FY 2016 Annual Audit Report

Transcription

1 FY 2016 Annual Audit Report

2 TABLE OF CONTENTS I. Compliance with Texas Government Code, Section : Posting the Internal Audit Plan, Internal Audit Annual Report, and Other Audit Information on Internet Web site...3 II. III. IV. Internal Audit Plan for Fiscal Year Consulting Services and Non-Audit Services Completed... 9 External Quality Assurance Review (Peer Review).. 10 V. Internal Audit Plan for Fiscal Year VI. VII. External Audit Services Procured in Fiscal Year Reporting Suspected Fraud and Abuse TxDOT Annual Audit Report 2

3 I. Compliance with Texas Government Code, Section : Posting the Internal Audit Plan, Internal Audit Annual Report, and Other Audit Information on Internet Web site House Bill 16 (83 rd Legislature, Regular Session) signed by Governor Perry on June 14, 2013, amended the Internal Auditing Act to require state agencies and institutions of higher education, as defined in the bill, to post internal audit plans, internal audit annual reports, and any weaknesses or concerns resulting from the audit plan or annual report on the entities internet web site within 30 days after the audit plan and annual report are approved by an entity s governing board or chief executive. The requirements are met by posting the approved documents at the following link: A detailed summary of the weaknesses, deficiencies, wrongdoings, or other concerns raised by the audit plan or annual report and a summary of actions taken by TxDOT to address concerns, if any, that are raised by the audit plan or annual report is included in the fiscal year (FY) 2016 Annual Audit Report. TxDOT Annual Audit Report 3

4 II. Internal Audit Plan for Fiscal Year 2016 PHASES OF THE AUDIT/CONSULTING SERVICES CYCLE Reports Issued Report Number Report Date Report Name Audit Service FS1607 8/2016 Budget Development, Allocation, and Monitoring Internal Audit LS1603 8/2016 Bulk Fuel Management and Reporting Internal Audit FS1608 5/2016 Business Continuity (Restricted Distribution) Internal Audit FS /2015 Change Order Process Internal Audit LS1605 8/2016 Cloud: Data Access and Contract Management (Restricted Distribution) Internal Audit LS1505 4/2016 Commission Vetting Internal Audit FS /2015 Contract Administration Internal Audit FS1601 5/2016 Contract Administration - Closeout Phase Internal Audit FS1602 8/2016 Contract Administration - 601CT Contracts Internal Audit FS1604 3/2016 Fair Labor Standards Act (FLSA) Overtime Internal Audit FS1605 3/2016 Fleet Operations Rental Equipment Internal Audit FS1502 8/2016 Fuel Consumption Oversight and Coordination Internal Audit LS1602 8/2016 Information Management Division Contract Management - Transformation Internal Audit FS /2015 Local Letting Process Internal Audit FS /2015 Maintenance Operations Internal Audit FS /2015 Materials Testing Internal Audit FS1606 5/2016 Performance Based Maintenance Contracts Internal Audit FS1603 4/2016 Post Implementation Review PeopleSoft - Accounts Payable Internal Audit FS1611 6/2016 Post Implementation Review PeopleSoft - Inventory Internal Audit FS1514 3/2016 Post Implementation Review PeopleSoft - Payroll and Recruiting Internal Audit LS1608 8/2016 Post Implementation Review PeopleSoft - Project Costing Internal Audit FS1610 6/2016 Post Implementation Review PeopleSoft - Purchasing Internal Audit TxDOT Annual Audit Report 4

5 LS1601 1/2016 Public Funds Investment Act Internal Audit LS1609 8/2016 Right of Way Acquisition - Appraisal Oversight Internal Audit FS1613 8/2016 Routine Maintenance Contracts (Restricted Distribution) Internal Audit FS /2015 Software License Management (Restricted Distribution) Internal Audit LS1604 8/2016 TAC 202 Reporting Internal Audit FS1612 8/2016 Toll Facilities Compliance with Federal Highway Administration (FHWA) Reporting Internal Audit FS1612 8/2016 Toll Operations Division Back Office Operations Internal Audit LS1607 8/2016 Toll Operations Division Customer Service Operations Internal Audit LS /2015 Toll Operations Federal Reporting Internal Audit MP1604 6/2016 Accounts Payable MAP Follow-Up MP1601 8/2016 Bid Estimation MAP Follow-Up MP1605 8/2016 Bond Covenant MAP Follow-Up MP1605 8/2016 Bridge Program MAP Follow-Up MP1606 8/2016 Change Order Process MAP Follow-Up MP1604 6/2016 Compass MAP Follow-Up MP1603 2/2016 Construction Operations MAP Follow-Up MP1603 2/2016 Construction/Maintenance Inspection MAP Follow-Up MP1604 8/2016 Data Classification (Restricted Distribution) MAP Follow-Up MP1605 8/2016 Disaster Recovery - IT MAP Follow-Up MP1603 6/2016 Electronic Bidding and Contract Letting MAP Follow-Up MP1606 8/2016 Encumbrance Review MAP Follow-Up MP1605 8/2016 Equipment Maintenance and Repair MAP Follow-Up MP1605 8/2016 General Controls Review - IT MAP Follow-Up MP1603 6/2016 Grant Reimbursement County Transportation Infrastructure Fund MAP Follow-Up MP1606 8/2016 Grant Reimbursement - Traffic Safety MAP Follow-Up MP1606 8/2016 Highway Performance Monitoring System (HPMS) - Pavement Condition Data Collection Resources MAP Follow-Up MP1603 2/2016 Human Resources Procedures Management MAP Follow-Up MP1606 8/2016 Incident Response - IT MAP Follow-Up MP1603 8/2016 Inventory Management MAP Follow-Up MP1603 6/2016 Local Government Project Oversight MAP Follow-Up MP1605 8/2016 Metropolitan Planning Organization MAP Follow-Up MP1605 8/2016 Multiple Use Agreements MAP Follow-Up MP1604 8/2016 Physical Security (Restricted Distribution) MAP Follow-Up MP1606 8/2016 Privacy MAP Follow-Up TxDOT Annual Audit Report 5

