Blue Sky Initiatives January 25, 2019


Slide 1: Blue Sky Initiatives, January 25, 2019
Presented by: Robert Smythe, CIA, CISA
County of Los Angeles Department of Auditor-Controller
Audit Division, Countywide Contract Monitoring Division, Office of County Investigations

Slide 2: A catch-all phrase for a re-engineering process of our internal audit, compliance, and investigative services.
Faster - Cheaper - Better

Slide 3: Topics for Today's Presentation
I. The Legacy
II. New Audit Approach
III. Preliminary Audit Findings
IV. Assigning Priorities to Recommendations
V. Report Format Enhancements
VI. New Recommendation Follow-Up Process
VII. Management's Responsibility for Internal Controls
VIII. Surveys

Slide 4: I. The Legacy
From "That's the way we've always done it" to "That's the way we used to do it."

Slide 5: Legacy - SMEs
- Extensive research in client operations
- Auditors become subject matter experts
- Audits involving substantial sampling
- Costly: 1,000+ hours
- Time consuming; stale findings
- Client intrusive
- Subjected to client debate

Slide 6: Legacy - Management's Role
Doing management's job for them:
- Building performance information from the client's data; management should already have this information
- In the weeds: designing details of client control processes, systems, and monitoring methods

Slide 7: Legacy - Editing
- Lengthy, gold-plated narrative reports
- Extensive layers of review and editing
- Bullet-proof findings
- Editing and negotiating draft reports drags on for months

Slide 8: Legacy - Follow-ups
Infrequent follow-ups:
- Untimely: 5+ years later, and only 5-10%
- Original audit team long gone; new learning curve
- Effectively re-audits
- Rate of implementation relatively low
- Often discovering new findings
- 1,000+ hours again

Slide 9: IV. New Audit Approach
Purpose:
- Faster: maximize limited resources
- Cheaper: fewer hours reduce cost
- Better: greater audit coverage

Slide 10: Key to revised focus
Old process: sampling for compliance. Example: test computers for encryption.
New process: what management does to monitor their controls.
- DO: Assess management's methods of ensuring encryption.
- DON'T: Test a sample of computers for encryption.
No longer doing management's job for them.

Slide 11: Subject Matter Expertise
- Auditors: internal controls SMEs
- Management: process SMEs
- Conduct walk-throughs of a process to gain consensus and understanding

Slide 12: V. Management's Responsibility for Internal Controls

Slide 13: "Internal Control is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance." (Source: Institute of Internal Auditors)

Slide 14: Audit Scopes/Objectives
- Management is responsible for internal controls, thus audit objectives will be relatively narrow.
- Limiting scope creep.
- No more doing management's job for them:
  - Compiling data into useful management reports.
  - Designing procedures to address control weaknesses.

Slide 15: New Report Language (continued)
Management must monitor internal controls on an ongoing basis to ensure that any weaknesses or non-compliance are promptly identified and corrected. The Auditor-Controller's role is to assist management by performing periodic assessments of the effectiveness of the department's internal control systems. These assessments complement, but do not in any way replace, management's responsibilities over internal controls.

Slide 16: Limitations of Internal Controls
Internal controls provide reasonable, but not absolute, assurance that an organization's goals and objectives will be achieved.

Slide 17: VI. Preliminary Audit Finding (Finding Abstract)

Slide 18: Preliminary Audit Findings (PAF)
- Standardized Finding Abstract form
- Given to management during fieldwork, as soon as possible after an issue is identified
- Will contain condition and criteria
- Ask management to provide the cause, if known

Slide 19: Purpose of PAF
- Obtain management's sign-off on the PAF's condition and criteria
- Management can provide additional information or initiate corrective action(s)
- Paves the path for the exit conference

Slide 20: I. Assigning Priorities to Audit Recommendations

Slide 21: Priority Rankings
Purpose:
- Improve the Board's awareness of the most critical audit findings and recommendations.
- Highlight the relative importance of some recommendations.
- Assist management in prioritizing corrective actions.

Slide 22: Priority Ranking Titles (based on seriousness and likelihood of adverse impact)
- Priority 1: Requires immediate corrective action (90 days)
- Priority 2: Requires prompt corrective action (120 days)
- Priority 3: Requires timely corrective action (180 days)

Slide 23: Ranking Criteria - Seriousness of the Adverse Impact
- Health and safety
- Quality of services
- Achievement of program objectives
- Reputational risk
- Dollar loss
- Legal / regulatory penalty
- Financial reporting impact

Slide 24: Ranking Criteria - Likelihood of Adverse Impact
a. Policies and procedures
b. Strength of internal controls
c. Prior findings / regulatory compliance

Slide 25: Priority Ranking Heat Map
Rows: Likelihood of Adverse Impact (Very High at top, Very Low at bottom). Columns: Seriousness of Actual or Potential Impact (Very Low at left, Very High at right). "MD" = Management Discussion.

Likelihood \ Seriousness   Very Low     Low          Moderate     High         Very High
Very High                  Priority 3   Priority 2   Priority 1   Priority 1   Priority 1
High                       Priority 3   Priority 3   Priority 2   Priority 1   Priority 1
Moderate                   MD           Priority 3   Priority 2   Priority 2   Priority 1
Low                        MD           MD           Priority 3   Priority 2   Priority 2
Very Low                   MD           MD           MD           Priority 3   Priority 3

Slide 26: Prioritizing recommendations
- Determined by the Auditor-Controller with consideration of input from the auditee.
- Not a score or letter grade.

Slide 27: Prioritizing recommendations - Examples (see slide #40)
Department management:
1. Priority 1 - Immediately secure the $3,000 petty cash fund by keeping it in a locked location.
2. Priority 2 - Ensure staff verify and document eligibility prior to providing clients with gift cards or event tickets.
3. Priority 3 - Document supervisory approval of changes to computer disposal forms.

