2016 Internal Audit Annual Report
Table of Contents I.
Compliance with Texas Government Code, Section 2102.015
3
II.
Benefits Proportionality Audit Requirements for Higher Education Institutions
4
III. Internal Audit Plan for Fiscal Year 2016
5
IV. Consulting and Nonaudit Services Completed
8
V.
External Quality Assurance Review
9
VI. Internal Audit Plan for Fiscal Year 2017
17
VII. External Audit Services Procured in Fiscal Year 2016
28
VIII. Reporting Suspected Fraud and Abuse
29
Note: The outline of the annual report as listed above is prescribed by the Texas State Auditors Office per the Texas Internal Auditing Act.
I. Compliance with House Bill 16 (Texas Government Code, Section 2102.015) Requirements: • Within 30 days of approval, an entity should post the following information on its Internet Web site: –
An approved fiscal year 2017 audit plan, as provided by Texas Government Code, Section 2102.008.
–
A fiscal year 2016 internal audit annual report, as required by Texas Government Code, Section 2102.009.
• 2102.015.Required Updates –
Detailed summary of weaknesses, deficiencies, wrongdoings, or other concerns, if any raised by the audit plan or annual report
–
Summary of action taken by the agency to address concerns, if any, that are raised by the audit plan or annual report
Compliance: The information required above will be included in this annual report and, once approved by the Alamo Colleges Board of Trustees, will be posted to the Internal Audit page on the Alamo Colleges Web site at Alamo.edu.
3
II. Benefits Proportionality Audit Requirements for Higher Education Institutions Note: The requirements in this section of the annual report are not applicable for community colleges
4
Internal Audit Plan for Fiscal Year 2016 #
1 2 3 4 5 6 7 8 9
FY 2016 Audit Plan Projects Student Financial Aid State and Compliance Reporting Grants and Grant-Related Contracts Review Admissions and Enrollment Review IT Network Security Review HR Employment / Onboarding / Exiting Software Acquisition, Implementation & Management Disbursement Audit Analytics (Continuous Audit) Issue Follow-Up
Status
Phase
In Progress On-Hold In Progress On-Hold Deferred to ’17 On-Hold
Reporting Fieldwork Fieldwork Fieldwork Planning -
Deferred to ‘17
-
In Progress
Reporting
Planned Process Reviews / Consulting Projects 10 11 12
Procure-to-Pay (Purchasing, Accounts Payable) Emergency Management Curriculum Coordination, International Programs, Bursar, Facilities, & ERM
Investigations/Special Requests 13 14 15
Management Request Ethics Hotline Complaint Employee Complaint
5
2016 Summary of Results Project
Description
Results/Findings
Remediation
Student Financial Aid Review
Review whether key compliance risks related to Student Financial Aid were addressed by external auditors.
• Recommendation to evaluate the process for reviewing “C” or Completed flag notifications in the system to ensure the process is efficient and effective for prompt Direct Loan award processing.
Management agreed to review all “C“ flags immediately following receiving the application from the U.S. Department of Education.
State Reporting Review
Review enrollment data validation processes, timeliness, accuracy of reports, and Banner access.
• Internal controls related to Banner system functionality and access needed improvement. • Recommendation made to consider establishing a data warehouse.
Management will improve internal controls and consider establishing a data warehouse.
Procure-to-Pay Process Review (Consulting Engagement)
Review Procure-to-Pay processes, risks, and internal control design.
• Adequate internal control design, yet highly manual. • Well designed contract bid process; risk of circumventing process exists.
Management agreed with the key process maturity levels and will evaluate recommendations.
Emergency Management Process Review (Consulting Engagement)
Review emergency management processes, risks, and internal control design.
• Adequate emergency operation plans. • No formal review of vulnerabilities and threats since 2012. • Risk of potential delay in timely notification of incidents.
Management agreed with the key process maturity levels and will evaluate recommendations.
