2016 Internal Audit Annual Report


Table of Contents

I. Compliance with Texas Government Code, Section 2102.015
II. Benefits Proportionality Audit Requirements for Higher Education Institutions
III. Internal Audit Plan for Fiscal Year 2016
IV. Consulting and Nonaudit Services Completed
V. External Quality Assurance Review
VI. Internal Audit Plan for Fiscal Year 2017
VII. External Audit Services Procured in Fiscal Year 2016
VIII. Reporting Suspected Fraud and Abuse

Note: The outline of the annual report as listed above is prescribed by the Texas State Auditor’s Office per the Texas Internal Auditing Act.

I. Compliance with House Bill 16 (Texas Government Code, Section 2102.015)

Requirements:

• Within 30 days of approval, an entity should post the following information on its Internet Web site:
  – An approved fiscal year 2017 audit plan, as provided by Texas Government Code, Section 2102.008.
  – A fiscal year 2016 internal audit annual report, as required by Texas Government Code, Section 2102.009.

• 2102.015. Required Updates
  – Detailed summary of weaknesses, deficiencies, wrongdoings, or other concerns, if any, raised by the audit plan or annual report
  – Summary of action taken by the agency to address concerns, if any, that are raised by the audit plan or annual report

Compliance: The information required above will be included in this annual report and, once approved by the Alamo Colleges Board of Trustees, will be posted to the Internal Audit page on the Alamo Colleges Web site at Alamo.edu.


II. Benefits Proportionality Audit Requirements for Higher Education Institutions

Note: The requirements in this section of the annual report are not applicable for community colleges.

Internal Audit Plan for Fiscal Year 2016

# | FY 2016 Audit Plan Projects | Status | Phase
1 | Student Financial Aid | ✓ |
2 | State and Compliance Reporting | ✓ |
3 | Grants and Grant-Related Contracts Review | In Progress | Reporting
4 | Admissions and Enrollment Review | On-Hold | Fieldwork
5 | IT Network Security Review | In Progress | Fieldwork
6 | HR Employment / Onboarding / Exiting | On-Hold | Fieldwork
7 | Software Acquisition, Implementation & Management | Deferred to ’17 | Planning
8 | Disbursement Audit Analytics (Continuous Audit) | On-Hold | -
9 | Issue Follow-Up | ✓ |

Planned Process Reviews / Consulting Projects
10 | Procure-to-Pay (Purchasing, Accounts Payable) | ✓ |
11 | Emergency Management | ✓ |
12 | Curriculum Coordination, International Programs, Bursar, Facilities, & ERM | Deferred to ’17 | -

Investigations/Special Requests
13 | Management Request | ✓ |
14 | Ethics Hotline Complaint | ✓ |
15 | Employee Complaint | In Progress | Reporting

2016 Summary of Results

Project: Student Financial Aid Review
Description: Review whether key compliance risks related to Student Financial Aid were addressed by external auditors.
Results/Findings:
• Recommendation to evaluate the process for reviewing “C” or Completed flag notifications in the system to ensure the process is efficient and effective for prompt Direct Loan award processing.
Remediation: Management agreed to review all “C” flags immediately following receiving the application from the U.S. Department of Education.

Project: State Reporting Review
Description: Review enrollment data validation processes, timeliness, accuracy of reports, and Banner access.
Results/Findings:
• Internal controls related to Banner system functionality and access needed improvement.
• Recommendation made to consider establishing a data warehouse.
Remediation: Management will improve internal controls and consider establishing a data warehouse.

Project: Procure-to-Pay Process Review (Consulting Engagement)
Description: Review Procure-to-Pay processes, risks, and internal control design.
Results/Findings:
• Adequate internal control design, yet highly manual.
• Well designed contract bid process; risk of circumventing process exists.
Remediation: Management agreed with the key process maturity levels and will evaluate recommendations.

Project: Emergency Management Process Review (Consulting Engagement)
Description: Review emergency management processes, risks, and internal control design.
Results/Findings:
• Adequate emergency operation plans.
• No formal review of vulnerabilities and threats since 2012.
• Risk of potential delay in timely notification of incidents.
Remediation: Management agreed with the key process maturity levels and will evaluate recommendations.

