Transcription
2018 Internal Audit Annual Report2018 Internal Audit Annual ReportOctober 9, 2018October 9, 20181
Table of ContentsI.Compliance with Texas Government Code, Section 2102.0153II.Benefits Proportionality Audit Requirements for Higher Education Institutions4III. Internal Audit Plan for Fiscal Year 20185IV. Consulting and Nonaudit Services Completed11V.12Quality Assurance ReviewVI. Approved Internal Audit Plan for Fiscal Year 201928VII. External Audit Services Procured in Fiscal Year 201839VIII. Reporting Suspected Fraud and Abuse40Note: The outline of the annual report as listed above is prescribed by the Texas State Auditors Office per the Texas Internal Auditing Act.2
I. Compliance with House Bill 16(Texas Government Code, Section 2102.015)Requirements: Within 30 days of approval, an entity should post the following information on its Internet Web site:–An approved fiscal year 2019 audit plan, as provided by Texas Government Code, Section 2102.008.–A fiscal year 2018 internal audit annual report, as required by Texas Government Code, Section 2102.009. 2102.015.Required Updates–Detailed summary of weaknesses, deficiencies, wrongdoings, or other concerns, if any raised by the audit plan orannual report–Summary of action taken by the agency to address concerns, if any, that are raised by the audit plan or annual reportCompliance:The information required above will be included in this annual report and, once approved by the Alamo Colleges Board ofTrustees, will be posted to the Board of Trustees page on the Alamo Colleges Web site at Alamo.edu.333
II. Benefits Proportionality Audit Requirementsfor Higher Education InstitutionsNote: The requirements in this section of the annual report are not applicable for communitycolleges44
III. Internal Audit Plan for Fiscal Year 2018(Status as of August 31, 2018)FY 2018 Audit Plan ProjectsStatusPhase1Enterprise Risk Management and Safety (full scope audit) -2Tobin Lofts – (Public-Private Housing Partnership)(Confidential & Privileged Attorney Work Product) -3Full-Time Temporary Faculty Utilization (targeted review) -4Software Acquisition, Implementation, and Management (full scope audit) -5Construction Contracts and Project Management – DSO (full scope audit)In ProgressFieldwork6Software Licensing Compliance (full scope audit) -7District Institutional Research - Internal Reporting (Performance Mgmt.) (full scope) -8Procurement and Contract Management (full scope audit)In ProgressFieldwork9Independent Contract Workers (Joint Employer Liability Risks) (full scope audit)In ProgressPlanning10 Title IX Compliance (scope TBD)Deferred-11 Issues Follow-UpOngoing-5
Internal Audit Plan for Fiscal Year 2018 (Continued)(Status as of August 31, 2018)FY 2018 Audit Plan ProjectsStatusPhase--13 Business Office (Bursar) (Process Review) -14 International Programs (Process Review) -15 External Quality Assessment Review (Independent Quality Review of Internal Audit) -16 Internal Quality Assessment Review (Annual Self Assessment of Internal Audit) -FY 2018 Special Requests12 No Special Requests Received as of August 31, 2018.FY 2018 Process Reviews and Consulting Engagements3 6
Internal Audit Plan for Fiscal Year 2018 (Continued)(Status as of August 31, 2018)FY 2018 Audit Plan ProjectsStatusPhase-FY 2018 Investigations17 EthicsPoint (Case #542) Investigation (Case Received August 15, 2017) -18 EthicsPoint (Case #557) Investigation (Case Received January 5, 2018) -19 EthicsPoint (Case #577) Investigation (Case Received April 5, 2018) -20 EthicsPoint (Case #586) Investigation (Case Received May 3, 2018) -21 EthicsPoint (Case #587) Investigation (Case Received May 9, 2018) -22 Allegation of Misappropriation of Assets (Case Received October 31, 2017) -3 7
III. FY 2018 Summary of on Recommendations related to emergencyexercises, training, and outdated rosters. Internal controls related to safety andemergency information improvements.Management will continue toschedule exercises, supportmembers, provide training,and improve communications.SoftwareReview projectAcquisition,management methodologyImplementation, and processes and controls.Management Project management guidelines andtemplates were developed and updatedannually.NoneFull-Time Temporary Assess the use of full-timeFaculty Utilizationtemporary faculty (FTTs). The number of FTTs was increasing andseveral had been employed for more thantwo years.Management will consideramending hiring practicesprocedure.Business Office(Bursar) ProcessReview Recommendations related to inconsistentprocesses and additional security devices. Internal controls related to procedures andcash counts.Management will improveprocesses for safeguardingassets, consider additionalsecurity devices, and developwritten procedures.Enterprise RiskManagement andSafetyReview emergencyresponse andcommunications.Review physical security,internal controls, and cashhandling functions.88
