MANATEE COUNTY SCHOOL DISTRICT RISK ASSESSMENT UPDATE PROCESS REPORT Shinn & Company LLC was contracted by the Manatee County School Board (the Board ) to update the current risk assessment. The initial engagement indicated that a full risk assessment and cost to complete that risk assessment was wanted. However, after further discussion with the Board and their evaluation of the current environment, it was decided that given the current tasks at hand they wanted an update of the prior auditors risk assessment and an estimate of what it would take to complete a full new risk assessment. RISK ASSESSMENT UPDATE METHODOLOGY The following procedures were performed to update the prior Internal Auditor s risk assessment: We obtained what limited documentation of the prior internal auditor s risk assessment that we could. This documentation included a summary scoring worksheet, a risk level analysis, and an annual audit plan. We performed an additional search with staff who contacted one of the prior auditors to ask if there was any more documentation to be found. While the risk assessment scoring worksheet noted above indicated that certain audits had been completed by internal audit in the past, we were only able to locate audits performed on the schools, not any of the other audits indicated. This will be discussed for applicability later in the memo. We conducted a series of interviews of individual members within each of the following groups*: - Key management with oversight responsibilities - Executive team including all Directors, Deputy Directors, & the Superintendent - Each Board member on the School Board *Note the Board attorney at the time of the risk assessment update is a contracted attorney, the staff attorney position was vacant, and only filled one week ago, therefore no interview was conducted for this position. A review of the three Auditor General s ( AG ) reports for fiscal year ending 2013 and the related findings and recommendations. A review of the District s Management responses to the AG reports and the Action Plans to implement those recommendations. Additionally, the audit and management letters of the schools current year internal audits were taken into consideration when updating this risk assessment. Based on the procedures detailed above we then updated the following worksheets to determine the overall risk assessment: 1. The risk assessment scoring worksheet. 2. The risk assessment level worksheet. March 7, 2014 Page 1
Risk Assessment Scoring worksheet: This document is used to take the Audit Universe (all identifiable auditable entities, which are usually processes or departments) per the auditor s judgment, based on procedures performed and rank them based on a scoring system. The scoring is developed by assessing certain attributes (an attribute is a qualitative characteristic that a unit of a population either possesses or does not possess) assigned a scoring number for each attribute within that category. The scores are totaled, the highest score, from the scoring document, being the largest risk at the time of the assessment. Risk Assessment Level worksheet: This document is used to take the Audit Universe and assign a risk based on three categories with a risk level of Low, Moderate, or High. This risk is also derived based on procedures performed and auditor judgment. The goal of these two worksheets are to provide a foundation for defining the highest risks to the organization at the time of the assessment and using them as a tool in tandem with other items further described below to develop priorities. The worksheets are attached to the report as supporting schedules. Other factors that were considered in the risk assessment development: Areas that were described as areas of concern by those interviewed in the process that may not be a direct auditable entity; however, may be an issue or obstacle that is preventing the achievement of the organizations objectives and mission. External risks that the organization may have no control over; however, may present a risk to the organization. The overall goal for the risk assessment as a whole is to provide a guide, a sense of direction, and way to prioritize what items should or could be addressed to eliminate or at least mitigate those risks. The Board and/or Management may decide for some of the risks defined to accept the risk based on the risk tolerance of the organization. March 7, 2014 Page 2
RESULTS OF PROCEDURES TOP THREE CATEGORIES BASED ON INTERVIEWS: 1. Organizational culture 2. Financial stability 3. Staffing TOP THREE CATEGORIES BASED ON RISK ASSESSMENT SCORING WORKSHEET: 1. Risk Management Insurance budgeting/variances/monitoring (score average of 42.8/95) 2. Information Technology Systems business processes and systems (score average of 41.33/95) 3. Human Resources staffing/training, etc. (score average of 39.27/95) POTENTIAL EXTERNAL RISK FACTORS (District may have some or no control over): Reputational risk Reduced Bond Rating Reduced Funding Economy ex. Current eroding of property tax base Weather events ex. Hurricanes, Flooding, etc. TOP THREE RISK AREAS OVERALL: 1. Human Resources: Staffing need the proper experienced staff, even if some only temporary to complete the tasks at hand. 2. Information Systems either modified or replaced based on a business documentation process first to determine what is needed. Once systems are modified or replaced, changes in staff and structure can be reconsidered for efficiencies gained. 3. Finance & Budgeting: Financial stability working through expected shortfalls, the questioned costs and potential amounts due from the AG reports, having the proper budgeting process and monitoring in place for the upcoming budget, and reducing the affect of any additional potential shortfalls. RECOMMENDED NEXT STEPS - AUDIT PHASES Ideally, under stable conditions, the next step would be to develop a formalized Audit Plan. Under the current environment, we have proposed the following steps in a five phase process to get the District to the level of an Annual Audit Plan. Depending on many circumstances, staffing, budgeting, and potentially others, the time for the phase development can vary. 1. The Post Audit Reviews (PARS) for the Auditor General Findings and management s actions plans and the Internal Accounts. (See project 1, 2, 3). 2. Addressing key areas of concern that were raised during interviews (See project 4). 3. The top 3 areas of risk based on overall assessment (Audit Plan 2015). 4. Developing a multi-year audit plan for the remaining areas (Future). 5. Completing a new full risk assessment after the first four phases are completed. (Future) March 7, 2014 Page 3
