10. Receive 2024 Internal Audit Workshop
Item 10.
February 22, 2024
TO: HONORABLE BOARD OF DIRECTORS
FROM: BENJAMIN JOHNSON, INTERNAL AUDITOR
REVIEWED BY: PHILIP LEIBER, DEPUTY GENERAL MANAGER-ADMINISTRATION
GREG NORBY, DEPUTY GENERAL MANAGER-OPERATIONS & ENGINEERING
ROGER S. BAILEY, GENERAL MANAGER
SUBJECT: RECEIVE 2024 INTERNAL AUDIT WORKSHOP
Internal Audit will facilitate the 2024 Internal Audit Workshop to engage with members of the Board and
create space for meaningful conversation around the effort. Key items we plan to cover include the 2024
Audit Plan, core principles and definitions, role delineation, and the biannual findings report. We view this
workshop as an opportunity to further strengthen the partnership between the Board and Internal Audit by
creating a unique space for questions, comments, and discussion around key topics that impact
operations, staff, and our customers.
Strategic Plan Tie-In
GOAL FOUR: Governance and Fiscal Responsibility
Strategy 1 - Promote and uphold ethical behavior, openness, and accessibility, Strategy 3 - Maintain financial stability
and sustainability
ATTACHMENTS:
Description
1. Internal Audit Biannual Findings Report as of 02.05.24
2. Presentation
February 22, 2024 Special Board Meeting Agenda Packet - Page 85 of 128
Page 1 of 11
Internal Audit Findings Report
Current as of: 02.05.24
Prepared by: Benjamin Johnson, Internal Auditor
Risk Rating          Total
1 - High Risk        7
2 - Moderate Risk    8
3 - Low Risk         3
Total                18

General Category of Observations                   Total
Need for documentation of procedures or updates    4
Segregation of duties                              2
IT-related controls                                0
General process and/or control improvements        10
Automation opportunities                           2
Fields recorded for each finding: Finding Title, Audit Name, Finding Number, Finding Description, Risk Rating (Residual), Observation Category, Division, Owner, Executive Manager, Report Date, Due Date, Date Closed

Open

1. Engineering procedural documentation is not current
   Audit Name: 2023 Capital Projects Design-only Audit
   Finding Number: 1
   Finding Description: There is a need to update the procedural documentation surrounding Capital’s contract/agreement origination and project management processes.
   Risk Rating (Residual): 1
   Observation Category: Need for documentation of procedures or updates
   Division: Capital Projects | Owner: Norby | Executive Manager: Norby
   Report Date: 11.03.23 | Due Date: 06.30.24

2. There is a need to standardize Capital Projects’ reporting to key stakeholders
   Audit Name: 2023 Capital Projects Design-only Audit
   Finding Number: 2
   Finding Description: There is an opportunity for Capital to formalize and enhance reporting of capital project activity so that there is a formal source of project-related reporting flowing through the Division to management and executive management.
   Risk Rating (Residual): 1
   Observation Category: Segregation of duties
   Division: Capital Projects | Owner: Norby | Executive Manager: Norby
   Report Date: 11.03.23 | Due Date: 06.30.24

3. Agreement/contract drafts are edited and shared internally via email, which may lead to version control issues
   Audit Name: 2023 Capital Projects Design-only Audit
   Finding Number: 3
   Finding Description: Capital shares and edits contract/agreement drafts internally through email, which may cause version control issues.
   Risk Rating (Residual): 2
   Observation Category: General process and/or control improvements
   Division: Capital Projects | Owner: Norby | Executive Manager: Norby
   Report Date: 11.03.23 | Due Date: 06.30.24

4. Key stakeholders do not receive regular contract/agreement processing status updates
   Audit Name: 2023 Capital Projects Design-only Audit
   Finding Number: 4
   Finding Description: Purchasing does not regularly report details surrounding the status of contract/agreement processing efforts to stakeholders across the District, which may impact projects that have more compressed timelines such as District emergencies and special needs.
   Risk Rating (Residual): 2
   Observation Category: Automation opportunities
   Division: Finance | Owner: Mizuno | Executive Manager: Leiber
   Report Date: 11.03.23 | Due Date: 06.30.24 (Follow-up)