2016 Summary of Corrective Action

Project | Report Date | Issue Count as of 9/1/2015 | New Issues | Closed through 8/31/2016 | Open Issues as of 9/27/2016 | % Closed
Payroll and Related Business Processes Follow-up Review | 1/15/2014 | 62 | 0 | 61 | 1 | 98%
PAC Natatorium Operations Follow-up Review | 7/9/2014 | 3 | - | 2 | 1 | 67%
Institutional Advancement Donation Processes and Controls Review | 12/11/2014 | 9 | - | 6 | 3 | 67%
Campus Continuing Education Review | 7/20/2015 | 7 | - | 1 | 6 | 14%
Student Grade Processes and Controls Review | 7/20/2015 | 6 | - | 3 | 3 | 50%
Student Financial Aid Review | 11/3/2015 | - | 1 | - | 1 | 0%
State Reporting Review | 3/23/2016 | - | 4 | 2 | 2 | 50%
Total | | 87 | 5 | 75 | 17 | 82%

IV. Consulting and Nonaudit Services Completed

• Three consulting, investigative or nonaudit engagements were performed in 2016
  • Procure-to-Pay Process Review
  • Emergency Management Process Review
  • Hotline case – Review of college department timekeeping process

• Consulting services provided to management included:
  • Review of executive PCard, direct pay expenses, and supporting documentation

V. External Quality Assurance Review (Next review scheduled for fiscal year 2018)


Quality Assurance and Improvement Program (QAIP)


FY 2016 Accomplishments

• Updated the internal audit methodology and procedures
  • Risk-based approach (enterprise risk assessments performed in-house)
  • Developed process for consulting review
  • Streamlined audit follow-up process
  • Updated manuals supporting compliance with the Standards and the Board-approved Internal Audit Protocols
• Restructured salary levels for Internal Audit staff to align with the competitive marketplace
• Overhauled and streamlined job descriptions for Internal Audit staff positions
• Enhanced employee development and continuing professional education opportunities
• Expanded support for Internal Audit staff to obtain additional professional certifications

FY 2016 Accomplishments (continued)

• Results:
  • 25 percent increase in the number of projects completed versus FY 2015
  • FY 2016 metrics compared to the average of FY 2012-2015:
    • Reduced the average hours per full scope project by 61 percent
    • Reduced the average length of full scope audit reports by 79 percent
    • Reduced the average number of recommendations by 82 percent
    • Increased the total number of projects completed from the average of 3 to 5
  • Average audit process owner satisfaction rating – 5.0 of 5.0
  • Reduced the number of open management corrective action plans from 92 to 17 (82 percent reduction)
  • Increased the percentage of staff holding professional certifications from 66 percent to 100 percent

FY 2016 Accomplishments (continued)

[Chart: Average Hours Per Full Scope Audit, by year, 2012 to 2016. Series: Average Hours, Planned Hours]

[Chart: Total Projects Completed, by year, 2012 to 2016. Series: Total Projects Completed, Planned Projects]

[Chart: Internal Audit Reports - Full Scope Audits, by year, 2012 to 2016. Series: Issues, Recommendations, # pages in Report]

[Chart: FY 2016 Project Allocation. Operational 63%, Consulting 11%, IT 9%, Compliance 9%, Investigations 8%]

Balanced Scorecard

Center: IIA Standards, Govt. Auditing Standards, Department Goals

PROCESS
• Enterprise Risk Assessment - ✓
• Audit Plan - ✓
• Board/Mgmt Input - ✓
• Audit Manuals - ✓

PEOPLE
• Staff Experience - Average of 15 years
• Training Hours / Auditor - 36 hrs
• % Staff Certified - 100%

PROGRESS
• % Plan Completed - 40%
• # Unplanned Projects - 3 (241 hrs)
• % Time Spent on Consulting/Management Assistance - 4%

PROJECTS
• Full Scope Project Hours Avg. - 459
• Audit Cycle Time - 5 months
• Project Survey Average - 5 of 5
• Open Issues Aging - 18% Overdue

FY 2016 Priorities

• Internal Audit Projects
  • Consulting – increase overall percentage of time spent on consulting / management assistance projects
  • IT Audit – perform two full scope IT audits

• Internal Audit Administration
  • Recruiting – Hire additional Internal auditors as approved by the Board of Trustees
  • Issue Monitoring
    • Clean up backlog of outstanding issues
    • Establish a process to automate the management of corrective action responses
  • Audit Cycle Time – reduce the overall audit cycle time
    • Streamline engagement planning process
    • Reduce audit report cycle times

FY 2017 Priorities

• Internal Audit Projects
  • IT Audits – increase IT audit coverage with increased bench strength
  • Consulting – increase consulting/management assistance through audit projects and process reviews
  • Audit Analytics – develop a data analytics program for continuous auditing

• Internal Audit Administration
  • Recruiting – Hire three new Internal Auditors to fill current staff vacancies, with one new hire having extensive IT auditing experience
  • Increase IT auditing bench strength in Internal Audit through the hiring of an additional Senior IT Auditor
  • Audit Cycle Time – reduce the overall audit cycle time
    • Streamline planning process
    • Reduce audit report cycle times

VI. Internal Audit Plan for Fiscal Year 2017

Audit Planning Cycle

[Diagram: Audit Planning Cycle. Elements: Risk Assessment; AC Approval; Draft Annual Audit Plan; Stakeholder Input (shown at three points in the cycle); External Benchmarking/Best Practices in Internal Audit; Assessment of Internal Audit Resources (Staff Skill Sets, Budget, etc.); Update Universe of Audit Subjects (UAS)]

