INTERNAL AUDIT PLAN OF ACTIVITIES

Transcription

1 SDCERA INTERNAL AUDIT PLAN OF ACTIVITIES Fiscal Years CHRISTINA MCGOUGH, INTERNAL AUDIT MANAGER 12

2 Table of Contents Executive Summary... 1 Overview... 2 Risk assessment... 2 The audit plan... 4 The audit process... 8 Appendix A Internal audit budget...10

3 Executive Summary To assist the Audit, Finance, and Budget Committee in fulfilling its duties, internal audit has prepared and is proposing the following audit plan to outline and prioritize planned activities for the fiscal years Internal audit performed its first risk assessment during the 2012 fiscal year, the results of which served as a basis for development of the audit plan documented below. This report will be presented at the March 1 Audit, Finance, and Budget Committee meeting for your review and approval. The following audit activities have been identified as a result of these procedures: Planned Audit Activities FY Activities related to the implementation of CPAS Data integrity and security audit Policy and procedure compliance audit External manager oversight audit Activities related to fraud, waste and abuse Actuarial data audit Investment policy compliance audit Potential Audit Activities FY Continued activities related to the implementation of CPAS Member data maintenance audit Due diligence audit Service provider oversight audit Information privacy and security audit Conflicts of interest audit Completeness and accuracy of management reporting audit Contract management audit Security of Member s personally identifiable information audit End user computing applications audit Activities related to succession planning In addition to the engagements noted above, the multi-year audit plan includes consideration of ongoing activities required of the function. Activities considered include an annual risk assessment, development and maintenance of internal audit policies and procedures, quality assurance and improvement programs for compliance with International Standards for the Professional Practice of Internal Auditing, and time allotted for special projects, investigations, or requests from management and the Audit, Finance, and Budget Committee. 1

4 Internal Audit Plan of Activities Fiscal Years Overview The San Diego County Employee s Retirement Association (SDCERA) Internal Audit function is currently comprised of one audit professional, Christina McGough, who holds the title of Internal Audit Manager. Ms. McGough is a Certified Public Accountant in good standing and has held her current position since July Ms. McGough joined SDCERA for the purpose of establishing an independent internal audit function focused on objective assurance and consulting activities designed to add value and improve the organization s operations. The goal of the internal audit function is to assist the organization in accomplishing its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of SDCERA s risk management, control, and governance processes. Internal audit reports functionally to the SDCERA Audit, Finance, and Budget Committee (the Committee) which is charged with fulfilling the Board of Retirement s (the Board) oversight responsibilities related to the review of the internal audit function and activities. To assist the Audit, Finance, and Budget Committee in fulfilling its duties, internal audit has prepared and is proposing the following audit plan which outlines and prioritizes planned activities for the fiscal years Risk assessment Performing the assessment Risk assessment is the systematic process of identifying, understanding, and evaluating the presence of risks to achieving the organization s business objectives. SDCERA objectives are outlined in the organization s mission statement and strategic plan. The degree and complexity of the assessment can vary in nature based on the size of the entity, its operations, and the intended use of the information. Management is responsible for establishing and operating the risk management framework on behalf of the Board. Internal audit performs a risk assessment, considering the impact of risks to stakeholder value and the organization s goals, for the purpose of defining an audit plan and the monitoring of key risks. Key stakeholders include SDCERA s members, the County of San Diego and four participating employer agencies, the media and the general public. The Chief Audit Executive must establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization s goals. The internal audit activity's plan of engagements must be based on a documented risk assessment, undertaken at least 2

