INTERNAL AUDIT SERVICES PLAN FY2011

Transcription

1 INTERNAL AUDIT SERVICES PLAN FY20 Capital Metropolitan Transportation Authority FY20 Audit Services Plan Page of 9

2 MEMORANDUM TO: CC: FROM: Frank Fernandez Chair, Planning, Finance & Audit Committee Ann Stafford, Member, Planning, Finance & Audit Committee John Langmore, Member, Planning, Finance & Audit Committee Justine Blackmore-Hlista, Member, Planning, Finance & Audit Committee Linda Watson, President/CEO Caroline Beyer, CPA, CISA VP, Internal Audit DATE: December 7, 200 SUBJECT: FY20 Capital Metro Internal Audit Services Plan Audit Services Plan Development & Update Internal Audit Plan projects are identified by using a risk assessment process which considers input received from Capital Metro management/staff as well as the Authority s external financial auditor. Input from the Capital Metro Board members is also being solicited. In addition, prior external consultant / audit reports, operating, and capital budgets were reviewed to help ensure potential risk and opportunity areas were identified. Leading practices used by the audit team when developing the FY20 Internal Audit plan include the following: o Link auditable areas to Capital Metro organizational structure, budget, and strategic plan o Normalize diverse auditable areas using pre-defined common risk and success factors o Utilize participation and consensus of the internal audit team to identify auditable areas and relative risks o Obtain input on risks from selected management and staff while maintaining ownership of the risk assessment o Compile an integrated risk assessment for functional and IT-related auditable units A formal risk-opportunity assessment of potential audit activities was performed using available information and feedback received from key stakeholders. The factors used to evaluate risks and opportunities for the Capital Metro audit universe are listed in Appendix A. The Internal Audit Services Plan is reviewed and updated at least annually, or as needed. All proposed future revisions to the Audit Services Plan are presented first to the Finance & Audit Committee, then to the full Board for its approval. Given that FY20 will likely be a year of significant change, it is likely that the FY20 plan will be modified to reflect changes in organizational risk. Alternatively (or in addition to amendments) substitute projects have also been identified which can be performed in lieu of the originally approved audits. These are Capital Metropolitan Transportation Authority FY20 Audit Services Plan Page 2 of 9

3 shown on page 6. Alternate projects are included as they provide flexibility in scheduling and substituting projects, e.g., as risk factors change. Details of Audit Time Approximately 2,400 hours are estimated to be available during FY20 for new audit projects. This estimate is based upon actual time previously spent on direct audit projects, management assistance projects, less release and administrative time (e.g., recurring Capital Metro meetings, employee professional education, training, etc.). In addition to new projects, the plan highlights some of the other direct audit or client-related projects which are estimated (based upon historical averages) to require at least,850 hours of Internal Audit time during FY20. Internal Audit Resources / Acceptable Level of Risk It is the governing board s responsibility to conclude whether internal audit resources are adequate to address identified risks. The approved FY20 operating budget is $280,005, which is percent less than the FY200 department operational budget. 2 This budget continues to fund the same staffing level as FY200 - three full time auditor positions. In addition (depending upon availability), it is Internal Audit s goal to continue to sponsor a team of accounting interns from the UT McCombs School Master s of Accounting program during their spring semester. Ultimately, Internal Audit cannot address every known risk area. It is important for the Board of Directors to recognize and accept limitations on audit coverage and attendant risks for areas not audited. For FY20, our budgeted resources will allow Internal Audit to address some, but not all, areas identified with highest risk (e.g., cumulative risk assessment score of six or more). We believe that the proposed FY20 projects allocates available resources to the most important priorities and risks of the agency while allowing flexibility to address other risk areas that may become known during the year, e.g., by identifying alternate projects. The proposed audit projects for the FY20 period along with the estimated number of required hours are summarized in the following table. Please note although the estimated required resources is slightly more that than available resources, it is a close match. The Board s input and direction regarding the Internal Audit resources, funding and proposed projects are critical to ensuring your comfort with existing governance, control, and accountability practices. auditors x 2,080hrs = 6,240 hrs-- less: leave (766 hrs), CPE (50 hrs), 5% admin (96 hrs), Board related (40 hrs) = 4,248 hrs. Reconcile: New audit projects (2,400) + other direct audit / client related project (,850) = 4,250 hrs. 2 However, Internal Audit s operating budget represents.7% of the Authority s FY20 approved operating budget which is materially consistent with FY200 (.9%). Capital Metropolitan Transportation Authority FY20 Audit Services Plan Page of 9

