FY 2014 Annual Audit Report

Transcription

1 FY 2014 Annual Audit Report

2 TABLE OF CONTENTS I. Compliance with House Bill 16 (Texas Government Code, Section ): Posting the Internal Audit Plan, Internal Audit Annual Report, and Other Audit Information on Internet Web site..3 II. III. IV. Planned Work Related to the Proportionality of Higher Education Benefits..4 Internal Audit Plan for Fiscal Year Consulting Services and Nonaudit Services Completed.9 V. External Quality Assurance Review (Peer Review).. 12 VI. VII. VIII. Internal Audit Plan for Fiscal Year External Audit Services Procured in Fiscal Year Reporting Suspected Fraud and Abuse TxDOT Annual Audit Report 2

3 I. Compliance with House Bill 16 (Texas Government Code, Section ): Posting the Internal Audit Plan, Internal Audit Annual Report, and Other Audit Information on Internet Web site House Bill 16 (83 rd Legislature, Regular Session) signed by Governor Perry on June 14, 2013, amended the Internal Auditing Act to require state agencies and institutions of higher education, as defined in the bill, to post internal audit plans, internal audit annual reports, and any weaknesses or concerns resulting from the audit plan or annual report on the entities internet web site within 30 days after the audit plan and annual report are approved by an entity s governing board or chief executive. The requirements are met by posting the approved documents at the following link: A detailed summary of the weaknesses, deficiencies, wrongdoings, or other concerns raised by the audit plan or annual report and a summary of actions taken by TxDOT to address concerns, if any, that are raised by the audit plan or annual report is included in the fiscal year 2014 Annual Audit Report. TxDOT Annual Audit Report 3

4 II. Planned Work Related to the Proportionality of Higher Education Benefits Not applicable TxDOT Annual Audit Report 4

5 III. Audit Plan for Fiscal Year 2014 PHASES OF THE AUDIT/CONSULTING SERVICES CYCLE Reports Issued Report Number Report Date Report Name Audit Service RD /07/2014 Advance Funding Agreements Internal Audit FS /21/2014 Bid Estimation Internal Audit FS /26/2014 Bridge Program Internal Audit FS /07/2014 Bond Covenants Internal Audit RD /19/2014 COMPASS Internal Audit RD /26/2014 Electronic Bidding and Letting Management Internal Audit FS /19/2014 Encumbrance Review Internal Audit FS /25/2013 FIN Penalties/Mitigation Internal Audit RD /25/2014 Highway Condition Reporting Internal Audit FS /26/2014 Highway Performance Monitoring System Reporting Internal Audit FS /25/2014 HR Procedures Management Internal Audit FS /25/2014 IT Service Level Contract Management/Billing Internal Audit RD /27/2014 Metropolitan Planning Organization Internal Audit RD /21/2014 Plan Review Process Internal Audit Procurement Cycle: Efficiency/Effectiveness of RD /08/2014 Performance Monitoring, Data Reliability, and System Access Internal Audit RD /25/2014 Public Transportation Grant Management Internal Audit FS /25/2014 Rail Project Management Internal Audit FS /17/2014 Receivables Management Statement of Cost Internal Audit FS /25/2014 Records Management Internal Audit FS /29/2014 Revenue Accounting Internal Audit FS /17/2014 ROW Acquisition Internal Audit RD /25/2014 ROW Governance and Internal Controls Internal Audit RD /27/2014 RTI Billing/Accounts Payable Internal Audit FS /07/2014 Toll Operations Internal Audit TxDOT Annual Audit Report 5

6 FS /29/2014 Toll Operations: FHWA Reporting Internal Audit RD /08/2014 Traffic Logo Program Internal Audit RD /11/2014 Travel Information Center Safety Internal Audit RD /27/2014 Unified Transportation Program Internal Audit RD /08/2014 Vegetation Management Internal Audit FS /21/2014 Work Zone Safety Internal Audit MP /29/2014 Communication of Policies and Guidance MP /27/2014 Disaster Recovery IT MP /19/2014 Equipment Maintenance and Repair MP /17/2014 Ferry Operations MP /27/2014 General Controls IT MP /08/2014 Local Government Project Monitoring MP /25/2014 Multiple Use Agreements MP /29/2014 Office of Civil Rights Program Management MP /08/2014 Physical Security MP /27/2014 Purchase of Service MP /07/2014 Safety Program MP /29/2014 Toll Operations CT /29/2014 Environmental National Environmental Policy Act Consulting CT /25/2014 Payment Card Process Facilitation Consulting CT /07/2014 Sarbanes-Oxley (SOX) Disclosure Consulting CT /29/2014 Sarbanes-Oxley (SOX) Key Controls Testing Consulting CT /10/2014 Traffic Safety Grant Pre-Award FY 2014 Review Consulting CT /26/2014 Traffic Safety Grant Pre-Award FY 2015 Review Consulting SP /25/2014 Regional Mobility Authority (RMA) Financial Audit Cameron County RMA External Audit SP /25/2014 Regional Mobility Authority (RMA) Financial Audit Camino Real RMA External Audit SP /25/2014 Regional Mobility Authority (RMA) Financial Audit North East Texas RMA External Audit TxDOT Annual Audit Report 6

