TEACHERS RETIREMENT BOARD. AUDITS AND RISK MANAGEMENT COMMITTEE Item Number: 8 CONSENT: ATTACHMENT(S): 1. DATE OF MEETING: November 2, 2017/ 15 mins

Transcription

1 TEACHERS RETIREMENT BOARD AUDITS AND RISK MANAGEMENT COMMITTEE Item Number: 8 SUBJECT: 2018 Internal Audit Plan CONSENT: ATTACHMENT(S): 1 ACTION: X INFORMATION: DATE OF MEETING: / 15 mins PRESENTER: Larry Jensen ARM 345 PURPOSE This item presents the Audit Services proposed 2018 Internal Audit Plan covering the period January 1, 2018, through December 31, Due to the change of the Audit and Risk Management (ARM) Committee scheduled meeting dates, Audit Services changed its annual Audit Plan from a fiscal year to a calendar year to better align with ARM Committee meeting dates. DISCUSSION/SUMMARY As required by the International Standards for the Professional Practice of Internal Auditing (IIA Standards), Audit Services Annual Audit Plan is presented to the ARM Committee. Audit Services conducted risk assessments of CalSTRS operations and employer payroll reporting to identify significant risks to the achievement of strategic objectives (Agenda Item 7). A key requirement of the IIA Standards is that a periodic risk-based plan should be prepared which is sufficiently flexible to reflect the changing risks and priorities of the organization. Best practices suggest the risk-based plan should outline the assignments to be carried out and their respective priorities as well as the estimated resources needed. Utilizing the audit plan, Audit Services optimizes audit resources to address critical risk coverage. Audit Services also utilizes the planning process to increase the ability to plan around business areas peak workload periods, focus on longer-term audit planning and emerging business risks, and provide greater flexibility to accommodate immediate needs of CalSTRS management and the ARM Committee. Audit Services is independent of management and provides objective assurance and consulting services designed to add value and improve CalSTRS operations. Assurance activities certainly include the traditional internal audit but also include other services. The glossary to the IIA Standards defines an assurance engagement as an objective examination of evidence for providing an independent assessment on risk management, control, or governance processes for the organization. Consistent with the IIA Standards and Audit Services Charter, the Audit Plan includes the following types of audit activities:

2 Page 2 AUDIT SERVICES INTERNAL AUDITS Conducts internal audits to assist in the accomplishment of CalSTRS objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. CONTRACT/CO-SOURCED AUDITS Contracts for the independent financial statement audit and specialized audits (e.g., investment and information technology). Services provided include facilitating the audit and assisting with development of the audit scope and objectives. EMPLOYER AUDITS Conducts audits of employer payroll reporting for compliance with Teachers' Retirement Law and the Public Employee s Pension Reform Act regarding eligible membership and creditable compensation reported to CalSTRS CONSULTING / ADVISORY SERVICES Provides advisory and related client service activities, the nature and scope of services which are agreed upon by the client and which are intended to add value and improve operations. OTHER AUDIT ACTIVITIES Conducts internal projects, such as training, risk assessments, requests for proposals, and quality improvement programs. Highlights of the Annual Audit Plan Employer Audits: MANAGEMENT & ADMINISTRATION Manages and administers Audit Services including recruitment and staff resource adjustments Based on available staff resources, Audit Services plans to conduct a total of 75 audits comprised of 55 full-scope and 20 limited scope audits, which includes five full-scope audits of charter schools. ARM 346