4 Potential FY20 Internal Audit Projects MetroRapid (aka Bus Rapid Transit or BRT) Implementation Project Monitoring (Strategic Objectives: 2, 9, 0, 2) Est. Hours 200 o Largest ($48 million), most visible capital project. Project cuts across multiple departments, which increases inherent risk. First Transit FRS Services Contract Administration and Oversight (Strategic Objectives: 7, 8, 0, 5) 400 o Contract Mgmt Plans (CMPs) are a key control to monitor compliance and ensure contractor accountability. IT Governance Review (Strategic Objectives: 8, 0,, 2) 600 o IT governance is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization s IT sustains and extends the organization s strategies and objectives. o Professional IIA auditing standard 20.A: The internal audit activity must asses whether the information technology governance of the organization supports the organization s strategies and objectives. Small & Micro purchases (including procurement-cards) (Strategic Objectives: 4, 8) 600 o Estimated over $7 million in FY20 on small/micro purchases. In FY200, these accounted for about 6% of all contract spending. Space Planning & Property Management (Strategic Objectives: 4, 8) 700 o Property Management (PM) includes processes associated with managing buildings and land allotments owned, rented or leased by the organization, and of acquiring, constructing, fittingout, managing, maintaining, protecting and disposing of real property. It also includes energy and environmental management controls. The Property Management Department serves as the central area for maintenance, repair, general upkeep and overall management responsibilities for all Capital Metro bus stops, Park and Rides, Transit Centers, and Rail Stations. Subtotal Recommended FY20 audit projects 2,500 Capital Metropolitan Transportation Authority FY20 Audit Services Plan Page 4 of 9

5 Other direct audit-/client-related projects and initiatives:,850+ o Two (Fall /Spring) semi-annual implementation status reports (400+ hrs.) At the Audit Committee s request, this would include expanded procedures for monitoring the implementation status of Metro Access policy changes. o Mandatory external Quality Assurance Review (QAR) and possible participation on reciprocal QAR team (American Public Transportation Association or State Agency Internal Audit Forum) A QAR represents an audit of the auditors. (20 hrs.) o Client assistance and consultation (e.g., Policy Committee, technical advisor on contract procurements, petty cash audits, etc.) (425 hrs.) o Sunset Steering Committee and implementation status monitoring (50+ hours) o Enhanced governance role: Interim Ethics Officer, responding to Fraud Hotline and ethics system complaints, develop and present annual ethics/fraud-prevention training to Capital Metro and StarTran staff, Management inquiries or reviews/fraud investigations, overall governance assessment (90 hrs.) o McCombs School of Business intern guidance and oversight (60 hrs.) o Completion of FY200 Rail and Revenue Audits (450 hrs.) o FY20 Audit Services Plan interim adjustments & development of FY202 Audit Services Plan (55 hrs.) Total estimated direct audit/client related hours 4,50+ Total estimated available hours 4,250 Alternate / Substitute Audit Projects: Est. Hours Due to potential for significant organizational changes (which can impact risk) the Audit Services plan can be amended. Also, alternate projects may be substituted or performed with the approval of the Finance & Audit Committee. Proposed alternate projects include: Organizational risk monitoring & management (Strategic Objectives: 4, 8) o Professional auditing standards requirement (IIA Std 220): Internal Audit must evaluate the effectiveness and contribute to the improvement of the risk management process. Veolia FRS Services Contract Audit (Strategic Objectives: 7, 8, 0, 5) o Stand-alone audit for oversight of purchased service providers, including compliance and effectiveness of the Contract Management Plan (CMP) plan. General Contract Management Plan (CMP) compliance & effectiveness (Strategic Objectives: 8, 5) o An audit of a judgmental sample of contract CMPs for smaller contracts with less financial risk. Purpose would be to obtain coverage in contracts that, due to size/scope/risk, would not be individually audited. Project size would be impacted by the number of contracts reviewed Capital Metropolitan Transportation Authority FY20 Audit Services Plan Page 5 of 9