Because Phase 1 and 2 is so critical at this juncture, we are including additional information in this next section to aid the District in its understanding. Depending on timing and staffing areas can potentially be done in tandem. PHASE I: POST AUDIT REVIEWS (PARS) OF: Auditor General Findings and Management s Action Plans (Projects 1&2) Internal Account Audits (Project 3) POST AUDIT REVIEWS (PARS): A Post Audit Review (PAR) is performed not to re-audit an area, but to evaluate, through verification and testing whether the recommendations made have been implemented or not. The format generated will give a status on each recommendation as implemented, partially implemented, or not implemented. Management has taken significant positive steps to create well thought out, clearly defined Action Plans including detailed steps with ownership reinforcing accountability. It appears that they have properly reviewed and revised those steps as needed as the current situations have changed. Management has provided a comprehensive tracking system within the excel spreadsheets showing the progress of those action plans moving forward. The only additional improvement we would recommend for the enhancement of functionality is to make these action plans into Pivot tables so that a variety of reporting can be done from these in a more efficient manner, while maintaining the integrity of the initial action plan. Now or in the very near future, when the Action Plans are substantially complete, Internal Audit needs to perform a PAR on them. For those only partially implemented, documentation will need to be provided by Management as to why they have not been completed and when they expect them to be completed. For those not implemented, documentation will need to be provided by Management of why they have not been implemented, if they will be implemented and when. This process will provide validity and accountability of the work performed by Management, not only to the Board but also the Auditor General and the Citizens of Manatee County. March 7, 2014 Page 4
PHASE II: ADDRESS KEY AREAS OF CONCERN: (Project 4) ORGANIZATIONAL CULTURE: The framework of a good internal control system includes a sound control environment which can be created by the District through communication, attitude and example. This includes a focus on integrity, a commitment to investigating discrepancies, diligence in designing systems and assigning responsibilities. Some of the comments that were indicative of a deficiency in this factor include: A balance between oversight/monitoring with accomplishing tasks needs to happen. The District is one organization. Open communication needs to be a two way street. All communication needs to be on the same dimension. This District has one goal, to fulfill its mission using the staff and resources it has and developing future resources to meet those needs. Understanding and acceptance that it took a period of time to get into this situation and it will take time to correct it, develop procedures to prevent it, and to move forward with establishing a solid foundation for the future. The Board and Management must function as they are set up to: with the Board establishing policy and management executing the day-to-day functions while adhering to those established policies. STAFFING: District management needs to consider filling the Finance Director position immediately, even if a temporary agency is used. This position is critical to establishing continuity in the Finance Department and developing a system for financial recording, reporting, and budgeting. It is also critical, even through a temporary person, that the skill set be clearly defined to handle all the needs of a District s finance issues, especially in light of the AG s report. The Board, in its desire to correct and prevent future findings, should support this with whatever resources are necessary to make this happen now. Management needs to provide the Board with a current staff assessment and recommendations of what reorganization needs to be done, how this will help the organization, and what if any additional costs may be incurred. The Board must review and evaluate this assessment and decide if they will trust the judgment of the Executive team they hired to know what is best to manage the District s needs now. Key positions were eliminated in the most recent cuts; some which may have resulted in the findings/recommendations of the AG, but could result in gaps in proper segregation of duties. Management needs to provide the Board with an analysis of critical vacancies that must be filled, even if only for the development of the current structure, this can always be changed in the future once the organization is more stable. This analysis should indicate why it is critical and what duties they would fulfill now to meet the needs with an March 7, 2014 Page 5
