2018 internal audit annual report - alamo.edu · tobin lofts operations audit 11/22/2017 4 1 3 25%...
TRANSCRIPT
1
2018 Internal Audit Annual Report
October 9, 20182018 Internal Audit Annual Report
October 9, 2018
Table of Contents I. Compliance with Texas Government Code, Section 2102.015 3
II. Benefits Proportionality Audit Requirements for Higher Education Institutions 4
III. Internal Audit Plan for Fiscal Year 2018 5
IV. Consulting and Nonaudit Services Completed 11
V. Quality Assurance Review 12
VI. Approved Internal Audit Plan for Fiscal Year 2019 28
VII. External Audit Services Procured in Fiscal Year 2018 39
VIII. Reporting Suspected Fraud and Abuse 40
Note: The outline of the annual report as listed above is prescribed by the Texas State Auditors Office per the Texas Internal Auditing Act.
2
I. Compliance with House Bill 16 (Texas Government Code, Section 2102.015)
Requirements:
• Within 30 days of approval, an entity should post the following information on its Internet Web site:
– An approved fiscal year 2019 audit plan, as provided by Texas Government Code, Section 2102.008.
– A fiscal year 2018 internal audit annual report, as required by Texas Government Code, Section 2102.009.
• 2102.015.Required Updates
– Detailed summary of weaknesses, deficiencies, wrongdoings, or other concerns, if any raised by the audit plan or
annual report
– Summary of action taken by the agency to address concerns, if any, that are raised by the audit plan or annual report
Compliance:
The information required above will be included in this annual report and, once approved by the Alamo Colleges Board of
Trustees, will be posted to the Board of Trustees page on the Alamo Colleges Web site at Alamo.edu.
3
3
3
II. Benefits Proportionality Audit Requirements
for Higher Education Institutions
Note: The requirements in this section of the annual report are not applicable for community
colleges
44
III. Internal Audit Plan for Fiscal Year 2018(Status as of August 31, 2018)
FY 2018 Audit Plan Projects Status Phase
1 Enterprise Risk Management and Safety (full scope audit) -
2Tobin Lofts – (Public-Private Housing Partnership)
(Confidential & Privileged Attorney Work Product) -
3 Full-Time Temporary Faculty Utilization (targeted review) -
4 Software Acquisition, Implementation, and Management (full scope audit) -
5 Construction Contracts and Project Management – DSO (full scope audit) In Progress Fieldwork
6 Software Licensing Compliance (full scope audit) -
7 District Institutional Research - Internal Reporting (Performance Mgmt.) (full scope) -
8 Procurement and Contract Management (full scope audit) In Progress Fieldwork
9 Independent Contract Workers (Joint Employer Liability Risks) (full scope audit) In Progress Planning
10 Title IX Compliance (scope TBD) Deferred -
11 Issues Follow-Up Ongoing -
5
Internal Audit Plan for Fiscal Year 2018 (Continued)(Status as of August 31, 2018)
FY 2018 Audit Plan Projects Status Phase
FY 2018 Special Requests
12 No Special Requests Received as of August 31, 2018. - -
FY 2018 Process Reviews and Consulting Engagements
13 Business Office (Bursar) (Process Review) -
14 International Programs (Process Review) -
15 External Quality Assessment Review (Independent Quality Review of Internal Audit) -
16 Internal Quality Assessment Review (Annual Self Assessment of Internal Audit) -
3 6
Internal Audit Plan for Fiscal Year 2018 (Continued)(Status as of August 31, 2018)
FY 2018 Audit Plan Projects Status Phase
FY 2018 Investigations -
17 EthicsPoint (Case #542) Investigation (Case Received August 15, 2017) -
18 EthicsPoint (Case #557) Investigation (Case Received January 5, 2018) -
19 EthicsPoint (Case #577) Investigation (Case Received April 5, 2018) -
20 EthicsPoint (Case #586) Investigation (Case Received May 3, 2018) -
21 EthicsPoint (Case #587) Investigation (Case Received May 9, 2018) -
22 Allegation of Misappropriation of Assets (Case Received October 31, 2017) -
3 7
III. FY 2018 Summary of Results
8
Project Description Results/Findings Remediation
Enterprise Risk
Management and
Safety
Review emergency
response and
communications.
• Recommendations related to emergency
exercises, training, and outdated rosters.
• Internal controls related to safety and
emergency information improvements.
Management will continue to
schedule exercises, support
members, provide training,
and improve communications.
Software
Acquisition,
Implementation, and
Management
Review project
management methodology
processes and controls.
