FY 2014 Annual Audit Report
TABLE OF CONTENTS
I.
Compliance with House Bill 16 (Texas Government Code, Section 2102.015): Posting the Internal Audit Plan, Internal Audit Annual Report, and Other Audit Information on Internet Web site ……………………………………………………………………………..3
II.
Planned Work Related to the Proportionality of Higher Education Benefits ………………..4
III.
Internal Audit Plan for Fiscal Year 2014 …………………………………………………………………..5
IV.
Consulting Services and Nonaudit Services Completed …………………………………………….9
V.
External Quality Assurance Review (Peer Review) ………………………………………………..…12
VI.
Internal Audit Plan for Fiscal Year 2015 …………………………………………………………………15
VII.
External Audit Services Procured in Fiscal Year 2014 ……………………………………………..19
VIII.
Reporting Suspected Fraud and Abuse ……………………………………………..…………………..20
TxDOT Annual Audit Report
2
I.
Compliance with House Bill 16 (Texas Government Code, Section 2102.015): Posting the Internal Audit Plan, Internal Audit Annual Report, and Other Audit Information on Internet Web site
House Bill 16 (83rd Legislature, Regular Session) signed by Governor Perry on June 14, 2013, amended the Internal Auditing Act to require state agencies and institutions of higher education, as defined in the bill, to post internal audit plans, internal audit annual reports, and any weaknesses or concerns resulting from the audit plan or annual report on the entities’ internet web site within 30 days after the audit plan and annual report are approved by an entity’s governing board or chief executive. The requirements are met by posting the approved documents at the following link: http://www.txdot.gov/inside-txdot/administration/commission/subcommittee-meetings.html A detailed summary of the weaknesses, deficiencies, wrongdoings, or other concerns raised by the audit plan or annual report and a summary of actions taken by TxDOT to address concerns, if any, that are raised by the audit plan or annual report is included in the fiscal year 2014 Annual Audit Report.
TxDOT Annual Audit Report
3
II.
Planned Work Related to the Proportionality of Higher Education Benefits
Not applicable
TxDOT Annual Audit Report
4
III. Audit Plan for Fiscal Year 2014
PHASES OF THE AUDIT/CONSULTING SERVICES CYCLE
Reports Issued Report Number RD1307 FS1401 FS1407 FS1308 RD1402 RD1408 FS1401 FS1404 RD1412 FS1414 FS1406 FS1411 RD1401 RD1409
Report Date
Report Name
02/07/2014 08/21/2014 08/26/2014 02/07/2014 06/19/2014 08/26/2014 06/19/2014 11/25/2013 08/25/2014 08/26/2014 07/25/2014 08/25/2014 02/27/2014 08/21/2014
RD1406
08/08/2014
RD1407 FS1405 FS1306 FS1408 FS1416 FS1403 RD1411 RD1403 FS1312
08/25/2014 07/25/2014 04/17/2014 07/25/2014 08/29/2014 04/17/2014 08/25/2014 02/27/2014 02/07/2014
Advance Funding Agreements Bid Estimation Bridge Program Bond Covenants COMPASS Electronic Bidding and Letting Management Encumbrance Review FIN Penalties/Mitigation Highway Condition Reporting Highway Performance Monitoring System Reporting HR Procedures Management IT Service Level Contract Management/Billing Metropolitan Planning Organization Plan Review Process Procurement Cycle: Efficiency/Effectiveness of Performance Monitoring, Data Reliability, and System Access Public Transportation Grant Management Rail Project Management Receivables Management – Statement of Cost Records Management Revenue Accounting ROW Acquisition ROW Governance and Internal Controls RTI Billing/Accounts Payable Toll Operations
Audit Service Internal Audit Internal Audit Internal Audit Internal Audit Internal Audit Internal Audit Internal Audit Internal Audit Internal Audit Internal Audit Internal Audit Internal Audit Internal Audit Internal Audit Internal Audit Internal Audit Internal Audit Internal Audit Internal Audit Internal Audit Internal Audit Internal Audit Internal Audit Internal Audit
TxDOT Annual Audit Report
5
FS1417 RD1410 RD1405 RD1413 RD1404 FS1413 MP1407 MP1409 MP1406 MP1404 MP1411 MP1408 MP1405 MP1410 MP1403 MP1401 MP1402 MP1412 CT1405 CT1401 CT1403 CT1404 CT1402 CT1407 SP1402 SP1402 SP1402
08/29/2014 08/08/2014 07/11/2014 08/27/2014 08/08/2014 08/21/2014 08/29/2014 08/27/2014 06/19/2014 04/17/2014 08/27/2014 08/08/2014 07/25/2014 08/29/2014 08/08/2014 02/27/2014 02/07/2014 08/29/2014 08/29/2014 08/25/2014 03/07/2014 08/29/2014 01/10/2014 08/26/2014
