Report to the Audit Committee

Transcription

1 Report to the Audit Committee Agenda of: JANUARY 14, 2014 From: Rahoof Wally Oyewole, Departmental Audit Manager ITEM: V SUBJECT: INTERNAL AUDIT WORKPLAN THROUGH FISCAL YEAR AND POSSIBLE COMMITTEE ACTION Recommendation: That the Audit Committee consider the proposed Internal Audit workplan through Fiscal Year (FY) ; and recommend the workplan to the Board for approval. Discussion: Internal Audit is responsible for developing, for Audit Committee consideration, a flexible audit plan using an appropriate risk based methodology. In order to meet the International Standards for the Professional Practice of Internal Auditing (IIA Standards), Internal Audit s Workplan is required to be approved by LACERS s Audit Committee and/or the Board. The workplan is intended to remain flexible to allow necessary changes as a result of ongoing changes to risk factors, organizational needs, resource limitations or a request from management and/or the Board. Updates information regarding changes to the plan will be provided to the Committee at each Committee meeting during the Fiscal Year. Internal Audit Risk Assessment Process To assess the relative importance of potential audit subjects, the IAS prepares an annual risk assessment (Attachment 1) covering all divisions and functions performed by LACERS. This department-wide risk assessment focuses on comparisons between different programs and functions, with the primary purpose of identifying high impact audit areas. Risk is measured through an analysis of various information sources on each critical process/function/unit. Internal Audit has established a methodology to evaluate the relative importance of potential audit projects. Individual project priority ranking is based on risk factors of impact and likelihood. Internal Audit has identified key processes or programs and the following five risk criteria: 1. Strategic & Operational - The significance of the process or area to LACERS strategic success, or impact of process disruption. 2. Financial Materiality - The magnitude of financial exposure, the degree of regulatory oversight, or possible financial penalties. The higher the financial exposure of an area, the higher the risk. Committee Report 1 January 14, 2014

2 3. Complexity of Operations/Regulations - Considers the complexity of programs, activities, and/or functions. The number of individuals, entities, and processes involved, and the degree to which professional judgment or technical expertise is applied. The more complex the operations, the higher the risk. 4. Organizational and System Change Risk Considers changes in the control environment. How much the process has been altered and the change of personnel carrying out the process. The more recent changes, the higher the risk. 5. Political/Reputation (including impact to Members) - The degree of public interest and awareness, the visibility of the process to the media. The higher the interest, the higher the risk. The following three steps were used to score each potential audit project. Step 1 s For each potential audit area, Internal Audit assign an impact risk score relative to each of the above five factors, as follows: High Step 2 Probability or Likelihood s In assigning probability scores, Internal Audit considers inputs provided by senior staff and Board Members, as summarized in Attachment 2, interviews with staff and LACERS external auditors, review of policies, and the Internal Control Self-Assessment completed by division management. Internal Audit then assigns a probability score for each potential audit area, as follows: Probability of Risk High probability or likelihood of significant problems occurring Moderate probability of significant problems and/or high probability of improvements needed probability of significant problems and/or low probability of improvement needed Step 3 Final Risk s To determine final risk scores, impact scores were sub-totaled for each potential audit area and multiplied by the estimated probability of an adverse event occurring in each audit project area. Committee Report 2 January 14, 2014

3 Proposed Audit Projects for the Audit Workplan (Attachment 3) Based on the result of the risk assessment and final risk scores, Internal Audit recommends scheduling the following audit projects: 1. Business Continuity/Disaster Recovery Plan (Final Risk 17.7) - The purpose of a business continuity/disaster recovery is to enable an organization to continue operation in the event of a disruption and to survive a disastrous interruption to its information systems. The objective of an audit of Business Continuity Plan (BCP) will be to evaluate LACERS BCP to determine its adequacy and currency in comparison to appropriate standards; verify the plan is effective by reviewing previous test results; and evaluate the ability of the System and user personnel to respond effectively in emergency situations. 2. Investment Manager Fees (Final Risk 16.8) In FY , LACERS paid approximately $48 million in investment management fees, with $27 million (56%) of this amount attributed to real estate and alternative investments. It is has become increasingly difficult for Fiscal staff and LACERS external auditors to validate the accuracy of fees paid, particularly for real estate and private equity investments. This is primarily because of the limited supporting documentation submitted with invoices. The objective of an audit of fees will be to recalculate fees that LACERS paid to a sample of investment managers during FY , to ensure they are accurate and in accordance with contract terms approved by the Board. It should be noted that a few months ago, LAFPP Board approved an appropriation for the Department to engage a CPA firm to re-calculate fees paid for alternative investments management. 3. Employer Audit (Final Risk 16.8) The objective of this audit will be to evaluate the accuracy of enrollment information, and deductions remitted to LACERS for employees. The focus will be to evaluate procedures in place to ensure individuals are placed in correct tier and/or plan. The audit will also assess procedures to ensure accurate deductions are remitted, particularly for employees who receive non-traditional lump sum payments that are subject to retirement contributions. 4. Benefit Determination and Payments (Final Risk 14.7) - The objective of this audit will be to determine the efficiency of benefit setup process and whether benefits calculations are accurate and properly supported. The audit will also assess the accuracy and timeliness of ongoing payments after the initial setup to determine whether the process is efficient, effective and in accordance with the Administrative Codes. 5. System Access, Change Control & Data Security (Final Risk 14.4) - The objective of this audit will be to evaluate whether employees access to various systems are appropriate based on their duties. This audit will also evaluate procedures to ensure adequate data security and change control procedures. 6. Network Vulnerability and Penetration Testing (Final Risk 17.5) Penetration testing is often referred to as ethical hacking and is intended to mimic an experienced hacker attacking a live site. Many organizations engage security professionals to perform penetration testing to find vulnerabilities so that they can fix them before an attack. Penetration testing should only be performed by experienced and qualified professionals who are aware of the risks and can limit any damage resulting from a successful break-in. This project is contingent on the Board s appropriating necessary funds in the FY Budget to engage an outside security firm with expertise in penetration testing to complete the project. Committee Report 3 January 14, 2014