III. FY 2018 Summary of Results iationSoftware LicenseComplianceEvaluate software licenseprocesses and compliancewith licensing requirements. Recommendations related to improvingmonitoring processes, licensingprocedures, and training.Management will enhance thesoftware managementprogram, develop procedures,and provide training.InstitutionalResearchEnsure communication andreports are accurate,complete, and timely. Internal controls related to formalprocedures, tracking system, andmonitoring access to data.Management will improvedocumentation for reportrequests and receive trainingrelated to monitoring access totheir server.InternationalPrograms ProcessReviewReview the policies,procedures, and processesused to manage andoperate the program. Recommendations related to clarifyingdetails of the business plan, updatingtravel warnings, and improving expenseand wire transfers.Management will documentbusiness plan projections,revise board policy, andimprove compliance withpolicies and proceduresrelated to reimbursement andwire transfer requests.Tobin Lofts – (Public-Private Housing Partnership) - Confidential & Privileged Attorney Work Product99
III. FY 2018 Summary of Corrective ActionProjectFY 2016 and Prior Year Projects(Six Audit Reports)Report DateIssue Countas Open Issuesas of9/1/2018% Closed5742%Enterprise Risk Management and Safety Audit11/22/201777Tobin Lofts Operations Audit11/22/201741Software Acquisition, Implementation andManagement Audit3/29/201811Business Office (Bursar) Process Review6/28/201862Software License Compliance Audit7/19/20183Institutional Research Audit8/27/20183International Programs Process %40%2148%Note: Verbal recommendations communicated with management during audits are not included in the issue count above .1010
IV. Consulting and Nonaudit Services Completed Ten consulting, investigative, or nonaudit engagements were performed in FY2018 Business Office (Bursar) Process ReviewInternational Programs Process ReviewSix Investigations Completed – Five of the six were EthicsPoint Hotline CasesTobin Lofts - Advisory Services to Legal DepartmentFull-Time Temporary Faculty Utilization Targeted Review Consulting services provided to management included: Tobin Lofts (Public–Private Housing Partnership) – Internal Audit provided services to theAlamo Colleges District Legal Department (Confidential & Privileged Attorney Work Product) Management Special Requests for Services At the request of the Chancellor, the Internal Audit Department performed a targeted review ofFull-Time Temporary Faculty Utilization. Based on the Chancellor’s request he submitted toInternal Audit in 2017, this review was included on the Approved FY 2018 Internal Audit Plan.1111
Quality Assurance andImprovement Program(QAIP)12
V. Quality Assurance and Improvement Program Internal Audit maintains an ongoing Quality Assurance and ImprovementProgram (QAIP). Periodic reviews are performed through self and external assessments. Annual self-assessment was conducted during March and April of 2018. Last external quality assessment was completed in May 2018. Next external quality assessment is scheduled for Spring 2021. Overall ratings were “Generally Conforms” on both internal and externalassessments. “Generally Conforms” means structures, polices, and procedures, as well asprocesses applied, comply with the requirements of the IIA Standards, theIIA Code of Ethics, and Generally Accepted Government Auditing Standards.1313
External Quality Assessment Review ofthe Internal Audit DepartmentReview Completed May 201814
15
16
17
18
19
20
21
FY 2018 Accomplishments Continued to update and refine the internal audit methodology and procedures Developed preparation materials for the May 2018 External Qualify Assessment Reviewof the Internal Audit Department. Internal Audit received the highest rating of “GenerallyConforms.” Updated the Internal Audit Department Procedures Manual supporting compliance withthe IIA Standards and the Board-approved Internal Audit Protocols. The Internal Audit Department is fully staffed and did not have any staffturnover during FY 2018. Continued enhancing employee development and continuing professionaleducation (CPE) opportunities. On track for an average of 120 hours of CPEand other training for CY 2018.2222