Slide 28: II. Recommendation Follow-up
a. Take less time
b. Provide more timely feedback
c. Follow up on more audit recommendations

Slide 29: Corrective Action Implementation Report (CAiR)
- Introduce the CAiR at the entrance conference.
- CAiR template goes to departments when the report is issued.
- Department must submit the completed CAiR to the A-C within six months after the report is issued.

Slide 30: Example of CAiR
The CAiR form has three column groups: "Recommendations and Original Departmental Responses to Audit Report" (No., Recommendation, Priority, Agree/Disagree, Target or Actual Implementation Date, Corrective Action); "Department's Response" (Status (1), Implementation Date, Details of Corrective Action Taken, Supporting Documentation Attached); and "Auditor-Controller Review" (A-C Comment, Status (1)). The example row reads:

Recommendations and Original Departmental Responses to Audit Report
- No.: 1
- Recommendation: Modify ecaps users' access profiles to ensure no one user can approve both purchase orders and payments.
- Priority: 2
- Agree/Disagree: Agree
- Target or Actual Implementation Date: 12/15/2016
- Corrective Action: The Department will review ecaps user roles and modify profiles to ensure no one user can approve both purchase orders and payments.

Department's Response
- Status (1): I
- Implementation Date: 12/15/2016
- Details of Corrective Action Taken: 1) On 12/1/16, sent memo to managers that assign ecaps roles reminding them of incompatible duties. 2) Modified ecaps roles so that no one person has the ability to approve both invoices and purchase orders.
- Supporting Documentation Attached: 1) (pg 1a) Copy of memo. 2) (pg 1b) Copy of ecaps security report for all procurement staff showing no staff have roles that allow them to approve both invoices and purchase orders.

Auditor-Controller Review
- A-C Comment: Confirmed that 1) memo issued 12/1/16 reminded managers not to assign incompatible duties, and 2) no department users currently have roles that allow them to approve both invoices and purchase orders.
- Status (1): I

Footnotes
(1) Indicate the status of the recommendation as follows: "I" if the department has fully implemented the recommendation; "PI" if the department has partially implemented the recommendation; "NI" if the department has not implemented the recommendation.

Slide 31: Information Provided on CAiR
Departments indicate:
- Recommendation status
- Description of corrective action
- Date of corrective action
Department attaches documentation that demonstrates the corrective action.

Slide 32: Examples of Documentation
If a new policy or procedure is recommended:
- Copy of the new or revised policy or procedure
- Copy of memo to staff outlining the expectation of adherence
- Copy of training or meeting attendance

Slide 33: Notes on Corrective Action
- CAiR is due six months after the report is issued.
- Implementation timelines still apply (90, 120, or 180 days).
- Departments submit the CAiR whether or not the recommendation is implemented. No exceptions.

Slide 34: Acceptable justifications for "not implemented"
- No longer applicable
- Alternative corrective action
- Corrective action requires a longer-term timeframe (e.g., additional funding, new technology, etc.)
- Dependent on an entity outside the department's control (e.g., legislation)
- Cost of corrective action exceeds benefits; department accepts the resulting risk

Slide 35: A-C Performs Desk Follow-up
- Review the CAiR and accompanying documentation
- Possibly conduct limited fieldwork
- Possibly request additional documentation and/or make inquiries
- Conclude whether the corrective action is responsive to the audit recommendation

Slide 36: A-C Report to Board of Supervisors
- Brief transmittal letter
- Table of the Auditor's assessment of each recommendation's status
- Reason the department gave for not implementing the recommendation timely, and proposed timeline for implementing, if applicable

Slide 37: Mock-up of Follow-up Report

Slides 38-40: Mock-up of Follow-up Report (continued; image-only slides, not transcribed)

Slide 41: Subsequent CAiR
- Applicable for any not-implemented recommendations
- 2nd CAiR is due 6 months after the 1st CAiR was submitted

Slide 42: III. Report Format Enhancements

Slides 43-46: Report format examples (image-only slides, not transcribed)

Slide 47: This is what we showed you last time as our proposed report format.

Slide 48: This is the format we implemented.

Slides 49-50: Report format examples (image-only slides, not transcribed)

Slide 51: VII. Client Satisfaction Surveys

Slide 52: Surveys
- Give client management a copy at the entrance conference.
- Provide a link to complete the survey at the end of each audit.
We appreciate your feedback!

Slide 53: Blue Sky Initiatives (Audit, CCMD, and OCI) - Faster
[Chart: sample of two IT audits, "Old" methodology vs. Blue Sky]
- 50%+ quicker turnaround time; issue audit reports more timely.
- A comparison of the old method vs. Blue Sky for two IT audits shows a 62% decrease in time from the start of the audit to report issuance.

Slide 54: Blue Sky Initiatives (Audit, CCMD, and OCI) - Cheaper
[Chart: sample of two IT audits, "Old" methodology vs. Blue Sky]
- Cut audit cost 50%+.
- Cut follow-up cost 87%.
- A comparison of two IT audits conducted using the old versus the Blue Sky methodology shows a cost reduction of 67%, a savings of $300,000.

Slide 55: Blue Sky Initiatives (Audit, CCMD, and OCI) - Better
Client-centric:
- One-page fact sheet (all reports)
- Prioritizing recommendations
Forecast:
- Provide more audit coverage.
- Timely follow-up on 100% of recommendations.

Slide 56: Audit Committee Feedback
Audit Committee members have stated that they love the new report format because it makes it easy to focus on the most important issues.

Slide 57: Thank you! probation.lacounty.gov