MANATEE COUNTY SCHOOL DISTRICT RISK ASSESSMENT UPDATE PROCESS REPORT


Shinn & Company LLC was contracted by the Manatee County School Board (the "Board") to update the current risk assessment. The initial engagement indicated that a full risk assessment and cost to complete that risk assessment was wanted. However, after further discussion with the Board and their evaluation of the current environment, it was decided that, given the current tasks at hand, they wanted an update of the prior auditors' risk assessment and an estimate of what it would take to complete a full new risk assessment.

RISK ASSESSMENT UPDATE METHODOLOGY

The following procedures were performed to update the prior Internal Auditor's risk assessment:

- We obtained what limited documentation of the prior internal auditor's risk assessment that we could. This documentation included a summary scoring worksheet, a risk level analysis, and an annual audit plan.
- We performed an additional search with staff, who contacted one of the prior auditors to ask if there was any more documentation to be found. While the risk assessment scoring worksheet noted above indicated that certain audits had been completed by internal audit in the past, we were only able to locate audits performed on the schools, not any of the other audits indicated. This will be discussed for applicability later in the memo.
- We conducted a series of interviews of individual members within each of the following groups*:
  - Key management with oversight responsibilities
  - Executive team including all Directors, Deputy Directors, & the Superintendent
  - Each Board member on the School Board
- A review of the three Auditor General's ("AG") reports for fiscal year ending 2013 and the related findings and recommendations.
- A review of the District's Management responses to the AG reports and the Action Plans to implement those recommendations. Additionally, the audit and management letters of the schools' current year internal audits were taken into consideration when updating this risk assessment.

*Note: the Board attorney at the time of the risk assessment update is a contracted attorney; the staff attorney position was vacant and only filled one week ago, therefore no interview was conducted for this position.

Based on the procedures detailed above, we then updated the following worksheets to determine the overall risk assessment:

1. The risk assessment scoring worksheet.
2. The risk assessment level worksheet.

March 7, 2014 Page 1

Risk Assessment Scoring worksheet: This document is used to take the Audit Universe (all identifiable auditable entities, which are usually processes or departments), per the auditor's judgment and based on procedures performed, and rank them based on a scoring system. The scoring is developed by assessing certain attributes (an attribute is a qualitative characteristic that a unit of a population either possesses or does not possess), with a scoring number assigned for each attribute within that category. The scores are totaled, with the highest score from the scoring document being the largest risk at the time of the assessment.

Risk Assessment Level worksheet: This document is used to take the Audit Universe and assign a risk based on three categories with a risk level of Low, Moderate, or High. This risk is also derived based on procedures performed and auditor judgment.

The goal of these two worksheets is to provide a foundation for defining the highest risks to the organization at the time of the assessment and to use them as a tool, in tandem with other items further described below, to develop priorities. The worksheets are attached to the report as supporting schedules.

Other factors that were considered in the risk assessment development:

- Areas that were described as areas of concern by those interviewed in the process that may not be a direct auditable entity, but may be an issue or obstacle that is preventing the achievement of the organization's objectives and mission.
- External risks that the organization may have no control over, but that may present a risk to the organization.

The overall goal for the risk assessment as a whole is to provide a guide, a sense of direction, and a way to prioritize what items should or could be addressed to eliminate or at least mitigate those risks. The Board and/or Management may decide, for some of the risks defined, to accept the risk based on the risk tolerance of the organization.

RESULTS OF PROCEDURES

TOP THREE CATEGORIES BASED ON INTERVIEWS:

1. Organizational culture
2. Financial stability
3. Staffing

TOP THREE CATEGORIES BASED ON RISK ASSESSMENT SCORING WORKSHEET:

1. Risk Management: Insurance budgeting/variances/monitoring (score average of 42.8/95)
2. Information Technology Systems: business processes and systems (score average of 41.33/95)
3. Human Resources: staffing/training, etc. (score average of 39.27/95)

POTENTIAL EXTERNAL RISK FACTORS (District may have some or no control over):

- Reputational risk
- Reduced Bond Rating
- Reduced Funding
- Economy, ex. current eroding of property tax base
- Weather events, ex. hurricanes, flooding, etc.

TOP THREE RISK AREAS OVERALL:

1. Human Resources: Staffing. Need the proper experienced staff, even if some only temporary, to complete the tasks at hand.
2. Information Systems: either modified or replaced, based on a business documentation process first to determine what is needed. Once systems are modified or replaced, changes in staff and structure can be reconsidered for efficiencies gained.
3. Finance & Budgeting: Financial stability. Working through expected shortfalls, the questioned costs and potential amounts due from the AG reports, having the proper budgeting process and monitoring in place for the upcoming budget, and reducing the effect of any additional potential shortfalls.

