PROPOSED RISK ASSESSMENT AND INTERNAL AUDIT PLAN

FOR THE CITY OF TARPON SPRINGS, FLORIDA

December 5, 2017

RISK ASSESSMENT / INTERNAL AUDIT PLAN OBJECTIVE

To help the City Commission put into place an internal audit plan to address those areas deemed to possess the most risk or otherwise require internal audit focus for various other factors or reasons.


RISK ASSESSMENT APPROACH – IMPROVEMENT AREAS / CONCERNS / THREATS

• Business / Operations / Culture
• Annual Budget
• Specific Budgets by Department
• CAFR / Previous Audits
• Interviews – City Commissioners (various), Mayor, City Manager, Police Chief, Fire Chief, and the Department Heads; use of a standard risk assessment questionnaire (Appendix A)

RISK ASSESSMENT KEY FACTORS

• Control Environment – overall tone of the organization (“tone at the top”)

• Change – impact or expected impact on Department / Program / Function (turnover, IT infrastructure)

• Process risk – the probability of loss/failure inherent in the processes (continuity, technical, judgment)

• External Factors - risks that arise outside the entity (regulatory, the users - the public)

• Revenue Source – revenues outside the standardized tax base; enterprise funds, etc.


PROPOSED TOP FIVE INTERNAL AUDITS – FIVE YEAR PLAN

• Year 1 – Public Works – Osmosis construction project
• Year 2 – Procurement – purchasing card function
• Year 3 – Follow-up Audits – previous internal audits
• Year 4 – Finance – payroll / timekeeping functions
• Year 5 – Asset Management – various departments

TOP FIVE INTERNAL AUDITS RISK RATIONALE

Department/Program: Public Works – Osmosis Project – Construction Contract Compliance Audit

Risk Rating: H

Risk Rationale: Rated high due to the following:

• Financial significance of the project ($45M)
• Contract included a cost reimbursable with a Guaranteed Maximum Price portion, which puts the City at risk for contractor overbillings or other quantifiable contract non-compliance
• Close-out contract compliance audit has not been performed

TOP FIVE INTERNAL AUDITS RISK RATIONALE - CONTINUED

Department/Program: Procurement – Purchasing Card

Risk Rating: H/M

Risk Rationale: Rated as high/moderate due to the following:

• Volume of cards issued City-wide (100+)
• Relatively significant magnitude
• Moderate likelihood of a misappropriation of assets
• Not previously audited by internal auditors

TOP FIVE INTERNAL AUDITS RISK RATIONALE - CONTINUED

Department/Program: Follow-up – Previous Internal Audits

Risk Rating: H/M

Risk Rationale: Rated high/moderate due to the following:

• Follow-up procedures were not performed to determine if previous internal audit recommended actions (by previous internal auditors) were implemented
• Management team needs to know that a follow-up process is in place and therefore findings need to be fixed.
• Follow-up audits are necessary to monitor management implementation of recommended actions for CRI internal audits (scheduled for Year 1 and Year 2)

TOP FIVE INTERNAL AUDITS RISK RATIONALE - CONTINUED

Department/Program: Finance – Payroll/Timekeeping

Risk Rating: H/M

Risk Rationale: Rated high/moderate due to the following:

• Payroll makes up the largest expenditure
• Parts of the process are manual, including the timekeeping process; and
• Not previously audited by internal auditors

TOP FIVE INTERNAL AUDITS RISK RATIONALE - CONTINUED

Department/Program: Asset Management – Various departments

Risk Rating: H/M

Risk Rationale: Rated as high/moderate due to the following:

• Dollar significance of the population
• Reputation risk associated with the misappropriation of assets
• Not previously audited by internal auditors

ADDITIONAL INTERNAL AUDITS RISK RATIONALE

Department / Program: Clerk-Utilities Review
Risk Rating: H/M
Risk Rationale: Rated as high/moderate due to significant level of financial impact, complexity of the process and transaction volume; however, an internal audit was performed in January 2013.

Department / Program: Fleet
Risk Rating: M
Risk Rationale: Rated as moderate due to moderate level of financial impact and potential for misappropriation of assets; not previously audited by internal auditors.

Department / Program: Procurement
Risk Rating: M
Risk Rationale: Rated as moderate due to significant level of financial impact and importance of compliance with statutory requirements; an internal audit was performed for the period 2012-2013.