Highlight Legend: Past Due, High Risk, Closed
Attachment 1
Closed

1. Consistent and timely notification to the P-Card administrators of the Finance Division when a cardholder’s employment is terminated
   Audit Name: 2023 Procurement Card Audit
   Finding Number: 1
   Finding Description: Prior to this review, Finance’s P-Card administration staff did not receive formal notifications when a cardholder has left the organization. Timely deactivation of a purchasing card account when a cardholder leaves the District is essential to reducing the risk of inappropriate charges made.
   Risk Rating (Residual): 1
   Observation Category: General process and/or control improvements
   Division: Finance | Owner: Mizuno | Executive Manager: Leiber
   Report Date: 05.26.23 | Due Date: 05.26.23 | Date Closed: 05.26.23

2. Regular cardholder reviews to determine if maintaining a P-Card remains appropriate for existing cardholders
   Audit Name: 2023 Procurement Card Audit
   Finding Number: 2
   Finding Description: Cardholder reviews to determine if maintaining a P-Card remains appropriate for existing cardholders are currently only performed on an ad-hoc basis.
   Risk Rating (Residual): 3
   Observation Category: General process and/or control improvements
   Division: Finance | Owner: Mizuno | Executive Manager: Leiber
   Report Date: 05.26.23 | Due Date: 05.26.23 | Date Closed: 05.26.23

3. Maintaining an independent inventory of cardholders
   Audit Name: 2023 Procurement Card Audit
   Finding Number: 6
   Finding Description: The District does not maintain an inventory of cardholders independent of online banking records. Although banking records may be helpful in determining which District employees currently have active procurement cards, these records do not indicate status of employment nor when a cardholder leaves the District.
   Risk Rating (Residual): 1
   Observation Category: General process and/or control improvements
   Division: Finance | Owner: Mizuno | Executive Manager: Leiber
   Report Date: 05.26.23 | Due Date: 05.26.23 | Date Closed: 05.26.23

4. Payroll data review by an employee with no payroll duties
   Audit Name: FY 2020-21 Payroll Design-only Review
   Finding Number: 3
   Finding Description: HR and Finance do not have the ability to produce detailed reporting within Oracle that provides staff and management critical data elements necessary to perform a robust accuracy review. Payroll data is manually reviewed for accuracy by HR staff during the bi-weekly payroll process; however, it is not subsequently reviewed by an employee with no payroll processing responsibilities prior to key processes.
   Risk Rating (Residual): 1
   Observation Category: Segregation of duties
   Division: Human Resources; Finance | Owner: O'Malley; Mizuno | Executive Manager: Bailey; Leiber
   Report Date: 09.21.21
   Due Date: HR - 08.01.21; Finance - 11.01.21 (Original), 12.31.22 (Extended)
   Date Closed: HR - 08.01.21; Finance - 06.22.23

5. Physical check payment runs
   Audit Name: FY 2021-22 Accounts Payable Audit
   Finding Number: 2
   Finding Description: Given the strong internal controls in place prior to the County’s involvement in the payment process, the County’s countersignature process appears duplicative and inefficient.
   Risk Rating (Residual): 3
   Observation Category: Automation opportunities
   Division: Finance | Owner: Mizuno | Executive Manager: Leiber
   Report Date: 03.25.22 | Due Date: 12.31.23 | Date Closed: 08.17.23

6. Regular reviews and updates to applicable policies and procedures
   Audit Name: 2023 Procurement Card Audit
   Finding Number: 4
   Finding Description: The Procurement Card User Guide, a key District employee-facing guidance document developed by Finance (previously Purchasing), is dated September 29, 2020. Not establishing a formal, regular review process of this document may lead to inaccurate written guidance when compared with current operational expectations.
   Risk Rating (Residual): 2
   Observation Category: Need for documentation of procedures or updates
   Division: Finance | Owner: Mizuno | Executive Manager: Leiber
   Report Date: 05.26.23 | Due Date: 09.29.23 | Date Closed: 09.15.23

7. Inclusion of escalation language in applicable policies and procedures for violations
   Audit Name: 2023 Procurement Card Audit
   Finding Number: 5
   Finding Description: The District does not have escalation language identified in the Procurement Card User Guide to address policy violations.
   Risk Rating (Residual): 1
   Observation Category: Need for documentation of procedures or updates
   Division: Finance | Owner: Mizuno | Executive Manager: Leiber
   Report Date: 05.26.23 | Due Date: 09.29.23 | Date Closed: 09.15.23