2016 Annual Risk Assessment


Risk Assessment Overview

How to Use Risk Assessment Results

Management
• Ensure that processes/internal controls are in place to mitigate significant risks
• Evaluate whether current policies adequately address significant risks

Internal Audit
• Prioritize audit subjects to create annual Audit Plan
• Consult with Management on risk mitigation and internal controls

Board of Trustees
• Understand significant risks to the organization
• Hold management accountable for mitigation of significant risks

Alamo Colleges Audit Universe

Entity Level = Alamo Colleges

Auditable Entity Level: NE Lakeview, NW Vista, Palo Alto, San Antonio, St. Philip’s, DSO

Auditable Function / Audit Unit

Diagram grouping labels: Governance; District-Wide Support Services

Finance
• General Acctg.
• Financial Rptng.
• Budget Mgmt.
• Financial Aid
• Treasury
• Payroll
• AP/Disbursements
• Fixed Assets
• Bursar
• Grants/Contracts

HR
• Benefits & Compensation
• Training & Development
• Employment

IT
• IT Operations
• Info. Security
• System Development
• System and Database Support
• Network & Infrastructure Support
• IT Governance

Administration
• Facilities
• Procurement
• Risk Mgmt & Sfty.
• Campus Police
• Instit. Research
• Strategic Initiatives & Perf. Excellence
• Records Mgmt.
• Communications & Public Relations

Operations
• Economic & WF Development
• Academic Success
• Student Success
• Auxiliary Locations
  - WFCOE
  - CTTC
  - WTEC
  - Kerrville/Floresville

Inst. Gov.
• Ethics & Compliance
• Strategic Planning
• Enterprise Risk Management (ERM)
• Legal Affairs

Individual Colleges

NE Lakeview
• Academic Programs
• Student Services
• College Services

NW Vista
• Academic Programs
• Student Services
• College Services

Palo Alto
• Academic Programs
• Student Services
• College Services

San Antonio
• Academic Programs
• Student Services
• College Services

St. Philip’s
• Academic Programs
• Student Services
• College Services

Audit Subjects by Risk Grouping

Risk groupings: Highest | Moderate-High | Moderate | Low

Grants/Grant-Related Contracts

State Reporting

Contract Administration

Facilities Management

Information Security

IT Systems/Database Support

IT Operations

Business Office / Bursar

IT Network & Infrastructure Support

IT Strategy & Organization

Strategic Planning

Business Outreach

HR- Compensation & Benefits

Payroll

Curriculum Coordination

Developmental Education

Admissions and Enrollment

Employment

Accounting, A/P, Budget

Community Partnerships

Institutional Governance – ERM

Purchasing

Campus Police

Off-Site Locations

SACS Accreditation / Reaffirmation

District Institutional Research

Facilities - Construction Management

Treasury

College IT and Technical Services

Student Advising

High School Programs

Facilities – Tobin Lofts

College Admissions

International Programs

Workforce Development

Student Leadership Institute

College Enrollment Management

Enterprise Risk Management Dept. & Safety

Communications & Public Relations

Inventory Control

College Grant Management

Emergency Management

Academic Partnerships

Center for Student Information (CSI)

Student and Program Development

Student Financial Aid

HR Training & Development

Alamo Colleges Online

IT Systems Development

Continuing Education

Alamo Colleges Foundation

College Contract Management

Records Management

College Institutional Research

College Student Records Management


2017 Proposed Internal Audit Plan


Internal Audit Resources

Staff positions:
• District Director of Internal Audit
• Lead Senior IT Auditor
• Senior IT Auditor (Vacant)
• Senior Internal Auditor (Vacant)
• Senior Internal Auditor (Vacant)

Total Approved Headcount = 5

Academic Year Total Hours* | 8,320
Less Audit Director’s Time | (2,080)
Net Internal Audit Staff Time | 6,240
Holidays/Vacation/Sick | (808)
Training | (400)
Staff General Admin (average of 10%) | (624)
Total Time Available for Audits, Investigations, & Consulting Engagements | 4,408