• Project management guidelines and
templates were developed and updated
annually.
None
Full-Time Temporary
Faculty Utilization
Assess the use of full-time
temporary faculty (FTTs).
• The number of FTTs was increasing and
several had been employed for more than
two years.
Management will consider
amending hiring practices
procedure.
Business Office
(Bursar) Process
Review
Review physical security,
internal controls, and cash
handling functions.
• Recommendations related to inconsistent
processes and additional security devices.
• Internal controls related to procedures and
cash counts.
Management will improve
processes for safeguarding
assets, consider additional
security devices, and develop
written procedures.
8
III. FY 2018 Summary of Results (continued)
9
Project Description Results/Findings Remediation
Software License
Compliance
Evaluate software license
processes and compliance
with licensing requirements.
• Recommendations related to improving
monitoring processes, licensing
procedures, and training.
Management will enhance the
software management
program, develop procedures,
and provide training.
Institutional
Research
Ensure communication and
reports are accurate,
complete, and timely.
• Internal controls related to formal
procedures, tracking system, and
monitoring access to data.
Management will improve
documentation for report
requests and receive training
related to monitoring access to
their server.
International
Programs Process
Review
Review the policies,
procedures, and processes
used to manage and
operate the program.
• Recommendations related to clarifying
details of the business plan, updating
travel warnings, and improving expense
and wire transfers.
Management will document
business plan projections,
revise board policy, and
improve compliance with
policies and procedures
related to reimbursement and
wire transfer requests.
Tobin Lofts – (Public-Private Housing Partnership) - Confidential & Privileged Attorney Work Product
9
III. FY 2018 Summary of Corrective Action
10
Project Report DateIssue Count
as of 9/1/2017
New Issues
Closed through
8/31/2018
Open Issues as of
9/1/2018% Closed
FY 2016 and Prior Year Projects
(Six Audit Reports)Various 12 5 7 42%
Enterprise Risk Management and Safety Audit 11/22/2017 7 7 100%
Tobin Lofts Operations Audit 11/22/2017 4 1 3 25%
Software Acquisition, Implementation and
Management Audit3/29/2018 1 1 100%
Business Office (Bursar) Process Review 6/28/2018 6 2 4 33%
Software License Compliance Audit 7/19/2018 3 3 0%
Institutional Research Audit 8/27/2018 3 3 100%
International Programs Process Review 8/27/2018 4 4 0%
Total 12 28 19 21 48%
10
Note: Verbal recommendations communicated with management during audits are not included in the issue count above.
IV. Consulting and Nonaudit Services Completed• Ten consulting, investigative, or nonaudit engagements were performed in FY
2018• Business Office (Bursar) Process Review
• International Programs Process Review
• Six Investigations Completed – Five of the six were EthicsPoint Hotline Cases
• Tobin Lofts - Advisory Services to Legal Department
• Full-Time Temporary Faculty Utilization Targeted Review
• Consulting services provided to management included:• Tobin Lofts (Public–Private Housing Partnership) – Internal Audit provided services to the
Alamo Colleges District Legal Department (Confidential & Privileged Attorney Work Product)
• Management Special Requests for Services• At the request of the Chancellor, the Internal Audit Department performed a targeted review of
Full-Time Temporary Faculty Utilization. Based on the Chancellor’s request he submitted to
Internal Audit in 2017, this review was included on the Approved FY 2018 Internal Audit Plan.
1111
V. Quality Assurance and Improvement Program
13
• Internal Audit maintains an ongoing Quality Assurance and Improvement
Program (QAIP).
• Periodic reviews are performed through self and external assessments.
• Annual self-assessment was conducted during March and April of 2018.
• Last external quality assessment was completed in May 2018.
• Next external quality assessment is scheduled for Spring 2021.
• Overall ratings were “Generally Conforms” on both internal and external
assessments.
• “Generally Conforms” means structures, polices, and procedures, as well as
processes applied, comply with the requirements of the IIA Standards, the
IIA Code of Ethics, and Generally Accepted Government Auditing Standards.
13
• Continued to update and refine the internal audit methodology and procedures• Developed preparation materials for the May 2018 External Qualify Assessment Review
of the Internal Audit Department. Internal Audit received the highest rating of “Generally Conforms.”
• Updated the Internal Audit Department Procedures Manual supporting compliance with the IIA Standards and the Board-approved Internal Audit Protocols.
• The Internal Audit Department is fully staffed and did not have any staff turnover during FY 2018.