6
2016 Summary of Corrective Action New Issues
Closed through 8/31/2016
Open Issues as of 9/27/2016
% Closed
Project
Report Date
Issue Count as of 9/1/2015
Payroll and Related Business Processes Follow-up Review
1/15/2014
62
0
61
1
98%
PAC Natatorium Operations Follow-up Review
7/9/2014
3
-
2
1
67%
Institutional Advancement Donation Processes and Controls Review
12/11/2014
9
-
6
3
67%
Campus Continuing Education Review
7/20/2015
7
-
1
6
14%
Student Grade Processes and Controls Review
7/20/2015
6
-
3
3
50%
Student Financial Aid Review
11/3/2015
-
1
-
1
0%
State Reporting Review
3/23/2016
-
4
2
2
50%
87
5
75
17
82%
Total
7
IV. Consulting and Nonaudit Services Completed • Three consulting, investigative or nonaudit engagements were performed in 2016 • Procure-to-Pay Process Review • Emergency Management Process Review • Hotline case – Review of college department timekeeping process
• Consulting services provided to management included: • Review of executive PCard, direct pay expenses, and supporting documentation
8
V. External Quality Assurance Review (Next review scheduled for fiscal year 2018)
9
Quality Assurance and Improvement Program (QAIP)
10
FY 2016 Accomplishments • Updated the internal audit methodology and procedures • • • •
Risk-based approach (enterprise risk assessments performed in-house) Developed process for consulting review Streamlined audit follow-up process Updated manuals supporting compliance with the Standards and the Board-approved Internal Audit Protocols
• Restructured salary levels for Internal Audit staff to align with the competitive marketplace • Overhauled and streamlined job descriptions for Internal Audit staff positions • Enhanced employee development and continuing professional education opportunities • Expanded support for Internal Audit staff to obtain additional professional certifications 11
FY 2016 Accomplishments (continued) • Results: • 25 percent increase in the number of projects completed versus FY 2015 • FY 2016 metrics compared to the average of FY 2012-2015: • • • •
Reduced the average hours per full scope project by 61 percent Reduced the average length of full scope audit reports by 79 percent Reduced the average number of recommendations by 82 percent Increased the total number of projects completed from the average of 3 to 5
• Average audit process owner satisfaction rating – 5.0 of 5.0 • Reduced the number of open management corrective action plans from 92 to 17 (82 percent reduction) • Increased the percentage of staff holding professional certifications from 66 percent to 100 percent 12
FY 2016 Accomplishments (continued) Average Hours Per Full Scope Audit
Total Projects Completed
2,000
16 14
1,500
12 10
1,000
8 6
500
4 2
-
0 2012
2013
2014
Average Hours
2015
2012
2016
2013
Planned Hours
Total Projects Completed
Internal Audit Reports - Full Scope Audits 30
25
25
20
20
15
15
10
10
5
5
-
2013 Issues
2014 Recommendations
2015
2015
2016
Planned Projects
FY 2016 Project Allocation
30
2012
2014
2016
Consulting 11% Investigations 8%
Operational 63%
IT 9% Compliance 9%
# pages in Report
13
Balanced Scorecard PROCESS Enterprise Risk Assessment - Audit Plan - Board/Mgmt Input - Audit Manuals -
PEOPLE
PROGRESS % Plan Completed - 40 % # Unplanned Projects - 3 (241 hrs) % Time Spent on Consulting/ Management Assistance - 4%
IIA Standards Govt. Auditing Standards Department Goals
Staff Experience - Average of 15 years Training Hours / Auditor - 36 hrs % Staff Certified - 100%
PROJECTS Full Scope Project Hours Avg. - 459 Audit Cycle Time - 5 months Project Survey Average - 5 of 5 Open Issues Aging - 18% Overdue
14
FY 2016 Priorities • Internal Audit Projects • Consulting – increase overall percentage of time spent on consulting / management assistance projects • IT Audit – perform two full scope IT audits
• Internal Audit Administration • Recruiting – Hire additional Internal auditors as approved by the Board of Trustees • Issue Monitoring • Clean up backlog of outstanding issues • Establish a process to automate the management of corrective action responses
• Audit Cycle Time – reduce the overall audit cycle time • Streamline engagement planning process • Reduce audit report cycle times 15
FY 2017 Priorities • Internal Audit Projects • IT Audits – increase IT audit coverage with increased bench strength • Consulting – increase consulting/management assistance through audit projects and process reviews • Audit Analytics – develop a data analytics program for continuous auditing
• Internal Audit Administration • Recruiting – Hire three new Internal Auditors to fill current staff vacancies, with one new hire having extensive IT auditing experience • Increase IT auditing bench strength in Internal Audit through the hiring of an additional Senior IT Auditor • Audit Cycle Time – reduce the overall audit cycle time • Streamline planning process • Reduce audit report cycle times 16
VI. Internal Audit Plan for Fiscal Year 2017 Audit Planning Cycle
Risk Assessment
AC Approval
Draft Annual Audit Plan
Stakeholder Input
Stakeholder Input
External Benchmarking/ Best Practices in Internal Audit
Stakeholder Input
Assessment of Internal Audit Resources (Staff Skill Sets, Budget, etc.)
