Internal Audit Report. Highway Condition Reporting TxDOT Office of Internal Audit



Similar documents
Internal Audit Report. Right of Way Acquisition TxDOT Office of Internal Audit

Internal Audit Report. Toll Operations Contract Management TxDOT Office of Internal Audit

TxDOT Internal Audit Report Equipment Maintenance and Repair

Internal Audit Report. Receivables Management Statement of Cost TxDOT Office of Internal Audit

Internal Audit Follow-Up Report. Equipment Maintenance and Repair. TxDOT Office of Internal Audit. Jan J

TxDOT Internal Audit Report Disaster Recovery - IT

Table of Contents: Chapter 2 Internal Control

Business Management System Manual. Context, Scope and Responsibilities

COSO Internal Control Integrated Framework (2013)

TransAlta Corporation Energy Trading Compliance Program Assessment

Our comments concerning internal control and other significant matters are presented as follows:

October 2007 Report No An Audit Report on The Medical Transportation Program at the Texas Department of Transportation

Internal Control Questionnaire and Assessment

ISO :2005 Requirements Summary

Information Technology Internal Audit Report

SESSION 3 AUDIT PLANNING

Audit of the Test of Design of Entity-Level Controls

Chapter 5. Planning the Audit Engagement

Internal Audit Framework

University Audit and Compliance. Internal Controls Enterprise-Wide Risk Assessment

Internal Audit. Audit of the Inventory Control Framework

A&CS Assurance Review. Accounting Policy Division Rule Making Participation in Standard Setting. Report

RISK BASED AUDITING: A VALUE ADD PROPOSITION. Participant Guide

SUBJECT: Audit Report Compliance with Occupational Safety and Health Administration Recordkeeping Requirements (Report Number HR-AR )

Information Technology Internal Audit Report

European Investment Bank. Charter for Internal Audit

GUIDELINE NO. 22 REGULATORY AUDITS OF ENERGY BUSINESSES

REPORT 2014/078 INTERNAL AUDIT DIVISION

INTERNAL AUDIT DIVISION AUDIT REPORT 2013/073

State and District Monitoring of School Improvement Grant Contractors in California FINAL AUDIT REPORT

Division of Insurance Internal Control Questionnaire For the period July 1, 2013 through June 30, 2014

UNITED STATES DEPARTMENT OF EDUCATION OFFICE OF INSPECTOR GENERAL. March 01, 2016

MISSION STATEMENT OBJECTIVES IN ACCOMPLISHING OUR MISSION

Abu Dhabi EHSMS Regulatory Framework (AD EHSMS RF)

OFFICE OF INSPECTOR GENERAL. Audit Report

J-SOX Compliance Approach Best Practices for Foreign Subsidiaries November 8, 2007

STANDARD. Risk Assessment. Supply Chain Risk Management: A Compilation of Best Practices

FY 2015 Annual Audit Report

Administrative Guidelines on the Internal Control Framework and Internal Audit Standards

Using COSO Small Business Guidance for Assessing Internal Financial Controls

Initial Professional Development Technical Competence (Revised)

Continuous auditing: the audit of the future

Final Report. Audit of the Project Management Framework. December 2014

Sarbanes-Oxley Section 404: Management s Assessment Process

Internal Audit Division

Office of Inspector General Evaluation of the Consumer Financial Protection Bureau s Consumer Response Unit

KAREN E. RUSHING. Audit of Purchasing Card Program

Risk and Audit Committee Terms of Reference. 16 June 2016

Section 000 Organization of an Engineering District (Construction)

Office of the Auditor General Performance Audit Report. Statewide Oracle Database Controls Department of Technology, Management, and Budget

Internal Audit. Audit of HRIS: A Human Resources Management Enabler

CITY OF BURLINGTON COSO FRAMEWORK & COMPLIANCE

Lauren Sundararajan, CFE, Internal Audit Manager

Compliance. Group Standard

PORTLAND DEVELOPMENT COMMISSION: Human resources and payroll practices functioning effectively

DISTINGUISHING CHARACTERISTICS:

COMMUNICATION INTERNSHIP GUIDELINES GAINING PRACTICAL EXPERIENCE

Audit of Financial Reporting Controls

GAO DATA CENTER CONSOLIDATION. Strengthened Oversight Needed to Achieve Cost Savings Goal. Report to Congressional Requesters

September 28, Audit s Role in Governance, Risk Management and Internal Control

INTERNAL AUDIT DIVISION AUDIT REPORT 2013/064. Audit of air transportation management in the United Nations Mission in South Sudan

M-IC. Comptroller of the Currency Administrator of National Banks. Internal Control. Comptroller s Handbook. January 2001.