Toll Operations: FHWA Reporting Traffic Logo Program Travel Information Center Safety Unified Transportation Program Vegetation Management Work Zone Safety Communication of Policies and Guidance Disaster Recovery – IT Equipment Maintenance and Repair Ferry Operations General Controls – IT Local Government Project Monitoring Multiple Use Agreements Office of Civil Rights Program Management Physical Security Purchase of Service Safety Program Toll Operations MAP Follow-Up Environmental – National Environmental Policy Act Payment Card Process Facilitation Sarbanes-Oxley (SOX) Disclosure Sarbanes-Oxley (SOX) Key Controls Testing Traffic Safety Grant Pre-Award FY 2014 Review Traffic Safety Grant Pre-Award FY 2015 Review Regional Mobility Authority (RMA) Financial Audit – 08/25/2014 Cameron County RMA Regional Mobility Authority (RMA) Financial Audit – 08/25/2014 Camino Real RMA Regional Mobility Authority (RMA) Financial Audit – 08/25/2014 North East Texas RMA
Internal Audit Internal Audit Internal Audit Internal Audit Internal Audit Internal Audit MAP Follow-Up MAP Follow-Up MAP Follow-Up MAP Follow-Up MAP Follow-Up MAP Follow-Up MAP Follow-Up MAP Follow-Up MAP Follow-Up MAP Follow-Up MAP Follow-Up MAP Follow-Up Consulting Consulting Consulting Consulting Consulting Consulting External Audit External Audit External Audit
TxDOT Annual Audit Report
6
Carryovers to FY 2015 Audit Plan Report Number FS1415
CT1408 CT1406
Report Name
Audit Service
Professional Engineering Procurement Service Contracts and CCO Work Authorization Process (two audits combined into one audit) (Closing Phase) Maintenance Operations Receivables Management – Statement of Cost MAP Follow-Up Toll Operations Contract Management Texas Municipal Police Association Indirect Cost Rates (Closing Phase) Traffic Safety Grant Monitoring (Closing Phase)
Internal Audit Internal Audit MAP Follow-Up Internal Audit Consulting Consulting
Detailed summary of the weaknesses, deficiencies, wrongdoings, or other concerns raised by the Audit Plan or Annual Audit Report are as follows: 39 internal/external audits and consulting engagements were completed o 50 findings were identified with control design and operating effectiveness deficiencies as noted below 45 control design 50 operating effectiveness 12 management action plan (MAP) follow-up engagements were completed to address high risk(s) identified. The following details were noted: o 35 closed MAPS – corrective actions have been completed o 27 open MAPS – corrective actions require completion to address identified risk from the original audit o 13 new MAPS – corrective actions that were newly identified and further actions are necessary to properly address the remaining risk
TxDOT Annual Audit Report
7
Deviations from FY 2014 Planned Audits Continuous evaluation of the audit plan, based on risks identified, resulted in the modification of the FY 2014 Audit Plan. Modifications were presented to the Chief Audit and Compliance Officer for review and approval and subsequently communicated to the Audit Subcommittee for review. The following audits were added to the FY 2014 Audit Plan: Report Report Title Number RD1411 ROW Governance and Internal Controls Internal Audit FS1417 Toll Operations: FHWA Reporting Internal Audit MP1412 Toll Operations MAP Follow-Up Internal Engagement Texas Municipal Police Association Indirect Cost Rates Consulting CT1408 Engagement Traffic Safety Grant Pre-Award FY 2015 Review Consulting CT1407 Engagement Regional Mobility Authority (RMA) Financial Audit – Cameron County SP1402 RMA External Audit Regional Mobility Authority (RMA) Financial Audit – Camino Real SP1402 RMA External Audit Regional Mobility Authority (RMA) Financial Audit – North East Texas SP1402 RMA External Audit
Approved 07/31/2014 07/11/2014 07/09/2014 08/15/2014 06/09/2014 03/26/2014 03/26/2014 03/26/2014
The following audit engagements were removed from the FY 2014 Audit Plan and will be included in Fiscal Year 2015 planned engagements: Report Title Approved CDA South and Central Texas 7/11/2014 FIN Project Ledger and Federal Receivables 7/11/2014 Material Quality of Non-Bid Items 7/11/2014 ROW Maps, Survey and Utilities 7/11/2014 The following consulting engagement was removed from the FY 2014 Audit Plan at the request of the client: Report Title Approved Project Health Management Information System (PHMIS with focus on Primavera 06/09/2014 6) Consulting Engagement
TxDOT Annual Audit Report
8
IV.
Consulting Services and Nonaudit Services Completed
1. Environmental – National Environmental Policy Act (CT1405) Objective Assist the Environmental Affairs Division (ENV) in determining whether processes are appropriate and complete to assume the Federal Highway Administration’s (FHWA) responsibilities for the National Environmental Policy Act (NEPA) and assist in preparing ENV staff for upcoming FHWA audits. Results All deliverables specified in the Statement of Work (see below) were completed and accepted by ENV.