4 In accordance with the Internal Audit Charter, the workplan also set aside some hours for consulting activities to assist management during the Fiscal Year. Staff will also take active roles in managing the external audit contract as well as the upcoming implementation of the new GASB 67. As LACERS needs and priorities change, Internal Audit will use professional judgment as to determine the order in which audit projects are completed. Staff will focus on efficiency and effectiveness in performing work and will make effort to review all areas identified in this workplan. Staff will provide Audit Committee a quarterly update on the workplan. At the end of FY , any remaining projects will be re evaluated during the Annual Risk Assessment process for consideration in the next Fiscal Year audit plan. This report was prepared by Rahoof Wally Oyewole, Departmental Audit Manager, Internal Audit Section. RWO Attachments: 1) LACERS Internal Audit s Universe Risk Assessment January ) Risk Assessment Survey Results 3) LACERS Internal Audit Proposed Workplan Through FY Committee Report 4 January 14, 2014

5 LACERS Internal Audit Section Universe Risk Assessment - January 2014 ATTACHMENT 1 Risk Rankings High High to to Definitions Factors Division Systems Systems Auditable Unit/Process Materiality / Financial / Compliance Strategic / Operational Change / Stability Complexity of Operations or Regulations Political / Reputation (Including to Members) Subtotal Probability Final Risk Business Continuity / Disaster Recovery Plan Web-Based Network Vulnerabilities, Penetration Test Rank Order Investments Investment Manager Fees Plan Sponsor Services Systems City - Accuracy of Enrollment & Deductions Remitted to LACERS Benefits Determination, Setup & Payments System Access,Change Control & Data Security Process Services Reciprocity & Service Purchase Process Services Disability Process Services Health Admin Death Comparison/Member Status Verification Process Account Reconciliation, Billing and Invoices Health Admin Medical Subsidy Process Services Survivor Claims/Family Death Benefits Services Privacy of Member Data Health Admin Medial Premium Reimbursement Program (for members out of regular coverage area) - MPRP Services Member Refunds/Lump Sum Payments Page 1 of 3

6 LACERS Internal Audit Section Universe Risk Assessment - January 2014 ATTACHMENT 1 Risk Rankings High High to to Definitions Factors Division Auditable Unit/Process Materiality / Financial / Compliance Strategic / Operational Change / Stability Complexity of Operations or Regulations Political / Reputation (Including to Members) Subtotal Probability Final Risk Rank Order Investments Risk Management Program & Investment Compliance Monitoring Process Investments Due Diligence Process Member Support Services- Health Admin Communication Investments Investment RFP Process (manager selection, reporting, renewal, and termination) Health Admin Enrollment & Dependent Eligibility Verification Process Health Admin Medicare Enrollment and Medicare Part B premium reimbursements Services Larger Annuity Porgram Review Accounting Investment Accounting and Valuation Systems Wire Transfer and Check Receipt Process Office Services RFP and Procurement Process, and Contracting Practices Investments Investment Reconciliations Services Stale Dated Checks Human Resources Temporary Employees - Recruitment and Monitoring Process Office Services Budgets Systems/Fiscal Actuarial/Member Demographic Data Page 2 of 3