5 annually. The input of senior management and the board must be considered in this process. 1 Internal audit performed its first risk assessment during the 2012 fiscal year. The assessment was a top-down process which began with the identification of both external and internal risk factors to SDCERA objectives. Sources for identification of risks included management interviews and self assessments, the organization's written policies and procedures, external auditor management letter comments and feedback, board presentations, the Comprehensive Annual Financial Report (CAFR), industry trainings and hot topics. Events identified as potentially impeding the achievement of SDCERA s objectives were then deemed to be risks and were further evaluated based on the likelihood of occurrence and the significance of their impact on the objectives. It was considered important to first evaluate such risks on an inherent basis that is to say, without consideration of existing risk responses and control activities. To do so, impact and likelihood were initially measured independently in two separate processes with the objective of bringing these individual risk ratings together in the form of a risk heat map. Input of management and the Board were critical to the process of evaluation of likelihood and impact. To measure impact, an organization-wide questionnaire was developed and circulated to staff and the Board to obtain input on the significance of each individual risk s impact on SDCERA objectives. The impact was weighted by those surveyed as high, medium, or low. Although surveys of this nature are generally focused on the responses of management and the Board, the survey was circulated to all levels of the organization to obtain additional data and perspective for analysis by internal audit during the process. Results of the impact survey were accumulated, filtered and an average weighting was assigned for further review. The likelihood of occurrence of each risk was preliminarily assessed based on the professional judgment of internal audit with further input and discussion requested from management. The presence of controls was factored into the measurement of likelihood for those limited circumstances where audits and the results of such audits are known, documented, and have been reported to management and the Board. Evaluating the results The weighted results were brought together in the form of a risk heat map. The purpose of the heat map was to add additional focus to those risk events or areas with the highest combined likelihood and impact as represented by the red quadrants of the chart. The results were shared and discussed with management, emphasizing that those risks which fell into a high risk or impact classification do not indicate poor management performance or reflect ineffective controls. The overall results represent opportunities for internal audit and management to give attention to high priority risks which represent barriers to achievement of the organization s objectives and served as a basis for development of the audit plan documented below. 1 International Standards for the Professional Practice of Internal Auditing, Performance Standard

6 It is important to note that process of assessing and evaluating risk is dynamic, should be flexible, and will be reevaluated on an ongoing basis by internal audit throughout the execution of the multi-year audit plan. The audit plan Internal audit resources An audit plan is developed based on the results of the risk assessment process and is also highly dependent upon the nature of the risks identified and the availability of internal audit resources. Such availability is identified through the budgeting process and review of audit resources. For the first full year of the plan, fiscal year 2013, internal audit has estimated anticipated available audit hours to be approximately 2,455 hours as detailed at Appendix A Internal Audit Budget. The anticipated available audit hours assume the hiring of an additional internal audit professional during the April 2012 timeframe and will be monitored based on actual hiring dates. Estimated hours are based on the preliminary understanding of the complexity of the activities selected for audit. The budget also factors time necessary for regular staff activities such as staff meetings, continuing professional education, holidays, annual and sick leave prior to calculating available audit hours. Considerations made in allocating internal audit resources to assigned tasks will also include the skill sets and level of effort required to meet audit requirements. The budget will be reviewed and reassessed periodically as audits are planned and executed taking into account that actual hours required may vary based on determined scope and any delays encountered. Identifying opportunities for the use of external service providers to support or complement the internal audit activity in the execution of more specialized audit activities, subject to available funding and approval, will also be contemplated. Co-sourcing advantages include: (1) access to a professionals specialized skills, knowledge and expertise; (2) a new point of view that may improve the internal audit function; and (3) the ability to accomplish more audits than could be performed by internal staff alone during a given plan year. Actual audit hours incurred will be monitored for the purpose of budgeting future audit activities. In the event that all planned audits are completed, additional potential audits can be initiated based on the results of the audit risk assessment and professional judgment. Planned audit activities In developing the audit plan, internal audit focused on prioritization of audit resources with particular attention to the outcome of the 2012 risk assessment. The table below provides a summary overview of planned audit activities, also referred to as engagements. For each planned engagement a more in depth assessment of risks will be performed to ensure that the audit objectives align with the highest risks related to activities under audit and planned resources and hours will be adjusted accordingly. Considerations in designing audit procedures, examples of potential audit activities, and opportunities for use of external service providers related to each engagement are included below and are presented by fiscal audit year (July 1, XX June 30, XX). 4