ADDITIONAL INTERNAL AUDITS RISK RATIONALE (CONTINUED)

Department / Program: Accounts Payable
Risk Rating: M
Risk Rationale: Rated as moderate due to moderate level of financial impact and reputation risk associated with duplicate payments and misappropriation of assets; not previously audited by internal auditors.

Department / Program: IT – Vulnerability
Risk Rating: M/L
Risk Rationale: Rated moderate/low due to the positive report received from previous internal auditors in January 2017; however, penetration risk and testing should be updated periodically.

Department / Program: Procurement
Risk Rating: M/L
Risk Rationale: Rated moderate/low due to the level of financial impact not being materially concentrated in any one location; an internal audit was performed for 2014-2015.

TOP FIVE INTERNAL AUDITS OBJECTIVE AND PROCEDURES

Year: 1
Audit Unit: Osmosis Plant

Objective: To perform a construction contract compliance review of the construction contract to identify overbillings/cost recovery and potential improvements to the contract terms and conditions for future projects.

Procedures include, but are not limited to:
• Review the contract economic terms and conditions for compliance requirements.
• Obtain job cost and perform sample testing related to the following areas: general conditions, general requirements, labor and labor burden, subcontractor costs, change orders, contingency fund.

TOP FIVE INTERNAL AUDITS OBJECTIVE AND PROCEDURES (CONTINUED)

Year: 2
Audit Unit: Purchasing Card

Objective: To assess whether the system of internal controls is adequate and appropriate for promoting and encouraging consistent application of management’s objectives for compliance with policies and procedures, and local and Florida Statutes, as applicable.

Procedures include, but are not limited to:
• Assess cardholder set-up and maintenance.
• Review monthly reconciliations and related support.
• Analyze general monitoring of the program.
• Perform data analysis using CRI computer assisted techniques to identify potential split transactions and other significant spending patterns and anomalies.

TOP FIVE INTERNAL AUDITS OBJECTIVE AND PROCEDURES (CONTINUED)

Year: 3
Audit Unit: Follow-up Audits

Objective: To assess whether management properly implemented the agreed-upon action plan for previous audits (by previous internal auditors, and internal audits performed by CRI).

Procedures include, but are not limited to:
• Conduct interviews of relevant management and staff.
• Perform sample testing – controls, compliance and substantive.
• Review relevant source documentation to ensure recommendations were properly implemented.

TOP FIVE INTERNAL AUDITS OBJECTIVE AND PROCEDURES (CONTINUED)

Year: 4
Audit Unit: Payroll / Timekeeping

Objective: To assess whether the system of internal controls is adequate and appropriate for promoting and encouraging consistent application of management’s objectives for compliance with policies and procedures, and local and Florida Statutes, as applicable.

Procedures include, but are not limited to:
• Validate employee pay rates and deductions.
• Review timesheet processing – including proper review and approval, especially overtime.

TOP FIVE INTERNAL AUDITS OBJECTIVE AND PROCEDURES (CONTINUED)

Year: 5
Audit Unit: Asset Management

Objective: To assess whether the system of internal controls is adequate and appropriate for promoting and encouraging consistent application of management’s objectives for compliance with policies and procedures, and local and Florida Statutes, as applicable.

Procedures include, but are not limited to:
• Validate proper maintenance of property records.
• Review for proper tagging and capitalization of additions.
• Review for proper tracking and recording of dispositions (including surplus property).
• Verify performance of annual physical inventories.

INTERNAL AUDIT APPROACH – INDIVIDUAL AUDITS

Phase 1: Understanding and documenting the process

Purpose: To document our understanding of the process to identify risk, compliance or other concerns that would affect the timing and extent of our testing in Phase 2.

Key steps include, but are not limited to:
• Hold entrance conference with key management and personnel to discuss the scope and objectives, obtain preliminary data, and establish working arrangements.
• Request any relevant City policies and procedures, organization charts, federal and state statutes, etc.
• Conduct facilitated sessions / interviews with key personnel; document the process, the internal controls and process owners’ respective roles.

INTERNAL AUDIT APPROACH – INDIVIDUAL AUDITS

Phase 2: Detailed Testing

Purpose: To perform testing procedures based on our understanding of the processes and internal control structure, City policies and procedures, ordinances, and Federal and Florida Statutes, as applicable.

