TEACHERS RETIREMENT BOARD. SUBJECT: Fiscal Year Audit Services External Quality Assessment Review CONSENT: ATTACHMENT(S): 1

Transcription

1 TEACHERS RETIREMENT BOARD AUDITS AND RISK MANAGEMENT COMMITTEE Item Number: 8 SUBJECT: Fiscal Year Audit Services External Quality Assessment Review CONSENT: ATTACHMENT(S): 1 ACTION: INFORMATION: X DATE OF MEETING: / 30 mins PRESENTER: Larry Jensen/ Matthew Snyder, & Jill Sylwester, KPMG PURPOSE The purpose of this item is to present the results of Audit Services external Quality Assurance Review (QAR) report dated August 18, BACKGROUND The objectives of the QAR are to assess Audit Services' conformity to the Institute of Internal Auditors (IIA), International Standards for the Professional Practice of Internal Auditing (Standards); evaluate Audit Services' efficiency and effectiveness in carrying out its mission; and identify opportunities to enhance its management and work processes, as well as its value to CalSTRS. The last QAR of Audit Services was performed in March 2011 and Audit Services received a Partial Conformance rating with IIA Standards. The following IIA Standards pertain to quality assurance and improvement programs: External Assessments "External assessments must be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organization. The chief audit executive must discuss with the board: The form and frequency of external assessment; and The qualifications and independence of the external assessor or assessment team, including any potential conflict of interest Reporting on the Quality Assurance and Improvement Program "The chief audit executive must communicate the results of the quality assurance and improvement program to senior management and the board Use of Conforms with the International Standards for the Professional Practice of Internal Auditing ARM 116

2 Audits and Risk Management Committee Item 8 Page 2 The chief audit executive may state that the internal audit activity conforms with the International Standards for the Professional Practice of Internal Auditing only if the results of the quality assurance and improvement program support this statement Disclosure of Nonconformance When nonconformance with the Definition of Internal Auditing, the Code of Ethics, or the Standards impacts the overall scope or operation of the internal audit activity, the chief audit executive must disclose the nonconformance and the impact to senior management and the board. DISCUSSION The approved Audit Plan for FY included an externally contracted QAR. KPMG was engaged to perform a QAR of Audit Services to determine the extent of conformance with IIA Standards and alignment with internal audit leading practices. KPMG has determined that Based on the work performed and the information obtained, we believe that Audit Services generally conforms with the IIA Standards promulgated by the Institute of Internal Auditors. Significant improvements have been made to address areas of deficiency noted in the 2011 Quality Assessment Review. While this report recommends areas of improvement, items noted do not rise to the level of non-conformance with the IIA standards. Audit Services Response: Audit Services appreciates the thorough review conducted by KPMG and concurs with the areas of improvement noted in the QAR. Audit Services will develop a plan to implement the opportunities for improvement outlined in the QAR. The plan will be brought back to the committee for approval at a subsequent meeting along with periodic updates on progress towards implementing the recommendations. Members of the KPMG team will present the Quality Assurance Review of CalSTRS Audit Services Report () to the committee. ARM 117

3 Page 1 Quality Assurance Review of CalSTRS Audit Services Final Report August 18, 2016 ARM 118

4 Page 2 Project Overview Scope and Approach KPMG s Quality Assurance Review Methodology Executive Summary Appendices 1. List of Documents Reviewed 2. Listing of Workpapers Reviewed 3. Audit Services Team Members and Stakeholders Interviewed 4. Status of 2011 QAR Observations Conformity with IIA Standards Alignment with Internal Audit Leading Practices Detailed Report Conformity with IIA Standards Summary of Conformity with IIA Standards Recommended Enhancements to Better Conform to IIA Standards Leading Practice Observations and Recommendations Positioning People Process ARM 119