FY 2018 Accomplishments (continued) One Internal Audit staff member obtained Quality Texas Foundation ExaminerTraining (using the Baldrige Model) and was a member of the site review teamof an organization in Houston for the Texas Award for Performance Excellence(TAPE). Continued expanded support for Internal Audit staff to obtain additionalprofessional certifications. One Internal Audit staff member obtained theCertified Internal Auditor (CIA) professional certification in April of 2018. Twoother Internal Audit staff members are currently working on obtaining the CIAcertification.2323
FY 2018 Accomplishments (continued) Results: 75 percent (FY 2018) and 50 percent (FY 2017) increase in the number ofaudits completed versus the average completed FY 2013-2016. FY 2018 and FY 2017 metrics compared to the average of FY 2013-2016: Reduced the average hours per full scope project by 53 percent and 45 percent,respectively. Increased the total number of audits completed from the average of 4 to 7 and 6,respectively. Average audit process owner satisfaction rating – 4.75 of 5.0 (scale of 0 to 5) Reduced the number of open management corrective action plans from 38 inFY 2016 to 12 in FY 2017 and 21 in FY 2018. Percentage of staff holding professional certifications at 100 percent.2424
FY 2018 Accomplishments (continued)Average Hours Per Full Scope Audit1,5001,3961,200FY 2018 Audit Plan Target Average of 475 hours1,00890020165174958423300161317131094-0FY 2013FY 2014FY 2015FY 2016Average HoursFY 2017FY 2018Planned HoursFY 2013FY 2014AuditsOverall Customer SatisfactionFY 2015InvestigationsFY 2016Leadership SurveyBoard Survey PendingNo Board SurveyProcess Owner SurveyFY 2015Survey Sent;none returnedFY 2014No Board SurveyNo Board SurveyFY 2013FY 2016FY 2017Process ReviewsFY 2018Planned Engagements2018 Internal Audit Activity Time AllocationCompliance5%No Board Survey54.543.532.521.510.50FY 2018 Audit Plan Target 1312707600Total Audits, Process Reviews,and Investigations CompletedFY 2017Board SurveyFY 6%Target 4.72525
Balanced Scorecard2626
FY 2019 Priorities Internal Audit Projects Complete an audit of Budget and Budget Processes.Complete an audit of Accounts Payable.Complete a construction contracts and project management CIP audit.Complete a construction contracts and project management “close out” audit ofthe new DSO facility. Respond to the increased demand for the performance of investigations. Co-Sourced Internal Audit Services – IT Governance Audit Internal Audit will manage the co-source audit services performed by a third partyfirm having specialized expertise in this area. Budget funds for outside serviceswere requested by Internal Audit for this effort and are included in the approvedFY 2019 Internal Audit budget. An IIA Implementation Standard requires that ITgovernance be evaluated as part of the assessment of governance activities.2727
VI. Internal Audit Plan for Fiscal Year 2019Audit PlanningCycleRiskAssessmentAC ApprovalDraft AnnualAudit arking/Best Practicesin Internal AuditStakeholderInputAssessment ofInternal AuditResources(Staff SkillSets, Budget,etc.)UpdateUniverse ofAudit Subjects(UAS)2828
2018 Annual Risk Assessment29
Risk Assessment Identifies Key Areas of Risk andAssists in Developing the Internal Audit PlanRisk AssessmentInterviews withLeadershipValidate:RiskUniversePrioritizeAudit Areas &Draft PlanInternal AuditGroup RiskAssessmentINPUTProcessUniversePlanning ProcessApproval BySeniorLeadership2018 / 2019AuditPlanBoardof TrusteesApprovalOUTPUT30
Risk AssessmentWhat Internal Audit’s Risk Assessment is An assessment of inherent risks and residual risks associated with environmental,operational (process), financial, and information technology areas. A mechanism for identifying control improvement opportunities. An identification of key regulatory and compliance requirements (e.g., ADA, Title IX,FERPA, PCI, etc.).What the Risk Assessment is not An assessment of control design adequacy. A replacement for audit work performed by the Internal Audit Department. A detailed assessment of key processes and activities performed at the individualcolleges and the District.31