Key steps include, but are not limited to:
• Determine the extent of our detailed testing based on the overall risk assessment and our specific understanding of the processes and related controls identified during Phase 1
• Perform various types of sampling techniques and data analytics in our internal controls and compliance testing
• Vet the preliminary results with the process owners and management to verify accuracy and completeness of results

INTERNAL AUDIT APPROACH – INDIVIDUAL AUDITS

Phase 3: Reporting

Purpose: To report the results of our procedures to management and ultimately to the Board of Commissioners for their review, approval and implementation.

Key steps include, but are not limited to:
• Draft report to document our understanding of the process / function being audited and summarize our findings
• Conduct an exit conference with management as the final vetting process to confirm the accuracy and completeness of our observations and recommended actions
• Incorporate management’s responses into our report
• Prepare our report and related findings and provide copies to appropriate City personnel
• Bind and present report to the Board of City Commissioners

Appendix A Risk Assessment Questionnaire

Department/Area Name: __________________________________
This Department Reports to: _______________________________
Person completing survey: _________________________________

Briefly describe the department or area, its major activities and functions.

Critical Measures:

Current Number of FTEs employed in the department: ______

Last Three Years Total Budget Amount (All Accounts):

                                                FY 2015-16   FY 2016-17*   FY 2017-18
Total Budget
Operating Budget (Total Budget minus Payroll)

* Actual to date

Revenues and Assets

Does the Department/Area have revenues (funds or receipts not provided as part of the budget appropriation process – cash, check, credit card, etc.)? If so, please give the approximate yearly amount.
_____ Yes. Description: Approximate Amount:
_____ No.


Does the Department/Area have a Petty Cash Fund? If so, what is the amount and purpose of the fund?
_____ Yes. Amount: Purpose:
_____ No.

Does the Department/Area have inventories of any kind? If so, please describe the inventory in general terms and give an approximate value.
_____ Yes. Description: Approximate Amount:
_____ No.

Does the Department currently have grants?
_____ Yes. List of Grants:
_____ No.

***********************************

For the remainder of the questions, please check whichever alternative best describes your department (1,2, or 3).

Growth of Auditable Unit Indicate whether there has been growth in your department in numbers of activities or budget during the past 12 months.

_____ 1. The unit has experienced no growth or has shrunk in size.

_____ 2. The unit has experienced less than 10% growth.

_____ 3. The unit has experienced more than 10% growth.

Policies and Procedures In regard to departmental policies and detailed procedures to support the policies, indicate whether:

_____ 1. Policies have been in place for over three years, with no major changes made. Written procedures which support the policies are in place.

_____ 2. Policies are in place; however, employees are not always familiar with the policies and adherence to procedures is not always enforced.

_____ 3. No written policies are in place.

Regulation/Compliance To what extent is your department/area governed or impacted by Federal or State regulation?

_____ 1. Department is not affected or is minimally affected by Federal and/or State regulations.

_____ 2. Department is moderately affected by Federal and/or State regulations.

_____ 3. Department is heavily regulated by Federal and/or State regulations.

Information Technology Changes What level of impact does Information Technology (IT) have on your department?

_____ 1. There have been no new IT changes during the past 12 months and/or IT has little impact on this department.

_____ 2. Some changes have been made to the IT environment and/or IT significantly affects this function.

_____ 3. The IT environment has changed or been replaced. The IT environment affects nearly all aspects of this function.

Departmental Changes Have there been any significant changes in staff size, funding, functions, systems, key positions and/or responsibilities of the department which might create problems?

_____ 1. No significant changes have occurred during the last 3 years.

_____ 2. Funding, staffing and/or responsibilities have changed moderately during the last 3 years.

_____ 3. Continuous and large-scale changes have been made to the department.

Management/Employee Turnover Regarding management or employment turnover in your department during the past 3 years:

_____ 1. No turnover in key management or staff.

_____ 2. Limited turnover in key management or staff.

_____ 3. Major turnover in key management or staff.

Quality of Management How would you rate your department’s management skills:

_____ 1. Management is able to be responsive and copes successfully with existing and foreseeable problems. As issues arise, they are immediately addressed and corrected.

_____ 2. Management is not always able to be responsive to issues as they arise but generally has a satisfactory record of performance.

_____ 3. Management frequently is not able to be responsive to issues that arise, for whatever reason.

Management Override To what degree can management of this department supersede the policies established for this particular activity?

_____ 1. Complete inability to circumvent controls.

_____ 2. Capability to override some controls without detection.

_____ 3. Capability to override the majority or all of the controls without detection.

Training Please indicate the status of training in your department.