5 Page 3 Scope and Approach KPMG LLP ( KPMG ) was engaged to perform an assessment of California State Teachers Retirement System s (CalSTRS) Audit Services conformity with the Institute of Internal Auditors International Standards for the Professional Practice of Internal Auditing ( IIA Standards ). The scope also included an assessment of the positioning, people, and processes of Audit Services within CalSTRS against leading practices. KPMG conducted on-site fieldwork at the Audit Services West Sacramento location. Our approach included the following procedures: Data Collection and Review Interviews with Audit Services leadership we interviewed the Chief Auditor as well as the Chief Operating Officer, and the Manager of Audit Services. Refer to Appendix 3 for a listing of interviewees. Stakeholder interviews we conducted interviews with 12 business stakeholders, including members of the Audits and Risk Committee, select members of executive management, and CalSTRS external auditors. Refer to Appendix 3 for a listing of stakeholder interviewees. Policy and practices review - we reviewed information made available by Audit Services, including policies and procedures, risk assessment, and audit methodology documentation and the quality assurance (QA) program. Audit workpaper review we reviewed a sample of employer and internal audit workpapers and reports. Refer to Appendix 2 for a listing of audit workpapers reviewed. Reporting Final report we summarized the results of our assessment, including detailed observations and recommendations with respect to the IIA Standards and internal audit leading practices. KPMG s Strategic Performance Review of Internal Audit Methodology In performing the external assessment of AS, we have utilized our proprietary methodology, referred to as K SPRint KPMG s Strategic Performance Review of Internal Audit. Our methodology goes beyond a checklist review and involves comparing an Internal Audit Department s operations to the IIA Standards and internal audit leading practices. These leading practices have been derived from our extensive knowledge and experience across various industries and in certain cases our experience working with various regulatory bodies. These practices are not static and evolve as the environment changes and as our own experience and perception of the requirements advance. Our leading practices are categorized by the three components of an effective Internal Audit function: the positioning of the Internal Audit Department within the organization and with its stakeholders; people aspects, including competencies and development, and process, including risk assessment, planning, execution of audits, and reporting and follow up. It is our belief that the leading practices against which we have assessed AS are appropriate, realistic and achievable for your Company. Assessment IIA Standards we compared Audit Services practices to the IIA Standards. Internal Audit leading practice we compared Audit Services practices against our understanding of other leading practices in Internal Audit functions. ARM 120

6 Page 4 The focus of KPMG s assessment was on CalSTRS Audit Services conformance with the IIA Standards and its alignment with internal audit leading practices. Our overall conclusions and recommendations are summarized in this section and detailed in the remainder of this report. Conformity with IIA Standards Based on the work performed and the information obtained, we believe that Audit Services generally conforms with the IIA Standards promulgated by the Institute of Internal Auditors. Significant improvements have been made to address areas of deficiency noted in the 2011 Quality Assessment Review. While this report recommends several areas of improvement, items noted do not rise to the level of non-conformance with the IIA standards. This service, and our report, is not intended to and does not comply with American Institute of Certified Public Accountants (AICPA) Consulting Standards professional standards, pursuant to Statements on Auditing Standards, Statements on Standards for Accounting and Review Services or Statements on Standards for Attestation Services. Our procedures and report conform to American Institute of Certified Public Accountants (AICPA) Consulting Standards and therefore does not include an opinion as promulgated by the Institute of Internal Auditors Quality Assessment guidelines. The use of the report is solely for internal purposes by the management and Board of Directors of California State Teachers Retirement System and pursuant to the terms of the engagement, it should not be distributed outside of California State Teachers Retirement System other than to the external auditor as requested. In the lexicon of the IIA Standards, "generally conforms" means that Internal Audit activity has a charter, policies, and processes that are judged to be in accordance with the IIA Standards, with some opportunities for improvement, as discussed in Appendix 1. "Partially conforms" means deficiencies in practice are noted that are judged to deviate from the IIA Standards, but these deficiencies did not preclude the Internal Audit activity from performing its responsibilities. "Does not conform" means deficiencies in practice are judged to be so significant as to seriously impair or preclude the Internal Audit activity from performing adequately in all or in significant areas of its responsibilities. As provided in Section 1300 of the IIA Standards, this report is prepared for the use of the Chief Auditor in support of the quality assurance program for Audit Services. The quality assurance program should include periodic internal and external assessments as well as Audit Services ongoing monitoring to assist the Chief Auditor in his assessment of Audit Services conformity with the IIA Standards. This report and detailed results attached are intended solely for the information and use of management and the Board of Directors and is not intended to be and should not be used by anyone other than these specified parties. ARM 121