7 Carryovers to FY 2015 Audit Plan Report Number FS1415 CT1408 Report Name Professional Engineering Procurement Service Contracts and CCO Work Authorization Process (two audits combined into one audit) (Closing Phase) Maintenance Operations Receivables Management Statement of Cost Toll Operations Contract Management Texas Municipal Police Association Indirect Cost Rates (Closing Phase) Audit Service Internal Audit Internal Audit Internal Audit Consulting CT1406 Traffic Safety Grant Monitoring (Closing Phase) Consulting Detailed summary of the weaknesses, deficiencies, wrongdoings, or other concerns raised by the Audit Plan or Annual Audit Report are as follows: 39 internal/external audits and consulting engagements were completed o 50 findings were identified with control design and operating effectiveness deficiencies as noted below 45 control design 50 operating effectiveness 12 management action plan (MAP) follow-up engagements were completed to address high risk(s) identified. The following details were noted: o 35 closed MAPS corrective actions have been completed o 27 open MAPS corrective actions require completion to address identified risk from the original audit o 13 new MAPS corrective actions that were newly identified and further actions are necessary to properly address the remaining risk TxDOT Annual Audit Report 7

8 Deviations from FY 2014 Planned Audits Continuous evaluation of the audit plan, based on risks identified, resulted in the modification of the FY 2014 Audit Plan. Modifications were presented to the Chief Audit and Compliance Officer for review and approval and subsequently communicated to the Audit Subcommittee for review. The following audits were added to the FY 2014 Audit Plan: Report Number Report Title Approved RD1411 ROW Governance and Internal Controls Internal Audit 07/31/2014 FS1417 Toll Operations: FHWA Reporting Internal Audit 07/11/2014 MP1412 Toll Operations Internal Engagement 07/09/2014 CT1408 Texas Municipal Police Association Indirect Cost Rates Consulting Engagement 08/15/2014 CT1407 Traffic Safety Grant Pre-Award FY 2015 Review Consulting Engagement 06/09/2014 SP1402 Regional Mobility Authority (RMA) Financial Audit Cameron County RMA External Audit 03/26/2014 SP1402 Regional Mobility Authority (RMA) Financial Audit Camino Real RMA External Audit 03/26/2014 SP1402 Regional Mobility Authority (RMA) Financial Audit North East Texas RMA External Audit 03/26/2014 The following audit engagements were removed from the FY 2014 Audit Plan and will be included in Fiscal Year 2015 planned engagements: Report Title Approved CDA South and Central Texas 7/11/2014 FIN Project Ledger and Federal Receivables 7/11/2014 Material Quality of Non-Bid Items 7/11/2014 ROW Maps, Survey and Utilities 7/11/2014 The following consulting engagement was removed from the FY 2014 Audit Plan at the request of the client: Report Title Approved Project Health Management Information System (PHMIS with focus on Primavera 06/09/2014 6) Consulting Engagement TxDOT Annual Audit Report 8

9 IV. Consulting Services and Nonaudit Services Completed 1. Environmental National Environmental Policy Act (CT1405) Objective Assist the Environmental Affairs Division (ENV) in determining whether processes are appropriate and complete to assume the Federal Highway Administration s (FHWA) responsibilities for the National Environmental Policy Act (NEPA) and assist in preparing ENV staff for upcoming FHWA audits. Results All deliverables specified in the Statement of Work (see below) were completed and accepted by ENV. Provide input and recommendations on whether the processes as defined in the Application are auditable. Identify gaps and inconsistencies between the Application and control points in ENV s approval process tables (Environmental Impact Statement and Environmental Assessments). Report Date: 08/29/ Payment Card Process Facilitation (CT1401) Objective To facilitate a discussion and provide recommendations in coordination with the Finance Division and the Procurement Division regarding review and timing of Payment Card (i.e., PCard) transactions. Results The Finance Division and the Procurement Division have put into place a process that requires the cardholder to match each transaction in the system within 7 business days after the transaction date. In addition, GSD has made available all PCard reports on their website to allow supervisors to review the employee s transaction. The Internal Audit Office has not verified these actions for control design or operating effectiveness. Report Date: 08/25/2014 TxDOT Annual Audit Report 9