3 Page 3 Internal Audits: Based on available staff resources, Internal Audits plans to conduct 13 internal audits and facilitate eight external reviews related to Investments and Information Technology from January 1, 2018 through December 31, In addition, Internal Audits will utilize resources on other audit activities that include performing a comprehensive annual risk assessment, developing the annual audit plan, performing an internal quality improvement assessment, and finalizing the audit software tool upgrade and expansion. Internal audits are designed to assist the organization in achievement of its strategic goals and objectives. Thirteen specific operational areas of focus during the 2018 one-year period include the following: 1. Enterprise Risk Management 2. Internal Controls over Member Data: Employer Adjustments 3. Internal Controls over Member Data: Employer Reporting 4. Internal Controls over Member Data: Actuarial Data 5. Internal Controls over Member Data: Service Retirement Benefits 6. Internal Controls over Member Data: Creditable Compensation 7. Pension Solution Budget 8. Pension Solution Bridging Controls 9. Pension2 Review of Third-Party 10. Tax Compliance and Reporting 11. Member Service Centers 12. IRC 415 Replacement Benefit Program 13. Global Reporting Initiative - Sustainability Contract Audits: Audit Services facilitates audits conducted by external auditors for the following audits: Annual Financial Statement Audit Investment Audit Investment Performance Reporting Investment Audit Currency Management Program Investment Audit Inflation Sensitive/Infrastructure Investment Audit Securities Lending Program Investment Audit Pension Program Allocation Investment Audit Trading System Compliance Information Technology Audit Pension Solution - Data Conversion Validation Information Technology Audit Information Security Information Technology Audit BusinessDirect Consulting/Advisory Services: Audit Services provides consulting services to assist management by performing evaluations, completing audit follow up, participating in special projects, serving as witness in audit appeals, and by participating on project steering committees. Specific areas of focus include: ARM 347

4 Page 4 Appeal analysis and witness services Projects Pension Solution Steering Committee, Employer Audits Corrective Action Committee Employer Direct Reporting audits Special Projects and Management Requests External Financial Audit Management Letter Follow Up Other Audit Activities: Audit Services performs non-audit activities that support improvement and management of the office. Specific activities include: Legislative proposal review and analysis Quality improvement program Annual risk assessment and development of audit plan Audit Services Follow Up Audit Manual Updates Training on upgraded teammate audit software Continuing professional education The proposed 2018 Audit Plan will set the direction and priorities of the internal audit activities for the period beginning January 1, 2018 through December 31, 2018 consistent with the organization s goals. Implementation of this Audit Plan will result in compliance with the IIA Standards while providing executive management and the committee objective and independent assurance that appropriate controls are in place and working as intended, and employer payroll reporting complies with the Teachers Retirement Law. RECOMMENDATION Staff recommends the ARM Committee approve the 2018 Audit Plan. ATTACHMENTS Attachment Audit Plan ARM 348

5 Attachment 1 Page 1 Audit Services Audit Plan Calendar Year 2018 ARM 349

6 Professional Standards Attachment 1 Page 2 Introduction As required by Audit Services Charter and the International Standards for the Professional Practice of Internal Auditing (IIA Standards), Audit Services presents the 2018 Audit Plan to the Audits and Risk Management (ARM) Committee for approval. Audit Services Mission The mission of Audit Services is to provide independent, objective assurance and consulting services designed to add value and improve CalSTRS operations. Audit Services assists CalSTRS in accomplishing its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. To do so, Audit Services: Provides a wide range of quality, independent internal auditing services for the ARM Committee and executive management and provides consulting services for management; Performs independent assessments of the systems of risk management, internal controls, and operating efficiency guided by professional standards and using innovative approaches; Supports CalSTRS efforts to achieve its objectives through independent auditing services and consulting services; and Maintains a dynamic, team-oriented environment which encourages personal and professional growth, and challenges and rewards audit staff for reaching their full potential and excelling. Audit Organization and Charter Audit Services is independent of management and provides objective assurance and consulting services designed to add value and improve CalSTRS operations. The chief auditor reports functionally to the ARM Committee and administratively to the chief operating officer. The Internal Audit Charter authorizes Audit Services to perform auditing and consulting services, including audits of school districts and county offices of education and any employer that has employees who may perform creditable service subject to coverage by CalSTRS. It defines reporting relationships, objective and scope of audit work, and roles and responsibilities of the chief auditor. Audit Plan Scope and Development This Internal Audit Plan covers the period from January 1, 2018 through December 31, ARM 350