• Continued enhancing employee development and continuing professional education (CPE) opportunities. On track for an average of 120 hours of CPE and other training for CY 2018.
FY 2018 Accomplishments
2222
• One Internal Audit staff member obtained Quality Texas Foundation Examiner Training (using the Baldrige Model) and was a member of the site review team of an organization in Houston for the Texas Award for Performance Excellence (TAPE).
• Continued expanded support for Internal Audit staff to obtain additional professional certifications. One Internal Audit staff member obtained the Certified Internal Auditor (CIA) professional certification in April of 2018. Two other Internal Audit staff members are currently working on obtaining the CIA certification.
FY 2018 Accomplishments (continued)
2323
• Results:• 75 percent (FY 2018) and 50 percent (FY 2017) increase in the number of
audits completed versus the average completed FY 2013-2016.
• FY 2018 and FY 2017 metrics compared to the average of FY 2013-2016:• Reduced the average hours per full scope project by 53 percent and 45 percent,
respectively.
• Increased the total number of audits completed from the average of 4 to 7 and 6, respectively.
• Average audit process owner satisfaction rating – 4.75 of 5.0 (scale of 0 to 5)
• Reduced the number of open management corrective action plans from 38 in FY 2016 to 12 in FY 2017 and 21 in FY 2018.
• Percentage of staff holding professional certifications at 100 percent.
FY 2018 Accomplishments (continued)
2424
FY 2018 Accomplishments (continued)
2525
910
1317
1613
0
4
8
12
16
20
FY 2013 FY 2014 FY 2015 FY 2016 FY 2017 FY 2018
Total Audits, Process Reviews, and Investigations Completed
Audits Investigations Process Reviews Planned Engagements
FY 2018 Audit Plan Target = 13
00.5
11.5
22.5
33.5
44.5
5
FY 2013 FY 2014 FY 2015 FY 2016 FY 2017 FY 2018
Overall Customer Satisfaction
Process Owner Survey Leadership Survey Board Survey Target = 4.7
No
Bo
ard Su
rvey
No
Bo
ard Su
rvey
No
Bo
ard Su
rvey
No
Bo
ard Su
rvey
Survey Sen
t;n
on
e return
ed
Bo
ard Su
rvey Pen
din
g
Investigations8%
IT18%
Consulting16%
Operational53%
Compliance5%
2018 Internal Audit Activity Time Allocation
1,396
1,008
517
707
495 423
-
300
600
900
1,200
1,500
FY 2013 FY 2014 FY 2015 FY 2016 FY 2017 FY 2018
Average Hours Per Full Scope Audit
Average Hours Planned Hours
FY 2018 Audit Plan Target = Average of 475 hours
• Internal Audit Projects• Complete an audit of Budget and Budget Processes.
• Complete an audit of Accounts Payable.
• Complete a construction contracts and project management CIP audit.
• Complete a construction contracts and project management “close out” audit of the new DSO facility.
• Respond to the increased demand for the performance of investigations.
• Co-Sourced Internal Audit Services – IT Governance Audit• Internal Audit will manage the co-source audit services performed by a third party
firm having specialized expertise in this area. Budget funds for outside services were requested by Internal Audit for this effort and are included in the approved FY 2019 Internal Audit budget. An IIA Implementation Standard requires that IT governance be evaluated as part of the assessment of governance activities.
FY 2019 Priorities
2727
VI. Internal Audit Plan for Fiscal Year 2019
28
Risk Assessment
External Benchmarking/ Best Practices in Internal Audit
Update Universe of
Audit Subjects (UAS)
Assessment of Internal Audit Resources (Staff Skill
Sets, Budget, etc.)
Draft Annual Audit Plan
AC Approval
Stakeholder Input
Stakeholder Input
Stakeholder Input
Audit Planning Cycle
28
Risk Assessment Identifies Key Areas of Risk and
Assists in Developing the Internal Audit Plan
30
2018 / 2019AuditPlan
Risk Assessment Interviews with
Leadership
ProcessUniverse
PrioritizeAudit Areas &
Draft Plan
Approval By Senior
Leadership
Internal Audit Group Risk Assessment
INPUT OUTPUTPlanning Process
RiskUniverse
Validate:
Board of TrusteesApproval
Risk Assessment
31
What Internal Audit’s Risk Assessment is -
• An assessment of inherent risks and residual risks associated with environmental,
operational (process), financial, and information technology areas.
• A mechanism for identifying control improvement opportunities.
• An identification of key regulatory and compliance requirements (e.g., ADA, Title IX,
FERPA, PCI, etc.).
