Audit Plan Update. Percentage of Total Budgeted Hours. Adjusted Budgeted Hours. Actual YTD. Audit & MAS 8,066 8,366 38% 7, % 2012 Carry Over

Transcription

1 AUDIT COMMITTEE UPDATE DECEMBER 13, 2013 EXECUTIVE SUMMARY Office of the Internal Auditor Update Since the last Audit Committee meeting, the OIA has focused on finalizing the execution of the 2013 Audit Plan and the development of the 2014 Proposed Audit Strategy and Plan Audit Plan Execution OIA provided an update on key activities completed since the last reporting period including 2013 audit plan execution and departmental activities. The update also included a review of the 2013 Q4 OIA Dashboard as of November 1. (A copy of the detailed OIA Dashboard is included later in the Board materials.) Audit Plan Update Type Original Budget Adjusted Budgeted Percentage of Total Budgeted Actual YTD Percentage of Total Actual 2013 Audit Plan Audits & MAS Audit & MAS 8,066 8,366 38% 7, % 2012 Carry Over Direct Audit Support 3,520 3,520 16% 1,604 10% Planned Forensic Audit Activity 3,368 3,368 15% 2,127 14% Unplanned Investigation % 931 6% Completed Financial Statement Audit Support % 521 3% Draft Issued 0 Professional Development** % 678 4% In Progress Client Assistance/Continuous Monitoring 1,085 1,085 5% 136 1% Deferred / Combined General Administration* 3,255 3,255 15% 2,238 15% Total Remaining TOTAL 21,700 22, % 15, % Tell Citizens OIA Performance Actual Target ** Caution Urgent OIA Productivity Percentage 77% 70-75% 60-70% < 60% * Does not include travel and sick time. ** Professional Development includes 80 hours of core training for the Auditors on an annual basis. ** Based on Institute of the Internal Auditors recommended productivity ratios (average of government sector and all other sectors) Progress Against Plan as of November 30, % Completed Draft Issued In Progress 0% 16% 0% To Do 1

2 The OIA issued twelve audit and advisory reports and completed three Investigations since the last Audit Committee meeting: Core Suite Project : Commercial Policy Renewal Migration Production Support Risk Management Clearing House - Governance and Project Management Forensic Audit (named vendor) Litigation and Disputed Claims Depopulation Procurement & Contract Administration General Computer Controls Copies of the finalized reports were presented to the Audit Committee. The following represents short summaries of audit reports presented since the last Audit Committee meeting: Core Project (Satisfactory) During the period OIA presented deliverables (audit report, MAS and progress memorandums) to management and the Project Steering Committee. The purpose of this audit work was to provide assurance in respect of the overall project governance and management and provide assistance to project management in the identification of specific solutions. Two separate reports were issued. The first focused upon specific procedures followed for ensuring that Commercial Lines renewals are successfully migrated to PolicyCenter, are adequate and generally operating effectively. In general, we found that the migrations processes were appropriately developed and a significant portion of the legacy system data clean up has been completed. Minor issues noted were discussed with management and are being addressed. The second report focused upon the effective management of project risks. Our work confirmed that, apart from a few minor suggestions, the process used to identify, document, monitor and communicate project risks is appropriate. Clearinghouse Project Progress (Satisfactory) Our primary focus on this project is to actively participate in the planning, development and implementation phases in order to provide independent project assurance and support. Our objective is to assess the efficiency and effectiveness of the project methodology and the project s implementation on an ongoing basis. The result of our work to date is based upon interviews performed with management, direct observation, and review of applicable documents and testing of certain controls. Our work to date has confirmed that the Clearinghouse Project has no major issues for implementation and that the project is managed well given the delivery date and associated time constraints. It is worth noting that OIA finds it difficult to ascertain, with complete certainty, if the Project is operationally ready to proceed with the required 'Go Live' date of January 2, 2014, as the project s overall status is Yellow which means that some critical delivery tasks may not be completed. Due to the fast speed of development and the simultaneous work stream development methodology used to meet the regulatory implementation deadline, project management has not produced a fully developed project plan to address all items overdue. We continue to monitor progress and highlight concerns or issues as they arise to management. Depopulation (Needs Improvement) Citizens Property Insurance Corporation is required by Florida law to create programs to help return Citizens policies to the private property insurance market with the goal of reducing the risk of additional assessments 2

