plant Maintenance Division's inventory (High Risk) 4 Attachment 2 " i -,, T, �_'ti a° , �W MIMI Vvim February 1, 2024 Regular Board Meeting Agenda Packet - Page 100 of 130 2 Page 11 of 11 Attachment 2 February 1, 2024 Regular Board Meeting Agenda Packet - Page 101 of 130