7 ARM 351 Attachment 1 Page 3 Our annual Audit Plan is designed to provide coverage of key risks, given the existing staff and approved budget. Audit Services completed a risk assessment for the purpose of developing this Audit Plan of CalSTRS operations and for employers, as required by the IIA Standards. The Audit Plan aligns with the CalSTRS Strategic Plan and incorporates management input, risk assessment results, and the enterprise risk management report. Proposed audits and audit objectives are designed to provide assurance that management has identified key risks, and that management is sufficiently mitigating those risks to an acceptable level. Acceptable Level of Risk Although this Internal Audit Plan contemplates a wide-ranging scope of activities, it does not provide coverage for all of CalSTRS operations or systems. Audit Services has tried to maximize the limited resources to provide reasonable coverage to the activities believed to require the most attention based on the risk assessment results. Management is responsible for determining an acceptable level of risk. Audit Plan Modification Interim changes to the Audit Plan will occur from time to time due to changes in business risks, timing of CalSTRS initiatives, and staff availability. We will report Audit Plan changes to executive management and to the ARM Committee. Amendments to the approved Audit Plan deemed to be significant (based on discussions with the executive staff and committee chair) will be submitted to the ARM Committee for approval in advance. Quality Assurance Audit Services is required to comply with the IIA Standards. The IIA Standards require an external quality assurance review every five years. The last external quality assurance review of Audit Services was performed in The audit plan provides a provision for conducting an internal quality assessment review. Reporting All audit reports are reviewed by the audit clients, CalSTRS program management (as applicable), and executive management prior to official release. This procedure helps ensure that the report is factual, accurate, and free of bias. In addition, a self-review checklist is used by Audit Services to ensure the audit reports are properly supported by sufficient audit evidence. The final audit report is signed by the chief auditor and distributed to the audit client and members if they are impacted by an audit finding. A summary of the audit report is provided to the ARM Committee. Follow-Up The IIA Standards require follow-up as part of each audit. The Internal Audit Plan includes time necessary to determine the status of resolving previous audit findings. Professional Organizations Audit Services staff are members of several professional auditing and accounting organizations. These groups are excellent sources for obtaining information on auditing, accounting, business management, and other professional issues and concerns. The audit plan anticipates staff training provided by the following organizations:

8 Association of Public Pension Fund Auditors (APPFA) Institute of Internal Auditors (IIA) American Institute of Certified Public Accountants (AICPA) Association of Government Accountants (AGA) Information Systems Audit and Control Association (ISACA) Certifications Attachment 1 Page 4 Audit Services staff have multiple certifications and/or licenses issued by sponsoring professional organizations. Audit Services staff are required to obtain Continuing Professional Education (CPE) each year to maintain their certifications and/or licenses. The CPE hours provide the audit staff with new and/or updated skills for performing audits. The audit plan anticipates staff obtaining required CPE and training. Calendar Year 2018 Audit Plan The tables on the following pages summarize the name of each project, type of project, and describe the preliminary scope of work and objectives to be performed. The scope of work and objectives will be finalized as part of each project s formal planning phase. Audit Services allocates staff resources to accomplish the following types of audit services: Audit Services Resource Allocation Project Areas Resources in hours Resources in dollars Contract Audits $3,309,000 Employer Audits 23,255 Internal Audits 7,225 Consulting / Advisory Services 2,000 Other Audit Activities 3,170 Management and Supervision of Audits and Office Administration 12,450 Total Hours 48,100 ARM 352

9 Attachment 1 Page 5 Employer Audits Title Description / Objective Hours Employer Audits 55 full-scope audits Limited Scope Audits 20 Evaluate employer payroll reporting for compliance with Teachers Retirement Law regarding eligible membership and creditable compensation reported to CalSTRS. Utilize Data Analytics to select employers that reported a high dollar amount of lump sum payments. 21,255 2,000 Internal Audits ARM 353 Title Description / Objective Hours Enterprise Risk Management Internal Controls over Member Data: Employer Adjustments Internal Controls over Member Data: Employer Reporting Internal Controls over Member Data: Actuarial Data Internal Controls over Member Data: Service Retirement Benefits Internal Controls over Member Data: Creditable Compensation Pension Solution - Budget Pension Solution Bridging Controls Assess the adequacy and effectiveness of enterprise risk management Evaluate the adequacy and effectiveness of controls over member data in employer adjustments Evaluate the adequacy and effectiveness of controls over member data in employer reporting Evaluate the adequacy and effectiveness of controls over member data used for actuarial valuations Assess the adequacy and effectiveness of controls over member data in the service retirement benefit payment process Assess the adequacy and effectiveness of controls over member data in creditable compensation Evaluate the adequacy of internal controls over the Pension Solution budget Evaluate the adequacy of controls in the bridging of Pension Solution Pension2 - Review of Assess whether Voya complies with