7 Fiscal years 2012 and 2013 have been combined for presentation purposes due to the timing of the proposed audit plan falling between fiscal years. A short-list of audit engagements proposed for the coming 2014 to 2015 planning horizon was also identified. Planned Audit Activities FY Implementation of CPAS Review completeness of operational requirements and planned scenarios Consultation on design and documentation of operational process and policy Review segregation of duties rules and system access authorization plans Assessment of plan for full integration of pension administration system Post implementation review Data Integrity and Security Opportunity for use of external service provider Assess network and security including data reliability, business continuity and recovery Network and system penetration test Vulnerability assessment Critical process and control review Policy and Procedure Compliance Assess policy and procedure completeness Review process and program management Operating effectiveness of compliance activities External Manager Oversight Review third party relationship inventory and ownership and delegation of duties External manager control evaluation Fraud, Waste and Abuse Coordination of management brainstorming session Evaluation of design and implementation of controls to address fraud, waste and abuse Facilitation of awareness trainings Coordination of fraud hotline policy and procedures Review ethics compliance program Actuarial Data Audit Follow up to FY 2012 audit procedures Evaluation of policy design and implementation Operating effectiveness of policy and procedure remediation efforts Investment Policy Compliance 5

8 Compliance audit of activities identified as monitored by staff Review compliance reporting and business processes Potential Audit Activities FY Implementation of CPAS Assessment of implemented aspects of pension system Phase 2 implementation activities review of completeness of operational requirements and planned scenarios Review continuous monitoring activities for system access and authorization Post implementation review Member Data Maintenance Change management policy review and procedural walkthrough Evaluate process optimization Due Diligence Opportunity for use of external service provider Review continuous monitoring and oversight activities Site visits Compliance testing Best practice benchmarking Service Provider Oversight Review third party relationship inventory and ownership and delegation of duties Information Privacy and Security Inventory of areas susceptible to manual error and mitigants Compliance with standards, laws, and regulations Conflicts of Interest Compliance with standards, laws, and regulations Management Reporting Inventory of management reporting activities and departmental consistency Reporting packet supporting documentation and review procedures 6

9 Contract Management Inventory of contracts and consistency of management activities Compliance with standards, laws, and regulations Security of Member s Personally Identifiable Information (PII) Inventory of areas where PII is used to identify members, assessment of necessity End User (EU) Computing Applications (Excel, Access) Inventory of EU application activities and suggestions for management development of program framework Succession planning Identification of areas for cross-functional training Review of roles and responsibilities documentation Ongoing audit activities In addition to the planned engagements noted above, allocation of resources to ongoing audit activities was also considered. Ongoing audit activities are those activities which are necessary to maintain an effective internal audit function and include, but are not limited to, the following: Annual internal audit risk assessment Internal audit plans to update its internal audit risk assessment at least annually. Additional procedures will be conducted as deemed appropriate to facilitate engagement planning and prioritization and to ensure that planned activities continue to align with the organization s objectives. This assessment will build upon the foundation developed during the 2012 internal audit risk assessment. External audit co-sourcing External Audit s reliance on the internal audit function can be viewed as a viable strategic cosourcing option in the future. Co-sourcing could result in potential savings for SDCERA on external audit services due to higher reliance on the internal audit function, and additional benefits to the internal audit function due to knowledge sharing and continued access to technical expertise. Evaluation of co-sourcing opportunities will be considered on an ongoing basis subject to external audit s extent of acceptable reliance to be placed on the internal audit function. Internal Audit Professional Practice Standards The International Professional Practices Framework (IPPF) and underlying International Standards for the Professional Practice of Internal Auditing (Standards) provide internal audit leadership a 7