associated cost. The Board must review the data provided and understand the potential risks of not filling these key positions and make a decision to support all, some, or none of management s recommendations. While the scoring on the Purchasing Audit Area was not significant, there is a critical staffing position, the Purchasing Manager, which is currently vacant. Prior to this year, this position was a Director position. It has been changed to a Manager position reporting to the Finance Director, which is also currently vacant. While it does not appear that there are overreaching problems in this Department, this is a critical function in the District and can at times have significant activities occurring. The District should consider filling this position either on with a temporary agency or qualified candidate immediately. INFORMATION TECHNOLOGY SYSTEMS: In our review of the financial process during the Financial Process Review and the overall Risk Assessment procedures, the following limitations of the current systems were observed: The current systems across all areas of the organization, especially the JD Edwards system are very limited in functionality and reporting capabilities. These limitations, as a result, require multiple layers of manual processes and reiterations of data to come up with the limited current reporting that the District has at this point. The Information Technology Department is working to build bridges to adjust for the gaps in the system capability whenever possible; however, they are limited by staffing, resources, and simply the ability to modify this system. The risk of the system as it is now, due to the inherent required manual processes, leaves room for potential errors and excessive inefficiencies, taxing an already strapped staff. It also limits the ability of management to expand on the reporting to the Board and other stakeholders. In light of our information above and the IT Review recommendations, we not only support the IT Review recommendations, but also state that even given the financial limitations something must be done to provide the resources needed to fix this now. FINANCIAL STABILITY: Management and the Board have already made steps in the right direction by the following: Developing the detailed Action Plans to address the Auditor General findings and recommendations and a plan on how to handle. Funding for the recommendations made for staffing and systems. The Budget process for the upcoming year has been modified to have more input at the various levels by those who actually understand their needs within their department. Training in the Budget process has been done and will continue through this new phase and we noted that many felt that this training was immensely helpful. This process alone has opened new doors of two way communication. Strategic meetings have been held to help develop the Districts Strategic Plan. March 7, 2014 Page 6
Continued monitoring by Executive team where cost savings can be achieved in other areas and any potential other revenue sources. Additionally, as part of the financial stability goal, the Insurance area needs to be a focus as there appears changes in the trending over the past year compared to the budgeted areas. While this area as an Auditable Entity can stand alone, it, like many others, has a direct and possibly significant impact on the District s financial stability as a whole. Red Flags (Auditable Area) It was noted in the Risk Assessment Scoring worksheet that the prior Internal Auditor had an Auditable Area titled Red Flags. Red Flags is essentially, in laymen s terms, is essentially a statutory requirement for lending institutions to implement certain security features in certain areas to prevent and deter identity theft. A school can be a quasi lender depending on the type of financing or financial aid they offer or potentially with deferment of tuition. We have no documentation to determine where specifically the prior internal auditor determined this was applicable. Our assessment is that it is associated with Manatee Technical Institute given the nature of their services. While the Director stated that they do not offer loan services through the Pell Program, only grants, we recommend that this be further researched by the Board and Staff Attorney together to determine if this area is still applicable and document the findings. PHASE III: AUDIT TOP 3 RISK AREAS DEFINED (Audit Plan 2015): 1. Human Resources: Build upon knowledge of areas of concern addressed and audit the Human Resource areas specifically to address Staff development and retention; staff training; staff hiring/termination; and general operations. 2. Information Systems: Build upon knowledge of areas of concern addressed and determine if changes have been made in updating the software, a bridge, if that is adequate for the interim; if business processes have been reviewed and documented; if a plan to further upgrade or replace the system has been developed and costs associated with it determined. 3. Finance and Budget: Build upon knowledge of areas of concern addressed and the post audit reviews of the Auditor General Findings. Prepare performance audits on the Finance and Budget Areas March 7, 2014 Page 7
CONCLUSION AND PLAN: 1. PARS will need to be completed by Internal Audit for the following: a. Auditor General findings/recommendations and management s action plans to implement them. (Project 1- FY 2014) Estimated hours: 200 Estimated Budget: $ 35,000 b. Audit of schools internal funds. (Project 2 and 3 FY 2014) Estimate hours: 75 Estimated Budget: $ 13,000 2. Evaluate the changes since the updated Risk Assessment in the Areas of Concern. (Project 4 FY 2015) Estimated Hours: 50 Estimated Budget: $ 8,750 3. Audit Plan for 2015: a. Audit the top 3 areas identified in the updated Risk Assessment. Estimated Hours: 1,200 (400 hours/area) Estimated Budget: $ 210,000 b. Plan hours for Areas that arise during year: Estimated Hours: 400 hours total Estimated Budget: $ 70,000 c. Address Hotline issues as they occur: Estimated Hours: 150 hours total Estimated Budget: $ 26,250 Total Estimated Hours: 1,750 Estimated Budget: $ 306,250 4. Develop Audit Plan for 2016 a. Planning & updating Risk Assessment b. Written Audit Plan Hours to be determined after 2015 Audit Plan substantially complete. These plans require that the District s Board and Management work in a cohesive manner to address and implement the noted Areas of Concern and Recommendations; that Management and staff actively participate and respond in a timely fashion to the audit process and requests in order to meet the deadlines; and that an open line of communication is maintained at all levels at all times. March 7, 2014 Page 8