TEACHERS RETIREMENT BOARD

AUDITS AND RISK MANAGEMENT COMMITTEE

Item Number: 3
SUBJECT: Progress on the External Financial Auditor's Report on Internal Control - Corrective Actions
CONSENT: X
ATTACHMENT(S): 2
ACTION:
DATE OF MEETING:
INFORMATION: X
PRESENTER: Larry Jensen

PURPOSE

The purpose of this item is to provide a status report on management's progress towards implementing the recommendations included in the Independent Auditor's Report on Internal Control over Financial Reporting and the Management Letter dated October 8,

DISCUSSION

In connection with the audit of CalSTRS' financial statements for the year ended June 30, 2015, Crowe Horwath LLP (Crowe) presented an Independent Auditor's Report on Internal Control over Financial Reporting and the Management Letter to the Committee in November. During the presentation, the committee requested periodic status reports on implementing Crowe's recommendations.

The Independent Auditor's Report on Internal Control over Financial Reporting cited one finding along with three recommendations to strengthen internal controls over member data. Management reports fully implementing two of the three recommendations and continues to implement controls over the completeness of member census data and contributions received from employers. Management's actions towards implementing the recommendations between December 2015 and August 2016 are contained in Attachment 1.

Additionally, Crowe presented a Management Letter citing two findings and recommendations to enhance monitoring of financial reporting systems. Management reports fully implementing one of the recommendations and progress towards implementing the monitoring recommendations (Attachment 2).

As part of the financial statement audit for the fiscal year ending June 30, 2016, Crowe will validate management's implementation of the recommendations and report on the status of any unresolved findings at the November 2016 committee meeting.

Crowe Financial Statement Audit Recommendations
Attachment 1, Page 1

Recommendation

Recommendation 1a: Finalize a comprehensive risk/control matrix over member data which addresses both completeness and accuracy of such data. Matrix to include type of control, such as preventative, detective, segregation of duties, etc. Matrix to separately identify the applicable risk of error related to each member classification: active, inactive, or retired. Identify and, if necessary, implement internal controls which address the risk of material misstatement to the financial statements for each member classification.

Management response to recommendation

Financial Services - Management developed a risk/control matrix to document the current entity control framework and facilitate a process of continuous improvement. Over the next year, management will focus on enhancements that address the noted concerns around completeness and accuracy of member data. The responsibility for the continued update of the tool to reflect the changes in the entity control framework will reside with Enterprise Risk Management (ERM). This group will work with business areas to update the risk/control matrix to track the implementation of the recommended enhancements. For example, ERM will work with relevant business units to align the internal controls for different types of members (i.e. active, inactive, or retired, etc.). Executive oversight of enhancement of the controls and documentation within the tool will be provided through the quarterly ERM meeting.

The anticipated date to complete the recommended changes to the risk/control matrix is March 31,

Change in condition between

Financial Services: Resolved. The ERM program team was able to complete all the updates mentioned in our previous update. (We feel this finding has been resolved.)

Since then, design of further enhancements has begun to increase the usefulness of this tool for management. These enhancements focus on standardizing the characterization of the risks and controls to provide a tool that will assist in identifying any gaps in internal controls and recognizing the effectiveness of the internal controls in reducing the inherent risk. This tool will continue to evolve as the program matures.

Crowe Financial Statement Audit Recommendations
Attachment 1, Page 2

Recommendation

Recommendation 1b: Expand the structure of CalSTRS internal controls to include internal controls over the completeness of member census data received from employers. Perform timely updates to internal controls for changes in legislation, as a result of the data cleanse project and upon migration to a new pension administration solution.

Management response to recommendation

Benefit and Services and Financial Services - Management continues to expand its efforts to strengthen internal controls over the completeness of member census data independently of employers' internal control mechanisms by pursuing several major initiatives. Management is preparing legislative proposals to provide access to employer data submitted for state tax reporting and streamline employer reporting to CalSTRS. Access to employer state tax reporting information would allow CalSTRS to test for completeness of reported compensation and contributions based on historical data while not imposing additional reporting requirements on employers. Further, consolidating or simplifying employer contributions and reporting to incorporate all programs in one submission process should facilitate improved accuracy in contribution accruals, reducing the number of files that must be assessed to determine the completeness of the information received.

Management will also continue to enhance current data analyses of compensation and contribution reporting using tools recently implemented in BusinessDirect. These tools are designed to identify anomalies while reporting trends against which to compare the identified variances. Based on identified anomalies, management will work with employers to determine if reporting updates are required and develop other tools (i.e. training and communications) to address possible systemic issues already occurring as a result of employer audit findings.

The data preparation project is developing recommendations to cleanse data prior to or during conversion to the new Pension Solution. Enterprise information management (EIM) program activities continue to define strategies for ongoing maintenance of data quality.

Target Date: ongoing

Change in condition between

Benefit and Services and Financial Services: Unresolved. CalSTRS contracted with a consultant to assist in the creation of new analytical tools. We have received a tool to support calculating contributions accruals to address seasonality. In addition, CalSTRS is pursuing a legislative change to provide access to EDD payroll data for specifically identified reporting entities to ensure we receive all contributions due the System. CalSTRS is also working on a new mechanism to collect contributions for excess sick leave, establish reporting for hires and terminations and align payroll fill due dates across programs.

Crowe Financial Statement Audit Recommendations
Attachment 1, Page 3

To address historical data anomalies, management is pursuing a data quality strategy and recently procured external data strategy consulting services to develop a set of data conversion policies as a companion to current EIM initiatives. Together, the data conversion policies and EIM initiative will provide a foundation for how CalSTRS treats member data now and going forward in our new pension administration system.