7 Page 5 Alignment with Internal Audit Leading Practices A leading Internal Audit function is more than a compliance function. It should: Provide quality challenge and trends in risks and controls. Be characterized by strong relationships at the highest levels and viewed as valueadded partner. Consist of highly skilled and diverse professionals who are able to think critically and provide quality coverage of business risks. Have robust processes to develop its people and the appropriate level of specialization to understand the complexities of the businesses. Have leading practice processes to support its mission and continuously assess them against the changing internal and external environment. In carrying out our assessment, we have compared Audit Services to other Internal Audit Departments of similar size and to KPMG s understanding of leading Internal Audit practices. Strengths and opportunities identified during the review are summarized below and are discussed in more detail within the body of the report: Strengths: Role in Governance - CalSTRS demonstrates a strong Governance structure and culture, including support for the role of Audit Services Experience of the Chief Auditor Audit Services stakeholders expressed confidence in the leadership and industry experience of the Chief Auditor and his understanding of the business. Additionally, stakeholders noted improvement in the number of audits completed and increased ability to complete the audit. reporting process, including enhancements to employer audit reports, ARM reporting and audit finding tracking and monitoring. Opportunities for Improvement: Audit Staff Proficiency Stakeholders of Audit Services noted increased competency of staff supporting internal audits as the primary opportunity for improvement, indicating that increased business acumen and assessment of business risk are needed to increase the value and impact of audits. Communication For internal audits, stakeholders indicated a desire for improved communications with audit staff during planning, fieldwork and the reporting process. Technology-Enabled Auditing As CalSTRS implements the new IT platform, Audit Services will have the opportunity to increase the use of data analytics to the risk assessment, planning, and audit testing processes. The following pages include the detailed results of our assessment. It is broken down into two sections: IIA Standards and Leading Practices. The Leading Practices Section is categorized by the three components of an Internal Audit function: positioning, people, and process. For each of these categories, we included the key practices of a leading Internal Audit function as well our assessment of California State Teachers Retirement System s strengths and recommendations. Reporting Management and members of the Audits and Risk Management Committee have a positive view of the audit ARM 122

8 Page 6 Detailed Report ARM 123

9 Page 7 Rating Standard Number Standard Rating Standard Number Standard 1000 Purpose, Authority, and Responsibility 1010 Recognition of the Definition of Internal Auditing [ in the Charter] 1100 Independence and Objectivity 1110 Organizational Independence 1111 Direct Interaction with the Board 1120 Individual Objectivity 1130 Impairments to Independence or Objectivity 1200 Proficiency and Due Professional Care 1210 Proficiency 1220 Due Professional Care 1230 Continuing Professional Development 1300 Quality Assurance and Improvement Program 1310 Requirements of the Quality Assurance and Improvement Program 1311 Internal Assessments 1312 External Assessments 1320 Reporting on the Quality Assurance and Improvement Program 1321 Use of Conforms with the [Standards] 1322 Disclosure of Nonconformance 2000 Managing the Internal Audit Activity 2010 Planning 2020 Communication and Approval 2030 Resource Management 2040 Policies and Procedures 2120 Risk Management 2130 Control 2200 Engagement Planning 2201 Planning Considerations 2210 Engagement Objectives 2220 Engagement Scope 2230 Engagement Resource Allocation 2240 Engagement Work Program 2300 Performing the Engagement 2310 Identifying Information 2320 Analysis and Evaluation 2330 Documenting Information 2340 Engagement Supervision 2400 Communicating Results 2410 Criteria for Communicating 2420 Quality of Communications 2421 Errors and Omissions 2430 Use of Conducted in Conformance with the [Standards] 2431 Engagement Disclosure of Nonconformance 2440 Disseminating Results 2450 Overall Opinions 2500 Monitoring Progress 2600 Resolution of Management's Acceptance of Risks 2050 Coordination 2060 Reporting to Senior Management and the Board 2070 External Service Provider and Organizational Responsibility [ for IA] 2100 Nature of Work 2110 Governance Rating Key N/A Generally conforms Partially conforms Does not conform Standard was not applicable to the Department or instance did not arise ARM 124