8. Uncovered mobile equipment
   Audit Name: FY 2021-22 Miscellaneous Assets Review
   Finding Number: 3
   Finding Description: Certain high-value mobile equipment (i.e., generators, bypass pumps, etc.) are not stored in a covered area due to a lack of space in existing storage facilities, increasing the risk of theft. This equipment is currently stored in an open field area of the Treatment Plant site.
   Risk Rating (Residual): 2
   Observation Category: General process and/or control improvements
   Division: Capital Projects | Owner: Lopez | Executive Manager: Lopez (Interim)
   Report Date: 07.08.22
   Due Date: 09.30.23, 12.31.23 (Extended)
   Date Closed: 09.28.23

9. Enhancing visibility to high-value tools and equipment
   Audit Name: FY 2021-22 Miscellaneous Assets Review
   Finding Number: 4
   Finding Description: There are opportunities to further reduce the risk of theft by enhancing visibility within the B&G Garden Shop and at the Plant Operations main gate.
   Risk Rating (Residual): 2
   Observation Category: General process and/or control improvements
   Division: Risk Management; Plant Maintenance | Owner: Deutsch; Nicolaus | Executive Manager: Leiber; Meyer (Interim)
   Report Date: 07.08.22
   Due Date: RM - 12.31.22 (Original), 12.31.23 (Extended); PM - 12.31.22
   Date Closed: RM - 09.28.23; PM - 11.23.22

10. Carpet cleaner missing from the Plant Maintenance Division’s inventory
   Audit Name: 2026 Miscellaneous Assets Review, Phase II
   Finding Number: 4
   Finding Description: A carpet cleaner with an estimated value of $500 is missing from the Plant Maintenance inventory.
   Risk Rating (Residual): 1
   Observation Category: General process and/or control improvements
   Division: Plant Maintenance | Owner: Meyer | Executive Manager: Norby
   Report Date: 09.21.23 | Due Date: 09.21.23 | Date Closed: 09.21.23

11. Regular trainings for existing cardholders to reinforce policy expectations and updates
   Audit Name: 2023 Procurement Card Audit
   Finding Number: 3
   Finding Description: The District has not provided regular training for existing cardholders to reinforce policy expectations and updates.
   Risk Rating (Residual): 2
   Observation Category: General process and/or control improvements
   Division: Finance | Owner: Mizuno | Executive Manager: Leiber
   Report Date: 05.26.23 | Due Date: 10.31.23 | Date Closed: 10.20.23

12. CSO: Formalize policies and procedures around the safeguarding of high-value tools and equipment and the Item Loan Program
   Audit Name: 2023 Miscellaneous Assets Review, Phase II
   Finding Number: 1
   Finding Description: Documented procedures surrounding the Item Loan Program and the safeguarding of high-value tools and equipment at CSO are informal in nature and lack guidance around some key topics.
   Risk Rating (Residual): 3
   Observation Category: Need for documentation of procedures or updates
   Division: Collection System Operations | Owner: Seitz | Executive Manager: Norby
   Report Date: 09.21.23 | Due Date: 12.31.23 | Date Closed: 12.14.23

13. CSO: High-value tools and equipment inventory reviews
   Audit Name: 2024 Miscellaneous Assets Review, Phase II
   Finding Number: 2
   Finding Description: CSO does not have a periodic inventory review system in place to validate whether all high-value tools and equipment are properly accounted for.
   Risk Rating (Residual): 2
   Observation Category: General process and/or control improvements
   Division: Collection System Operations | Owner: Seitz | Executive Manager: Norby
   Report Date: 09.21.23 | Due Date: 12.31.23 | Date Closed: 12.14.23