MARLIN MIDSTREAM GP, LLC AUDIT COMMITTEE CHARTER


Sample Financial institution Risk Management Policy 2011

UNITED STATES DEPARTMENT OF EDUCATION OFFICE OF INSPECTOR GENERAL 400 MARYLAND AVENUE, S.W. WASHINGTON, DC

Information. Security Series. Evaluate Your. Information. Security Program. Survey to find out if you are making progress

Achieve. Performance objectives

Common Internal Audit Findings and How to Avoid Them

Preparing for Unannounced Inspections from Notified Bodies

The Role of the Board in Enterprise Risk Management

Checklist. Standard for Medical Laboratory

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL. Doug A. Ringler, C.P.A., C.I.A. AUDITOR GENERAL ENTERPRISE DATA WAREHOUSE

GAO DEFENSE CONTRACT AUDITS. Actions Needed to Improve DCAA's Access to and Use of Defense Company Internal Audit Reports

Audit Committee Charter

SunTrust Banks, Inc. Audit Committee of the Board of Directors Charter

ALLEGIANT TRAVEL COMPANY AUDIT COMMITTEE CHARTER

Evaluation Report. Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review. April 30, 2014 Report Number 14-12

B408 Human Resource Management MTCU code Program Learning Outcomes

Audit Report. General Liability and Auto, Property, and Crime Insurance. March Angela M. Darragh, CPA, CISA, CFE Audit Director AUDIT DEPARTMENT

WEATHERFORD INTERNATIONAL plc AUDIT COMMITTEE CHARTER Approved: September 25, 2015

INTERNAL CONTROL MATRIX FOR AUDIT OF ESTIMATING SYSTEM CONTROLS Version No. 3.2 June d Page 1 of 7

Transcription:

Internal Audit Report Highway Condition Reporting TxDOT Office of Internal Audit

Objective To evaluate data integrity in the Highway Condition Report. Opinion Based on the audit scope areas reviewed, control mechanisms are effective and substantially address risk factors and exposures considered significant relative to impacting financial reporting reliability, operational execution, and compliance. The organization's system of internal controls provides reasonable assurance that most key goals and objectives will be achieved despite significant control gap corrections and improvement opportunities identified. Control gap corrections and improvement opportunities identified are likely to impact the achievement of the organization's business/control objectives, but management has agreed to corrective action plans to address the relevant risks within 6 months. Overall Engagement Assessment Satisfactory Title Findings Control Design Operating Effectiveness Finding 1 User Access Reviews and Update x x Needs Improvement Finding 2 Incomplete DriveTexas Map x x Satisfactory Rating Management concurs with the above findings and prepared management action plans to address deficiencies. Control Environment Overall there is a positive tone relating to the Highway Conditions Reporting System (HCRS) from both the Travel Information Division (TRV) and the Districts. The TRV makes available an up-to-date procedural manual, as well as, training for HCRS users. Both the TRV and the Districts recognize the importance of data integrity in maintaining an accurate system and its impact to the traveling public. Summary Results Finding Scope Area Evidence 1 Access Controls 2 Input Validation 100 of 590 (17%) HCRS users reviewed no longer required edit access 7 of 60 (12%) maintenance and construction projects reviewed, which had current lane closures, were not included in HCRS August 15, 2014 2