3 for Floridians. These programs are known as depopulation, assumption or take-outs. The objective of this audit was to evaluate the effectiveness and adequacy of key business processes, control functions and ensure compliance with company policy related to depopulation. We found that the controls implemented for processing the assumption of Citizens policies by takeout companies were well developed and sufficient to ensure that the assumptions were efficiently processed and complied with legislative mandates. Additionally, we found well-developed accounting procedures that were adequate to ensure accurate management and financial reporting for traditional assumption activities. Moreover, depopulation management proved to be fully aware of and informed about all aspects of the depopulation process from the day-to-day processes to legislative issues. Further, management exhibited a strong desire for constant improvement of the depopulation process. One significant issue was noted with regards to the need to sufficiently safeguard customer personal identifiable information during specific portions of the depopulation process. Management is addressing this issue as well as some other minor issues identified during the audit. Procurement & Contract Administration (Needs Improvement) - OIA evaluated the adequacy and effectiveness of Procurement & Contract Administration functions and controls to ensure procurement activities were conducted in accordance with internal and regulatory guidelines. Furthermore, our work aimed to determine whether the process successfully and adequately supports the objectives of the business. During the course of our audit, management provided us with information highlighting several control gaps and process inefficiencies resulting from the CAPS procurement processing application. CAPS was implemented in 2008 with the primary objective of digitizing Purchase Orders and having an approval workflow for requisitions. As such, it has limited capabilities in serving as an end-to-end workflow system for processing (from requisition to account posting and payment) and reporting. These inefficiencies are being addressed. We found Procurement and Accounting management/staff to be knowledgeable, to embody a strong culture of ethics and control awareness, and maintain a robust document retention system for all elements of the competitive solicitation and contract negotiation process. Our work, however, indicated specific areas requiring additional attention, these include: There is one system administrator who is experienced in administering all user access requests and approval workflows in CAPs which, given the complexity of the process, raises a people dependency risk; There is concentration of services procured under one State-Term Contract (consisting of multiple pre-approved vendors) which may not reflect the purpose, intent, and/or eligible use of the contract; Purchase Order s are not consistently utilized for contracts of similar goods and/or services; The organization does not have the system capability of tracking or reporting total vendor spend by individual contract and the current decentralized design and structure of the Contract Management process may be costly and inefficient in light of new statutory requirements. By not identifying or tracking vendor spend by contract, there is a risk that spend for contract-related services may exceed contract limits and/or terms. General Computer Controls (Satisfactory) - OIA has completed General Computer Controls testing to support the 2013 financial statement attestation audit for Johnson Lambert LLP. The objective of this audit was to evaluate the adequacy and effectiveness 3

4 of the change management process and segregation of duties in the testing and stage environments where application code resides. Forensic Work Completed One Forensic Audit was completed during this reporting period: Forensic Audit (Named Vendor) - The objective of this audit was to determine whether or not undue influence was used to secure the Named Vendor contract and how the vendor contract terms and volume of business compares with similar vendors on the agreement. Based on the procedures performed by the Office of the Internal Auditor Forensics, we find that Named Vendor was offered similar contractual terms and conditions, including pricing, to those offered to the other adjusting firms reviewed. The quarterly adjuster performance scorecard indicates that their performance has been at acceptable levels not requiring any corrective action. Additionally, the adjuster firm vendor spends reviewed for the 2008 through August 2013 period indicate relatively low levels of assigned business compared to the remaining adjuster firms. We have not identified any indications that Named Vendor has received any special considerations or preferential treatment over the other contracted adjusting firms. Three investigations were completed during the period. In all three instances, the concerns raised, which led to the investigation, were unfounded. Minor process improvements resulting from the work completed were reported to management and are being addressed. Work In Process OIA has seven audit projects, including two forensic audits, which are underway in the planning and/or fieldwork testing phases: Core Suite Project Clearing House IT Security Access Executive Expenses Staff Augmentation Claims Legal Billing Johnson Lambert assistance Staffing, Development and Training The department remains fully staffed with all positions filled. During November, we appointed a qualified information technology auditor with project management experience to assist the function with its work on the CORE and Clearinghouse projects. We anticipate that this augmented staff will remain with the department until the end of the completion of both project implementations. OIA is dedicated to the professional development of audit staff to ensure continuous growth of knowledge, skills and other competencies throughout the year. During the period, members from the team participated in selected training conferences/seminars presented by the Institute of Internal Auditors (IIA), the Information Systems Audit and Control Association (ISACA) and the Insurance Internal Audit Group (IIAG). OIA Administration OIA is continuously refining its audit processes and procedures (standards) in order to ensure that its work product aligns to acceptable audit practice and it remains a credible and 4

