Purpose & Professional Requirements

Transcription

1 INTERNAL AUDIT SERVICES PLAN FISCAL YEARS 202 & 20

2 TO: CC: FROM: Frank Fernandez Chair, Planning, Finance & Audit Committee John Langmore, Vice-Chair & Member, Planning, Finance & Audit Committee Justine Blackmore-Hlista, Member, Planning, Finance & Audit Committee Norm Chafetz, Member, Planning, Finance & Audit Committee Linda Watson, President/CEO Caroline Beyer, CPA, CISA VP, Internal Audit DATE: November 5, 20 SUBJECT: Fiscal Years Internal Audit Services Plan Purpose & Professional Requirements The Internal Audit Services Plan (the Plan) summarizes the audits and projects that Internal Audit anticipates performing during the next two fiscal years. The Institute of Internal Auditor s (IIA) International Standards for the Professional Practice of Internal Auditing require that risk-based plans be developed to determine the priorities of the internal audit activity, consistent with the organization's goals. The Capital Metro Internal Audit Charter requires that the Chief Audit Executive (CAE) present for approval to the Finance & Audit Committee a risk-based Audit Plan which documents the priorities of the internal audit function and is consistent with the Authority s strategic goals and objectives. IIA Standard 0 requires that the CAE confirm to the board, at least annually, the organizational independence of the internal audit activity. Capital Metro Internal Audit is organizationally independent of management and, as such, remains objective when conducting audits. Internal Audit Services Plan Development & Update Projects in the Plan are identified by using a risk assessment process which considers input and requests from Capital Metro management/staff as well as the Authority s external financial auditor. Input from the Capital Metro Board members was also solicited. In addition, prior external consulting and audit reports, operating and capital budgets, organizational charts, and the Strategic Plan were all reviewed to help ensure all potential risk and opportunity areas were identified. The Control Objectives for Information and related Technology (COBIT ) Framework was also used to identify Capital Metropolitan Transportation Authority FY202-FY20 Internal Audit Services Plan Page of 9

3 potential technology audits. The factors used to evaluate risks and opportunities for the Capital Metro audit universe are listed in Appendix A. The Internal Audit Services Plan is reviewed and updated at least annually, or as needed. In accordance with the approved Internal Audit Charter, Proposed plan revisions will be presented to the Finance & Audit Committee. The Committee has the authority to approve plan modifications. The intent is to provide flexibility to ensure that the most significant risks/opportunities can be addressed in a timely fashion. Internal Audit Resources / Acceptable Level of Risk Approximately 7,700 hours are estimated to be available during fiscal years for audit and consulting projects. 2 The proposed Plan is designed to provide coverage of key business process over a two-year period, given existing staff resources. It is the governing board s responsibility to conclude whether internal audit resources are adequate to address identified risks. The approved FY202 operating budget ($286,890) is essentially the same as in the prior year. This budget continues to fund the same staffing level as in FY20 - three full time auditor positions. Ultimately, Internal Audit is limited in scope by finite audit resources and cannot address every known risk area. It is important for the Board of Directors to recognize and accept limitations on audit coverage and attendant risks for areas not audited. For FY202-FY20, our budgeted resources will allow Internal Audit to address some, but not all, areas identified with highest risk (e.g., cumulative risk assessment score of six or more). We believe that the proposed Plan allocates available resources to the most important priorities and risks of the agency while allowing flexibility to address other risk areas that may become known during the year. The proposed audit projects for the FY202-FY20 period along with the estimated number of required hours are summarized in the following table. Please note the estimated required resources are more that than available resources (by 245 hours). To partially offset this overage and provide flexibility in scheduling or substituting projects, one audit (Ethics & Governance) has been classified as an alternate project and may be performed if time is available. The Board s input and direction regarding the Internal Audit resources, funding and proposed projects are critical to ensuring your comfort with existing governance, control, and accountability practices. The proposed FY202-FY20 Internal Audit Services Plan is shown on pages -5. The COBIT control model, promulgated by the IT Governance Institute, organizes IT activities into a generally accepted process model. It is the most widely used model employed by audit organizations. For further information see: 2 Three auditors x 2,080hrs x 2 years = 2,480 hrs-- less: paid time off/leave (2,282 hrs), Mandatory CPE (00 hrs), 5% administrative (,872 hrs), Board related (2 hrs) = 7,74 hrs. Internal Audit s FY202 operating budget represents.7% of the Authority s total operating budget, also consistent with FY20. Capital Metropolitan Transportation Authority FY202-FY20 Internal Audit Services Plan Page 2 of 9