Update Universe of Audit Subjects (UAS)
17
2016 Annual Risk Assessment
18
Risk Assessment Overview How to Use Risk Assessment Results Management • Ensure that processes/internal controls are in place to mitigate significant risks • Evaluate whether current policies adequately address significant risks
Internal Audit • Prioritize audit subjects to create annual Audit Plan • Consult with Management on risk mitigation and internal controls
Board of Trustees • Understand significant risks to the organization • Hold management accountable for mitigation of significant risks
19
Alamo Colleges Audit Universe Entity Level = Alamo Colleges Auditable Entity Level NE Lakeview
NW Vista
Palo Alto
San Antonio
St. Philip’s
DSO
Auditable Function / Audit Unit Finance • • • • • • • • • •
General Acctg. Financial Rptng. Budget Mgmt. Financial Aid Treasury Payroll AP/Disbursements Fixed Assets Bursar Grants/Contracts
HR • Benefits & Compensation • Training & Development • Employment
Administration
IT • • • •
IT Operations Info. Security System Development System and Database Support • Network & Infrastructure Support • IT Governance
• • • • • •
Facilities Procurement Risk Mgmt & Sfty. Campus Police Instit. Research Strategic Initiatives & Perf. Excellence • Records Mgmt. • Communications & Public Relations
Operations • Economic & WF Development • Academic Success • Student Success • Auxiliary Locations - WFCOE - CTTC - WTEC - Kerrville/Floresville
Inst. Gov. • Ethics & Compliance • Strategic Planning • Enterprise Risk Management (ERM) • Legal Affairs
Individual Colleges NE Lakeview • Academic Programs • Student Services • College Services
NW Vista • Academic Programs • Student Services • College Services
Palo Alto • Academic Programs • Student Services • College Services
San Antonio • Academic Programs • Student Services • College Services
St. Philip’s • Academic Programs • Student Services • College Services
20
Governance
Governance
District-Wide Support Services
Audit Subjects by Risk Grouping Highest
Moderate-High
Moderate
Low
Grants/Grant-Related Contracts
State Reporting
Contract Administration
Facilities Management
Information Security
IT Systems/Database Support
IT Operations
Business Office / Bursar
IT Network & Infrastructure Support
IT Strategy & Organization
Strategic Planning
Business Outreach
HR- Compensation & Benefits
Payroll
Curriculum Coordination
Developmental Education
Admissions and Enrollment
Employment
Accounting, A/P, Budget
Community Partnerships
Institutional Governance – ERM
Purchasing
Campus Police
Off-Site Locations
SACS Accreditation / Reaffirmation
District Institutional Research
Facilities - Construction Management
Treasury
College IT and Technical Services
Student Advising
High School Programs
Facilities – Tobin Lofts
College Admissions
International Programs
Workforce Development
Student Leadership Institute
College Enrollment Management
Enterprise Risk Management Dept. & Safety
Communications & Public Relations
Inventory Control
College Grant Management
Emergency Management
Academic Partnerships
Center for Student Information (CSI)
Student and Program Development
Student Financial Aid
HR Training & Development
Alamo Colleges Online
IT Systems Development
Continuing Education
Alamo Colleges Foundation
College Contract Management
Records Management
College Institutional Research
College Student Records Management
21
2017 Proposed Internal Audit Plan
22
Internal Audit Resources District Director of Internal Audit
Lead Senior IT Auditor
Senior IT Auditor (Vacant)
Senior Internal Auditor (Vacant)
Senior Internal Auditor (Vacant)
Total Approved Headcount = 5
Academic Year Total Hours* * Based on 11/1/16, 1/1/17, and 3/1/17 start dates for three new auditors
Less Audit Director’s Time
8,320 (2,080)
Net Internal Audit Staff Time
6,240
Holidays/Vacation/Sick
(808)
Training
(400)
Staff General Admin (average of 10%)
(624)
Total Time Available for Audits, Investigations, & Consulting Engagements
4,408 23
FY 2017 Proposed Internal Audit Plan Project Type
Description
Total Hours
1
IT Network Security Review (FY 2016 Rollover)
Evaluate the IT network security program
200
2
Admissions and Enrollment Review (FY 2016 Rollover)
Review admissions and enrollment processes
300
3
HR Employment / Onboarding / Exiting (FY 2016 Rollover)
Review hiring and onboarding processes
300
4
Software Acquisition, Implementation , and Mgmt. (FY 2016 Rollover)
Review of SDLC and software management processes
400
5
Enterprise Risk Management and Safety
Review of Risk Management and Safety processes
400
6
Grant Review – Health Profession Opportunity Grant (HPOG) Program Review
Review program controls and processes effectiveness
400
7
Institutional Research – Internal Reporting (Performance Management)
Review reporting accuracy/data integrity
500
8
Curriculum Coordination
Review curriculum design, controls, and processes
500
9
Process Reviews/Consulting
Document risks/controls for five processes
750
10
Disbursement Audit Analytics (Continuous Audit)
Data analysis to identify cost recovery/avoidance
300
11
Investigations/Special Requests
Investigations and requests as necessary
358
Total
Budgeted Expense
4,408
TBD
24
FY 2017 Proposed Process Reviews Project Type
Total Hours
1
Business Office (Bursar) *
150
2
Facilities Management *
150
3
International Programs *
150
4
Student Transcript Processing
150
5
Employee Expense Reporting and PCards
150
Total
750
* Carryover from the FY 2016 Process Review List Note: The purpose of the Process Reviews is to document key processes along with relevant risks and controls, and to provide input related to potential improvements to internal control design and/or process efficiencies and effectiveness.