10 3. Sarbanes-Oxley (SOX) Disclosure (CT1403) Objective: Work collaboratively with the Finance Division (FIN) and the Chief Financial Officer to further develop the plan and assist in the implementation of the next phase of Spirit of SOX at TxDOT. Results All deliverables specified in the Statement of Work (see below) were completed jointly with and accepted by Finance. The development of a flexible scheduling tool Identification of roles and responsibilities across FIN and External Audit for the various phases of the project Development of a methodology to rank and rate key controls for testing Assistance in the development of communication to the Audit Subcommittee and Texas Transportation Commission to provide an update on current activities, and A proposal to adopt certain amendments to the Spirit of SOX requirements. Report Date: 03/07/ Sarbanes-Oxley (SOX) Key Controls Testing (CT1404) Objective Determine the operating effectiveness of the selected key controls over financial reporting for FY Results The operating effectiveness testing of the 25 selected key controls over financial reporting has been completed. Of the 25 key controls tested, one (1) control was found to be ineffective and required remediation. Upon follow-up testing, the control was determined to be effective. Report Date: 08/29/ Traffic Safety Grant Pre-Award FY 2014 Review (CT1402) Objective Provide information to the Traffic Operations Division s Traffic Safety Section (TRF) to assist in deciding whether to award grants to selected non-profits. Results Relevant information for the non-profit entities was provided to TRF in individual internal memos as work on each entity was completed. Report Date: 01/10/2014 TxDOT Annual Audit Report 10

11 6. Traffic Safety Grant Pre-Award FY 2015 Review (CT1407) Objective Provide information to the Traffic Operations Division s Traffic Safety Section (TRF) to assist in deciding whether to award grants to selected non-profits. Results Relevant information for the non-profit entities was provided to TRF in individual internal memos as work on each entity was completed. Report Date: 08/29/2014 TxDOT Annual Audit Report 11

12 V. External Quality Assurance Review (Peer Review) TxDOT Annual Audit Report 12

13 TxDOT Annual Audit Report 13

14 TxDOT Annual Audit Report 14

15 VI. Internal Audit Plan for Fiscal Year 2015 Risk Assessment The Chief Audit and Compliance Officer performs a department-wide risk assessment to develop the annual internal audit plan. The risk assessment process is conducted to assign the audit resources and includes: Performing an evaluation of department functions based on objective criteria and professional judgment Review and consideration of prior audit results Obtaining input from members of the Commission, Administration, and Management team Obtaining input from federal law enforcement Review and consideration of the Federal Highway Administration (FHWA) risk assessment Review and consideration of the Office of Compliance, Ethics, and Investigation risk assessment Review and consideration of investigative trends Review and consideration of professional/industry standards Review and consideration of TxDOT s Strategic Plan The Chief Audit and Compliance Officer will provide quarterly status reports on audit activities to the Commission and will present the results of completed audits at quarterly Audit Subcommittee meetings. Audit Plan The plan consists of 52 risk-based internal/external audits and consulting engagements. The audit engagements (including FY2014 audits carried over) are divided into six areas of focus and coverage, as follows: Third Party provide assurance of reporting and operational reliability to stakeholders Governance/Comptrollership provide assurance that business activities of the organization are optimized toward achievement of objectives Information Technology focus on the integrity and security of information assets District Operations provide assurance and insight of distributed activities Management Action Plan (MAP) Follow Up assess remediation and risk management regarding previously identified organizational high risks External Audit and Consulting Engagements - use of grant funds and allowable costs - management consulting services The internal audit plan includes consideration and coverage of contract management and information technology risks. None of the engagements in the plan relate to expenditure transfers, capital budget controls, or any other limitation or restriction in the General Appropriations Act. A contingency list of four engagements is also included in the plan. This provides for additional coverage if the planned engagements are completed prior to the conclusion of the fiscal year. TxDOT Annual Audit Report 15