6 MP1604 8/2016 Procurement Cycle: Efficiency/Effectiveness of Performance Monitoring, Data Reliability, and System MAP Follow-Up Access MP1605 8/2016 Professional Engineering Procurement Services Contract and Work Authorizations MAP Follow-Up MP1603 8/2016 Public Transportation Grant Management MAP Follow-Up MP1604 6/2016 Rail Project Management MAP Follow-Up MP1603 2/2016 Records Management MAP Follow-Up MP1603 2/2016 Research and Technology Implementation Billing and Accounts Payable MAP Follow-Up MP1603 8/2016 Revenue Accounting MAP Follow-Up MP1603 2/2016 Right of Way Acquisition MAP Follow-Up MP1606 8/2016 Right of Way Governance and Internal Controls MAP Follow-Up MP1603 6/2016 Safety Program (Restricted Distribution) MAP Follow-Up MP1603 2/2016 Toll Operations MAP Follow-Up MP1606 8/2016 Toll Operations Contract Management MAP Follow-Up MP1605 8/2016 Toll Operations: Federal Reporting MAP Follow-Up MP1606 8/2016 Traffic Logo Program MAP Follow-Up MP1606 6/2016 Travel Information Center Safety MAP Follow-Up MP1604 6/2016 Tuition Assistance Program MAP Follow-Up MP1602 8/2016 Unified Transportation Program (UTP) MAP Follow-Up MP1604 6/2016 Work Zone Safety (Restricted Distribution) MAP Follow-Up Carryovers to FY 2017 Internal Audit Plan Report Number Report Name Audit Service LS1610 SH 183 Managed Lanes Project (In Closing Phase) Internal Audit Non-MES Equipment / Consumables Management Internal Audit NEPA Public Involvement Process Internal Audit TxDOT Annual Audit Report 6

7 Detailed summary of the weaknesses, deficiencies, wrongdoings, or other concerns raised by the FY16 Audit Plan or Annual Audit Report are as follows: 31 internal audits were completed o 53 findings were identified with control design and operating effectiveness deficiencies as noted below 47 control design 52 operating effectiveness 43 management action plan (MAP) follow-up engagements were completed to determine whether previously communicated risks have been mitigated. The following details were noted: o 146 closed MAPs corrective actions have been completed o 21 open MAPs corrective actions require completion to address identified risk from the original audit o 2 new MAPs corrective actions that were newly identified and further actions are necessary to properly address the remaining risk Deviations from FY 2016 Planned Audits Continuous evaluation of the audit plan, based on risks identified, resulted in the modification of the FY 2016 Audit Plan. Modifications were presented to the Chief Audit and Compliance Officer for review and approval and subsequently communicated to the Audit Subcommittee for review. Report Number Report Title Deviation LS1605 FS1602 LS1602 FS1603 FS1610 FS1611 FS1514 LS1608 Cloud Storage Contract Administration - Segment 41 Contracts NTT Data Contract Management Transformation Post-Implementation Review ERP Accounts Payable Post-Implementation Review ERP Purchasing Post-Implementation Review ERP Inventory Post-Implementation Review ERP Payroll and Recruiting Post-Implementation Review ERP Project Costing LS1601 Public Funds Investment Act (PFIA) Added Name changed to Cloud: Data Access and Contract Management Name changed to Contract Administration: 601CT Contracts Named changed to Information Management Division Contract Management Transformation Name changed to Post Implementation Review PeopleSoft - Accounts Payable Name changed to Post Implementation Review PeopleSoft Purchasing Name changed to Post Implementation Review PeopleSoft Inventory Name changed to Post Implementation Review PeopleSoft Payroll and Recruiting Name changed to Post Implementation Review PeopleSoft - Project Costing TxDOT Annual Audit Report 7

8 LS1609 FS1612 LS1607 FS1612 Right of Way Acquisition - Contract Management Toll Operations Call Center and Back Office Operations Toll Operations Federal Reporting Name changed to Right of Way Acquisition - Appraisal Oversight Conducted as two engagements: Toll Operations Division Back Office Operations and Toll Operations Division Customer Service Operations Named changed to Toll Facilities Compliance with Federal Highway Administration (FHWA) Reporting TxDOT Annual Audit Report 8

