ENGAGEMENT PLAN AND RISK ASSESSMENT
FISCAL YEAR 2016/2017

INTERNAL AUDITING STANDARD - PLANNING

The Chief Audit Executive (CAE) is responsible for developing a risk-based engagement plan, taking into account the organization's risk management framework. If a framework does not exist, the CAE uses his/her own judgment of risks after consideration of input from senior management and the board. The CAE must review and adjust the plan, as necessary, in response to changes in the organization's business, risks, operations, programs, systems, and controls.

OBJECTIVE

A comprehensive, data-driven, and objective risk-based audit plan based on critical College risks that follows a business-focused approach and allows flexibility. The key objective of the annual plan (and resulting engagements) is effective and efficient resource management linked with a sound business approach.

RISK ASSESSMENT PROCESS OVERVIEW

Identify Objectives (START) -> Identify Risks -> Measure -> Prioritize -> Select Audits and Develop Plan

IDENTIFY OBJECTIVES

College Strategic Direction: 2014-2017
- Reaffirm HLC Accreditation and fully commit to HLC guiding values.
- Improve access and student success.
- Foster partnerships to strengthen educational opportunities in response to community needs.
- Improve responsiveness to the needs of the business community and economic development opportunities.
- Increase diversity, inclusion, and global education.
- Develop a culture of organizational learning, employee accountability, and employee development.

OBJECTIVES - General Operating Goals
- Achievement of the organization's strategic objectives.
- Reliability and integrity of financial and operational information.
- Effectiveness and efficiency of operations and programs.
- Safeguarding of assets.
- Compliance with laws, regulations, policies, procedures, and contracts.
Page 2 of 4

IDENTIFY RISKS

TOP 3 HIGHER EDUCATION & ORGANIZATIONAL RISKS 2016*
- Collaboration and Change Management
- Compliance, Legislative, & Regulatory Landscape
- Information Security & Data Privacy

* See Appendix A for sources of information.

PCC SPECIFIC RISKS & CONCERNS

Additional information utilized to identify risks included:
- Chancellor's Goals, Objectives, & Timelines 2015-2016
- College Budget 2016-2017
- College Mission, Vision, and Values
- Compliance and Ethics Hotline
- Complaints & Grievances
- Comprehensive Annual Financial Report, June 30, 2015
- Inter-Campus Council Interviews
- Meeting Minutes (BOG, Faculty Senate, & All College Council)
- PCC Employee Exit Interview Documentation
- PCC Employee Interviews & Surveys
- PCC Notice Report
- PCCCD Expenditure Limitation Report, OAG, June 30, 2015
- PCCCD Single Audit (Including Compliance and Internal Controls), OAG, June 30, 2015

PCC Specific Risks & Concerns** (Area/Function/Risk)
- Compliance & Regulatory
- Employee Performance Management
- Governance
- Advising & Academic Support
- Employee Recruiting & Retention
- Enrollment Management
- Information Security
- Safety & Security
- Strategy
- Purchasing & Contracting
- Accounting & Finances
- Training
- Employee Development
- Employee Classification & Pay Administration
- Marketing & Communications
- Equipment/Resources
- Curriculum
- Attendance Tracking
- Student Code of Conduct
- Occupational Programs
- Facilities Management & Usage

Chart values shown for % Response (230 Responses): 7.4%, 5.7%, 5.2%, 4.8%, 3.5%, 1.3%, 12.6%, 16.5%

** Includes risk areas identified by more than one source.
Page 3 of 4

MEASURING RISKS

The significance of risks is assessed based on impact, probability, and velocity.

Impact (I): The effect on the College, and its stakeholders, if a risk event occurs or if the area is not functioning as intended. Impact can include lost revenue, increased expenses, declining enrollment, fines, adverse publicity, sanctions, reputational damage, and reduced employee morale.

Probability (P): The likelihood that a risk event occurs or that the area is not functioning as intended. Probability factors can include prior audit results, turnover, management and staff concerns, lack of internal monitoring and/or governance, operational and control weaknesses, and poor training.

Velocity (V): The pace at which the organization is expected to experience the impact of a risk. The speed of regulatory enforcement action is an example of velocity.