10 Page 8 The following items were noted as improvement opportunities during review of selected audit engagements. Although noted as exceptions, these items were deemed to not rise to the level of non-conformance with the IIA Standards. Recommendations are presented for management s consideration. Implementation decisions regarding the recommended course of action are the responsibility of Audit Services management. Observation 2200 Engagement Planning - During review of selected audit engagement work papers it was noted that results from the internal planning meeting(s) conducted were not formally documented. Recommendation Engagement Planning does not explicitly require an internal team planning meeting, however a meeting is recommended in order to ensure all planning considerations are addressed amongst team members. Audit Services should consider formally documenting the internal planning meeting and including the documentation in the audit work papers Engagement Planning - During review of the Audit work papers it was noted that the Planning Memo included the objectives of the audit and related risk. The Scope was defined and included all CalSTRS systems utilized by employees and contractors during that timeframe. Although scope was clearly defined, the rationale for this scope was not documented Engagement Planning - During our review of audits IA14-03, IA15-02, and IA15-05, we noted that the audit team documented "Audit Criteria" and "Background Information" which included an indication of related subjects researched (AICPA bulletins, etc.) but there was no clear mapping of impact of these criteria to the identified risks or planned procedures. We recommend including additional information related in the Planning Memo to describe how the scope aligns to and supports the audit objectives. Additionally, we recommend enhancing documentation to clearly map the audit criteria to identified risks and planned procedures Engagement Supervision - During review of the Audit work papers it was noted that supervisory review was not documented timely for three of the seven engagements reviewed Engagement Resource Allocation- During review of the Audit work papers, it was noted that four of the seven audits exceeded budgeted hours by over ten pecent without explanation documented for the overrun. We recommend that evidence of supervisory review of planning documents be timely documented on objects within the TeamMate Work Paper repository in addition to manual signoffs within the work papers themselves. We recommend the Auditors document the rationale for any overages in the original budgeted amount for each audit in order to identify opportunities to improve processes. ARM 125

11 Page 9 Creating a Leading Practices Internal Audit Function is more than policing compliance. It requires an optimum balance between positioning, people and processes. A wide range of considerations must be aligned to create an Internal Audit function that can effectively make a noticeable impact and add value across the organization. A well-developed and aligned Internal Audit function can provide an important resource and opportunity for the organization to tighten their controls, reduce risks, identify potential efficiencies and drive cost benefits. Internal Audit Perspective ARM 126

12 Page 10 Positioning Developing Leading Drivers & Mission Limited role with focus on compliance with (financial) policies and procedures Aligned with corporate goals and strategies and provides business assurance service; integral role in the overall governance structure Customers & Services Limited to finance/accounting and lacks broader operational focus Formally established to address needs of the business; able to articulate to senior management the risks of its actions Organization & Structure Reporting to Controller Truly independent with direct reporting to Audit Committee Chair Funding Cost conscious and lean IA department with no co-sourcing budget funding adequate to deliver on IA s mandate Success Criteria Ill-defined criteria and inconsistent evaluation Regularly reviewed for effectiveness and consistently evaluated against established criteria ARM 127

13 Page 11 Key Strengths Role in Governance Executive leadership and Audits and Risk Management Committee are highly supportive and understand the importance and role of an internal audit function. Audit Services has an independent and direct reporting role to the ARM Committee. Funding - Audit Services is a well-funded department and supports full time headcount of more than 30 employees. The size of Audit Services supports the achievement of the annual internal audit plan. Relationship Management The Chief Auditor regularly meets with leadership to gain an understanding of business objectives and related risks and to keep abreast of changes or emerging risks. Use of Co-Sourcing Audit Services regularly cosources with external firms to supplement existing skills sets with specialist resources to support audits, especially in technical areas where Audit Services does not possess the required skills and competencies. Key Opportunities Stature While stakeholders have a positive view of the Chief Auditor and the overall role of Audit Services in CalSTRS governance structure, there is also a view that there is a need to significantly improve competencies within Audit Services to conduct internal audits that align more closely with business risk and have more impact to business functions. ARM 128

14 Page 12 People Developing Leading Competencies Competencies limited to financial/accounting and lack broader business acumen Core competencies directly related to IA mission, role, and scope of work; recognized by the business as experts in industry, governance, risk and control Staffing Strategy Hiring reactive to employee turnover and inflexible to changes in demands Reflects IA s mission, role, and required core competencies and is sufficiently flexible to changes in demand; forward thinking Career Progression Career progression program undefined and not focused on training and competency development Established career progression program that incorporates training and competency development and rotations Culture Does not contribute to group cohesion or achievement of IA s mission; staff unwilling/unable to effectively engage with management Fosters the well-being of employees and achievement of IA s mission; characterized by a culture of challenge, probing, and continuous improvement ARM 129