Audit Scope The scope of the audit work was focused on the HCRS activities during July 2014, including testing proper edit access to the tool, as well as, the accuracy of both construction and maintenance projects reported. Audit coverage included project and user access reviews for 6 districts: Beaumont, Corpus Christi, Dallas, Houston, Lubbock, and Yoakum. The audit was performed by Keith Laird, Anuradha Masand, and Lindsay Bibeau (Engagement Lead). The audit was conducted during the period from June 11, 2014 to August 8, 2014. Methodology The methodology used to complete the objectives of this audit included: Reviewing TxDOT internal documents including manuals, organizational charts, and process maps Interviewing key personnel including Information Technology (IT) and District Highway Conditions Reporting Coordinators (Coordinators) Conducting judgmental sampling of reportable road conditions and access to the HCRS Observing personnel performing data entry and other key functions in the HCRS These procedures were applied as necessary to perform the audit fieldwork. Background This report is prepared for the Texas Transportation Commission, TxDOT Administration, and Management. The report presents the results of the Highway Condition Reporting Audit which was conducted as part of the Fiscal Year 2014 Audit Plan. The Highway Conditions Reporting System (HCRS) is a web-based tool to inform the traveling public of lane closures due to weather events or construction or maintenance. Travel Information Division is responsible for overseeing and maintaining the system; however, actual road conditions are updated by the respective Districts. HCRS was first implemented in 2006 and had its most recent upgrade in June 2014. This upgrade has moved HCRS data to the cloud for faster processing, as well as, allowing for a significant increase to simultaneous users of the public-facing portion of HCRS, known as DriveTexas.org. Analytics performed by IT demonstrated that the website obtained approximately 1.6 million hits between April 2013 and May 2014, however, no more than 100,000 hits at any given time. We conducted this performance audit in accordance with Generally Accepted Government Auditing Standards and in conformance with the International Standards for the Professional Practice of Internal Auditing. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. Recommendations to mitigate risks identified were provided to management during the engagement to assist in the formulation of the management action plans included in this report. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. The Office of Internal Audit transitioned to Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Integrated Framework version 2013 in December 2013. August 15, 2014 3

A defined set of control objectives was utilized to focus on reporting, operational, and compliance goals for the identified scope areas. Our audit opinion is an assessment of the health of the overall control environment based on (1) the effectiveness of the enterprise risk management activities throughout the audit period and (2) the degree to which the defined control objectives were being met. Our audit opinion is not a guarantee against reporting misstatement and reliability, operational sub-optimization, or non-compliance, particularly in areas not included in the scope of this audit. August 15, 2014 4

Detailed Findings and Management Action Plans (MAP) Finding No. 1: User Access Reviews and Update Condition Districts evaluated are not performing user access reviews of the Highway Conditions Reporting System (HCRS) to assess if edit access is needed and appropriate for their individual job responsibilities. Effect/Potential Impact Users who no longer require edit access may make entries that impact the integrity of the data. Criteria Texas Administrative Code Title 1 Part 10 Chapter 202 subchapter B Rule 202.25 (3) (B) regarding information resources security safeguards states that a user s access authorization shall be appropriately modified or removed when the user s employment or job responsibilities within the state agency change. Cause The Highway Conditions Reporting System Manual currently addresses that it is the Coordinator s responsibility to add users to HCRS; however, it does not address removal of user edit access to HCRS when it is no longer required. Currently emails are sent by the Travel Information Division (TRV) to Coordinators with instructions to add/delete users. Evidence Of the 1,839 users that have edit access to HCRS, 590 users in 6 districts were assessed and the following was noted: 100 of 590 (17%) users were not reviewed by the Districts to verify their need for edit access o 71 users no longer require edit access in current role o 29 users are no longer employed at TxDOT and these employees did not have access to TxDOT s network Management Action Plan (MAP): MAP Owner: Martha Martin, Special Projects Supervisor, Travel Services Section MAP 1.1: Highway Conditions Reporting System (HCRS) Manual will be updated to: o reflect within the duties of a Coordinator the need to review access to HCRS at least semi-annually, and remove edit access when it becomes unnecessary o include instructions for granting and removing edit access to users Completion Date: October 15, 2014 August 15, 2014 5

MAP Owners: Michelle Releford, Public Information Officer Dallas District Jennifer Malinovsky, Yoakum Maintenance Operations David Barrera, Lubbock Maintenance Administration Rickey Dailey, Public Information Officer Corpus Christi MAP 1.2: At least twice annually, the Coordinator will send out an email to District Highway Conditions Reporting System (HCRS) users asking who no longer uses the system. Updates will be made to remove access for users no longer needing edit access to the system. Completion Date: February 15, 2015 August 15, 2014 6