16 Audit Plan FY 2015 Internal Audit Section Third Party (3) Budgeted Hours Construction Project Performance Measures 1100 Grant Reimbursement Monitoring/Oversight 1835 SH 183 Management Lanes Project 1100 Governance/Comptrollership (5) Budgeted Hours Advisory Service Engineering and Inspection (CEI) Contracts 1100 Contract Administration 1835 Emergency Equipment Requisition Process 1835 Fuel Consumption 1835 Toll Operations Federal Reporting 1100 Information Technology (7) Budgeted Hours Data Classification 1100 Mobile Security 1835 Post-Implementation Review ERP Project Costing 1100 Post-Implementation Review ERP Payroll and Recruiting 1100 Post-Implementation Review ERP Purchasing and Inventory 1100 Post-Implementation Review ERP Accounts Payable 1100 Software License Management 1835 District Operations (3) Budgeted Hours Change Order Process 1835 Local Let Projects 1100 Materials Testing 1835 Management Action Plan (MAP) Follow-Up (15) Specific engagements will be selected based on risk. Will include Receivables Management Statement of Cost that is carried over from the FY 2014 Audit Plan. Budgeted Hours 7335 FY 2014 Audits Carried Over (3) Budgeted Hours Maintenance Operations 1835 Toll Operations Contract Management 1835 Professional Engineering and Procurement Service Contracts and CCO Work Authorization Process (two audits combined into one audit) 40 TxDOT Annual Audit Report 16

17 Summary Internal Audit Section Budgeted Hours Third Party Audits 4035 Governance/Comptrollership Audits 7705 Information Technology Audits 9170 District Operations Audits 4770 Management Action Plan (MAP) Follow-Up 7335 FY 2014 Audits Carried Over 3710 Total Hours: External Audit and Advisory Services Section External Audits (4) Budgeted Hours Construction Donations 400 Metropolitan Planning Organization Operations 1500 Public Transportation Grant Recipients 1500 Regional Mobility Authorities Limited Scope Financial Audit 1500 Consulting Engagements (11) Budgeted Hours Cybersecurity Network Vulnerability/Penetration Program 1000 Metropolitan Planning Organization Credit Swap Program 400 Multiple Use Agreements 1000 NEPA Application Program, Phase NEPA Application Program, Phase Office of Civil Rights Commercially Useful Function Review Database 1000 Rail Contracts Federal Railroad Administration Grants 750 Sarbanes-Oxley (SOX) Key Controls Testing (2014 Annual Controls) 600 Sarbanes-Oxley (SOX) Key Controls Testing (2015 Annual Controls) 1000 Single Audit Report Review and Monitoring 250 Traffic Safety 2016 Grant Pre-Award Review 450 FY 2014 Consulting Engagements Carried Over (1) Budgeted Hours Texas Municipal Police Association Indirect Cost Review 100 Traffic Safety Grant Monitoring 200 Summary External Audit and Advisory Services Section Budgeted Hours External Audits 4900 Consulting Engagements 7700 FY 2014 Consulting Engagements Carried Over 300 Total Hours: TxDOT Annual Audit Report 17

18 High Risks not included in FY 2015 Plan Four high-risk engagements were included in a contingency list in the FY 2015 Audit Plan. This provides for additional coverage if the above engagements are completed prior to the conclusion of the fiscal year. Contingency List Audits (4) Travel Reimbursement Unified Transportation Program Finance Application Controls Federal Receivables/Revenue TxDOT Annual Audit Report 18

19 VII. External Audit Services Procured in Fiscal Year 2014 Not applicable TxDOT Annual Audit Report 19

20 VIII. Reporting Suspected Fraud and Abuse Actions taken to implement the requirements of: Fraud Reporting Article IX, Section 7.09 General Appropriations Act (83 rd Legislature, Conference Committee Report) o A link to SAO s Fraud Hotline was added to TxDOT s internet site under the TxDOT Watch Hotline and TxDOT s Recovery Act site at o Information was added to TxDOT s policies on how to report suspected fraud involving state funds to SAO. Call the State Auditor s Office fraud hotline at TX- AUDIT ( ) or report it online at o Office of Compliance, Ethics and Investigations (CEI) has created and maintains an external hotline number ( ) and website (txdotwatch.com) o TxDOT Human Resource Manual specifically addresses CEI as being the clearing house of all allegations of fraud, waste and abuse. o TxDOT External website directs to the Office of Compliance, Ethics and Investigations webpage with the TxDOT watch link. Coordination of Investigations Texas Government Code, Section o Reasonable Cause to Believe report will be completed by the Office of Compliance, Ethics, and Investigations and sent to SAO. SAO Hotline Complaint coordination with Nicole Guerrero, Audit Manager, SAO Special Investigations Section o Information was sent on 05/05/2014 specifying the report number, category, conclusion, closing memo or report, and additional information supporting conclusion. Going forward, with the formation of the Office of Compliance, Ethics, and Investigations, Reasonable Cause to Believe reports will be sent semi-annually (May and October), at minimum. TxDOT Annual Audit Report 20