15 Page 13 Key Strengths Leadership The Chief Auditor has significant industry experience and is widely viewed as an effective leader with a balanced perspective and strong credibility with the Board and executive management. Most stakeholders indicated they are comfortable discussing matters of risk and internal control with the Chief Auditor. Experience Members of Audit Services have an average of 20 years of business experience, including 4+ years of experience in CalSTRS Audit Services. Key Opportunities Audit Proficiency Stakeholders indicated increased competency for staff supporting internal audits as the primary opportunity for improvement. Specifically, business units indicated that increased business acumen in addition to conducting collaborative and meaningful discussion of business risk with the business during planning of internal audits and throughout fieldwork are needed in order for internal audits to better address risks and have a higher impact on the business. Several stakeholders noted they would welcome participation by Audit Services in selected forums (e.g., all-hands updates) so that auditors can gain a better understanding of the business. Communication Skills Stakeholders indicated a desire for improved communications with audit staff during planning, fieldwork and the reporting process for internal audits. The current view is that the audit process could be improved through higher quality and in-depth discussion about existing and emerging risks in the business, areas of highest concern to management, and regular discussion on audit inquiries, progress and results throughout the audit. Stakeholders noted the majority of communications for internal audits are conducted through . Professional Certifications Although the majority of Audit Services staff have significant business experience, a relatively low percentage of staff hold professional certifications within the field of Internal Auditing. Only ARM 130

16 Page 14 37% of Audit Services staff hold a professional license (including CPA, CIA, or other professional designations). Audit as a Career Builder Many stakeholders view Audit Services team members predominately as career auditors and don t necessarily view Audit Services as a pool of potential leaders or skilled resources for the organization. Leading practice Audit Services departments are viewed as a source of talent for future leaders of an organization. Audit Services should consider developing a strategy to enhance the perception and view of Audit Services team members visibility and longer term opportunities throughout the Company. ARM 131

17 Page 15 Processes Developing Leading Risk Assessment, Planning & Delivery Limited methodology in place and IA delivers inconsistent or inadequate planning and project execution Strategic and forward looking risk assessment process; good planning methodology in place and IA delivers high quality planning and delivery Technology Limited technology usage Harness technology to maximize efficiencies and improve audit effectiveness; continuous auditing Administration Processes not well-defined Processes in place which facilitate the smooth operation of the function and effective action tracking and follow-up Relationship Management Limited relationship with management Valued member of the leadership team Performance Measurement Performance measurement ill-defined Defined and maintain a variety of measures of IA performance; undertake regular self-review; monitor developments in IA function of peers ARM 132

18 Page 16 Key Strengths Productivity - The productivity of Internal Audit has increased from prior years and is very high compared to the audit plan in prior years. This is noted as an area of significant improvement. Reporting - ARM Committee Members communicated satisfaction with reporting processes from Audit Services. They have noted improvement in the ability of audit services to meet the audit plan and provide meaningful content to the ARM. Administration - Audit Services has implemented a process to track, follow up and report on the status of audit finding. Stakeholder interviews identified this has been a significant improvement to Audit Services processes. Audit reports have been significantly updated to include an executive summary and be more concise. The updated report has been well received by Executive Management. Annual Risk Assessment and Audit Plan Development Significant improvements have been made to the annual audit risk assessment and annual planning process to better align to enterprise risks. Key Opportunities Planning of Individual Internal Audits Stakeholders indicated that the planning of individual internal audits does not always address the highest risks to the business. Additionally, some stakeholders expressed an interest in audits conducting more in-depth and detailed procedures. Workpaper Review and Completion Audit Services should perform regular reviews of engagement files postcloseout to ensure all and only relevant documentation supporting findings and conclusions are retained and that supervisory review has been documented. Data Analytics CalSTRS is implementing a new systems platform that will enable the use of data analytics to enhance the risk assessment, planning, and audit testing processes. Relationship Management While stakeholders indicated an effective relationship with the Chief Auditor, they noted a lack of relationships with other members of Audit Services supporting internal audits and that improvement in this area may potentially be an effective way to increase the understanding of the business and related risks. Engagement Budget Management - While there has been improvement in completing audits included in the annual plan, there is an opportunity for improved project management. For two of seven engagements reviewed by KPMG, budget overruns exceeding 10% for engagements over 500 hours were noted without explanation of the cause of the overrun to provide ARM 133

19 Page 17 information and insight in to future audit planning. ARM 134

20 Page 18 Positioning Internal Audit organization structure and reporting lines Internal Audit charter and audit committee charter Executive management reports Audit Committee materials Management information system (MIS) reports Recently issued regulatory reports People Code of conduct Audit core competency model Training program and materials Internal Audit website contents Job descriptions Head count information (e.g. average years of experience, total certifications, etc.) Processes Internal Audit methodology Internal Audit statement of audit policy Audit plan and risk assessments Strategy memos (LOB, legal entity, location) Executive management reports Continuous auditing quarterly summaries QA management reports Audit follow-up/validation process Audit committee member and Internal Audit management team biographies Sample employee profiles Performance management toolkit ARM 135