4 Assurance Services Approved FY202-FY20 Capital Metro Internal Audit Services Plan Estimated Hours Project Rationale FY202 FY20 Commuter Rail Contractor Operations & Oversight Evaluate the contract administration and management processes. This review would address commuter rail service delivery and, as appropriate, execution of related programs such as MOW and bridge safety. 60 Fixed Route Service Contractor Monitoring & Oversight MetroAccess Service - Contract monitoring & oversight Supports: Strategic Goals -Provide a Great Customer Experience, and 2-Improve Business Evaluate the contract administration and management process. By FY the contract management plans (CMPs) for overseeing the new fixed route service contractor will be formalized and documented. Supports: Strategic Goals -Provide a Great Customer Experience, and 2-Improve Business Evaluate the contract administration and management process. By FY the contract management plans (CMPs) for overseeing the new paratransit service contractor will be formalized and documented MetroAccess Eligibility Assessment Supports: Strategic Goals -Provide a Great Customer Experience, and 2-Improve Business Evaluate the process and controls for performing biennial recertifications of existing MetroAccess customers. 450 Fuel controls Evaluate the controls over fuel ordering, receipt and payment for diesel fuel. 525 Enterprise Risk Management Operating Budget Development & Management Evaluate controls designed to identify and manage threats within a defined risk appetite. This would include evaluating risk transfer strategies such as insurance. Professional auditing standard 20 requires auditors to "communicate risk and control information" to appropriate areas of the organization. Assess the financial planning and budgeting processes and structures are adequate and effective in directing resources to where they are most needed Capital Metropolitan Transportation Authority FY202-FY20 Internal Audit Services Plan Page of 9

5 Approved FY202-FY20 Capital Metro Internal Audit Services Plan Ethics / Governance & Compliance (ALTERNATE Project) Evaluate the design, implementation, and effectiveness of the organization's ethicsrelated objectives, programs, and activities. This review is required by professional auditing standard 20-Governance. 200 Semiannual Implementation Status Updates Monitor and report on implementation status of previously agreed-upon corrective action plans (CAPs). Status updates are performed twice each year (Spring & Fall.) Assurance Hours / % of Total Hours 5,85 68% Advisory & Consulting Services Estimated Hours Project Rationale FY202 - FY20 MetroRapid Project Implementation Monitoring Continue ongoing monitoring of largest ($48 million), most visible capital project. 400 Labor Transition - Contract Management Plan (CMP) Development & Review Labor Transition Implementation Project Monitoring Basic Transportation Needs Fund Program Development Project Management for FY202 FTA Triennial Review Annual Ethics & Fraud Prevention Training Management Requests & Assistance Capital Metro is changing its business model from a direct service provider to mgmt of outsourced services. Provide proactive input and assistance as Contract Management Plans 00 are developed and implemented for outsourced service providers. Continue participation on Labor Transition Implementation Team 00 Provide input on design and implementation of controls to ensure transparency and 40 accountability for funds managed by Austin Community Foundation for the Basic Transportation Needs Fund. Serve as the overall project manager for the FTA's desk and on-site review of 24 federal 40 compliance areas. Internal Audit has previously performed this responsibility in fiscal years 200, 2006, and Develop and present annual Ethics & Fraud Prevention training in cooperation with Legal 50 and Human Resources. Continued coordination with the Chief Counsel regarding reviewing and responding to allegations of potential fraud and abuse including responding to calls from the Capital Metro Fraud Hotline. Internal auditing best practices include allocating undesignated time for management 900 requests and other unanticipated special projects. Examples of other activates included in this category include: * Oracle system re-implementation Team (if funded) * Grants management & administration workgroup / process analysis * Ongoing participation on Policy Committee Advisory Hours / % of Total Hours 2,20 28% Capital Metropolitan Transportation Authority FY202-FY20 Internal Audit Services Plan Page 4 of 9

6 Approved FY202-FY20 Capital Metro Internal Audit Services Plan Continuous Improvement Estimated Hours Project Rationale FY202 FY20 Upgrade TeamMate audit software TeamMate, industry-recognized audit project 50 management software, recently issued Version 0, the most comprehensive and significant software release to date. Quality control & assurance Perform annual (FY202 & FY20) quality 20 reviews conducted in-house as required by GAGAS FY20 Interim Plan Update & FY204 Audit Plan Development Develop and update the risk-based internal audit services plan to identify audit and nonaudit projects and effectively allocate resources 60 Improvement Hours / % of Total Hours 0 4% Capital Metropolitan Transportation Authority FY202-FY20 Internal Audit Services Plan Page 5 of 9