What the Risk Assessment is not -
• An assessment of control design adequacy.
• A replacement for audit work performed by the Internal Audit Department.
• A detailed assessment of key processes and activities performed at the individual
colleges and the District.
Go
vern
an
ce
Alamo Colleges Audit UniverseG
ov
ern
an
ce
Entity Level = Alamo Colleges
Auditable Entity Level
NE Lakeview NW Vista Palo Alto San Antonio St. Philip’s DSO
Auditable Function / Audit Unit
District-Wide Support Services
Finance• General Acctg.
• Financial Rptng.
• Budget Mgmt.
• Financial Aid
• Treasury
• Payroll
• AP/Disbursements
• Inventory
• Business Office
• Grants/Contracts
HR• Benefits &
Compensation
• Training &
Development
• Employment
IT• IT Operations
• Info. Security
• System Development
• System and Database
Support
• Network &
Infrastructure Support
• IT Governance
• Call Center
Administration• Facilities
• Procurement
• Risk Mgmt & Sfty.
• Police
• Instit. Research
• Strategic Initiatives &
Perf. Excellence
• Records Mgmt.
• Communications &
Public Relations
Operations • Economic & WF
Development
• Academic Success
• Student Success
• Auxiliary Locations
- WFCOE
- CTTC
- WETC
- Kerrville/Floresville
- EETC
Inst. Gov. • Ethics & Compliance
• Strategic Planning
• Enterprise Risk
Management (ERM)
• Legal Affairs
Individual Colleges
NE Lakeview • Academic Programs
• Student Services
• College Services
NW Vista • Academic Programs
• Student Services
• College Services
Palo Alto • Academic Programs
• Student Services
• College Services
San Antonio • Academic Programs
• Student Services
• College Services
St. Philip’s• Academic Programs
• Student Services
• College Services
3232
Audit Subjects by Risk GroupingHighest Moderate-High Moderate Low
Grants and Contracts IT Governance State Reporting Facilities Management
Information Security & Compliance Budget and Budget Processes Business Office / Bursar HR Training & Development
Facilities - Construction Mgmt. – CIP Payroll (incl. Time & Attendance Rptg) Strategic Planning Business Outreach
Facilities - Construction Mgmt. – DSO Title IX Compliance Transfer Articulation Community Partnerships
Continuing Education (CE) Emergency Management District & Colleges’ Inst. Research Public Allies
College Grant Management Student Advising ADA Compliance Nursing and Allied Health
Purchasing & Contract Administration Accounts Payable Employment – Onboarding/Exiting Treasury
IT Network & Infrastructure Support Center for Student Information (CSI) Developmental Education Student Leadership Programs
I-Best & Adult Basic Education Student Financial Aid Records Management Academic Partnerships
International Programs Police Dept. (Incl. Clery Act) Communications & Public Relations Accounting
Environment Risk Management Admissions and Enrollment Alamo Colleges Foundation Inventory Control
IT Systems/Database Support Facilities - Tobin Lofts College IT and Technical Services
High School Programs Operational Risk Management & Safety Off-Site Locations
Business Continuity & Disaster
Recovery
Alamo Colleges Online / Distance
Learning
HR - Compensation & Benefits
Admin.(including contract workers)
Blue = New additions for FY
2018/2019
3333
FY 2019 Internal Audit Resources
3535
District Director of Internal Audit
Lead Senior Internal Auditor - IT
Lead Senior Internal Auditor
Senior Internal Auditor
Internal Auditor
Fiscal
Year
Total Hours 10,400
Less Audit Director’s Time (2,080)
Net Internal Audit Staff Time 8,320
Holidays/Vacation/Sick (1,384)
Training (480)
Staff General Admin (average of 10%) (832)
Total Time Available for Audits, Investigations, & Consulting Engagements 5,624
Total Approved Headcount = 5
Approved 2019 Internal Audit Plan (9/1/18 – 8/31/19)
Project Type DescriptionTotal
Hours
1 Construction Contracts and Project Management – CIP
Audit
Audit vendor’s compliance with contracts. This includes auditing invoices and
payments, supporting documentation, and contract administration.
900
2 Construction Contracts and Project Management – DSO
Contract and Construction Close Out
Audit the remaining portion of contracts and construction activity since the
last audit in FY 2018/2019 that was performed at the mid-construction stage.
400
3 Continuing Education (CE) Audit Assess effectiveness of processes and controls including implementation of
LERN Report recommendations.