Crowe Financial Statement Audit Recommendations
Attachment 1, Page 4

Recommendation

Recommendation 1c: Audit Services to incorporate into their Audit Plan testing of internal controls, especially when controls apply to multiple business units. Testing to be prioritized based upon the assessed level of risk of error for each member classification and of the participating employers.

Management response to recommendation

Audit Services and Financial Services - Finally, as various business units identify areas of risk on the risk/control matrix and through the enterprise risk management process, management will share that information with audit services so that the audit plan may be adjusted to address additional areas if appropriate.

Change in condition between

Audit Services: Resolved. Audit Services developed their annual Audit Plan by incorporating risks identified in our Enterprise Risk Management report and Strategic Plan. The Audit Plan includes an audit of internal controls over member data.

Crowe Management Letter Recommendations
Attachment 2, Page 1

Recommendations / Management response to recommendation / Change in condition between

1) Log and Account Monitoring (Repeat Finding)

Log and access monitoring should be implemented as either a manual process performed on a periodic basis or using a real-time automated alerting mechanism.

General Counsel / Information Security Office - 1a) SAP Database Security logs

CalSTRS has an active initiative to obtain and deploy a database monitoring tool to perform real-time automated alerting. Dedicated resources for maintenance, monitoring, analysis, and response are required.

General Counsel / Information Security Office: Unresolved. The database monitoring tool was implemented on June 10,

A database monitoring tool has been identified for purchase pending final architecture standards approval. A request has been submitted for an additional resource to assist with the ongoing monitoring, analysis, and response workload.

A resource has been identified and hired to complete the analysis of the SAP Database Security logs and implement the database monitoring tool. An additional resource is being identified to assist with the daily monitoring, analysis, and response.

Target Date: November 30, 2016
Target Date: June 30, 2016

Crowe Management Letter Recommendations
Attachment 2, Page 2

1) Log and Account Monitoring (Repeat Finding) (continued)

Log and access monitoring should be implemented as either a manual process performed on a periodic basis or using a real-time automated alerting mechanism.

General Counsel / Information Security Office - 1b) SAP Applications Security logs

CalSTRS has an active initiative to obtain and deploy an application security tool to perform application security assessments and real-time automated alerting. Dedicated resources for maintenance, monitoring, analysis, and response are required. A potential application security tool was identified, but failed our proof of concept evaluation.

General Counsel / Information Security Office: Unresolved. An application security tool has been identified and a request has been submitted for purchase.

A resource has been identified to complete the analysis of the SAP Application Security logs and continue the effort to identify an application security tool. The hiring process has been initiated.

The SAP Application Security logs will be manually reviewed during the interim until the application security tool is in place. A ledger will be maintained along with periodic archiving of the logs to provide supporting evidence of the review activities.

Target Date: June 30, 2016

The SAP Application Security logs will be manually reviewed during the interim until the application security tool is in place. A ledger will be maintained along with periodic archiving of the logs to provide supporting evidence of the review activities.

Target Date: September 30, 2016

Crowe Management Letter Recommendations
Attachment 2, Page 3

1) Log and Account Monitoring (Repeat Finding) (continued)

Log and access monitoring should be implemented as either a manual process performed on a periodic basis or using a real-time automated alerting mechanism.

General Counsel / Information Security Office - 1c) START and SEW Monitoring

1. START CalSTRS operating system Administrator accounts and security logs of account activity
2. SEW account administrator access for CalSTRS employees
3. START Program Change Event logs

CalSTRS has an active initiative to utilize our enterprise log management solution to process various mainframe security, activity, and program change event logs to establish automated analysis and alerting for START and SEW.

General Counsel / Information Security Office: Resolved. The efforts to process mainframe logs have been productive and automated reports and alerting have been implemented. Staff continues to fine-tune the reporting and alerting to achieve the best possible results.

Completed: May 31, 2016
Target Date: April 30, 2016

Crowe Management Letter Recommendations
Attachment 2, Page 4

2) Unfunded Commitments

The potential effect of these errors results in a misstatement of unfunded commitments in the footnotes to the financial statements; however, they have no impact on the recorded fair values of the investments or investment income.

Investments - Due to the lack of a reasonably priced tracking system, the compilation of the unfunded commitment schedule is a manual process. As a part of continuous improvement efforts, senior staff within the Investments Office will conduct an additional review of the unfunded commitment schedule to ensure that all unfunded commitment balances have been reconciled and included. This change is effective immediately and will be reflected in the September 30, 2015 unfunded commitment schedule.

Investments: Resolved in September

Additionally, CalSTRS is in the process of implementing GASB 72 - Fair Value Measurement and Application. As a part of this implementation, staff will review and update controls around unfunded commitments and capital calls.

Target Date: Full implementation by March 31, 2016

Investments and Investment Accounting: Resolved. With the assistance of Deloitte Consulting, CalSTRS implemented GASB 72 for its March 31, 2016 financial reporting and will incorporate these changes in the June 30, 2016 financial statements. As part of the implementation, Investment Accounting went through a process of reviewing and documenting each limited partnership agreement to support the required disclosures. In addition, Investment Accounting implemented an unfunded commitment roll forward analysis in September 2015 to assist in validating that the unfunded commitments as presented in the note disclosures are accurate and complete. Any variances noted are researched with assistance from Investment staff. The unfunded commitment roll forward analysis will be completed again to support the June 30, 2016 note disclosures and quarterly thereafter.