7 Appendix A: Risk/Opportunity Factor Definitions & Weighting RISK FACTORS: Service Delivery Risk: 0% (Impact on customers/community, stakeholders - public, internal, legislature, etc. Alignment with / ability to impact on Capital Metro strategic goals.) 4 Significant citizen/customer hardship such as a delay in / poor quality / inconsistent / no services or loss of significant assets, such as large amounts of cash; or significant loss potential. Has ability to impact multiple strategic objectives 2 Erroneous management decision; lost opportunities for efficiency and effectiveness; not aligned with CapMetro s strategies, goals and/or objectives 0 Nominal, if any, impact on strategic objectives Sensitivity Risk: 25% (Degree of interest exhibited by public, legislature, press, industry, and/or Executive Management, Potential for customer dissatisfaction, negative publicity, and/or damage to CapMetro reputation / public image.) 4 Significant issue sensitivity by the Board, Community, Industry, and/or oversight entities. 2 Moderate issue sensitivity by Board, Community, Industry, and/or oversight entities. 0 Little or no issue sensitivity exists Change Risk: 5% (Volatility of operations; organizational, operational, and/or technical changes; e.g., a division or operation that experiences a significant change in staff size, turnover, funding, and/or responsibility is potentially vulnerable to problems) 4 Significant changes in staff, funding, systems, and/or responsibilities within last 8 months 2 Moderate changes within past 8 months 0 No significant changes in past 8 months Capital Metropolitan Transportation Authority FY202-FY20 Internal Audit Services Plan Page 6 of 9

8 Coverage Risk / Quality of Known Controls: 20% (Knowledge of existing risk mitigation controls. [For IS/data systems, controls should exist to ensure data integrity (e.g. (accuracy / completeness. Information/data systems should process information in a secure, reliable and accurate manner.] This factor also considers potential/risk of fraud & misappropriations and prior audits or reviews by Internal Audit and External Groups (KPMG, consultants, FTA, FRA, etc). 4 No review or very limited reviews performed and/or Insignificant or no assurance that existing controls for the specific operation aid in mitigating business/ operational risk. 2 Reviewed within last two years, no significant recommendations and/or Moderate assurance that existing controls for the specific operation aid in mitigating business risk. 0 Reviewed within last 2 months and/or significant assurance that existing controls for the specific operation aid in mitigating business risk. Financial Risk: 0% (Thresholds based on FY2 proposed budget operating expenses ($72,98,887.) However, if more significant, based on transaction volume (expenditures / revenues), liquidity, and/or capital expenditures): 4 > 4% of CapMetro Operating Budget expenses ($6,99,275) 2 2% of CapMetro Operating Budget ($,459,67) 0 <.5% of CapMetro Operating Budget ($864,909) SUCCESS FACTORS: Opportunities to Achieve Potential Operating Benefits / Improvements: 55% 4 Excellent potential for recommendations and their implementation 2 Moderate potential for recommendations and implementation 0 Minimal or no potential for recommendations or their implementation. Audit Skill/Resources/Hours: 45% (Level of expertise and estimated hours for project) 4 Audit procedures well known / small project 2 Project will require technical analysis / moderately extensive audit project 0 Outside resources must be recruited / large project Capital Metropolitan Transportation Authority FY202-FY20 Internal Audit Services Plan Page 7 of 9

9 Appendix B: Capital Metro Strategic Plan Overview MISSION STATEMENT: Capital Metro connects people, jobs and communities by providing quality transportation choices VISION: A driving force for quality of life in our community Strategic Goal Provide a Great Customer Experience Build a culture of exceptional customer service that is responsive to the diverse needs of the community Strategic Goal 2 Improve Business Capital Metro will exhibit good stewardship of public funds through the efficient use of available resources. Institute productivity and efficiency strategies that ensure resources are allocated in a manner that optimizes Capital Metro's ability to meet community transportation needs Strategic Goal Demonstrate the Value of Public Transportation in an Active Community Demonstrating Capital Metro's value to the community will lead to a positive public image through improved service delivery, safety, increased customer satisfaction and increased ridership. Be a leader responsible for making innovative and good decisions. Strategic Goal 4 Be a Regional Leader Capital Metro will play a major role in addressing the congestion challenges in central Texas by increasing its market share and influencing future land development. Capital Metropolitan Transportation Authority FY202-FY20 Internal Audit Services Plan Page 8 of 9