Alamo Colleges Audit UniverseEntity Level Alamo CollegesAuditable Entity LevelNE LakeviewNW VistaPalo AltoSan AntonioSt. Philip’sDSOAuditable Function / Audit UnitFinance General Acctg.Financial Rptng.Budget Mgmt.Financial s OfficeGrants/ContractsHR Benefits &Compensation Training &Development EmploymentIT IT OperationsInfo. SecuritySystem DevelopmentSystem and DatabaseSupport Network &Infrastructure Support IT Governance Call CenterAdministration FacilitiesProcurementRisk Mgmt & Sfty.PoliceInstit. ResearchStrategic Initiatives &Perf. Excellence Records Mgmt. Communications &Public RelationsOperations Economic & WFDevelopment Academic Success Student Success Auxiliary Locations- WFCOE- CTTC- WETC- Kerrville/Floresville- EETCInst. Gov. Ethics & Compliance Strategic Planning Enterprise RiskManagement (ERM) Legal AffairsIndividual CollegesNE Lakeview Academic Programs Student Services College ServicesNW Vista Academic Programs Student Services College ServicesPalo Alto Academic Programs Student Services College ServicesSan Antonio Academic Programs Student Services College ServicesSt. Philip’s Academic Programs Student Services College Services3232GovernanceGovernanceDistrict-Wide Support Services
Audit Subjects by Risk GroupingHighestModerate-HighModerateLowGrants and ContractsIT GovernanceState ReportingFacilities ManagementInformation Security & ComplianceBudget and Budget ProcessesBusiness Office / BursarHR Training & DevelopmentFacilities - Construction Mgmt. – CIPPayroll (incl. Time & Attendance Rptg)Strategic PlanningBusiness OutreachFacilities - Construction Mgmt. – DSOTitle IX ComplianceTransfer ArticulationCommunity PartnershipsContinuing Education (CE)Emergency ManagementDistrict & Colleges’ Inst. ResearchPublic AlliesCollege Grant ManagementStudent AdvisingADA ComplianceNursing and Allied HealthPurchasing & Contract AdministrationAccounts PayableEmployment – Onboarding/ExitingTreasuryIT Network & Infrastructure SupportCenter for Student Information (CSI)Developmental EducationStudent Leadership ProgramsI-Best & Adult Basic EducationStudent Financial AidRecords ManagementAcademic PartnershipsInternational ProgramsPolice Dept. (Incl. Clery Act)Communications & Public RelationsAccountingEnvironment Risk ManagementAdmissions and EnrollmentAlamo Colleges FoundationInventory ControlIT Systems/Database SupportFacilities - Tobin LoftsCollege IT and Technical ServicesHigh School ProgramsOperational Risk Management & SafetyOff-Site LocationsBusiness Continuity & DisasterRecoveryAlamo Colleges Online / DistanceLearningHR - Compensation & BenefitsAdmin.(including contract workers)Blue New additions for FY2018/20193333
Approved FY 2019 Internal Audit Plan34
FY 2019 Internal Audit ResourcesDistrict Director of InternalAuditTotal ApprovedHeadcount 5Lead Senior InternalAuditor - ITLead Senior InternalAuditorSenior InternalAuditorInternal AuditorTotal HoursLess Audit Director’s TimeNet Internal Audit Staff ,320(1,384)Training(480)Staff General Admin (average of 10%)(832)Total Time Available for Audits, Investigations, & Consulting Engagements5,6243535
Approved 2019 Internal Audit Plan (9/1/18 – 8/31/19)Project TypeTotalHoursDescription1Construction Contracts and Project Management – CIPAuditAudit vendor’s compliance with contracts. This includes auditing invoices andpayments, supporting documentation, and contract administration.9002Construction Contracts and Project Management – DSOContract and Construction Close OutAudit the remaining portion of contracts and construction activity since thelast audit in FY 2018/2019 that was performed at the mid-construction stage.4003Continuing Education (CE) AuditAssess effectiveness of processes and controls including implementation ofLERN Report recommendations.5004Business Continuity & Disaster Recovery AuditEvaluate processes to ensure the continuance of key business functions.4005Independent Contract Workers Audit (including JointEmployer Liability Risks)Review practices to ensure the institution is not: 1) exposed to joint employerliability risks and 2) using employees as independent contractors.3006Police ID & Automated Badging System AuditReview processes and controls for access to facilities.4007IT Governance Review(Internal Audit will manage the co-source audit servicesperformed by a third party firm having specializedexpertise in this area. The budget hours shown at theright are for Internal Audit’s oversight of the third partyfirm. Budget funds are included in Internal Audit’sapproved FY 2019 budget to fund this effort.)Determine if IT objectives are aligned with Alamo Colleges operationalstrategies and objectives.1003636