10 framework and guidance to evaluate and ensure the effectiveness of the internal audit activity. The Standards also provide internal auditing stakeholders a basis for evaluating the activities effectiveness. The Standards are applicable to all internal audit departments regardless of size, level of resources, complexity, or objective and scope. Compliance with the Standards requires the development of policies and procedures for the internal audit function as well as a formal quality assurance and improvement program that covers all aspects of the internal audit activity. Internal audit efforts to develop, maintain, and monitor activities and programs to comply with the Standards have been incorporated into planned audit activities and will be considered on an ongoing basis in developing the audit plan. Other value-added activities The budget also contemplates time allotted for unscheduled projects and other value-added work, investigations, and special projects, including requests from management and the Committee. From time to time management, the Committee or Board may see opportunity for internal audit resources outside of planned activities and as such a portion of available audit hours will be set aside to address these requests. The audit process Based on the audit plan, internal audit must develop and document a plan for execution of each engagement, including the engagement s objectives, scope, timing, resource allocations and identification of a process owner. The nature of each engagement may vary and are generally categorized into two service types: Assurance services involve the internal auditor s objective assessment of evidence to provide an independent opinion or conclusions regarding an entity, operation, function, process, system, or other subject matter. The nature and scope of the assurance engagement are determined by the internal auditor. Consulting services are advisory in nature, and are generally performed at the specific request of an engagement client. The nature and scope of the consulting engagement are subject to agreement with the engagement client When performing consulting services the internal auditor should maintain objectivity and not assume management responsibility. 2 Other steps that are common during the development and execution of an audit include: Interviews of management and development of documentation that details the linkage of risks and what could go wrong s identified to control activities designed to mitigate them 2 International Standards for the Professional Practice of Internal Auditing, Standards 2011 Edition 8

11 Walkthroughs of control activities and processes to ensure they are implemented as designed Development and performance of a detailed test plan considering extent of documentation (e.g., consider use in recurring engagements) Identification and analysis of exceptions and offering feasible recommendations to mitigate the recurrence of exceptions The results of procedures for each engagement will be summarized and documented in a final report. The reporting process includes the discussion of findings and opportunities for improvement, as applicable, with management. Once agreed upon by management and supported by a plan of action, as applicable, the report is presented to the Committee for review. Results of engagements will be discussed with the Committee, to the extent necessary, at scheduled quarterly Committee meetings. 9

12 APPENDIX A - Internal Audit Budget INTERNAL AUDIT BUDGET FY Mgr w Staff FY Mgr (*) Staff (**) Total Hrs Total Available Hours 40/week ,280 Less: PTO/Holiday/Leave Professional Development Department Meetings General & Administrative Time Net Available Hours % Total W/Staff Ongoing Audit Activities % Audit Policies and Procedures % Audit Plan Documentation % Risk Assessment - Initial % Risk Assessment - Ongoing % Engagement Planning/Execution/Reporting (***) % CPAS % Audit A % Audit B % Audit C % Audit D % Other % Management and Committee Requests % Fraud Risk Brainstorming & Assessment % External Audit (MGO) Support % Additional Sup & Review/Continuous Improvement Activities/Meetings % Outsourced Outsourced Audit A Outsourced Audit B Outsourced Audit C TOTAL HOURS % Remaining Hrs * Based on weeks remaining in FY 2012 ** Assumes April 2012 start date for Staff *** Initial budget based on estimate. Actual audit hours incurred will vary due to scope and complexity of audit procedures required.

13 APPENDIX A - Internal Audit Budget INTERNAL AUDIT BUDGET FY Mgr w Staff FY Mgr (*) Staff (*) Total Hrs Total Available Hours 40/week ,080 2,080 4,160 Less: PTO/Holiday/Leave Professional Development Department Meetings General & Administrative Time Net Available Hours 1,195 1,260 2,455 % Total W/Staff Ongoing Audit Activities % Audit Policies and Procedures % Audit Plan Documentation % Risk Assessment - Initial % Risk Assessment - Ongoing % Engagement Planning/Execution/Reporting (**) ,640 67% CPAS % Audit A % Audit B % Audit C % Audit D % Audit E % Audit F % Audit G % Audit H % Audit I % Audit J % Audit K % Other % Management Requests % Fraud Risk Brainstorming & Assessment % External Audit (MGO) Support % Additional Sup & Review/Continuous Improvement Activities/Meetings % Outsourced Outsourced Audit A Outsourced Audit B Outsourced Audit C TOTAL HOURS 1,195 1,260 2, % Remaining Hrs * Assumes 52 weeks available ** Initial budget based on estimate. Actual audit hours incurred will vary due to scope and complexity of audit procedures required.