RECOMMENDED NEXT STEPS - AUDIT PHASES

Ideally, under stable conditions, the next step would be to develop a formalized Audit Plan. Under the current environment, we have proposed the following steps in a five-phase process to get the District to the level of an Annual Audit Plan. Depending on many circumstances (staffing, budgeting, and potentially others), the time for the phase development can vary.

1. The Post Audit Reviews (PARS) for the Auditor General Findings and management's action plans and the Internal Accounts. (See project 1, 2, 3).
2. Addressing key areas of concern that were raised during interviews (See project 4).
3. The top 3 areas of risk based on overall assessment (Audit Plan 2015).
4. Developing a multi-year audit plan for the remaining areas (Future).
5. Completing a new full risk assessment after the first four phases are completed. (Future)

Because Phases 1 and 2 are so critical at this juncture, we are including additional information in this next section to aid the District in its understanding. Depending on timing and staffing, areas can potentially be done in tandem.

PHASE I: POST AUDIT REVIEWS (PARS) OF:

- Auditor General Findings and Management's Action Plans (Projects 1 & 2)
- Internal Account Audits (Project 3)

POST AUDIT REVIEWS (PARS):

A Post Audit Review (PAR) is performed not to re-audit an area, but to evaluate, through verification and testing, whether the recommendations made have been implemented or not. The format generated will give a status on each recommendation as implemented, partially implemented, or not implemented.

Management has taken significant positive steps to create well thought out, clearly defined Action Plans, including detailed steps with ownership reinforcing accountability. It appears that they have properly reviewed and revised those steps as needed as the current situations have changed. Management has provided a comprehensive tracking system within the Excel spreadsheets showing the progress of those action plans moving forward. The only additional improvement we would recommend for the enhancement of functionality is to make these action plans into Pivot tables so that a variety of reporting can be done from these in a more efficient manner, while maintaining the integrity of the initial action plan.

Now or in the very near future, when the Action Plans are substantially complete, Internal Audit needs to perform a PAR on them. For those only partially implemented, documentation will need to be provided by Management as to why they have not been completed and when they expect them to be completed. For those not implemented, documentation will need to be provided by Management of why they have not been implemented, if they will be implemented, and when.

This process will provide validity and accountability of the work performed by Management, not only to the Board but also to the Auditor General and the Citizens of Manatee County.

PHASE II: ADDRESS KEY AREAS OF CONCERN: (Project 4)

ORGANIZATIONAL CULTURE:

The framework of a good internal control system includes a sound control environment, which can be created by the District through communication, attitude and example. This includes a focus on integrity, a commitment to investigating discrepancies, and diligence in designing systems and assigning responsibilities. Some of the comments that were indicative of a deficiency in this factor include:

- A balance between oversight/monitoring with accomplishing tasks needs to happen.
- The District is one organization.
- Open communication needs to be a two-way street.
- All communication needs to be on the same dimension.
- This District has one goal: to fulfill its mission using the staff and resources it has and developing future resources to meet those needs.
- Understanding and acceptance that it took a period of time to get into this situation and it will take time to correct it, develop procedures to prevent it, and to move forward with establishing a solid foundation for the future.
- The Board and Management must function as they are set up to, with the Board establishing policy and management executing the day-to-day functions while adhering to those established policies.

STAFFING:

District management needs to consider filling the Finance Director position immediately, even if a temporary agency is used. This position is critical to establishing continuity in the Finance Department and developing a system for financial recording, reporting, and budgeting. It is also critical, even through a temporary person, that the skill set be clearly defined to handle all the needs of a District's finance issues, especially in light of the AG's report. The Board, in its desire to correct and prevent future findings, should support this with whatever resources are necessary to make this happen now.

Management needs to provide the Board with a current staff assessment and recommendations of what reorganization needs to be done, how this will help the organization, and what, if any, additional costs may be incurred. The Board must review and evaluate this assessment and decide if they will trust the judgment of the Executive team they hired to know what is best to manage the District's needs now.

Key positions were eliminated in the most recent cuts; some of which may have resulted in the findings/recommendations of the AG, but could result in gaps in proper segregation of duties. Management needs to provide the Board with an analysis of critical vacancies that must be filled, even if only for the development of the current structure; this can always be changed in the future once the organization is more stable. This analysis should indicate why it is critical and what duties they would fulfill now to meet the needs, with an associated cost. The Board must review the data provided, understand the potential risks of not filling these key positions, and make a decision to support all, some, or none of management's recommendations.

While the scoring on the Purchasing Audit Area was not significant, there is a critical staffing position, the Purchasing Manager, which is currently vacant. Prior to this year, this position was a Director position. It has been changed to a Manager position reporting to the Finance Director, which is also currently vacant. While it does not appear that there are overreaching problems in this Department, this is a critical function in the District and can at times have significant activities occurring. The District should consider filling this position either with a temporary agency or a qualified candidate immediately.