5 sustainable internal audit function for Citizens. These standards are used to deliver audit engagements efficiently, effectively and in accordance with professional standards. Our engagement standards align with The Institute of Internal Auditors (The IIA s) International Professional Practices Framework (IPPF). Control Deficiency Resolution As of October 31, 2013, there are twenty-seven remaining open items. Of the remaining issues, there are three high rated items related to 1) the need to define and establish formalized privacy governance across the organization, 2) a need to develop a comprehensive enterprise vendor management policy and governance model, and 3) the need for a contingency plan to ensure the continued processing of the payroll, by back-up individuals, in the absence of the Payroll Administrator. These issues are receiving heightened management attention. We expect all issues will be fully remediated. The detailed Open Audit Items Synopsis is included later in the Board materials Audit Plan The OIA presented, for review and approval, the 2014 Audit Strategy and Plan (Strategy). The Strategy was developed using a risk based approach to further understand Citizens Property Insurance Corporation (Citizens) and its inherent risks. Additional consideration was given for future Auditor General coverage, Market Conduct Examinations, and planned strategic initiatives including Core Insurance System and the Clearinghouse implementations. The risk-based approach included completing an independent risk assessment of Citizens. The risk assessment process was quantified and rated (high, medium or low) where possible. The rating was, however, impacted by the subjective opinion of the OIA based on judgment, client input, risk and control environment (inherent and residual risk) and date of last audit. The process was performed in two steps including personnel or client interviews and overall risk assessment. Based on the risk assessment results, the OIA developed an audit plan that will provide audit coverage to high and medium risk areas of the company through detailed internal audits or a combination of full audits and management advisory services. Citizens is best served if the plan is dynamic in nature and continually adjusting to meet the needs of the company. Therefore, the plan will be reviewed continuously and adjusted as needed. Key events that 5

6 may influence the plan include, but are not limited to, management response, operational redesigns/improvements, legislation and storm season impacts. During 2014, OIA s primary objective related to the Strategy will be to complete the scheduled audits while providing additional coverage through MAS services as a secondary objective. Approximately 58% (8659 hours) of total OIA hours are budgeted for internal audit work whether full internal audits or forensic audits, 24% (2100 hours) are allocated to project monitoring, 12% (1830 hours) will be dedicated towards data analytics (whether forensic, audit or business support), 6% (908 hours) is set aside for advisory or consulting support, 5% (715 hours) for External Audit Client Assistance, and 5% (748 hours) for Tell Citizens and Investigations. The full 2014 Audit Strategy and Plan is available on request OIA Budget The OIA provided a detailed budget analysis to the Audit Committee. The OIA financial budget was approved by the Audit Committee and is herewith presented for full ratification by the Board of Governors through the Citizens Budget approval process. The 2014 Budget for OIA is $2.356 million as compared to the $1.895 million 2013 projection at October 31, The growth in expense in the 2014 budget compared to the 2013 projection represents the recognition of the hiring of qualified forensic auditors, a data analyst as well as the on-boarding of a temporary staff member to assist in providing independent assurance over the Core and Clearinghouse project developments. In addition, for the first time we recorded a service and equipment chargeback from the IT function. This budget increase has been partially offset by a reduction in other operating expenses for the year. This budget aligns with the objective of controlling operating expenses while improving the level and quality of assurance provided. Annual Comparative Total M i l l i o n 1,127 1,844 1,895 2, Actual Results 2012 Actual Results 2013 Projections 2014 Proposed Budget Co-sourcing of Internal Audit Services (action Item) This Action Item seeks Board approval to increase the total amount of the combined awarded contracts to augment the Office of the Internal Auditor (OIA) staff on an as-needed basis. OIA established a panel of firms to provide co-sourcing services for internal audits, investigations, management advisory services and other related financial, operational, compliance, technology, or administrative projects. The original approved value of the contract, for all nineteen co-sourced agreements, was $550,000. A substantial portion of the agreed amount has been utilized during the past two years. It should be noted that a minimal amount $50,000 has been included in the budget associated to Professional Services and any substantial spend against this co-sourcing agreement will be presented to the Audit Committee for approval before the commencement of work associated with this agreement. 6

7 Enterprise Risk Management Update The Chief Risk Officer, Mr. John Rollins, presented results from the October Risk Committee meeting as well as an update on the top organizational risks and mitigation in progress. Chief Financial officer Update The Chief Financial Officer, Ms. Jennifer Montero presented the 09/30/2013 Financial Statements, MD&A and Sinkhole analysis. General Counsel Update Mr. Dan Sumner, General Counsel, provided an update on Internal Complaint Case data. 7