Finding No. 2: Incomplete DriveTexas Map Condition The DriveTexas.org map did not include all state maintained road closure updates as of July 2014. Effect/Potential Impact Without incorporating all updates to the DriveTexas.org map, the traveling public would be relying on incomplete roadway information. In addition, in an emergency situation (such as an evacuation, hurricane, etc.), not having complete information within Highway Conditions Reporting System (HCRS) could affect the alternate routes shown in the DriveTexas.org map and offered by the media. Criteria The Highway Conditions Reporting System Manual states that the goal of HCRS is to provide highway condition information that is as accurate and as timely as possible. It also states that it is the Coordinator s responsibility to review conditions for quality control purposes and to work with the HCRS users as to when they should be entering/updating/removing conditions. Cause The process at the districts is not sufficient to provide support during employee transition and to provide input verification. This process relies mainly on the districts, which have firsthand project knowledge to ensure that maintenance and construction projects are entered into the system timely. Division monitoring of the DriveTexas map is a reactive process based on requests by the districts and the public. Evidence The evidence obtained in the review noted that during July 2014: 7 of 60 (12%) maintenance and construction projects reviewed, which also had current lane closures, were not included in HCRS o 6 projects were in metro districts and 1 project was in an urban district Management Action Plan (MAP): MAP Owner: Martha Martin, Special Projects Supervisor, Travel Services Section MAP 2.1: Establish a rotating schedule of Districts that the Travel Information Division (TRV) will review for compliance with entering/updating/removing conditions into Highway Conditions Reporting System (HCRS) for display on DriveTexas.org. Work with a District contact person (i.e., Area Offices and Maintenance Sections), who will obtain roads with current lanes closures that should be entered into HCRS per HCRS manual guidelines for an agreed upon date. District will appoint contact person. Compare information obtained from the District contact with conditions that were actually entered into HCRS for the agreed upon date. Obtain feedback from District August 15, 2014 7

contact about any missing conditions and work with them to ensure the condition is corrected as necessary. Provide feedback to district reviewed with results of TRV activity. Include best practice tips, if any patterns of missing conditions are discovered. Completion Date: January 15, 2015 MAP Owner: Karen Othon, Public Information Officer Houston MAP 2.2: A new full-time employee will take over HCRS entry for the Houston District Public Information Office, upon completion of HCRS training. The training will include procedures to ensure transfer of data from TranStar to HCRS. Completion Date: September 15, 2014 August 15, 2014 8

Observations and Recommendations Observation (a): Duplicate Conditions Are Not Prevented within the Highway Conditions Reporting System The Highway Conditions Reporting System (HCRS) allows for the same road condition to be posted more than once to the DriveTexas.org map within the same mile marker. Effect/Potential Impact Multiple entries can result in instability of the data reported. In addition, multiple or duplicated conditions in the system could cause a slower response time. Recommendation: Travel Information Division (TRV) HCRS staff in Austin should continue to monitor the site daily and contact the district when they encounter a duplicate condition TRV should coordinate with IT to obtain a best cost benefit solution TRV should ensure district coordinator awareness to reporting and edit screens available that can be used to identify duplicated conditions August 15, 2014 9

Summary Results Based on Enterprise Risk Management Framework Audit Results Dashboard Highway Condition Reporting Audit Scope Areas Evaluated Business Objectives (Reporting, Operational, Compliance) R,O,C R,O,C ERM Component Control Activities Input Validation Access Controls Organizational Tone Control Environment Planning Forecasting Goal-Setting Cost-Benefit Analysis Business Continuity Risk Assessment Evaluations/Analysis Management Action Plans Policies/Procedure Development & Maintenance Approvals/Authorizations 2 1 Control Activities Supporting Evidence/Records Availability Segregation of Duties Safeguarding Assets Information Classification Information & Communication Monitoring Information Input Information Processing Output/Reporting and Messaging Exception Reporting Review Reconciliations/Root-Cause Analysis Peer Reviews 2, a 2 1 Management Representations Scope Area Assessment Rating Assessment Grid Exemplary Satisfactory Needs Improvement Unsatisfactory Closing Comments The results of this audit were discussed with Travel Information Division (TRV) management and the districts. We appreciate the assistance and cooperation received from the TRV and the various districts contacted during this audit. August 15, 2014 10

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information