_____ 1. Training is provided at least annually to all applicable employees, and there are discussions with employees to confirm that training is adequate.

_____ 2. Some training is being provided to applicable employees; however, additional training is needed.

_____ 3. Very little training is being provided, and what is provided is not effective.

Date of Last Audit When was the last time that your department was reviewed by either internal audit or external auditors as part of the financial audit or A-133 audit?

_____ 1. Reviewed by either internal or external auditor within the last 2 years.

_____ 2. Last review by internal or external auditors was conducted within 3 to 5 years ago.

_____ 3. Last review by internal or external auditors was completed over 5 years ago.

Controls and Prior Exceptions If your department had either an internal audit or was part of the external audit, what kind of findings or exceptions were there?

_____ 1. Only minor exceptions were noted in the department’s activities and they have been addressed.

_____ 2. Some minor to moderate exceptions have occurred causing some control concerns.

_____ 3. Significant exceptions have been revealed during past audits.

Degree of Dependence Describe the number of organization units supported by the department:

_____ 1. The department/area does not serve other organizational units, or at most one other organization unit. Department is mostly self-contained.

_____ 2. Department serves limited informational needs of several dependent organizations within the entity.

_____ 3. Department meets full and very complex informational needs of numerous dependent organizations within the entity.

Impact of Inaccurate Data What would be the relative effect of inaccurate data to the department’s capability to provide internal or external service?

_____ 1. Incorrect or inaccurate information generated by the department would have little or no impact on the operations of the entity.

_____ 2. Incorrect or inaccurate information generated by the department has a moderate impact on the operations of the entity.

_____ 3. Incorrect or inaccurate information generated by the department activity has a serious impact on the operations of the entity.


Degree of Confidentiality What is the degree of confidentiality of the information produced or handled by the department?

_____ 1. Information produced by the department is not confidential and is generally available to the public, the release of which would not result in any potential loss or embarrassment to the City.

_____ 2. Information produced by the department is available to designated employees of the City in connection with their jobs. Release to the public or to an unauthorized entity could result in minor financial loss or moderate embarrassment or violation of an individual’s privacy.

_____ 3. Information produced by the department requires protection against unauthorized or premature disclosure. Such disclosure could result in serious loss or embarrassment or could adversely affect the department, the City or the subject of the information.

Instances of Abuse Have there been any instances of fraud, computer abuse, or data loss for this department?

_____ 1. No instances of "known" fraud, computer abuse or loss of data have occurred during the last 24 months. Internal controls are in place and effective.

_____ 2. Instances of "known" fraud, computer abuse or loss of data have occurred during the last 24 months. Internal controls that were lacking have been installed and are being monitored for effectiveness.

_____ 3. Instances of "known" fraud, computer abuse or loss of data have occurred during the last 24 months. Internal controls have not been strengthened.

Desirability of Inventory Do you have any departmental inventory (not fixed assets or equipment) or specialized inventory such as controlled substances, hazardous wastes, or precious metals?

_____ 1. Inventories are valued at low dollar amounts and do not include specialized items or no inventory.

_____ 2. Inventories are at relatively moderate dollar amounts and do not include specialized items.

_____ 3. Inventories are valued at high dollar amounts or include specialized items, such as hazardous wastes. (Please indicate which.)

Complexity of Operations Are assignments or transactions managed by your department inherently complex? Do assignments or transactions require a significant amount of time or number of steps to complete? Are work tasks difficult, requiring a high degree of interpersonal coordination and/or extensive training?

_____ 1. The department's/area's operations are relatively simple.

_____ 2. Assignments or transactions require several persons or steps, are somewhat time consuming, and require moderate training.

_____ 3. Assignments or transactions require several persons or steps, are very time consuming, and require extensive training.

Interest to Outside Parties Do you routinely have communication with outside parties such as: legislators, news media, citizen groups, or agency personnel?

_____ 1. Outside parties have shown no or very little interest in the area.

_____ 2. Outside parties have shown a moderate interest in the area.

_____ 3. Outside parties have shown a major interest in the area.

Handling of Cash To what extent does your department handle cash?

_____ 1. Does not handle any cash, checks, or credit card payments.

_____ 2. There is limited activity with cash, checks or credit card receipts or potential for access to them.

_____ 3. The handling of cash, checks, and credit card payments is a major part of the department’s responsibilities.

Do you have any specific areas of issue/concern that you would like to discuss with Internal Audit?