7 LACERS Internal Audit Section Universe Risk Assessment - January 2014 ATTACHMENT 1 Risk Rankings High High to to Definitions Division Auditable Unit/Process Materiality / Financial / Compliance Strategic / Operational Factors Change / Stability Complexity of Operations or Regulations Political / Reputation (Including to Members) Subtotal Probability Final Risk Accounting Contribution Accounting - Member, City Services Benefits Overpayment & Collection Process Office Services Fixed Assets Inventory Systems IT Governance Rank Order Investments Asset Allocation Services Service Counseling Process Accounting Cash Management Accounting General Ledger/Financial Reporting Office Services Vendor Contract Compliance Board Governance & Ethics Accounting Accounts Payable Human Resources HR Processes Accounting Travel/Office expenses Services Record Management and Retention Systems Pension Administration System - Data Conversion and Post Implemetation review Page 3 of 3

8 ATTACHMENT 2 Internal Audit Risk Assessment Survey Results As part of its risk assessment process, Internal Audit surveyed senior staff, executive management and Board Members. Ten responses were received (eight from senior staff and two from Board Members). The purpose of the survey was to seek inputs as to what operational areas and critical functions staff believe need improvement and/or could benefit from audit attention. The following are the areas/concerns identified by staff, along with the number of times mentioned: 1. Accuracy and timeliness of benefit processing (4 times) 2. Making sure that political pressure does not determine investments (4 times) 3. Disaster/business continuity plan (3 times) 4. Employer Audit - accuracy of employee information and contributions (3 times) 5. Inconsistent application/interpretation of policies (including HR-related) and Admin Code (special accommodation for employees at certain level) (3 times) 6. Disconnect between frontline staff and management (3 times) 7. Customer service -monitoring of outgoing communications to Members (3 times) 8. Certain Board members may be stepping out of policy making and oversight arena into operational areas (3 times) 9. System access/controls & data security (2 times) 10. IRC compliance - (2 times) 11. Accurate reporting to stakeholders (2 times) 12. Monitoring of investment managers to ensure compliance with investment policy (2 times) 13. Inability to track international deaths- Risk of continuing payments after Member's death (2 times) 14. Budget monitoring and reporting - lack of systematic data (1 time) 15. Succession planning - reliance on few subject matter experts (1 time) 16. Lack of system to promptly identify concerns (1 time) 17. Preventing & recovering benefit overpayments (1 time) 18. Authentication of external documents (1 time) 19. Untimely communication from management regarding change that impact processing or delivery of benefits (1 time) 20. Inequitable span of control (1 time) 21. LACERS should pursue legal access rights (same as LACERA and CalPERS) to Members banking information for monitoring (1 time)

9 LACERS INTERNAL AUDIT SECTION AUDIT PLAN THROUGH FY ATTACHMENT 3 Internal Audit Projects Description/Audit Objective Rank Based on Risk s Estimated Hours Business Continuity/Disaster Recovery Plan (BCP) Investment Manager Fees Employer Audit Benefit Determination & Payments System Access, Change Control & Data Security Follow -Up Program To evaluate LACERS' BCP to determine its adequacy and currency, review previous test results and evaluate staff's ability to respond effectively in emergency situations To determine whether investment management fees paid during FY are accurate in accordance with contract terms approved by the Board To evaluate the accuracy of enrollment information, and deductions remitted to LACERS on behalf of employees To determine the efficiency and effectiveness of benefit setup process, and whether benefits calculations are accurate and properly supported To evaluate employees' access rights, change control and data security procedures for reasonableness and effectiveness Establish a Follow-up Program to track and follow up on prior audit recommendations. 400 Internal Audit Subtotal 2,500 External Audits Network Vulnerability & Penetration Testing Perform vulnerability assessment and penetration testing to identify any weaknesses that need to be addressed Annual Financial Statement Audit Performed by external auditors 100 External Audit Subtotal 350 Non-Audit Projects Consulting Activities As requested by Executive Management 600 GASB 67 Implementation Task Force participation 150 (1) This workplan assumes two auditors effective April 1, 2014 (5,220 available hours from 4/1/14 to 6/30/15). Page 1 of 2

10 LACERS INTERNAL AUDIT SECTION AUDIT PLAN THROUGH FY ATTACHMENT Risk Assessment/Audit Plan Annual risk assessment and preparation of subsequent audit plan 200 Internal Control Self Assessment Provide management with internal control worksheets and review responses. 150 Non-Audit Subtotal 1,100 Administration Preparation and attendance at Audit Committee, other Committees and Board Committee and Board Meetings meetings. 200 General Administration Audit administrative duties, staff meetings & other duties 300 Lay the groundwork for acquiring and implementing electronic workpaper and computer-assisted data analysis software (research different tools, obtain quotes and Audit Software Implementation make recommendation) 80 Administration Subtotal 580 Leave/Time Off Training/Conferences Training to maintain CPA and other certifications, APPFA, IIA or ALGA Conferences 200 Leave Holidays and Time Off 490 Leave/Time Off Grand Total Hours 690 5,220 (1) This workplan assumes two auditors effective April 1, 2014 (5,220 available hours from 4/1/14 to 6/30/15). Page 2 of 2