25
Alternate/Potential FY 2017/18 Projects Project Type
Description
IT Vendor Management Audit *
Review controls to prevent software licensing infractions
Procurement and Contract Management *
Assess effectiveness of controls to support contracting activities
Independent Contract Workers (Joint Employee Liability Risks)
Review practices for handling independent contract workers to ensure the institution is not exposed to joint employer liability risks
Time and Attendance Reporting
Determine system is operating effectively and internal controls have been implemented
Workforce Classification (Exempt vs. Non-Exempt)
Evaluate workforce classification processes to ensure the institution is not misclassifying employees
IT Data Security Audit
Network audit of sensitive data (student records, PII, CC, SSN, etc.)
Continuing Education Operations Review
Assess effectiveness of processes and controls including implementation of the LERN Report recommendations
* Carryover from the FY 2016 Alternate/Potential List 26
Audit Plan Coverage Highest
Moderate-High
2016 Actual Moderate
2017 Plan
Low
Grants/Grant-Related Contracts
State Reporting
Contract Administration
Management Facilities
Information Security
IT Systems/Database Support
IT Operations
Business Office / Bursar
IT Network & Infrastructure Support
IT Strategy & Organization
Strategic Planning
Business Outreach
HR- Compensation & Benefits
Payroll
Curriculum Coordination
Developmental Education
Admissions and Enrollment
Employment
Accounting, A/P, Budget
Community Partnerships
Institutional Governance – ERM
Purchasing
Campus Police
Off-Site Locations
SACS Accreditation / Reaffirmation
District Institutional Research
Facilities - Construction Management
Treasury
College IT and Technical Services
Student Advising
High School Programs
Facilities – Tobin Lofts
College Admissions
International Programs
Workforce Development
Student Leadership Institute
College Enrollment Management
Enterprise Risk Management Dept. & Safety
Communications & Public Relations
Inventory Control
College Grant Management
Emergency Management
Academic Partnerships
Center for Student Information (CSI)
Student and Program Development
Student Financial Aid
HR Training & Development
Alamo Colleges Online
IT Systems Development
Continuing Education
Alamo Colleges Foundation
College Contract Management
Records Management
College Institutional Research
College Student Records Mgmt.
27
VII. External Audit Services Procured in Fiscal Year 2016 External audit services procured by Internal Audit: • Non-IT Audit Support – Weaver • IT Audit Support - Weaver External audit services procured by Finance & Administration: • Financial Statement Audit – Grant Thornton • A-133 Single Audit - Grant Thornton
28
VIII. Reporting Suspected Fraud and Abuse In accordance with section 7.09 of the Texas General Appropriations Act, a link in the footer of the home page for the Alamo Colleges external website referencing “Fraud Hotline” takes users to the Ethics site which includes instructions on how to report fraud, waste and abuse to the State Auditor’s Office as follows: Any person who suspects fraud or financial impropriety at Alamo Colleges should report their suspicions immediately to any supervisor, the Chancellor or designee, the Board Chairperson, the College District Ethics Hotline, local law enforcement, Internal Audit or the State Auditor’s Office Hotline. If you suspect fraud, waste, or abuse, and would like to file an anonymous complaint, please report the matter to one of the following: Alamo Colleges Ethics Hotline 1-844-302-0425 www.alamo.edu.ethicspoint.com or State Auditor’s Office Hotline 1-800-TX-AUDIT (1-800-892-8348) http://sao.fraud.state.tx.us 29