500
4 Business Continuity & Disaster Recovery Audit Evaluate processes to ensure the continuance of key business functions. 400
5 Independent Contract Workers Audit (including Joint
Employer Liability Risks)
Review practices to ensure the institution is not: 1) exposed to joint employer
liability risks and 2) using employees as independent contractors.
300
6 Police ID & Automated Badging System Audit Review processes and controls for access to facilities. 400
7 IT Governance Review
(Internal Audit will manage the co-source audit services
performed by a third party firm having specialized
expertise in this area. The budget hours shown at the
right are for Internal Audit’s oversight of the third party
firm. Budget funds are included in Internal Audit’s
approved FY 2019 budget to fund this effort.)
Determine if IT objectives are aligned with Alamo Colleges operational
strategies and objectives.
100
3636
Approved 2019 Internal Audit Plan (9/1/18 – 8/31/19)
Project Type DescriptionTotal
Hours
8 Budget and Budget Processes Audit Evaluate the process for planning and completing the annual budget. 400
9 Accounts Payable Evaluate the controls, review transactions for accuracy, and determine
compliance with applicable laws, regulations, and policies.
400
10 Process Review of the Payment Card Industry Data
Security Standards (PCI DSS)
Document risks/controls of the PCI processes to assess compliance with
requirements.
300
11 Process Review of the Emergency Notifications &
Communication Plans
Document risks/controls of the plans used to ensure appropriate response in
the event of an emergency.
300
12 Investigations / Special Requests EthicsPoint and other investigations and special requests. 700
13 Internal Quality Assessment Review Annual self-assessment required by the Institute of Internal Auditors’
International Standards for the Professional Practice of Internal Auditing
324
14 Continuous Monitoring Program Establish a formal data analytics and continuous monitoring program using
ACL Analytics Exchange.
200
Total 5,624
3737
Approved Alternate/Potential FY 2019 Projects
Project Type Description
Title IX Compliance Audit Review processes utilized by Alamo Colleges in administering Title IX
requirements for compliance (complete audit no later than FY 2020).
Student Advisor Services Assess advising processes and documentation (complete audit no later
than FY 2020).
Time and Attendance Reporting Determine if time reporting system is operating effectively and internal
controls have been implemented.
IT Data Security Audit Evaluate the design of controls over sensitive data (e.g., student
records, Personally Identifiable Information, Credit Card, SSN, etc.).
Compliance with The Jeanne Clery Act Assess controls and accuracy of reported information (crime and
statistical reporting).
Scholarships and Endowments Review donor-stipulated funds use.
Alamo Colleges Online Assess that training activities align with Alamo Colleges priorities, are
adequately controlled, and are delivered efficiently and effectively.
I-Best & Adult Basic Education
(Full Scope Audit or Process Review)
Evaluate the management practices, financial records, and delivery of
training activities.
3838
VII. External Audit Services Procured in Fiscal
Year 2018External audit services procured by Internal Audit:
• Non-IT Audit Support – Internal Audit did not procure any outside services in FY 2018
• IT Audit Support – Internal Audit did not procure any outside services in FY 2018
• Internal Audit engaged the services of Basil Woller and Associates, LLC to perform the External
Quality Assessment of the Internal Audit Department. Assessment completed May 2018.
• Internal Audit plans to procure outside professional services in FY 2019 to perform an Audit of IT
Governance. This audit is included on the FY 2019 Internal Audit Plan. This audit is tentatively
scheduled to begin in late 2018.
External audit services procured by Finance & Administration:
• Financial Statement Audit – Grant Thornton
• Single Audit - Grant Thornton
• ACCD Public Facility Corporation – Weaver
3939
VIII. Reporting Suspected Fraud and Abuse
40
In accordance with section 7.09 of the Texas General Appropriations Act, a link in the footer of the home page for the Alamo
Colleges external website referencing “Fraud Hotline” takes users to the Ethics site which includes instructions on how to report
fraud, waste and abuse to the State Auditor’s Office as follows:
Any person who suspects fraud or financial impropriety at Alamo Colleges should report their suspicions immediately to any
supervisor, the Chancellor or designee, the Board Chairperson, the Alamo Colleges Ethics Hotline, local law enforcement,
Internal Audit or the State Auditor’s Office Hotline.
If you suspect fraud, waste, or abuse, and would like to file an anonymous complaint, please report the matter to one of the
following:
Alamo Colleges Ethics Hotline
1-844-302-0425
www.alamo.edu.ethicspoint.com
or
State Auditor’s Office Hotline
1-800-TX-AUDIT (1-800-892-8348)
http://sao.fraud.state.tx.us
40