Risk heat map (Probability vs. Impact, with Velocity noted; see note 5)
Probability axis: Almost Certain, Likely, Possible, Unlikely, Rare
Impact axis: Insignificant, Minor, Moderate, Major, Catastrophic

Areas/Functions/Risks plotted (areas of rapid velocity in all capitals):
- GOVERNANCE (1)
- Employee Development
- Equipment & Resources
- Facilities Management & Usage
- Occupational Programs
- Training
- ADVISING & ACADEMIC SUPPORT
- Attendance Tracking
- Curriculum
- Employee Performance Management (4)
- Employee Recruitment & Retention
- ENROLLMENT MANAGEMENT
- Purchasing & Contracting
- Student Code of Conduct
- Employee Classification & Pay Administration
- Safety & Security
- Marketing & Communications
- COMPLIANCE & REGULATORY (2)
- INFORMATION SECURITY (3)
- Accounting & Finance

Notes:
1 Includes Higher Education and Organizational Risk - Collaboration and Change Management
2 Includes Higher Education and Organizational Risk - Compliance, Legislative, & Regulatory Landscape
3 Includes Higher Education and Organizational Risk - Information Security & Data Privacy
4 Includes Employee Performance Evaluation System and Step Progression Planning
5 Only areas of rapid velocity were included; areas of rapid velocity are in bold and all capitals.
Page 4 of 4

PRIORITIZING RISKS AND PLAN DEVELOPMENT

Factors used to prioritize risks and build the engagement plan include:
- College Strategic Direction (pg. 1)
- Overlapping (Top 3) Higher Education and Organizational Risks (pg. 2)
- PCC Specific Risks & Concerns rated as:
  - Major or Catastrophic Impact
  - Likely or Almost Certain Probability
  - Rapid Velocity

Additional audit planning considerations include:
- Internal Audit resources
- Current or upcoming operational and system changes
- Special requests

DETAILED PLAN

INTERNAL AUDIT ENGAGEMENT PLAN 2016/2017 (6)

ENGAGEMENT TYPE                                  DESCRIPTION                                              TIMING
OPERATIONAL AUDITS                               Attendance Tracking                                      Fall 2016
                                                 Enrollment Management                                    Spring 2017
                                                 Purchasing and Contracting                               Spring 2017
CONTINUOUS AUDITING PROJECTS                     Compliance and Regulatory                                Fall 2016 and Spring 2017
                                                   - CLERY Act
                                                   - Financial Aid/Title IV
                                                   - Governance (7)
                                                   - Health Insurance Portability and Accountability Act (HIPAA)
                                                   - Title IX
                                                 Governance
                                                 Information Technology: Data Privacy and Security
FOLLOW-UP AUDITS                                 Aviation Controls                                        Fall 2016
                                                 International Students                                   Fall 2016
OTHER SERVICES, DUTIES, AND SPECIAL PROJECTS     Fiscal Year 2015/2016 Carry Over:
                                                   - Accessibility and Disabled Resources
                                                   - Athletics Follow-up Audit
                                                   - Automotive
                                                   - Veteran's
                                                 Special Projects and Reviews (as needed)
                                                 Advising & Academic Support Investigations (as needed)

6 Due to the dynamic nature of the College and its risk environment, the plan will be reviewed quarterly and updated as necessary. Any changes or updates to the plan will be reviewed with the Finance and Audit Committee and the Board.
7 Governance encompasses the policies, processes, and structures used by the College to direct and control its activities, to achieve its objectives, and to protect the interests of its diverse stakeholder groups in an ethical manner.
Pima County Community College District
Office of the Internal Auditor

APPENDIX A - INFORMATION SOURCES

- Allianz Global Corporate and Specialty, Allianz Risk Barometer 2016
- Association of Governing Boards of Universities and Colleges, Top Public Policy Issues for Higher Education, 2015-2016
- Baseline, The Top 5 Cyber-Risk Trends in 2016
- EduVentures, EduVentures Announces Higher Education Predictions for 2016
- Grant Thornton, The State of Higher Education in 2016
- Huron Consulting Group, Identifying and Responses for Higher Education Institutions in Transition
- Inside Counsel, Prediction 2016: Privacy remains a top risk
- Protiviti, Executive Perspectives on Top for 2016
- The Center for Digital Education, The Top Higher Ed IT Issues of 2016
- Urban Institute, Higher Education 2016: Evaluating Campaign Proposals