10 Third-Party Administrator (Voya) Tax Compliance and Reporting Member Service Centers IRC 415 Replacement Benefit Program Global Reporting Initiative - Sustainability ARM Committee and Management Requests Attachment 1 Page 6 specific provisions of the Teachers' Retirement Law and the agreement with CalSTRS. Assess compliance to Federal tax requirements and the accuracy of reporting Evaluate the adequacy of member service center operations Assess the adequacy of program administration and reporting Independent verification of value and statements in CalSTRS Sustainability Report Respond to ARM Committee and management requests for audit services Consulting / Advisory Services Title Description / Objective Hours Appeals - Audit Services Analysis and Audit Witness Services Pension Solution Special Projects and Management Requests Internal Audit and External Contracted Audit-Follow Up Develop Contract Audits External Financial Statement Audit - Corrective Action Plan Follow Up CalSTRS Project Monitoring Prepare material for administrative hearings and act as subject matter witness in audit appeals. Participate in the Pension Solutions work group as Subject Matter Expert. Direct Reporting audit requests, process improvements; assist Compensation Review Unit, and other requests. Data mining/analytics. Follow up on internal audit and external contract audit recommendations Develop project scope, evaluate requests, and manage investment and information technology audit contracts. Follow up on CalSTRS progress on the External Financial Audit Management Letter corrective action plans. Audit Services participates on various project committees and reviews project status reports ARM 354

11 Attachment 1 Page 7 Contract Audits Title Financial Statement Audit Currency Management Program Inflation Sensitive/ Infrastructure Securities Lending Program Investment Performance Reporting Trading System Compliance Pension Program Allocation Information Security BusinessDirect Functionality Pension Solution - Data Conversion Validation Description / Objective Annual audit of CalSTRS financial statements, including GASB 67 workload for the year ended June 30, 2018 Evaluate whether adequate internal controls are in place for the currency management program Evaluate whether adequate internal controls are in place for the inflation sensitive/infrastructure Evaluate whether adequate internal controls are in place for the securities lending program Evaluate State Street Bank s controls over performance, analytics, pricing, and accounting Evaluate the trading system compliance with investment policies Evaluate the adequacy and effectiveness of the pension program allocation Evaluate and verify internal controls over the information security Evaluate and verify the adequacy and effectiveness of internal controls to ensure BusinessDirect functionality Evaluate and verify internal controls over the conversion of data used in Pension Solution. Other Audit Activities Title Description / Objective Hours Legislative Analysis and Review Quality Improvement Program Audit Plan and Risk Assessment Participate on CalSTRS legislation team and provide consultation and analysis on pending legislation. Continue to conduct a Quality Improvement Program to ensure conformity with IIA Standards. Annual risk assessment for developing annual audit plan ,200 Board Document Analytics, design and review of Board 100 ARM 355

12 Development Audit Manual Update and TeamMate Champion Continuing Professional Education / Training Attachment 1 Page 8 agenda items. Audit Manual updates. Subject matter expert for TeamMate updates and issues. Obtain 40 required hours of continuing professional education per year Audit Services and Administration Title Description / Objective Hours Management and Supervision Workpaper/Audit Report Review Appeals Administrative Support Management and supervision of internal and employer audit functions and personnel. First and second management quality review of audits Prepare and review administrative hearing documents and act as subject matter witness in audit process Provide administrative support services (budget, contracts, personnel, Board documentation, report distribution, etc.). 8,302 2, ,200 Audit Staff Recruitment Staff recruitment and on-the-job training. 150 Leave Plans Staff with excess leave over maximum accrual, accrued CTO and approved leave. 180 ARM 356