9 III. Consulting Services and Non-Audit Services Completed Consulting Services and Non-Audit Services are completed as part of TxDOT s Compliance Division s annual plan. TxDOT Annual Audit Report 9

10 IV. External Quality Assurance Review (Peer Review) TxDOT Annual Audit Report 10

11 TxDOT Annual Audit Report 11

12 TxDOT Annual Audit Report 12

13 V. Internal Audit Plan for Fiscal Year 2017 Risk Assessment The Chief Audit and Compliance Officer conducts a department-wide risk assessment to develop the Internal Audit Plan. The risk assessment process is also conducted to assign audit resources and includes review and consideration of: Input from members of the Commission, Administration, Divisions, Districts, and staff Department functions, based on objective criteria and professional judgment Federal Highway Administration (FHWA) Risk Assessment Compliance Division Risk Assessment Relevant state and federal legislation Professional/industry standards Investigative trends Prior audit results The Chief Audit and Compliance Officer will provide quarterly status reports on audit activities to the Commission and Administration and will present the results of completed audits at quarterly Audit Subcommittee meetings. Internal Audit Plan The Internal Audit Plan consists of 73 risk-based audit engagements. The audit engagements (including FY2016 audits carried over) are divided into eight areas of focus and coverage, as follows: Governance/Program Management - provide assurance that business activities of the organization are optimized toward achievement of objectives with appropriate oversight Contracting/Third Party provide assurance of reporting and operational reliability to stakeholders District Operations provide assurance and insight of distributed activities Financial provide assurance that principles of financial accounting, stewardship, accountability, and reporting are effective and efficient Information Technology focus on the integrity and security of information assets Carryover Audits engagements not completed in FY16 which remain important to cover Management Action Plan (MAP) Follow-Up determine remediation and risk management regarding previously identified organizational risks Contingency additional area of risk that could be audited as time/resources permit TxDOT Annual Audit Report 13

14 Audit Plan FY 2017 Internal Audit Division Governance/Program Management (6) Budgeted Hours Real Estate Management Program 1,600 Grant Management and Monitoring 1,300 Performance Measurement and Programming 1,300 Design-Build Project Oversight 1,300 Civil Rights Reporting Program 1,300 NEPA Environmental Process 1,300 Contracting/Third Party (3) Budgeted Hours Construction Contract Management 1,600 Environmental Contract Management 1,600 PEPs Contractor Qualification Program 1,300 District Operations (4) Budgeted Hours Local Government Project Monitoring 1,600 Construction Inspections Program 1,600 Physical Security Design 1,600 County Assistance Program 1,600 Financial (4) Budgeted Hours Public Funds Investment Act 1,300 Purchasing Process Efficiency 1,300 Public Transportation Grants Indirect and Direct Cost Monitoring 1,300 Tolling Facilities - Federal Reporting 1,300 Information Technology (4) Budgeted Hours Server Management 1,600 Firewall/Intrusion Detection System Management 1,300 Oracle Patch Management 1,300 Telework Program Standards 1,300 Carryover Audits (3) Budgeted Hours NEPA Public Involvement Process 1,600 Non-MES Equipment / Consumables Management 1,600 SH 183 Managed Lanes Project (In Closing Phase) 400 TxDOT Annual Audit Report 14

15 Management Action Plan (MAP) Follow-Up (44) Engagements performed to determine remediation and risk management regarding previously identified organizational risks Budgeted Hours 13,508 Contingency (5) Information Technology Governance Technology Subcontractor Qualification Program Third Part District Safety Coordinator Review E-Grants Application Controls information tech SSAE16 Program Management Third Party Summary Internal Audit Budgeted Hours Governance/Program Management 8,100 Contracting/Third Party 4,500 District Operations 6,400 Financial 5,200 Information Technology 5,500 Management Action Plan Follow-Ups 13,508 Carryover Audits 3,600 Total Hours: 46,808 TxDOT Annual Audit Report 15

16 VI. External Audit Services Procured in Fiscal Year 2016 No External Audit Services were procured by the Internal Audit Division during Fiscal Year VII. Reporting Suspected Fraud and Abuse Actions taken to implement the requirements of: Fraud Reporting Article IX, Section 7.09 General Appropriations Act (83 rd Legislature, Conference Committee Report) o A link to the State Auditor s Office (SAO) Fraud Hotline is available on the TxDOT internet site: txdot.gov/inside-txdot/office/compliance-ethics/reporting-fraud.html o Information about reporting suspected fraud involving state funds to the State Auditor s Office is included in TxDOT policy. Call the State Auditor s Office fraud hotline at TX-AUDIT ( ) or report online at sao.fraud.state.tx.us o Compliance Division (CMP) maintains an external hotline number ( ) and website (txdotwatch.com) Coordination of Investigations Texas Government Code, Section o Reasonable Cause to Believe reports are completed by the Compliance Division and sent to SAO at least semi-annually o SAO Hotline Complaint coordination with Cesar Saldivar, Audit Manager TxDOT Annual Audit Report 16