* Based on 11/1/16, 1/1/17, and 3/1/17 start dates for three new auditors

FY 2017 Proposed Internal Audit Plan

# | Project Type | Description | Total Hours
1 | IT Network Security Review (FY 2016 Rollover) | Evaluate the IT network security program | 200
2 | Admissions and Enrollment Review (FY 2016 Rollover) | Review admissions and enrollment processes | 300
3 | HR Employment / Onboarding / Exiting (FY 2016 Rollover) | Review hiring and onboarding processes | 300
4 | Software Acquisition, Implementation, and Mgmt. (FY 2016 Rollover) | Review of SDLC and software management processes | 400
5 | Enterprise Risk Management and Safety | Review of Risk Management and Safety processes | 400
6 | Grant Review – Health Profession Opportunity Grant (HPOG) Program Review | Review program controls and processes effectiveness | 400
7 | Institutional Research – Internal Reporting (Performance Management) | Review reporting accuracy/data integrity | 500
8 | Curriculum Coordination | Review curriculum design, controls, and processes | 500
9 | Process Reviews/Consulting | Document risks/controls for five processes | 750
10 | Disbursement Audit Analytics (Continuous Audit) | Data analysis to identify cost recovery/avoidance | 300
11 | Investigations/Special Requests | Investigations and requests as necessary | 358
Total | | | 4,408
Budgeted Expense | | | TBD

FY 2017 Proposed Process Reviews

# | Project Type | Total Hours
1 | Business Office (Bursar) * | 150
2 | Facilities Management * | 150
3 | International Programs * | 150
4 | Student Transcript Processing | 150
5 | Employee Expense Reporting and PCards | 150
Total | | 750

* Carryover from the FY 2016 Process Review List

Note: The purpose of the Process Reviews is to document key processes along with relevant risks and controls, and to provide input related to potential improvements to internal control design and/or process efficiencies and effectiveness.

Alternate/Potential FY 2017/18 Projects

Project Type | Description
IT Vendor Management Audit * | Review controls to prevent software licensing infractions
Procurement and Contract Management * | Assess effectiveness of controls to support contracting activities
Independent Contract Workers (Joint Employee Liability Risks) | Review practices for handling independent contract workers to ensure the institution is not exposed to joint employer liability risks
Time and Attendance Reporting | Determine system is operating effectively and internal controls have been implemented
Workforce Classification (Exempt vs. Non-Exempt) | Evaluate workforce classification processes to ensure the institution is not misclassifying employees
IT Data Security Audit | Network audit of sensitive data (student records, PII, CC, SSN, etc.)
Continuing Education Operations Review | Assess effectiveness of processes and controls including implementation of the LERN Report recommendations

* Carryover from the FY 2016 Alternate/Potential List

Audit Plan Coverage

Risk groupings: Highest | Moderate-High | Moderate | Low

Legend: 2016 Actual; 2017 Plan

Grants/Grant-Related Contracts

State Reporting

Contract Administration

Facilities Management

Information Security

IT Systems/Database Support

IT Operations

Business Office / Bursar

IT Network & Infrastructure Support

IT Strategy & Organization

Strategic Planning

Business Outreach

HR- Compensation & Benefits

Payroll

Curriculum Coordination

Developmental Education

Admissions and Enrollment

Employment

Accounting, A/P, Budget

Community Partnerships

Institutional Governance – ERM

Purchasing

Campus Police

Off-Site Locations

SACS Accreditation / Reaffirmation

District Institutional Research

Facilities - Construction Management

Treasury

College IT and Technical Services

Student Advising

High School Programs

Facilities – Tobin Lofts

College Admissions

International Programs

Workforce Development

Student Leadership Institute

College Enrollment Management

Enterprise Risk Management Dept. & Safety

Communications & Public Relations

Inventory Control

College Grant Management

Emergency Management

Academic Partnerships

Center for Student Information (CSI)

Student and Program Development

Student Financial Aid

HR Training & Development

Alamo Colleges Online

IT Systems Development

Continuing Education

Alamo Colleges Foundation

College Contract Management

Records Management

College Institutional Research

College Student Records Mgmt.


VII. External Audit Services Procured in Fiscal Year 2016

External audit services procured by Internal Audit:
• Non-IT Audit Support – Weaver
• IT Audit Support - Weaver

External audit services procured by Finance & Administration:
• Financial Statement Audit – Grant Thornton
• A-133 Single Audit - Grant Thornton

VIII. Reporting Suspected Fraud and Abuse

In accordance with section 7.09 of the Texas General Appropriations Act, a link in the footer of the home page for the Alamo Colleges external website referencing “Fraud Hotline” takes users to the Ethics site which includes instructions on how to report fraud, waste and abuse to the State Auditor’s Office as follows:

Any person who suspects fraud or financial impropriety at Alamo Colleges should report their suspicions immediately to any supervisor, the Chancellor or designee, the Board Chairperson, the College District Ethics Hotline, local law enforcement, Internal Audit or the State Auditor’s Office Hotline.

If you suspect fraud, waste, or abuse, and would like to file an anonymous complaint, please report the matter to one of the following:

Alamo Colleges Ethics Hotline
1-844-302-0425
www.alamo.edu.ethicspoint.com

or

State Auditor’s Office Hotline
1-800-TX-AUDIT (1-800-892-8348)
http://sao.fraud.state.tx.us