6 Appendix A: Risk/Opportunity Factor Definitions & Weighting RISK FACTORS: Service Delivery Risk: 0% (Impact on customers/community, stakeholders - public, internal, legislature, degree of reliance on vendors, etc. Alignment with / ability to impact on CapMetro Route 2025 strategic goals.) 4 Significant citizen/customer hardship such as a delay in / poor quality / inconsistent / no services or loss of significant assets, such as large amounts of cash; or significant loss potential. Has ability to impact multiple Route 2025 strategic objectives 2 Erroneous management decision; lost opportunities for efficiency and effectiveness; not aligned with CapMetro s strategies, goals and/or objectives 0 Nominal, if any, impact on any Route 2025 strategic objectives Sensitivity Risk: 25% (Degree of interest exhibited by public, legislature, press, industry, and/or Executive Management, Potential for customer dissatisfaction, negative publicity, and/or damage to CapMetro reputation / public image.) 4 Significant issue sensitivity by the Board, Community, Industry, and/or oversight entities. 2 Moderate issue sensitivity by Board, Community, Industry, and/or oversight entities. 0 Little or no issue sensitivity exists Change Risk: 5% (Volatility of operations; degree of pioneering or newness; organizational, operational, and/or technical changes; e.g., a division or operation that experiences a significant change in staff size, turnover, funding, and/or responsibility is potentially vulnerable to problems) 4 Significant changes in staff, funding, systems, and/or responsibilities within last 8 months 2 Moderate changes within past 8 months 0 No significant changes in past 8 months Capital Metropolitan Transportation Authority FY20 Audit Services Plan Page 6 of 9

7 Coverage Risk / Quality of Known Controls / Fraud Risk: 20% (Knowledge of existing risk mitigation controls. [For IS/data systems, controls should exist to ensure data integrity (e.g. (accuracy / completeness. Information/data systems should process information in a secure, reliable and accurate manner.] This factor also considers prior audits or reviews by Internal Audit and External Groups (KPMG, consultants, FTA, FRA, etc). 4 No review or very limited reviews performed and/or Insignificant or no assurance that existing controls for the specific operation aid in mitigating business/ operational risk and/or high risk of fraudulent or inappropriate activity. 2 Reviewed within last two years, no significant recommendations and/or Moderate assurance that existing controls for the specific operation aid in mitigating business risk and/or moderate risk of fraudulent or inappropriate activity. 0 Reviewed within last 2 months and/or significant assurance that existing controls for the specific operation aid in mitigating business risk and/or low risk of fraudulent or inappropriate activity. Financial Risk: 0% (Thresholds based on FY budgeted operating expenses of $68,22,46. However, if more significant, based on transaction volume (expenditures / revenues), liquidity, and/or capital expenditures): 4 > 4% of CapMetro Operating Budget expenses ($6,728,857) 2 2% of CapMetro Operating Budget ($,64,429) 0 <.5% of CapMetro Operating Budget ($84,07) SUCCESS FACTORS: Opportunities to Achieve Potential Operating Benefits / Improvements: 55% 4 Excellent potential for recommendations and their implementation 2 Moderate potential for recommendations and implementation 0 Minimal or no potential for recommendations or their implementation. Audit Skill/Resources/Hours: 45% (Level of expertise and estimated hours for project) 4 Audit procedures well known / small project 2 Project will require technical analysis / moderately extensive audit project 0 Outside resources must be recruited / large project Capital Metropolitan Transportation Authority FY20 Audit Services Plan Page 7 of 9

