Report to the Audit Committee


Report to the Audit Committee
Agenda of: January 14, 2014
From: Rahoof Wally Oyewole, Departmental Audit Manager
Item: V
Subject: Internal Audit Workplan Through Fiscal Year 2014-15 and Possible Committee Action

Recommendation:
That the Audit Committee consider the proposed Internal Audit workplan through Fiscal Year (FY) 2014-15, and recommend the workplan to the Board for approval.

Discussion:
Internal Audit is responsible for developing, for Audit Committee consideration, a flexible audit plan using an appropriate risk-based methodology. To meet the International Standards for the Professional Practice of Internal Auditing (IIA Standards), Internal Audit's workplan must be approved by LACERS's Audit Committee and/or the Board. The workplan is intended to remain flexible so that it can be changed in response to ongoing changes in risk factors, organizational needs, resource limitations, or a request from management and/or the Board. Updated information on changes to the plan will be provided to the Committee at each Committee meeting during the Fiscal Year.

Internal Audit Risk Assessment Process
To assess the relative importance of potential audit subjects, the Internal Audit Section (IAS) prepares an annual risk assessment (Attachment 1) covering all divisions and functions performed by LACERS. This department-wide risk assessment compares the different programs and functions, with the primary purpose of identifying high-impact audit areas. Risk is measured through an analysis of various information sources on each critical process, function or unit. Internal Audit has established a methodology to evaluate the relative importance of potential audit projects: each project's priority ranking is based on the risk factors of impact and likelihood. Internal Audit has identified key processes or programs and the following five risk criteria:

1. Strategic & Operational - The significance of the process or area to LACERS' strategic success, or the impact of process disruption.
2. Financial Materiality - The magnitude of financial exposure, the degree of regulatory oversight, or possible financial penalties. The higher the financial exposure of an area, the higher the risk.
3. Complexity of Operations/Regulations - Considers the complexity of programs, activities, and/or functions: the number of individuals, entities, and processes involved, and the degree to which professional judgment or technical expertise is applied. The more complex the operations, the higher the risk.
4. Organizational and System Change Risk - Considers changes in the control environment: how much the process has been altered and the change of personnel carrying out the process. The more recent the changes, the higher the risk.
5. Political/Reputation (including impact to Members) - The degree of public interest and awareness, and the visibility of the process to the media. The higher the interest, the higher the risk.

The following three steps were used to score each potential audit project.

Step 1: Impact Scores
For each potential audit area, Internal Audit assigns an impact score relative to each of the five factors above: High 4-5; Moderate 3; Low 1-2.

Step 2: Probability or Likelihood Scores
In assigning probability scores, Internal Audit considers inputs provided by senior staff and Board Members (summarized in Attachment 2), interviews with staff and LACERS' external auditors, a review of policies, and the Internal Control Self-Assessment completed by division management. Internal Audit then assigns a probability score to each potential audit area, as follows:
- High probability or likelihood of significant problems occurring: 0.8-1.0
- Moderate probability of significant problems and/or high probability of improvements needed: 0.4-0.7
- Low probability of significant problems and/or low probability of improvement needed: 0.1-0.3

Step 3: Final Risk Scores
To determine final risk scores, the impact scores were subtotaled for each potential audit area and multiplied by the estimated probability of an adverse event occurring in that audit project area.

Committee Report 1 January 14, 2014
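The three scoring steps above, worked as an added example (this is illustrative code, not LACERS's own tooling): it validates the impact and probability scales the report defines, subtotals the five impact scores, multiplies by probability, and assigns rank order with ties sharing a rank, checked against the top six rows of Attachment 1.

```python
"""Risk scoring as described in the LACERS Internal Audit risk assessment.

Added example: each auditable unit gets an impact score of 1-5 on five
factors; the scores are subtotaled and multiplied by a probability (0.1-1.0)
to give the final risk, and units are ranked by final risk. The sample rows
are copied from Attachment 1 of the report; the code is not LACERS's.
"""
from dataclasses import dataclass

FACTORS = ("financial", "strategic", "change", "complexity", "political")


@dataclass(frozen=True)
class AuditUnit:
    name: str
    impacts: tuple      # five impact scores, each 1-5, in FACTORS order
    probability: float  # 0.1-1.0, as assigned in Step 2


def validate(unit):
    """Reject scores that fall outside the scales the report defines."""
    if len(unit.impacts) != len(FACTORS):
        raise ValueError(f"{unit.name}: expected {len(FACTORS)} impact scores")
    if any(not (1 <= s <= 5) or int(s) != s for s in unit.impacts):
        raise ValueError(f"{unit.name}: impact scores must be integers 1-5")
    if not 0.1 <= unit.probability <= 1.0:
        raise ValueError(f"{unit.name}: probability must be 0.1-1.0")


def final_risk(unit):
    """Step 3: subtotal of impact scores x probability, to one decimal.

    Probability is handled in tenths so the arithmetic is exact integer work
    before the single division; Attachment 1 reports final risk to one decimal.
    """
    validate(unit)
    tenths = round(unit.probability * 10)
    return sum(unit.impacts) * tenths / 10


def rank_units(units):
    """Return (rank, final_risk, name) tuples sorted from highest risk down.

    Ties share a rank and the following rank is skipped (1, 2, 3, 3, 5, ...),
    matching the Rank Order column in Attachment 1. sorted() is stable, so
    units with equal risk keep their input order.
    """
    scored = sorted(((final_risk(u), u.name) for u in units), key=lambda t: -t[0])
    ranked = []
    for i, (risk, name) in enumerate(scored):
        if ranked and ranked[-1][1] == risk:
            rank = ranked[-1][0]      # tie: reuse the previous rank
        else:
            rank = i + 1
        ranked.append((rank, risk, name))
    return ranked


# Rows taken from Attachment 1 (the six highest-ranked units).
SAMPLE = [
    AuditUnit("Business Continuity / Disaster Recovery Plan", (5, 5, 3, 4, 5), 0.8),
    AuditUnit("Web-Based Network Vulnerabilities, Penetration Test", (5, 5, 5, 5, 5), 0.7),
    AuditUnit("Investment Manager Fees", (4, 4, 3, 5, 5), 0.8),
    AuditUnit("City - Accuracy of Enrollment & Deductions Remitted to LACERS", (5, 4, 4, 4, 4), 0.8),
    AuditUnit("Benefits Determination, Setup & Payments", (5, 5, 3, 3, 5), 0.7),
    AuditUnit("System Access, Change Control & Data Security Process", (5, 4, 5, 5, 5), 0.6),
]

if __name__ == "__main__":
    for rank, risk, name in rank_units(SAMPLE):
        print(f"{rank:>2}  {risk:5.1f}  {name}")
```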

Proposed Audit Projects for the Audit Workplan (Attachment 3)
Based on the results of the risk assessment and the final risk scores, Internal Audit recommends scheduling the following audit projects:

1. Business Continuity/Disaster Recovery Plan (Final Risk 17.7) - The purpose of a business continuity/disaster recovery plan is to enable an organization to continue operating in the event of a disruption and to survive a disastrous interruption to its information systems. The objective of an audit of the Business Continuity Plan (BCP) will be to evaluate LACERS' BCP to determine its adequacy and currency in comparison to appropriate standards; verify that the plan is effective by reviewing previous test results; and evaluate the ability of the System and user personnel to respond effectively in emergency situations.
2. Investment Manager Fees (Final Risk 16.8) - In FY 2012-13, LACERS paid approximately $48 million in investment management fees, with $27 million (56%) of this amount attributed to real estate and alternative investments. It has become increasingly difficult for Fiscal staff and LACERS' external auditors to validate the accuracy of fees paid, particularly for real estate and private equity investments, primarily because of the limited supporting documentation submitted with invoices. The objective of an audit of fees will be to recalculate the fees that LACERS paid to a sample of investment managers during FY 2012-13, to ensure they are accurate and in accordance with the contract terms approved by the Board. It should be noted that a few months ago, the LAFPP Board approved an appropriation for the Department to engage a CPA firm to recalculate fees paid for alternative investments management.
3. Employer Audit (Final Risk 16.8) - The objective of this audit will be to evaluate the accuracy of enrollment information and of deductions remitted to LACERS for employees. The focus will be on evaluating the procedures in place to ensure individuals are placed in the correct tier and/or plan. The audit will also assess procedures to ensure accurate deductions are remitted, particularly for employees who receive non-traditional lump sum payments that are subject to retirement contributions.
4. Benefit Determination and Payments (Final Risk 14.7) - The objective of this audit will be to determine the efficiency of the benefit setup process and whether benefit calculations are accurate and properly supported. The audit will also assess the accuracy and timeliness of ongoing payments after the initial setup to determine whether the process is efficient, effective and in accordance with the Administrative Codes.
5. System Access, Change Control & Data Security (Final Risk 14.4) - The objective of this audit will be to evaluate whether employees' access to the various systems is appropriate based on their duties. This audit will also evaluate the procedures in place to ensure adequate data security and change control.
6. Network Vulnerability and Penetration Testing (Final Risk 17.5) - Penetration testing is often referred to as ethical hacking and is intended to mimic an experienced hacker attacking a live site. Many organizations engage security professionals to perform penetration testing to find vulnerabilities so that they can fix them before an attack. Penetration testing should only be performed by experienced and qualified professionals who are aware of the risks and can limit any damage resulting from a successful break-in. This project is contingent on the Board's appropriating the necessary funds in the FY 2014-15 Budget to engage an outside security firm with expertise in penetration testing to complete the project.

In accordance with the Internal Audit Charter, the workplan also sets aside some hours for consulting activities to assist management during the Fiscal Year. Staff will also take active roles in managing the external audit contract and the upcoming implementation of the new GASB 67. As LACERS' needs and priorities change, Internal Audit will use professional judgment to determine the order in which audit projects are completed. Staff will focus on efficiency and effectiveness in performing the work and will make every effort to review all areas identified in this workplan. Staff will provide the Audit Committee a quarterly update on the workplan. At the end of FY 2014-15, any remaining projects will be re-evaluated during the Annual Risk Assessment process for consideration in the next Fiscal Year's audit plan.

This report was prepared by Rahoof Wally Oyewole, Departmental Audit Manager, Internal Audit Section.

RWO

Attachments:
1) LACERS Internal Audit's Universe Risk Assessment, January 2014
2) Risk Assessment Survey Results
3) LACERS Internal Audit Proposed Workplan Through FY 2014-15

ATTACHMENT 1
LACERS Internal Audit Section Universe Risk Assessment - January 2014

Risk Rankings Definitions: 5 (High), 4, 3, 2, 1
Factors: Fin = Materiality / Financial / Compliance; Strat = Strategic / Operational; Change = Change / Stability; Complex = Complexity of Operations or Regulations; Polit = Political / Reputation (Including to Members). Final Risk = Subtotal x Probability.

Rank | Division | Auditable Unit/Process | Fin | Strat | Change | Complex | Polit | Subtotal | Probability | Final Risk
-----|----------|------------------------|-----|-------|--------|---------|-------|----------|-------------|-----------
1  | Systems | Business Continuity / Disaster Recovery Plan | 5 | 5 | 3 | 4 | 5 | 22 | 0.8 | 17.6
2  | Systems | Web-Based Network Vulnerabilities, Penetration Test | 5 | 5 | 5 | 5 | 5 | 25 | 0.7 | 17.5
3  | Investments | Investment Manager Fees | 4 | 4 | 3 | 5 | 5 | 21 | 0.8 | 16.8
3  | Plan Sponsor Services | City - Accuracy of Enrollment & Deductions Remitted to LACERS | 5 | 4 | 4 | 4 | 4 | 21 | 0.8 | 16.8
5  |  | Benefits Determination, Setup & Payments | 5 | 5 | 3 | 3 | 5 | 21 | 0.7 | 14.7
6  | Systems | System Access, Change Control & Data Security Process | 5 | 4 | 5 | 5 | 5 | 24 | 0.6 | 14.4
7  | Services | Reciprocity & Service Purchase Process | 5 | 4 | 4 | 5 | 5 | 23 | 0.6 | 13.8
7  | Services | Disability Process | 5 | 5 | 3 | 5 | 5 | 23 | 0.6 | 13.8
7  | Services | Death Comparison/Member Status Verification Process | 5 | 4 | 4 | 5 | 5 | 23 | 0.6 | 13.8
10 | Health Admin | Account Reconciliation, Billing and Invoices | 5 | 4 | 4 | 5 | 4 | 22 | 0.6 | 13.2
10 | Health Admin | Medical Subsidy Process | 5 | 4 | 3 | 5 | 5 | 22 | 0.6 | 13.2
10 | Services | Survivor Claims/Family Death Benefits | 5 | 4 | 4 | 4 | 5 | 22 | 0.6 | 13.2
13 | Services | Privacy of Member Data | 4 | 4 | 3 | 5 | 5 | 21 | 0.6 | 12.6
13 | Health Admin | Medical Premium Reimbursement Program (for members out of regular coverage area) - MPRP | 4 | 3 | 3 | 3 | 5 | 18 | 0.7 | 12.6
13 | Services | Member Refunds/Lump Sum Payments | 5 | 4 | 3 | 4 | 5 | 21 | 0.6 | 12.6
16 | Investments | Risk Management Program & Investment Compliance Monitoring Process | 5 | 5 | 5 | 5 | 5 | 25 | 0.5 | 12.5
17 | Investments | Due Diligence Process | 5 | 5 | 2 | 3 | 5 | 20 | 0.6 | 12.0
18 | Member Support Services - Health Admin | Communication | 3 | 5 | 3 | 3 | 5 | 19 | 0.6 | 11.4
19 | Investments | Investment RFP Process (manager selection, reporting, renewal, and termination) | 5 | 5 | 3 | 4 | 4 | 21 | 0.5 | 10.5
20 | Health Admin | Enrollment & Dependent Eligibility Verification Process | 4 | 4 | 2 | 4 | 5 | 19 | 0.5 | 9.5
20 | Health Admin | Medicare Enrollment and Medicare Part B Premium Reimbursements | 4 | 4 | 3 | 3 | 5 | 19 | 0.5 | 9.5
22 | Services | Larger Annuity Program Review | 3 | 3 | 4 | 5 | 3 | 18 | 0.5 | 9.0
23 | Accounting | Investment Accounting and Valuation | 5 | 5 | 3 | 5 | 4 | 22 | 0.4 | 8.8
23 | Systems | Wire Transfer and Check Receipt Process | 5 | 5 | 2 | 5 | 5 | 22 | 0.4 | 8.8
23 | Office Services | RFP and Procurement Process, and Contracting Practices | 5 | 5 | 4 | 5 | 3 | 22 | 0.4 | 8.8
23 | Investments | Investment Reconciliations | 5 | 5 | 4 | 4 | 4 | 22 | 0.4 | 8.8
27 | Services | Stale Dated Checks | 3 | 3 | 2 | 2 | 4 | 14 | 0.6 | 8.4
28 | Human Resources | Temporary Employees - Recruitment and Monitoring Process | 2 | 3 | 5 | 3 | 3 | 16 | 0.5 | 8.0
29 | Office Services | Budgets | 5 | 4 | 3 | 2 | 4 | 18 | 0.4 | 7.2
30 | Systems/Fiscal | Actuarial/Member Demographic Data | 4 | 4 | 5 | 5 | 5 | 23 | 0.3 | 6.9
31 | Accounting | Contribution Accounting - Member, City | 3 | 3 | 1 | 4 | 4 | 15 | 0.4 | 6.0
32 | Services | Benefits Overpayment & Collection Process | 3 | 3 | 3 | 2 | 3 | 14 | 0.4 | 5.6
33 | Office Services | Fixed Assets Inventory | 3 | 3 | 3 | 1 | 3 | 13 | 0.4 | 5.2
34 | Systems | IT Governance | 2 | 5 | 4 | 4 | 2 | 17 | 0.3 | 5.1
34 | Investments | Asset Allocation | 5 | 5 | 1 | 3 | 3 | 17 | 0.3 | 5.1
34 | Services | Service Counseling Process | 3 | 4 | 3 | 3 | 4 | 17 | 0.3 | 5.1
37 | Accounting | Cash Management | 4 | 4 | 3 | 3 | 3 | 17 | 0.3 | 5.1
34 | Accounting | General Ledger/Financial Reporting | 4 | 4 | 2 | 4 | 3 | 17 | 0.3 | 5.1
39 | Office Services | Vendor Contract Compliance | 3 | 4 | 2 | 2 | 2 | 13 | 0.3 | 3.9
40 |  | Board Governance & Ethics | 5 | 4 | 1 | 3 | 5 | 18 | 0.2 | 3.6
41 | Accounting | Accounts Payable | 3 | 3 | 1 | 1 | 3 | 11 | 0.3 | 3.3
41 | Human Resources | HR Processes | 2 | 3 | 1 | 2 | 3 | 11 | 0.3 | 3.3
41 | Accounting | Travel/Office Expenses | 3 | 3 | 1 | 1 | 3 | 11 | 0.3 | 3.3
44 | Services | Record Management and Retention | 3 | 3 | 3 | 2 | 3 | 14 | 0.2 | 2.8
45 | Systems | Pension Administration System - Data Conversion and Post Implementation Review | 5 | 5 | 5 | 5 | 5 | 25 | 0.1 | 2.5

ATTACHMENT 2
Internal Audit Risk Assessment Survey Results

As part of its risk assessment process, Internal Audit surveyed senior staff, executive management and Board Members. Ten responses were received (eight from senior staff and two from Board Members). The purpose of the survey was to seek inputs as to what operational areas and critical functions staff believe need improvement and/or could benefit from audit attention. The following are the areas/concerns identified by staff, along with the number of times mentioned:

1. Accuracy and timeliness of benefit processing (4 times)
2. Making sure that political pressure does not determine investments (4 times)
3. Disaster/business continuity plan (3 times)
4. Employer Audit - accuracy of employee information and contributions (3 times)
5. Inconsistent application/interpretation of policies (including HR-related) and Admin Code (special accommodation for employees at certain level) (3 times)
6. Disconnect between frontline staff and management (3 times)
7. Customer service - monitoring of outgoing communications to Members (3 times)
8. Certain Board members may be stepping out of policy making and oversight arena into operational areas (3 times)
9. System access/controls & data security (2 times)
10. IRC compliance (2 times)
11. Accurate reporting to stakeholders (2 times)
12. Monitoring of investment managers to ensure compliance with investment policy (2 times)
13. Inability to track international deaths - risk of continuing payments after Member's death (2 times)
14. Budget monitoring and reporting - lack of systematic data (1 time)
15. Succession planning - reliance on few subject matter experts (1 time)
16. Lack of system to promptly identify concerns (1 time)
17. Preventing & recovering benefit overpayments (1 time)
18. Authentication of external documents (1 time)
19. Untimely communication from management regarding changes that impact processing or delivery of benefits (1 time)
20. Inequitable span of control (1 time)
21. LACERS should pursue legal access rights (same as LACERA and CalPERS) to Members' banking information for monitoring (1 time)

ATTACHMENT 3
LACERS INTERNAL AUDIT SECTION AUDIT PLAN THROUGH FY 2014-15

Project | Description/Audit Objective | Rank Based on Risk Scores | Estimated Hours (1)
--------|-----------------------------|---------------------------|--------------------
Internal Audit Projects | | |
Business Continuity/Disaster Recovery Plan (BCP) | To evaluate LACERS' BCP to determine its adequacy and currency, review previous test results and evaluate staff's ability to respond effectively in emergency situations. | 1 | 400
Investment Manager Fees | To determine whether investment management fees paid during FY 2012-13 are accurate and in accordance with contract terms approved by the Board. | 3 | 400
Employer Audit | To evaluate the accuracy of enrollment information, and deductions remitted to LACERS on behalf of employees. | 3 | 450
Benefit Determination & Payments | To determine the efficiency and effectiveness of the benefit setup process, and whether benefit calculations are accurate and properly supported. | 5 | 450
System Access, Change Control & Data Security | To evaluate employees' access rights, change control and data security procedures for reasonableness and effectiveness. | 6 | 400
Follow-Up Program | Establish a follow-up program to track and follow up on prior audit recommendations. | | 400
Internal Audit Subtotal | | | 2,500
External Audits | | |
Network Vulnerability & Penetration Testing | Perform vulnerability assessment and penetration testing to identify any weaknesses that need to be addressed. | 2 | 250
Annual Financial Statement Audit | Performed by external auditors. | | 100
External Audit Subtotal | | | 350
Non-Audit Projects | | |
Consulting Activities | As requested by Executive Management. | | 600
GASB 67 Implementation | Task Force participation. | | 150
2015 Risk Assessment/Audit Plan | Annual risk assessment and preparation of the subsequent audit plan. | | 200
Internal Control Self Assessment | Provide management with internal control worksheets and review responses. | | 150
Non-Audit Subtotal | | | 1,100
Administration | | |
Committee and Board Meetings | Preparation for and attendance at Audit Committee, other Committee and Board meetings. | | 200
General Administration | Audit administrative duties, staff meetings & other duties. | | 300
Audit Software Implementation | Lay the groundwork for acquiring and implementing electronic workpaper and computer-assisted data analysis software (research different tools, obtain quotes and make a recommendation). | | 80
Administration Subtotal | | | 580
Leave/Time Off | | |
Training/Conferences | Training to maintain CPA and other certifications; APPFA, IIA or ALGA conferences. | | 200
Leave | Holidays and time off. | | 490
Leave/Time Off Subtotal | | | 690
Grand Total Hours | | | 5,220

(1) This workplan assumes two auditors effective April 1, 2014 (5,220 available hours from 4/1/14 to 6/30/15).