Approved 2019 Internal Audit Plan (9/1/18 – 8/31/19)Project TypeDescriptionTotalHours8Budget and Budget Processes AuditEvaluate the process for planning and completing the annual budget.4009Accounts PayableEvaluate the controls, review transactions for accuracy, and determinecompliance with applicable laws, regulations, and policies.40010Process Review of the Payment Card Industry DataSecurity Standards (PCI DSS)Document risks/controls of the PCI processes to assess compliance withrequirements.30011Process Review of the Emergency Notifications &Communication PlansDocument risks/controls of the plans used to ensure appropriate response inthe event of an emergency.30012Investigations / Special RequestsEthicsPoint and other investigations and special requests.70013Internal Quality Assessment ReviewAnnual self-assessment required by the Institute of Internal Auditors’International Standards for the Professional Practice of Internal Auditing32414Continuous Monitoring ProgramEstablish a formal data analytics and continuous monitoring program usingACL Analytics Exchange.200Total5,6243737
Approved Alternate/Potential FY 2019 ProjectsProject TypeDescriptionTitle IX Compliance AuditReview processes utilized by Alamo Colleges in administering Title IXrequirements for compliance (complete audit no later than FY 2020).Student Advisor ServicesAssess advising processes and documentation (complete audit no laterthan FY 2020).Time and Attendance ReportingDetermine if time reporting system is operating effectively and internalcontrols have been implemented.IT Data Security AuditEvaluate the design of controls over sensitive data (e.g., studentrecords, Personally Identifiable Information, Credit Card, SSN, etc.).Compliance with The Jeanne Clery ActAssess controls and accuracy of reported information (crime andstatistical reporting).Scholarships and EndowmentsReview donor-stipulated funds use.Alamo Colleges OnlineAssess that training activities align with Alamo Colleges priorities, areadequately controlled, and are delivered efficiently and effectively.I-Best & Adult Basic Education(Full Scope Audit or Process Review)Evaluate the management practices, financial records, and delivery oftraining activities.3838
VII. External Audit Services Procured in FiscalYear 2018External audit services procured by Internal Audit: Non-IT Audit Support – Internal Audit did not procure any outside services in FY 2018 IT Audit Support – Internal Audit did not procure any outside services in FY 2018 Internal Audit engaged the services of Basil Woller and Associates, LLC to perform the ExternalQuality Assessment of the Internal Audit Department. Assessment completed May 2018. Internal Audit plans to procure outside professional services in FY 2019 to perform an Audit of ITGovernance. This audit is included on the FY 2019 Internal Audit Plan. This audit is tentativelyscheduled to begin in late 2018.External audit services procured by Finance & Administration: Financial Statement Audit – Grant Thornton Single Audit - Grant Thornton ACCD Public Facility Corporation – Weaver3939
VIII. Reporting Suspected Fraud and AbuseIn accordance with section 7.09 of the Texas General Appropriations Act, a link in the footer of the home page for the AlamoColleges external website referencing “Fraud Hotline” takes users to the Ethics site which includes instructions on how to reportfraud, waste and abuse to the State Auditor’s Office as follows:Any person who suspects fraud or financial impropriety at Alamo Colleges should report their suspicions immediately to anysupervisor, the Chancellor or designee, the Board Chairperson, the Alamo Colleges Ethics Hotline, local law enforcement,Internal Audit or the State Auditor’s Office Hotline.If you suspect fraud, waste, or abuse, and would like to file an anonymous complaint, please report the matter to one of thefollowing:Alamo Colleges Ethics orState Auditor’s Office Hotline1-800-TX-AUDIT (1-800-892-8348)http://sao.fraud.state.tx.us4040
4 Software Acquisition, Implementation, and Management (full scope audit) - 5 Construction Contracts and Project Management -DSO (full scope audit) In Progress Fieldwork 6 Software Licensing Compliance (full scope audit) - 7 District Institutional Research - Internal Reporting (Performance Mgmt.) (full scope) -