8 Appendix B: Route 2025 Strategic Objectives Request hb doc /25/08 vidurri/timbes Capital Metropolitan Transportation Authority FY20 Audit Services Plan Page 8 of 9

9 Perspective: Customers & Community Perspective: Stewardship & Sustainability Perspective: Internal Processes Perspective: People & Tools Objectives Performance Measures Strategic Initiatives Increase Value to the Community Stakeholder Survey Index Develop a Survey Task Force 2 Improve Customer Satisfaction & Loyalty Improve Environmental Stewardship 4 Improve Cost-Effectiveness 5 Increase Revenue Customer Satisfaction Survey Customer Comments via phone, web or mail, excluding comment card Comment Card available on vehicle and at other points of sale Ridership Fleet - Fuel consumption/ridership Facilities -Water usage per facility Recycle Facilities -Energy consumption per facility Cost/Revenue Hour Cost/Passenger Subsidy Per Passenger Cost per rider Sales Tax Growth Transit Operating Margin Freight Rail Cost Recovery 6 Improve Communications Internal Index 7 8 Build & Sustain Effective Strategic Partnerships Improve & Integrate Business Practices & Accountability 9 Improve Design & Allocation of Services 0 Improve Service Delivery Improve Organization Alignment 2 Improve Tools, Technology & Vehicles Increase Employee Empowerment & Ownership 4 Improve Knowledge, Skills & Abilities 5 Improve Management and Coordination of Service Providers Dollars generated and saved from new opportunities Partners' perception of CMTA Percent of work completed to plan Percentage of key/critical processes mapped Percentage of CBA's achieved desired results Percentage of Audit Recommendations implemented within the established timeframe Boardings per capita Retention of riders Service Delivery Index Customer Experience Index Employee Satisfaction Completed Initiatives Utilization of tools Value of tools Efficiency of existing tools Quality of the product Ownership Index Employee initiated changes Employee and managers' satisfaction with their own and their co-workers' KSA, training (will include all service providers) Career Growth Index Responsiveness to Customer Complaints Performance to budget/contract dollars Consistency of service delivery Create Customer Loyalty Systems Create Annual Customer Satisfaction Survey Create Customer Comment System Phase One Market Segmentation Study Create/improve a CMTA wide recycling program Identify, form and implement key environmental partnerships Develop corporate environmental policies, as well as corporate environmental strategy Implement fuel price hedging Revise Capital Budgeting process Increase fares Establish Freight Rail Business Plan Develop a strategy for sales tax growth Create Corporate Communications Plan and Policies Update Capital Metro Brand Identity Revenue Opportunities and Incentives Index Identify and map critical business processes - including project management methodology Establish project management standards and templates. Market Segmentation Study Phase II Comprehensive operational analysis Commuter Rail Activation BRT ITS Bus stop signage and information project Define standards for cleanliness, comfort, safety, security and accessibility for buses and stops Review and Improve Recognition Programs Create a forum to share, discuss, test, implement programs to increase employee satisfaction Ensure that Route 2025 System Map is implemented Develop a strategic vehicle plan Develop a strategic facilities plan Including amenities Develop a strategic technology plan Implement suggestions from Dr. Manning Human Side of Metro Training Revise New Employee Orientation Training needs and effectiveness assessment Implement tools to support "hiring for attitude Clarify Capital Metro role in operations oversight and quality assurance Operations standards development and implementation Procure and implement a process for third party performance evaluation across all providers Capital Metropolitan Transportation Authority FY20 Audit Services Plan Page 9 of 9