21 Page 19 Reference Number Audit Name Report Issue Date IA14-03 Service Organization Oversight Audit 07/16/2015 IA15-02 Authorized System Access 12/30/2015 IA15-05 Employee Safety 01/21/2016 IA15-06 Compensation Review Unit (CRU) 04/06/2016 EA12-09 San Juan Unified School District 05/26/2015 EA13-05 San Francisco Unified School District 05/19/2015 EA15-09 Orange County Dept. of Education 02/04/2016 ARM 136

22 Page 20 Name Position Held Larry Jensen Chief Auditor Kirk Martson Audit Manager Brian Bartow General Counsel Lisa Blatnick Chief of Administrative Services Jack Ehnes CEO Robin Madsen CFO Ashish Jain CTO Paul Rosenstiel ARM Committee Chair Ed Derman Deputy CEO Crowe Horwath External Auditors Rick Reed System Actuary Andrew Roth Benefit and Services Executive Officer Christopher Ailman Chief Investment Officer Cassandra Lichnock COO ARM 137

23 Page 21 During the 2011 QAR performed by Sjoberg Evashenk, the following quality control deficiencies were identified, resulting in an opinion of nonconformance with the IIA Standards: Standard(s) 2011 Observation 2016 Assessment 1000, 1010 Audit Services Charter does not reflect current processes; is not routinely presented to the ARM Committee, and does not mention the Mandatory Nature of the IIA Standards and Code of Ethics Individual Objectivity: Auditor Independence Statements were not signed and completed for all engagements reviewed Proficiency: Auditor knowledge of CalSTRS industry, organization, and processes was considered weak. The Audit Services Charter was updated in 2016 and presented to the ARM. The revised charter reflects current Audit Services reporting structure and includes appropriate references to the IIA Standards. Audit Services methodologies have been updated to require Auditor Independence statements. It was noted that during the 2016 QAR, Auditor Independence Statements were signed and completed for all engagements reviewed. As noted in the assessment above, significant improvements have been made to the Audit Services charter, methodologies and practices. However, stakeholders noted internal audit staff understanding of business processes and related risks as the more significant opportunity to improve the value of internal audits. 1210, 2120, , 1311, 1320 Proficiency, Risk Management, and Engagement Objectives: Staff do not consider the potential of significant errors, fraud, noncompliance, and other exposures when developing audit objectives and audit programs. Quality Assurance Program: Audit services failed to develop an appropriate internal assessment program. Fraud considerations were documented in all engagements reviewed, as applicable. Where fraud considerations are not included within the scope of the audit, the resulting audit reports do not include reference to related compliance with IIA Standard. Three internal assessments have been completed since the 2011 external QAR. These assessments were formally documented in TeamMate and included reports issued to ARM with results. 2000, 2030 Lack of budget-to-actual time tracking or accountability. Lack of formal schedules/ due dates and associated monitoring. There has been improvement in engagement project management and the average time/ hours to complete audit engagements, resulting in an increased number of completed audits. However, for two of seven engagements reviewed by KPMG, significant budget overruns (greater than 10% of planned ARM 138

24 Page 22 hours) were noted without explanation of the cause of the overrun. As noted in our assessment, Audit Services should continue to focus on this area for improvement Policies and Procedures content is substandard and out of date. Includes verbatim references to the Standards, but does not translate to actual CalSTRS Audit Services practices 2060, 2500 Reporting to Senior Management and the Board: No evidence of accountability to audit plan. No reconciliation of completed audits to planned audits. Monitoring Progress: No procedures are in place to verify completion of follow-up procedures by Auditee management, and findings and recommendations "fall off" the follow-up list after two years, whether addressed or not. 2240, 2340 Audit work programs not documented for all engagements. For those work programs that did exist, they were incomplete and not timely reviewed by management. Repeat finding from 2006 external QAR. There is little evidence to demonstrate that management provides adequate and timely oversight and involvement in audits. The Audit Services Charter, Audit Services Manual, and associated policies and procedures have been updated to reflect current department practices and application of the IIA Standards. Monitoring Progress: Audit Services has revamped their engagement follow up process to align with the quarterly ARM committee meetings. All remediation actions are tracked and reported on in conjunction with periodic Audit Plan Status reporting. For one of the seven engagements reviewed, the worksteps planned per the planning memo were not completely aligned with the audit program and the TeamMate worksteps. We also noted blank or unused worksteps within TeamMate which should be removed prior to finalizing audits. For three of the seven engagements reviewed, preparer and/or manager signoffs were completed more than three months after issuance of the audit report. ARM 139