14. CSO: Item Loan Program master log does not comport with supporting documentation
   Audit Name: 2025 Miscellaneous Assets Review, Phase II
   Finding Number: 3
   Finding Description: Recordkeeping pertaining to the Item Loan Program is incomplete.
   Risk Rating (Residual): 2
   Observation Category: General process and/or control improvements
   Division: Collection System Operations | Owner: Seitz | Executive Manager: Norby
   Report Date: 09.21.23 | Due Date: 12.31.23 | Date Closed: 12.14.23
Attachment 2
2024 Internal Audit Workshop
Special Board Meeting
Benjamin Johnson
Internal Auditor
February 22, 2024
Table of Contents
1. Background
2. Principles and Definitions
3. Internal Audit’s Role
4. Partnership with Risk Management
5. Approach to Projects
6. 2024 Audit Plan
7. Biannual Findings Report
8. Success Highlights
9. Organizational Risks/Threats
10. Opportunities for the District
11. Next Steps for Internal Audit
Background
Notable Engagements in a Former Role
•Public Accounting: Bay Area and Sacramento Regions
•State of California
•Contra Costa County
•CalPERS
•California Department of Education
•California Governor's Office of Emergency Services
Certification
•Certified Internal Auditor (CIA)
•Issued by the Institute of Internal Auditors
•Three-part exam: Essentials, Practice, and Business Knowledge
•Annual requirement to complete 40 hours of CPE
Principles and Definitions
The Institute of Internal Auditors’ Definition of Internal Audit:
Internal audit helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Key Definitions:
•Internal control: A process that ensures the organization's objectives are met
•Segregation of duties: A specific control that involves splitting up job functions among multiple employees
•Key man risk: Placing knowledge, skills, and important relationships in the hands of one or a few staff members
•Design-only audit approach: Review of overall program design
•Operational review: Traditional review which includes transactional testing and verification that controls are working as intended
Internal Audit’s Role
First Line of Defense - Management
•Maintains effective internal controls and executes risk and control procedures on a day-to-day basis
Second Line of Defense - Risk Management and Compliance
•Supports management to help ensure risk and controls are effectively managed
Third Line of Defense - Internal Audit
•Provides assurance to Executive Management and the Board that the first- and second-lines’ efforts are consistent with expectations
Partnership with Risk Management
Enterprise Risk Management: An organization-wide strategy to identify and prepare for hazards related to finances, operations, and objectives
•Internal Audit partners with Risk Management to evaluate related efforts and may provide assurance to stakeholders
•There are several coordination and assistance efforts in which Internal Audit can participate on a limited basis
•Internal Audit may not assume the role of Management with respect to governance and ownership of risk management processes
Approach to Projects
Key focus areas as we continue to reimagine what this function can be:
2023
•Developing partnerships with business lines
•Communicating out a complete story
•Challenging stereotypes surrounding this function
2024
•Identifying historically gray areas in processes and focusing on clarity
•Process efficiency
•Formalization and reporting
2024 Audit Plan
The following audit plan is based on the input from management and the Board in addition to Internal Audit’s assessment of risk:
•Permitting – First half of 2024
  •Business structure efficiency
  •Oracle rollout successes and challenges
  •Segregation of duties
•Capital Projects – Second half of 2024
  •Follow-up to last year’s review of this process
  •Will review the project management process with respect to policies and procedures
  •Process efficiency will be an area of focus
Biannual Findings Report
Overview
•18 findings tracked in 2023
  •7 high-risk findings
  •8 moderate-risk findings
  •3 low-risk findings
•Most of these items (10) called for general process and/or control improvements
•Only 4 findings are currently open
•Management has been proactive and responsive in remediating audit findings
•Executive Management and Internal Audit meet quarterly with finding owners to track remediation progress and create space for open dialog
Success Highlights
Since bringing this function in-house in Q1 2021:
•8 large audit projects completed
•41 findings issued
•37 have been closed
•Closed 14 findings in 2023 alone
•4 findings are currently open and not late
•Notable efforts related to reports
  •Treasury in-house agreement
  •Automated District tracking of items issued to employees
  •More robust and frequently reviewed procedural documentation across Divisions
Organizational Risks/Threats
Internal Audit prioritizes the following risks/threats:
•Stale operational policies and procedures
•Non-compliance with regulatory expectations
•Mismanagement of District funds
•Silos
•Lack of governance over key processes
•Negative public perception
•Inefficiency due to resource limitations and/or embrace of legacy processes
Opportunities for the District
Key items to highlight in 2024:
•Transformation
•Efficiency
•Formality
•Enhancement of key internal controls
•Creativity
•Achievement of organizational goals
•Organizational culture enhancement
Next Steps for Internal Audit
As we look ahead to the rest of 2024 and into 2025, Internal Audit would like to:
•Partner with Risk Management to issue a risk inventory survey to District leadership
  •Provides input to future audits as well as the enterprise risk management (ERM) matrix
  •Opportunity to extend reach to more lines of business
•Continue to engage in the ERM effort
•Complete 2024 Audit Plan timely
•Continuously gather input from the Board to enhance craftsmanship of audit projects so that they meet the unique needs of the District
Let's chat.