MAC INTERNAL AUDIT DEPARTMENT 2017 PROPOSED ANNUAL AUDIT PLAN

MEMORANDUM

TO: Finance and Administration Committee
FROM: Mike Willis, Director Internal Audit
      Alan Sasse, IT Audit Coordinator
SUBJECT: MAC INTERNAL AUDIT DEPARTMENT 2017 PROPOSED ANNUAL AUDIT PLAN
DATE: October 26, 2016

Attached for your review are the following:
2017 MAC Internal Audit Department Annual Audit Plan
2017 MAC Risk Assessment Detail Report

In accordance with the MAC Internal Audit Charter and the Standards for the Professional Practice of Internal Auditing, the MAC Internal Audit Department is directed to develop an annual audit plan and present it to the Commission for approval. The plan is developed based on the attached assessment of current organization financial risk levels.

COMMITTEE ACTION REQUESTED: RECOMMEND TO THE FULL COMMISSION APPROVAL OF THE 2017 MAC INTERNAL AUDIT DEPARTMENT ANNUAL AUDIT PLAN.

MAC INTERNAL AUDIT DEPARTMENT 2017 Annual Audit Plan

The mission of the MAC Internal Audit Department is to provide reasonable assurance that the organization has an effective internal control structure in place and to furnish Commissioners and Management Staff with independent analysis, appraisals, recommendations, and relevant comments regarding the Commission's compliance with financial and internal control policies and procedures. In addition, the Internal Audit Department performs analysis and testing of the financial performance of the Commission's revenue and expense contracts and other activities to provide assurance of adequate compliance with key finance related contract provisions.

Department Structure, Independence and Responsibilities:

The Internal Audit Department's structure as well as its role and responsibilities were formalized by the Commission in the Internal Audit Charter. The department reports functionally to the Finance and Administration Committee of the Commission and reports administratively to the Executive Director/CEO. This reporting structure allows the Internal Audit Function to operate with sufficient independence from senior management to provide objective analysis and conclusions. Internal Audit staff has full and unrestricted access to all MAC properties, information and personnel. Audit selection and planning is accomplished by department staff under the direction of the Commission. Audit results are reported directly to the Commission and to senior management.

Department roles and responsibilities are laid out in the Internal Audit Charter that was approved by the Commission in 2007 and revised in The audit charter addresses the issues of auditor professionalism through adherence to the internal audit professional standards, assigns department responsibilities, requires the reporting of significant audit issues to the Commission and requires that the Commission approve the annual audit plan.

Audit Professional Standards:

The MAC Internal Audit Department follows the Standards for the Professional Practice of Internal Auditing as prescribed by the Institute of Internal Auditors. The audit standards provide guidance to professional auditors in the areas of independence, objectivity, proficiency, due professional care, continuing professional development, quality assurance, engagement planning, management and supervision, and communication of audit results. MAC Internal Audit is required to perform annual self-assessments of the compliance of its work with applicable professional standards with periodic independent validation of those assessments required at five year intervals. Representatives of the Institute of Internal Auditors completed a five year Internal Audit Quality Assessment of the MAC Internal Audit Department in 2013 and a report of results was provided to the Commission. It was found by the independent reviewers that the MAC Internal Audit Department is in full compliance with the Standards for the Professional Practice of Internal Auditing.

Internal Audit Staffing Resources:

The Internal Audit Department is staffed with a Director, an Information Systems Audit Coordinator, and two Senior Internal Auditors. Current staff is well qualified and has extensive audit experience both with MAC and with other governmental and private entities. Two staff members are Certified Public Accountants, one is a Certified Information Systems Auditor, three are Certified Fraud Examiners and one is a Certified Internal Auditor.

Auditor Training:

MAC has annually invested in the training of audit staff and in developing and maintaining staff professional certifications. Training is focused in the areas of technology, fraud detection, audit methodology and professional ethics. Auditors attend regular training sessions to gain new knowledge that can be applied to the implementation of the annual audit plan. Regular training is also accomplished so that staff can maintain professional certifications by meeting applicable training requirements.

Internal Audit Planning Process:

With limited resources and staffing, the Internal Audit Department assigns auditors and develops audit testing based on the assessed risk of errors, non-compliance or misstatement in each business area. The business areas within MAC vary greatly in the levels of financial risk that they present to the organization. The following factors are considered and were used in the development of the attached risk assessment which is used as a guide in determining the levels and types of audit procedures that will be used.

1. Inherent Risks -- Different types of transactions vary significantly in the level of inherent risk associated with those transactions. For example, revenue that is obtained through the collection of fixed rental amounts or revenues that are calculated by MAC using Commission approved rates to recover certain costs (i.e. Airline Rates and Charges) would present a much lower risk of misstatement or error to MAC than rent obtained as a percentage of variable revenue collected by tenants or revenue obtained through variable collections made by staff or external parties such as parking revenues. The level, complexity and frequency of audit testing varies significantly based on the assessment of risks that are inherent in each type of transaction.

2. Control Testing -- A review of existing controls and related processes is significant in determining what level of audit testing is needed to reduce risks of errors or misstatements to an acceptable level. Controls over cash collections or disbursements can take many forms and vary greatly in their overall effectiveness. Determining the effectiveness of controls and the residual risk that remains after the controls are applied is key to developing effective and well-focused audit procedures. Key considerations include determining whether controls are preventive or detective.

Preventive controls are set up to prevent errors and fraud from occurring. These can take the form of controls built into accounting systems that simply won't allow certain entries to the system or greatly restrict which staff can make certain entries and adjustments. Examining system access to determine whether it is restricted to the lowest reasonable level and reviewing transactions that are produced in business areas impacted by the controls is key to determining the effectiveness of controls and the levels of further audit testing that are needed.

Detective controls do not restrict actions but rather provide a way for management to effectively monitor the actions of staff and identify inaccurate or inappropriate transactions. Detective controls can be very effective if used properly but are reliant on the diligence of managers in reviewing information and making judgments about the appropriateness of staff activities and then acting on those judgements.

In general, preventive controls are much more effective than detective controls. When preventive controls are in place, the auditor's responsibility is to periodically review the preventive controls to ensure that they have not been altered in a way that would weaken them. When a financial process is reliant on detective controls, it becomes the auditor's responsibility to review the effectiveness of those controls at appropriate intervals to ensure that supervisory staff is performing the steps needed to retain the effectiveness of the controls.

3. Past History -- MAC Auditors have a wealth of experience in working with various MAC business areas and use that knowledge in determining which areas to test and how to properly design those tests. In addition, many of the types of risks that MAC faces are not unique to MAC but exist in other organizations including other airports across North America and around the world. MAC Auditors often receive information and input through training opportunities, professional conferences and through peers in other organizations. Knowledge and experience derived from many sources has been used to develop and refine MAC audit procedures.

4. Materiality -- Assessing the dollar amounts of resources related to a particular business area and the impact to MAC if those resources were compromised is an important consideration.

5. Reputation -- While dollar amounts and related materiality are important, MAC Auditors must also consider the potential impact of loss or misstatement regardless of the dollars involved. As a public entity, it is critical to MAC to be viewed by the public as a reliable and ethical custodian of important public assets. Situations involving fraud or misstatement related to public funds or other assets, regardless of the dollar amount involved, can have a very detrimental impact on MAC's reputation. MAC Auditors often examine activities and transactions that have elevated risk levels even if the dollar amounts involved are relatively small.

6. External Audit Coverage -- MAC is required to hire independent auditors to perform an annual financial statement audit along with single audit procedures related to federal programs. In addition, MAC falls under the jurisdiction of the Minnesota Office of the Legislative Auditor. In developing and implementing our internal audit procedures, it is important to gain an understanding of and consider the work of these independent auditors in developing our own internal audit procedures. The independent auditor's objectives in performing their audits vary significantly from Internal Audit's objectives, but in some areas our objectives could overlap. It is important to consider and coordinate our work with the external auditors to avoid duplication of efforts in order to provide maximum value to MAC. These external audit professionals are a valuable resource for Internal Audit in refining our audit scope.

Internal Audit Approach:

Starting in 2013, the Commission authorized the MAC Internal Audit Department to implement a continuous audit approach in order to develop a more comprehensive and efficient internal audit activity. Continuous auditing is a departure from conventional audit activities that had been used in the past in that it involves frequent audit analysis and testing over a wide range of financial activities. Testing is accomplished at regular frequent intervals in each area within the selected audit scope. Technology plays a key role in continuous audit activities by helping to automate the identification of exceptions or anomalies, analyze patterns within the digits of key numeric fields, review trends, and test controls, among other activities.

The following are key elements in the continuous audit approach:

1. Understanding the Audit Universe -- Every organization has a unique set of risks and controls which must be thoroughly understood in order to perform effective internal audit procedures. MAC's key risks and controls are outlined in the attached 2017 MAC Risk Assessment. Audit resources need to be focused primarily in areas that present elevated risks of financial errors or misstatement.

2. Data Access -- The continuous audit approach became possible with the availability of large volumes of financial data generated by various business systems and with the use of sophisticated analytical software that is capable of analyzing large volumes of data. MAC auditors can directly link to various MAC business systems and download all relevant transactions in each business area. In addition to MAC generated data, auditors obtain reports and data files for testing from a wide range of MAC business partners.

3. Understand compliance criteria -- Review key compliance criteria including policies, procedures, contracts and laws. Determine Commission and management directives and expectations. Determine what types of substantive testing will best serve to identify compliance issues.

4. Analytical Procedures -- Review the population of transactions and gain an overall understanding of the elements that make up account balances. Run tests to summarize, stratify and classify data in various ways to determine the reasonableness of account balances in the current period against similar balances in prior periods or other relevant information. Break down and summarize transaction groups into their basic elements and assess the reasonableness of subgroup balances in relation to established norms. Develop historical data and analysis for comparison with future periods.

5. Substantive testing

Account and Report Balance Reconciliation -- Summarize, organize, and compare data from various sources to relevant account balances, reports, payments and disbursement to test for accuracy.

Account Adjustments -- Review adjustments to account balances for reasonableness, documentary support and management approval.

Sample testing -- develop the means through data analytics or other methods to identify outlying transactions for further testing. Ensure that samples represent all material transaction types. Review test results with relevant management and staff to better understand the reasons for outlier transactions.

Trend analysis -- review data trends and compare to historical data and other established criteria.

Exception testing -- identify unusual or high risk transactions for separate testing and analysis.

Benford analysis -- use analysis of transaction dollar amounts to identify sample groups of transactions that fall outside of normal numeric distributions. Review representative samples of outliers to identify reasons behind variances.

6. Audit Documentation -- Audit testing results and evidence must be fully documented by each auditor. For this purpose, audit results are organized and stored electronically. Audit documents are reviewed by audit supervisors for accuracy and proper documentation.

7. Audit Reporting -- When audit testing is completed, fully documented, reviewed and approved, an audit report is drafted for review by management and affected staff. A final report is submitted to the Commission for their review and approval.

8. Audit Issues Follow-up -- The continuous audit process is repeated on a quarterly cycle. The majority of audit testing is completed on a monthly basis. Auditors consider past audit issues and concerns in developing audit testing in succeeding periods. Audit issues are reexamined and changes in processes that were made in response to past issues are reviewed.
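The Benford analysis step listed under substantive testing can be sketched as follows. This is an added example, not the department's software or part of the original plan: the ledger is constructed, the $5,000 approval limit is a hypothetical value, and the test is generalized from the first digit to the first k digits so that a flagged digit can be narrowed to a smaller review group.

```python
import math
from collections import Counter

def leading_digits(amount, k=1):
    """First k significant digits of a dollar amount, or None if it has fewer."""
    cents = round(abs(amount) * 100)          # work in whole cents to avoid float noise
    s = str(cents).lstrip("0")
    return int(s[:k]) if len(s) >= k else None

def benford_test(amounts, k=1, z_cut=1.96):
    """Compare leading-digit frequencies with Benford's law.

    Returns per-digit observed/expected counts and z-scores, a chi-square
    statistic, and the digit groups that are over-represented (z > z_cut),
    ordered from most to least anomalous.
    """
    digits = [d for d in (leading_digits(a, k) for a in amounts) if d is not None]
    n = len(digits)
    if n == 0:
        raise ValueError("no usable amounts")
    observed = Counter(digits)
    rows, chi2 = [], 0.0
    for d in range(10 ** (k - 1), 10 ** k):
        p = math.log10(1 + 1 / d)             # Benford probability of leading digits d
        expected = n * p
        z = (observed[d] - expected) / math.sqrt(n * p * (1 - p))
        chi2 += (observed[d] - expected) ** 2 / expected
        rows.append({"digits": d, "observed": observed[d],
                     "expected": round(expected, 1), "z": round(z, 2)})
    ranked = sorted(rows, key=lambda r: -r["z"])
    flagged = [r["digits"] for r in ranked if r["z"] > z_cut]
    return {"n": n, "chi2": chi2, "rows": rows, "flagged": flagged}

def review_group(transactions, flagged, k=1):
    """Transactions whose leading digits fall in a flagged group (the audit sample pool)."""
    wanted = set(flagged)
    return [t for t in transactions if leading_digits(t[1], k) in wanted]

def constructed_ledger():
    """Constructed sample data, not real MAC transactions.

    2,000 baseline payments spread evenly on a log scale from $10 to $100,000
    (which follows Benford's law closely), plus 150 payments placed just under
    a hypothetical $5,000 approval limit.
    """
    ledger = [(f"BASE-{i:04d}", round(10 ** (1 + i / 500), 2)) for i in range(2000)]
    ledger += [(f"INJ-{i:03d}", round(4900 + 0.66 * i, 2)) for i in range(150)]
    return ledger

if __name__ == "__main__":
    ledger = constructed_ledger()
    amounts = [amount for _, amount in ledger]

    first = benford_test(amounts, k=1)
    print(f"n={first['n']}  chi-square={first['chi2']:.1f}  (critical value 15.507 at 8 d.f.)")
    for row in first["rows"]:
        print(row)
    print("over-represented first digits:", first["flagged"])

    # Narrow the flagged digit to a two-digit group before pulling a sample.
    second = benford_test(amounts, k=2)
    top = second["flagged"][:1]
    sample = review_group(ledger, top, k=2)
    print("most over-represented two-digit group:", top, "->", len(sample), "transactions to review")
```

A flagged digit group is a pointer to a sample pool, not a finding: amounts clustered under an approval threshold can have legitimate causes such as fixed-price contracts, which is why the plan pairs the test with a review of representative outliers.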

Audit Testing Areas:

TRANSACTION TYPE: RECEIPTS
(CONTINUOUS AUDIT CATEGORY, followed by its AUDIT TESTING PROCEDURES)

Accounts Receivable
  Analytical review by account and revenue source
  Sample compliance testing
  Benford analysis of dollar amounts
  Analyze trends and compare to prior periods

Public Parking
  Reconcile collections to revenue recorded on the parking system
  Reconcile parking system revenue to primary accounting system
  Test exception and reduction transactions
  Compare rates charged to authorized rates
  Test accuracy of charges to customers
  Test parking system sales reports for accuracy
  Test parking sales adjustments for accuracy and authorization
  Investigate differences and unusual trends

Ground Transportation
  Reconcile collections to revenue recorded on the MAVIS system
  Reconcile MAVIS system revenue to primary accounting system
  Review no charge employee parking for compliance
  Review system access rights
  Investigate differences and unusual trends

Auto Rental
  Reconcile detailed transaction data to summarized revenue reports
  Review daily sales reported by location and
  Review transaction data for reasonableness and compare to prior periods
  Inspect sales categories and transaction totals from each location for reasonableness
  Review facilities charges reported and paid and compare to raw sales data
  Review space rent and other payments required under each lease
  Review sales reductions and adjustments
  Investigate differences and unusual trends

Food and Beverage
  Summarize and review sales data obtained from each operator
  Reconcile summarized data to monthly operator sales reports
  Reconcile subtenant sales reports to primary tenant sales reports and data
  Review sales totals by date and location and compare to prior periods
  Review rent calculations for compliance with lease terms
  Review space rent, utilities and consortium fees for lease compliance
  Investigate differences and unusual trends

Retail
  Summarize and review sales data obtained from each operator
  Reconcile summarized data to monthly operator sales reports
  Reconcile subtenant sales reports to primary tenant sales reports and data
  Review sales totals by date and location and compare to prior periods
  Review rent calculations for compliance with lease terms
  Review space rent, utilities and consortium fees for lease compliance
  Investigate differences and unusual trends

TRANSACTION TYPE: DISBURSEMENTS
(CONTINUOUS AUDIT CATEGORY, followed by its AUDIT TESTING PROCEDURES)

Accounts Payable
  Analytical review by account and payee
  Sample compliance testing
  Benford analysis of dollar amounts
  Analyze trends and compare to prior periods
  Map vendor locations to analyze payment trends

Purchasing Card Payments
  Reconcile bank records with expenditures recorded on MAC's accounting system
  Perform analysis to detect inappropriate purchases
  Review transactions that exceed normal purchase limits
  Test for split purchases that would violate purchasing policy
  Summarize and review purchases by merchant, category, business unit and cardholder
  Review travel and business expense purchases for compliance with policies
  Map vendor locations to analyze payment trends
  Investigate unusual purchases and trends

Employee Payroll
  Review payroll transactions by employee and business unit
  Review payroll transactions by pay type
  Review payments to ensure that they were made to authorized employees
  Review payroll transactions for compliance with Human Resources policies.
  Review payroll transactions for compliance with Organized Labor agreements.
  Review payrate adjustments for proper authorization and compliance
  Review paid leave transactions for compliance with HR Policies and Labor Agreements.
  Review Workforce Director payroll subsystem.
  Investigate differences and unusual trends

Employee Benefits
  Reconcile active employee lists to benefit provider enrollment reports
  Reconcile employee payroll withholding to Commission authorized rates
  Reconcile benefit eligible retiree listings to retiree benefit enrollments
  Reconcile retiree benefit payments to authorized rates and investigate differences
  Review employee benefit enrollments for compliance with HR Policies.
  Review employee benefit enrollments for compliance with Organized Labor Agreements.

Procurement
  Analyze purchase requisitions for compliance with policies
  Review professional service authorizations and related payments
  Review capital project authorizations and related payments
  Summarize purchase totals by business unit and account and compare to prior periods
  Review blanket purchase orders and compare to purchasing card transactions
  Investigate differences and unusual trends

TRANSACTION TYPE: GENERAL ACCOUNTING
(CONTINUOUS AUDIT CATEGORY, followed by its AUDIT TESTING PROCEDURES)

Journal Entries
  Review adjustments for proper documentation, approval and reasonableness
  Review adjustments by user for reasonableness
  Investigate unusual transactions and trends

Information Systems
  Review employee access to business systems. This includes providing feedback to supervisors and managers when changes to access are being considered. Identify system access that does not match job duties.
  Review entries to various components of the main finance application by User ID to ensure users are only generating transactions relevant to their job duties.
  Review access changes for proper documentation, approval and testing
  Review employee terminations for appropriate and timely removal of system access
  Review system changes for proper documentation, approval and testing. Ensure changes comply with policies and procedures.

Operating Bank Account
  Review monthly bank reconciliations of bank records to account balances
  Review reconciling items for reasonableness
  Ensure that reconciling items are cleared in a timely manner
  Investigate differences and unusual trends

Investments
  Review monthly investment reconciliations performed by the MAC Finance Dept.
  Verify that sufficient collateral is pledged for MAC Investments
  Review compliance with MAC Investment Policy

Special Audit Projects and New Audit Areas:

For 2017, there are several business areas that will be considered for additional audit procedures -
  Point of Sale data obtained from new tenants in the first phase of the concession rebuild.
  Data obtained related to TNC operators on the airport
  Contract compliance related to the new In-Terminal Advertising Agreement
  MAC IS system backup and system logging processes
  System controls related to the MAC Parking Expansion

Objectives, Risks, and Controls for Accounts Receivable
MAC 2016 Audit Universe > Revenues > Accounts Receivable
Objective: Ensure that MAC properly collects and safeguards cash assets and properly records and deposits revenue

Risk: Cash receipts may be susceptible to theft or loss
Impact: High   Likelihood: High   Impact: Medium   Likelihood: Low
Controls:
1. Tenants are required to send checks and electronic transfer payments directly to MAC's Bank
2. Finance Department staff monitor cash receipts at the bank through online bank data access
3. Monthly bank account reconciliations are performed by Finance Staff who are independent of the cash recording and collection process
4. Analysis of receipt trends over time is performed by financial analysis staff
5. Budgetary controls reveal significant revenue fluctuations by account

Risk: Tenants may not be billed for all obligations
Impact: High   Likelihood: High   Impact: Medium   Likelihood: Low
Controls:
1. Finance Department staff are aware of lease provisions and required payments.
2. Billings are prepared in accordance with lease provisions and Commission approved rates and charges.
3. Lease administrators and Finance Department Staff meet and communicate regularly
4. Finance Department management staff supervise accounts receivable accounting staff

Risk: MAC may not receive and record all required revenue
Impact: High   Likelihood: High   Impact: Medium   Likelihood: Medium
Controls:
1. Finance Department staff enter receivable amounts related to each lease in the accounting system receivables module.
2. Regular billings are issued to each tenant or customer
3. Unpaid bills are detected and highlighted in system account aging reports
4. Past due accounts are reported to the Commission monthly.
5. Revenue budget vs actual amounts are reported to the Commission
6. Finance Department staff perform financial analysis of each revenue category and investigate revenue fluctuations
7. Budgetary controls would reveal significant fluctuations in revenue.

Objectives, Risks, and Controls for Public Parking Revenue
MAC 2016 Audit Universe > Revenues > Public Parking
Objective: Ensure that MAC properly collects and safeguards cash assets and properly records and deposits revenue

Risk: Receipts may be susceptible to theft or loss
Impact: High   Likelihood: High   Impact: Medium   Likelihood: Low
Controls:
1. Audited cash receipts are deposited in a drop safe that is not accessible until picked up by the armored car service.
2. Parking Management Accounting Staff monitor and audit cash receipts
3. Finance Department staff perform daily monitoring of cash deposits
4. Finance Department staff reconcile cash and credit collections to reports generated by the Parking Revenue Control System
5. Parking cashier activity is closely monitored by parking management staff and MAC staff.
6. Over 90% of all parking revenue is paid by credit/debit cards reducing the cash and checks received
7. Budgetary controls would reveal significant revenue fluctuations

Risk: MAC may not receive and record all required revenue
Impact: High   Likelihood: High   Impact: Medium   Likelihood: Low
Controls:
1. E park revenue is automatically recorded on the Parking Revenue Control System as each customer swipes their payment card.
2. Entries made by parking cashiers are also recorded on the Parking Revenue Control System
3. Parking Management and MAC staff monitor bank deposits and reconcile to system generated reports
4. Reductions to parking charges require management approval.
5. Parking cashier activity is closely monitored by parking management staff and MAC staff
6. Budgetary controls would reveal significant revenue fluctuations.

Risk: Parking rates and charges may be incorrectly applied or calculated.
Impact: High   Likelihood: High   Impact: Medium   Likelihood: Low
Controls:
1. Parking rates are approved by the Commission and reviewed by MAC staff.
2. The parking revenue control system calculates all charges based on parking location and duration data
3. MAC staff and parking management staff monitor the Parking Revenue Control System
4. Parking rates, charges and calculations are reviewed by MAC Internal Audit

Objectives, Risks, and Controls for Ground Transportation
MAC 2016 Audit Universe > Revenues > Ground Transportation
Objective: Ensure that MAC properly collects and safeguards cash assets and properly records and deposits revenue

Risk: Cash receipts may be susceptible to theft or loss
Impact: Medium   Likelihood: High   Impact: Medium   Likelihood: Low
Controls:
1. Automated system (MAVIS) controls employee parking, shuttle and taxi payments and controls access to facilities
2. Payments are sent to a bank lockbox or charged to credit/debit accounts electronically.
3. Cash payments are reconciled to revenue recorded on the vehicle management system

Risk: MAC may not receive and record all required revenue
Impact: Medium   Likelihood: High   Impact: Medium   Likelihood: Low
Controls:
1. Automated system controls employee parking, shuttle and taxi payments and controls access to facilities
2. System issues monthly billings or debits customer bank cards on a monthly basis
3. Payments are sent to a bank lockbox or charged to credit/debit accounts electronically.
4. System identifies past due accounts for collection
5. System can deny access to customers who fail to pay fees

Risk: Ground Transportation rates and charges may be incorrectly calculated.
Impact: High   Likelihood: High   Impact: Medium   Likelihood: Low
Controls:
1. Ground Transportation rates are approved by the Commission and reviewed by MAC staff.
2. The MAVIS system calculates all charges based on rates entered
3. MAC staff monitors the MAVIS system
4. Ground Transportation rates, charges and calculations are reviewed by MAC Internal Audit

Objectives, Risks, and Controls for Auto Rental
MAC 2016 Audit Universe > Revenues > Auto Rental
Objective: Ensure that auto rental sales, rent and fees are reported and paid in accordance with lease provisions

Risk: Auto Rental Operators could under report sales resulting in underpayment of rent
Impact: High   Likelihood: High   Impact: Medium   Likelihood: Medium
Controls:
1. Finance Department review of operator sales reports and payments
2. Finance Department analysis of revenue trends by concession operator and type
3. Annual independent audit requirement for large revenue contracts
4. Budgetary controls would reveal significant revenue fluctuations by account

Risk: Auto Rental Operators could fail to report and pass through all facilities charges required to be paid by customers
Impact: Medium   Likelihood: Medium   Impact: Medium   Likelihood: Medium
Controls:
1. Finance Department review of operator sales reports and payments
2. Finance Department analysis of revenue trends by concession operator and type
3. Annual independent audit requirement for large revenue contracts
4. Budgetary controls would reveal significant revenue fluctuations by account

Risk: MAC may fail to bill all rent and fees owed
Impact: Medium   Likelihood: Medium   Impact: Low   Likelihood: Low
Controls:
1. Contract terms are communicated to Finance staff
2. Rental amounts are adjusted annually and entered into the receivables system
3. Finance staff bills and monitors payment of all fixed rent

Objectives, Risks, and Controls for Food and Beverage
MAC 2016 Audit Universe > Revenues > Food and Beverage
Objective: Ensure that food and beverage sales, rent and fees are reported and paid in accordance with lease provisions

Risk: Food and Beverage Operators could under report sales resulting in underpayment of rent
Impact: High   Likelihood: High   Impact: Medium   Likelihood: Medium
Controls:
1. Finance Department issues revenue report templates that are set up to calculate required rents and fees based on reported gross sales
2. Finance Department review of operator sales reports and payments
3. Finance Department analysis of revenue trends by concession operator and type
4. Annual independent audit requirement for large revenue contracts
5. Budgetary controls would reveal significant revenue fluctuations by account

Risk: MAC may fail to bill all rent and fees owed
Impact: Medium   Likelihood: Medium   Impact: Low   Likelihood: Low
Controls:
1. Contract terms are communicated to Finance staff
2. Rental amounts are adjusted as appropriate and entered into the receivables system
3. Finance staff bills and monitors payment of all fixed rent

Objectives, Risks, and Controls for Retail and News
MAC 2016 Audit Universe > Revenues > Retail and News
Objective: Ensure that retail and news sales, rent and fees are reported and paid in accordance with lease provisions

Risk: Retail and News Operators could under report sales resulting in underpayment of rent
Impact: High   Likelihood: High   Impact: Medium   Likelihood: Medium
Controls:
1. Finance Department issues revenue report templates that are set up to calculate required rents and fees based on reported gross sales
2. Finance Department review of operator sales reports and payments
3. Finance Department analysis of revenue trends by concession operator and type
4. Annual independent audit requirement for large revenue contracts
5. Budgetary controls would reveal significant revenue fluctuations by account

Risk: MAC may fail to bill all rent and fees owed
Impact: Medium   Likelihood: Medium   Impact: Low   Likelihood: Low
Controls:
1. Contract terms are communicated to Finance staff
2. Rental amounts are adjusted as appropriate and entered into the receivables system
3. Finance staff bills and monitors payment of all fixed rent

Objectives, Risks, and Controls for Passenger Services
MAC 2016 Audit Universe > Revenues > Passenger Services
Objective: Ensure that rents and fees are paid in accordance with lease provisions

Risk: Concession Operators could under report sales in an attempt to reduce rental charges and fees
Impact: Low   Likelihood: Medium   Impact: Low   Likelihood: Medium
Controls:
1. Finance Department review of sales reports and payments
2. Finance Department analysis of revenue trends by concession type
3. Budgetary controls would reveal significant revenue fluctuations by account

Objectives, Risks, and Controls for Airline Rates and Charges
MAC 2016 Audit Universe > Revenues > Airline Rates and Charges
Objective: Airline Rates and Charges - Ensure that MAC recovers all airside costs in compliance with the airline agreement

Risk: MAC could fail to recover all costs related to the airline agreement
Impact: High   Likelihood: Medium   Impact: Low   Likelihood: Low
Controls:
1. Rates are set to approximately recover MAC's airline costs
2. Costs are calculated and charges are billed in accordance with calculated rates
3. Year end reconciliation to ensure recovery of unpaid costs or refund of overcharges
4. Analyticals compare airline payments to prior years

Objectives, Risks, and Controls for Utility Fees and Miscellaneous Revenues
MAC 2016 Audit Universe > Revenues > Utilities Fees and Miscellaneous Revenues
Objective: Other Revenue - Ensure that other revenue is billed and collected where appropriate

Risk: MAC could fail to collect other revenue such as utility fees, permit fees, badging fees, etc.
Impact: Low   Likelihood: Medium   Impact: Low   Likelihood: Low
Controls:
1. Utility fees are calculated and billed on the accounts receivable system. Missing payments would be detected.
2. Badging and Permit fees are charged when the item is picked up or are set up for billing
3. Concession utility fees are calculated and billed based on square footage of rental space and concession type

Objectives, Risks, and Controls for Accounts Payable
MAC 2016 Audit Universe > Processes > Accounts Payable
Objective: Ensure that payments for goods and services are appropriate, cost effective and meet legal and policy requirements

Risk: Payment process may allow improper payments to vendors or others or could allow payments to exceed authorized limits
Inherent Risk: Impact High, Likelihood High
Residual Risk: Impact Medium, Likelihood Medium
Controls:
1. Access to Vendor Master File is restricted to staff who do not have the ability to issue payments
2. Systems in place to assure management approval of purchases prior to payment
3. Match of purchase authorization, proof of receipt of goods or services and vendor invoice are required prior to payment
4. Use of "Positive Pay" to verify that checks presented to the bank for payment are legitimate
5. Payments are reviewed by Finance Dept. management
6. Commissioners review payment listings and budget vs actual reports
7. Anonymous reporting hotline available to all employees
8. Budgetary controls reveal significant spending fluctuations by business unit and account

Objectives, Risks, and Controls for Purchasing Cards
MAC 2016 Audit Universe > Processes > Purchasing Cards
Objective: Ensure that payments for goods and services are appropriate, cost effective and meet legal and policy requirements

Risk: Cardholders may purchase items for personal use or other inappropriate purpose.
Inherent Risk: Impact Medium, Likelihood High
Residual Risk: Impact Medium, Likelihood Medium
Controls:
1. Cards have built in limits for types of purchases and dollar amounts
2. Total monthly purchases are limited
3. Supervisors required to perform a monthly review of purchasing card statements and receipts
4. Random reviews of purchases are performed by Finance Dept. staff
5. Misuse of purchasing cards can result in disciplinary action
6. Budgetary controls reveal significant spending fluctuations by business unit and account

Risk: Cardholders may violate purchasing card policies
Inherent Risk: Impact Medium, Likelihood High
Residual Risk: Impact Medium, Likelihood Medium
Controls:
1. Cardholders receive policy training prior to issuance of a purchasing card
2. Supervisors review purchasing card statements and receipts
3. Purchasing Department staff conduct reviews of purchases to identify policy violations
4. Violation of policies can result in disciplinary action

Objectives, Risks, and Controls for Payroll Expenses
MAC 2016 Audit Universe > Expenses > Payroll Expenses
Objective: Payroll - Ensure payroll disbursements are properly controlled and in compliance with policy provisions and labor agreements

Risk: Employees could be paid at incorrect rates
Inherent Risk: Impact Medium, Likelihood High
Residual Risk: Impact Medium, Likelihood Medium
Controls:
1. Payrates can only be adjusted by authorized HR staff who do not have access to issue payments.
2. Employees have access to payrate schedules and could question rates paid
3. Payrate adjustments are reviewed and approved by supervisors
4. Payrate adjustments are reviewed for accuracy by a second HR staff person.
5. Finance Department staff runs exception reports for review of payroll entries

Risk: Employees could be paid for an incorrect number of hours or incorrect pay type
Inherent Risk: Impact Medium, Likelihood High
Residual Risk: Impact Medium, Likelihood Medium
Controls:
1. Employee time entries are reviewed and approved by supervisors
2. Employee time entries are reviewed for exceptions by payroll staff.
3. Budgetary controls reveal significant spending fluctuations by business unit and account

Risk: Fictitious employees could receive payments
Inherent Risk: Impact Medium, Likelihood High
Residual Risk: Impact Low, Likelihood Low
Controls:
1. New employees are entered on the accounting system by HR staff who do not have access to issue payments.
2. Employee time entries are reviewed and approved by supervisors
3. Budgetary controls reveal significant spending fluctuations by business unit and account

Objectives, Risks, and Controls for Employee/Retiree Benefits
MAC 2016 Audit Universe > Expenses > Employee/Retiree Benefits
Objective: Benefits - Ensure that benefit programs are properly administered

Risk: Benefits could be awarded to persons who are not authorized to receive them
Inherent Risk: Impact Medium, Likelihood High
Residual Risk: Impact Medium, Likelihood Medium
Controls:
1. Separation of duties between HR and Risk Departments (HR staff sets up employees/retirees on system, Risk/Insurance staff administers benefits).
2. Monthly reports generated by Internal Audit and supplied to Risk/Insurance staff for follow-up

Risk: Employees/Retirees who are authorized benefits may not be enrolled with benefit providers.
Inherent Risk: Impact Medium, Likelihood High
Residual Risk: Impact Medium, Likelihood Medium
Controls:
1. Separation of duties between HR and Risk (HR staff sets up employees/retirees on system, Risk/Insurance staff administers benefits).
2. Employee/Retiree would complain if they had a benefit claim and it was not paid
3. Monthly reports generated by Internal Audit and supplied to Risk/Insurance staff for follow-up

Objectives, Risks, and Controls for Procurement
MAC 2016 Audit Universe > Processes > Procurement
Objective: Ensure that purchases are appropriate, cost effective and meet legal and policy requirements

Risk: Items may be purchased without proper approval or purchases may not comply with state statutes and policies
Inherent Risk: Impact High, Likelihood High
Residual Risk: Impact Medium, Likelihood Medium
Controls:
1. Non Purchasing Card purchases of supplies and equipment are made through the on-line requisition system
2. Requisitions are automatically directed to supervisors for on-line approval
3. After supervisor approval, Purchasing Dept. staff reviews requisitions and supporting documents for policy compliance before final approval
4. Purchasing Dept. issues purchase order which is required for payment of invoice.
5. Anonymous reporting hotline available to all employees

Risk: Purchasing process may allow purchased items to be diverted or stolen
Inherent Risk: Impact Medium, Likelihood High
Residual Risk: Impact Medium, Likelihood Medium
Controls:
1. Proper receipt of purchased items must be documented on invoice prior to payment
2. Supervisors are responsible for inventory control.
3. Capital equipment is tracked on the fixed asset system.
4. Budgetary controls reveal spending fluctuations by business unit and account
5. Anonymous reporting hotline available to all employees

Risk: Consultant Contracts could be awarded through collusion or kickback schemes
Inherent Risk: Impact High, Likelihood High
Residual Risk: Impact Medium, Likelihood Medium
Controls:
1. Commission receives quarterly report on consultant authorizations.
2. Each review team must have a member who is independent of management.
3. Contracts over $50K in annual payments must be approved by the Commission
4. Professional consultant contracts are awarded through a review team process
5. Commission receives annual report of cumulative consultant payments
6. Anonymous reporting hotline available to all employees

Risk: Consultant Contracts could be ineffectively monitored resulting in excess costs
Inherent Risk: Impact Medium, Likelihood High
Residual Risk: Impact Medium, Likelihood Medium
Controls:
1. Managing department assigns and monitors work and approves payments.
2. Total payments are compared to pre authorized payment amounts by MAC Finance
3. Commission receives annual report of cumulative consultant payments
4. Insurance coverage for each consultant is monitored by departments with guidance from Risk Management.
5. Management review of service provider invoices and payments
6. Anonymous reporting hotline available to all employees

Risk: Consultants could collude with staff to create false billings and payments
Inherent Risk: Impact Medium, Likelihood High
Residual Risk: Impact Medium, Likelihood Medium
Controls:
1. Commission receives quarterly report on consultant authorizations.
2. Commission receives annual report of cumulative consultant payments
3. Total payments are compared to pre authorized payment limits by MAC Finance
4. Management review of service provider invoices and payments
5. Anonymous reporting hotline available to all employees

Risk: Contract awards could be manipulated by staff in exchange for payments from successful bidders
Inherent Risk: Impact High, Likelihood Medium
Residual Risk: Impact Medium, Likelihood Low
Controls:
1. Project plans and estimates are developed by MAC consultants prior to project bidding.
2. Projects are publicly advertised for bids.
3. Contract awards are subject to a sealed bidding process and public bid opening.
4. Construction Budgets and contracts are subject to Commission Approval
5. Anonymous reporting hotline available to all employees

Risk: Employees who award contracts could have a business interest in certain bidders.
Inherent Risk: Impact High, Likelihood Medium
Residual Risk: Impact Medium, Likelihood Low
Controls:
1. Commission approval is required for contract awards over $50K.
2. MAC Ethics Policy requires employees to disclose potential conflicts of interest
3. Projects are publicly advertised for bidding.
4. Sealed bids are publicly opened to determine the lowest qualified bidder.
5. Anonymous reporting hotline available to all employees

Objectives, Risks, and Controls for Accounting System Journal Entries
MAC 2016 Audit Universe > Processes > Journal Entries
Objective: Information Systems - Ensure that information systems incorporate adequate financial controls

Risk: Journal entries could be made for inappropriate purposes such as concealing errors or irregularities
Inherent Risk: Impact Medium, Likelihood Medium
Residual Risk: Impact Medium, Likelihood Low
Controls:
1. Journal entries are documented and reviewed by Finance Dept. supervisors who approve them in writing

Risk: Journal entries could be made by employees who are not authorized to make them or they could be made without proper approval
Inherent Risk: Impact Medium, Likelihood Medium
Residual Risk: Impact Medium, Likelihood Low
Controls:
1. System access is restricted to a small group of staff who are authorized to make journal entries.
2. Journal entries are documented and reviewed by Finance Dept. supervisors who approve them in writing

Objectives, Risks, and Controls for Information Systems
MAC 2016 Audit Universe > Processes > Information Systems
Objective: Information Systems - Ensure that information systems incorporate adequate financial controls

Risk: System changes could be performed improperly or not properly authorized
Inherent Risk: Impact High, Likelihood Medium
Residual Risk: Impact Medium, Likelihood Medium
Controls:
1. System administrators monitor system changes.

Risk: Users may have inappropriate or incompatible access to systems
Inherent Risk: Impact High, Likelihood Medium
Residual Risk: Impact Medium, Likelihood Medium
Controls:
1. System edits block user actions that exceed their program roles.
2. Segregation of duties is built into predetermined access roles
3. Supervisory Approval required to gain system access

Objectives, Risks, and Controls for Cash Management
MAC 2016 Audit Universe > Processes > Cash Management
Objective: Cash Management/Investments - Ensure that cash and investments are properly safeguarded

Risk: Cash and investments could be at risk of loss
Inherent Risk: Impact High, Likelihood Medium
Residual Risk: Impact Medium, Likelihood Low
Controls:
1. MAC retains professional advisors to properly structure its investments and debt offerings.
2. State statutes regulate the degree of risk that MAC can assume in its investment portfolio
3. Commission is updated on investment status.
4. Cash on hand is regularly reconciled to the accounting records.
5. Cash and investments are subject to annual independent audits