INFORMATION TECHNOLOGY SYSTEMS:

In our review of the financial process during the Financial Process Review and the overall Risk Assessment procedures, the following limitations of the current systems were observed:

- The current systems across all areas of the organization, especially the JD Edwards system, are very limited in functionality and reporting capabilities.
- These limitations, as a result, require multiple layers of manual processes and reiterations of data to come up with the limited current reporting that the District has at this point.
- The Information Technology Department is working to build bridges to adjust for the gaps in the system capability whenever possible; however, they are limited by staffing, resources, and simply the ability to modify this system.
- The risk of the system as it is now, due to the inherent required manual processes, leaves room for potential errors and excessive inefficiencies, taxing an already strapped staff. It also limits the ability of management to expand on the reporting to the Board and other stakeholders.

In light of our information above and the IT Review recommendations, we not only support the IT Review recommendations, but also state that, even given the financial limitations, something must be done to provide the resources needed to fix this now.

FINANCIAL STABILITY:

Management and the Board have already made steps in the right direction by the following:

- Developing the detailed Action Plans to address the Auditor General findings and recommendations and a plan on how to handle. Funding for the recommendations made for staffing and systems.
- The Budget process for the upcoming year has been modified to have more input at the various levels by those who actually understand their needs within their department.
- Training in the Budget process has been done and will continue through this new phase, and we noted that many felt that this training was immensely helpful. This process alone has opened new doors of two-way communication.
- Strategic meetings have been held to help develop the District's Strategic Plan.

- Continued monitoring by Executive team where cost savings can be achieved in other areas and any potential other revenue sources.

Additionally, as part of the financial stability goal, the Insurance area needs to be a focus, as there appear to be changes in the trending over the past year compared to the budgeted areas. While this area as an Auditable Entity can stand alone, it, like many others, has a direct and possibly significant impact on the District's financial stability as a whole.

Red Flags (Auditable Area)

It was noted in the Risk Assessment Scoring worksheet that the prior Internal Auditor had an Auditable Area titled Red Flags. Red Flags is essentially, in layman's terms, a statutory requirement for lending institutions to implement certain security features in certain areas to prevent and deter identity theft. A school can be a quasi-lender depending on the type of financing or financial aid they offer, or potentially with deferment of tuition. We have no documentation to determine where specifically the prior internal auditor determined this was applicable. Our assessment is that it is associated with Manatee Technical Institute, given the nature of their services. While the Director stated that they do not offer loan services through the Pell Program, only grants, we recommend that this be further researched by the Board and Staff Attorney together to determine if this area is still applicable and document the findings.

PHASE III: AUDIT TOP 3 RISK AREAS DEFINED (Audit Plan 2015):

1. Human Resources: Build upon knowledge of areas of concern addressed and audit the Human Resource areas specifically to address staff development and retention; staff training; staff hiring/termination; and general operations.
2. Information Systems: Build upon knowledge of areas of concern addressed and determine if changes have been made in updating the software, a bridge, if that is adequate for the interim; if business processes have been reviewed and documented; if a plan to further upgrade or replace the system has been developed and costs associated with it determined.
3. Finance and Budget: Build upon knowledge of areas of concern addressed and the post audit reviews of the Auditor General Findings. Prepare performance audits on the Finance and Budget Areas.

CONCLUSION AND PLAN:

1. PARS will need to be completed by Internal Audit for the following:
   a. Auditor General findings/recommendations and management's action plans to implement them. (Project 1 - FY 2014)
      Estimated Hours: 200
      Estimated Budget: $35,000
   b. Audit of schools' internal funds. (Project 2 and 3 - FY 2014)
      Estimated Hours: 75
      Estimated Budget: $13,000
2. Evaluate the changes since the updated Risk Assessment in the Areas of Concern. (Project 4 - FY 2015)
   Estimated Hours: 50
   Estimated Budget: $8,750
3. Audit Plan for 2015:
   a. Audit the top 3 areas identified in the updated Risk Assessment.
      Estimated Hours: 1,200 (400 hours/area)
      Estimated Budget: $210,000
   b. Plan hours for Areas that arise during year:
      Estimated Hours: 400 hours total
      Estimated Budget: $70,000
   c. Address Hotline issues as they occur:
      Estimated Hours: 150 hours total
      Estimated Budget: $26,250
   Total Estimated Hours: 1,750
   Estimated Budget: $306,250
4. Develop Audit Plan for 2016
   a. Planning & updating Risk Assessment
   b. Written Audit Plan
   Hours to be determined after 2015 Audit Plan is substantially complete.

These plans require that the District's Board and Management work in a cohesive manner to address and implement the noted Areas of Concern and Recommendations; that Management and staff actively participate and respond in a timely fashion to the audit process and requests in order to meet the deadlines; and that an open line of communication is maintained at all levels at all times.