FY 2019 Internal Audit Program Semi-Annual Update

Transcription

1 1/18/2019 FY 2019 Internal Audit Program Semi-Annual Update Audit Committee Item 6 January 11, 2019 Overview The SANDAG Internal Audit Program performs a variety of audit services to assist management with the evaluation and improvement of the effectiveness of its risk management, control, and governance processes The Internal Audit Staff consists of a Principal Management Internal Auditor and a part-time Senior Management Internal Auditor 2 Audit Committee Item 6 January 11,

2 1/18/2019 Key Considerations During the first six months of FY 2019, the internal auditors completed two performance audits, one follow-up to a prior audit, and currently are working on nine assignments The completed audits identified areas for operational improvements The completed follow up shows that management has made progress with corrective actions 3 Completed Assignments South Bay Expressway Toll Violations Report: August 17, 2018 Purpose Assess and validate whether SBX complies with the applicable California toll evasion violation vehicle codes; and if internal procedures are adequate to process violations in a fair and consistent manner. Overall Results The audit revealed that SBX generally complies with the applicable California vehicle codes and has adequate internal procedures in place to handle toll violation processing; however, we also noted areas for improvements. Findings SBX experienced lost revenue from its inability to process all trip transactions because of several operational factors. A significant number of out-of-state vehicles were not pursued as violators. SBX experienced a significant delay in its collection process resulting in missed opportunities for tax intercept refunds for delinquent violators. 4 Audit Committee Item 6 January 11,

3 1/18/2019 Completed Assignments South Bay Expressway Toll Violations Report: August 17, 2018 Recommendations Consider performing a comprehensive review of its overall program; Review its FTB Tax Intercept participation to determine whether current and past practices complied with applicable requirements; and Work with the Contracts team to issue a contract with a vendor to obtain outof-state registration information. Management s Response SBX agreed with our recommendations and has already implemented actions to address some of the noted issues. SBX plans to take additional actions to further strengthen its business practices. 5 Completed Assignments As-Built Plans Report: September 17, 2018 Purpose The audit assessed whether Mobility Management and Project Implementation Department was complying with applicable policies and procedures. Overall Results The audit revealed that staff and consultants did not consistently follow the applicable as-built procedures. Findings Untimely completion of final as-built plans; Lack of complete documentation; Inconsistent storage of hard and electronic copies; and No evidence that staff reviewed as-built plans to determine whether any portion of the plans should be classified as Sensitive Security Information (SSI). 6 Audit Committee Item 6 January 11,

4 1/18/2019 Completed Assignments As-Built Plans Report: September 17, 2018 Recommendations Take steps to ensure its staff understand and fully comply with the as-built procedures included in the Manual; Review and revise the Manual accordingly; and Develop a process for staff to review and document SSI as it relates to as-built plans. Management s Response MMPI agreed with our recommendations and has already implemented action to address one of the noted issues. MMPI plans to take additional actions to address the remaining issues. 7 Completed Assignments Information Technology Security Controls Follow up Audit Report: March 23, 2018 Follow-up: November 15, 2018 Purpose Follow up of actions taken by the SANDAG Operations and Administration Departments to address the recommendations contained in the performance audit Audit Results The audit revealed that SANDAG has many elements of an adequate IT security environment, but also lacks vital components that should be included in an effective agency-wide IT security program. Findings SANDAG lacks a comprehensive risk assessment program; Necessary business continuity plans are not in place; SANDAG has been slow to finalize important deliverables from a recent agency-wide privacy assessment; and The integration of SANDAG s IT governance structure can be better coordinated. 8 Audit Committee Item 6 January 11,

5 1/18/2019 Completed Assignments Information Technology Security Controls Follow up Audit Report: March 23, 2018 Follow-up: November 15, 2018 Recommendations Implement a comprehensive IT security risk assessment program; Develop necessary business continuity processes that include business continuity plans for critical IT systems; Take necessary steps to address the 16 action items; and Consider a centralized IT security governance structure. Management s Response Operations agreed with our recommendations and has already implemented actions to address some of the noted issues. Involvement of SANDAG Executive Management will be needed for the successful implementation of additional corrective actions. Follow-up Results Overall, we concluded SANDAG has made progress with implementing many of its corrective actions and should be able to implement the remaining actions by June 30, Work in Progress Performance Audits NCTD Bombardier Flagging Payments Job Order Contracting (JOC) Procurement Card/Travel Reimbursement MuniServices Cash Liquidity Collection of Receivables Follow Up Small Business Program and Labor Compliance Non-Audit Service External Peer Review (California Department of Education) Mid-Coast Project Review of DBE Payment Compliance 10 Audit Committee Item 6 January 11,

6 An action plan committed to listening to stakeholders, learning from experience, and leading continual improvement Final Report Audit Committee Item 7 January 11, 2019 An action plan committed to listening to stakeholders, learning from experience, and leading continual improvement 2 Audit Committee Item 7 January 11,

7 Implementation timeline 3 Data governance Develop and implement practices to ensure the management, accuracy, and reliability of SANDAG data Data accuracy Process transparency Department reorganization 4 Audit Committee Item 7 January 11,

8 Regional forecasting practices Implement tools and practices to improve the accuracy, reliability, dissemination, and transparency of SANDAG forecasts Develop simplified forecasting tools Use ranges to express inherent uncertainty Involve outside experts in development and review 5 Cost and revenue plans Improve communication of funding capacity, revenue projections, and project cost estimates Cost estimating and Regional Plan cost and revenue presentations Program and project status Plan of Finance for Major Corridors and Transit Operations Funding Plan 6 Audit Committee Item 7 January 11,

9 Independent performance audits Enhance operational oversight and review by establishing a Board-level audit program Board Policy No. 039: Audit Policy Advisory Committee and Audit Activities Initial meetings of the Audit Committee Recruitment of the Independent Performance Auditor 7 Records management Prepare policies, procedures, and training for SANDAG employees regarding the creation, maintenance, and retention of public records Policies revised, developed, and implemented All employees trained annually on public records management 8 Audit Committee Item 7 January 11,

10 Transparency initiatives Enhance internal and external information sharing by ensuring SANDAG communications are straightforward, easy to understand, and reach a variety of audiences Updated Board Policy No. 025: Public Participation Plan Policy Updated ethics training content Making information simpler and more accessible 9 Stakeholder communication Proactively inform member agencies, stakeholders, and the public to increase awareness of SANDAG programs and projects Report to Legislature on public transit Emphasis on outreach with/to local jurisdictions Providing more information to Board members/jurisdictions 10 Audit Committee Item 7 January 11,

11 Organization structure Conduct an independent review of department structure and staffing resources necessary for success Management consultant to start work in spring Next steps Complete implementation of final action items Continue to incorporate improvements and effective practices into SANDAG operations 12 Audit Committee Item 7 January 11,

12 An action plan committed to listening to stakeholders, learning from experience, and leading continual improvement Final Report Audit Committee Item 7 January 11, 2019 Audit Committee Item 7 January 11,