Provide input and recommendations on whether the processes as defined in the Application are auditable.
Identify gaps and inconsistencies between the Application and control points in ENV’s approval process tables (Environmental Impact Statement and Environmental Assessments). Report Date: 08/29/2014 2. Payment Card Process Facilitation (CT1401) Objective To facilitate a discussion and provide recommendations in coordination with the Finance Division and the Procurement Division regarding review and timing of Payment Card (i.e., PCard) transactions. Results The Finance Division and the Procurement Division have put into place a process that requires the cardholder to match each transaction in the system within 7 business days after the transaction date. In addition, GSD has made available all PCard reports on their website to allow supervisors to review the employee’s transaction. The Internal Audit Office has not verified these actions for control design or operating effectiveness. Report Date: 08/25/2014
TxDOT Annual Audit Report
9
3. Sarbanes-Oxley (SOX) Disclosure (CT1403) Objective: Work collaboratively with the Finance Division (FIN) and the Chief Financial Officer to further develop the plan and assist in the implementation of the next phase of “Spirit of SOX” at TxDOT. Results All deliverables specified in the Statement of Work (see below) were completed jointly with and accepted by Finance.
The development of a flexible scheduling tool Identification of roles and responsibilities across FIN and External Audit for the various phases of the project Development of a methodology to rank and rate key controls for testing Assistance in the development of communication to the Audit Subcommittee and Texas Transportation Commission to provide an update on current activities, and A proposal to adopt certain amendments to the “Spirit of SOX” requirements.
Report Date: 03/07/2014 4. Sarbanes-Oxley (SOX) Key Controls Testing (CT1404) Objective Determine the operating effectiveness of the selected key controls over financial reporting for FY 2014. Results The operating effectiveness testing of the 25 selected key controls over financial reporting has been completed. Of the 25 key controls tested, one (1) control was found to be ineffective and required remediation. Upon follow-up testing, the control was determined to be effective. Report Date: 08/29/2014 5. Traffic Safety Grant Pre-Award FY 2014 Review (CT1402) Objective Provide information to the Traffic Operations Division’s Traffic Safety Section (TRF) to assist in deciding whether to award grants to selected non-profits. Results Relevant information for the non-profit entities was provided to TRF in individual internal memos as work on each entity was completed. Report Date: 01/10/2014
TxDOT Annual Audit Report
10
6. Traffic Safety Grant Pre-Award FY 2015 Review (CT1407) Objective Provide information to the Traffic Operations Division’s Traffic Safety Section (TRF) to assist in deciding whether to award grants to selected non-profits. Results Relevant information for the non-profit entities was provided to TRF in individual internal memos as work on each entity was completed. Report Date: 08/29/2014
TxDOT Annual Audit Report
11
V.
External Quality Assurance Review (Peer Review)
TxDOT Annual Audit Report
12
TxDOT Annual Audit Report
13
TxDOT Annual Audit Report
14
VI.
Internal Audit Plan for Fiscal Year 2015
Risk Assessment The Chief Audit and Compliance Officer performs a department-wide risk assessment to develop the annual internal audit plan. The risk assessment process is conducted to assign the audit resources and includes: • Performing an evaluation of department functions based on objective criteria and professional judgment • Review and consideration of prior audit results • Obtaining input from members of the Commission, Administration, and Management team • Obtaining input from federal law enforcement • Review and consideration of the Federal Highway Administration (FHWA) risk assessment • Review and consideration of the Office of Compliance, Ethics, and Investigation risk assessment • Review and consideration of investigative trends • Review and consideration of professional/industry standards • Review and consideration of TxDOT’s 2015-2019 Strategic Plan The Chief Audit and Compliance Officer will provide quarterly status reports on audit activities to the Commission and will present the results of completed audits at quarterly Audit Subcommittee meetings. Audit Plan The plan consists of 52 risk-based internal/external audits and consulting engagements. The audit engagements (including FY2014 audits carried over) are divided into six areas of focus and coverage, as follows: • Third Party – provide assurance of reporting and operational reliability to stakeholders • Governance/Comptrollership – provide assurance that business activities of the organization are optimized toward achievement of objectives • Information Technology – focus on the integrity and security of information assets • District Operations – provide assurance and insight of distributed activities • Management Action Plan (MAP) Follow Up – assess remediation and risk management regarding previously identified organizational high risks • External Audit and Consulting Engagements - use of grant funds and allowable costs - management consulting services The internal audit plan includes consideration and coverage of contract management and information technology risks. None of the engagements in the plan relate to expenditure transfers, capital budget controls, or any other limitation or restriction in the General Appropriations Act. A contingency list of four engagements is also included in the plan. This provides for additional coverage if the planned engagements are completed prior to the conclusion of the fiscal year.
TxDOT Annual Audit Report
15
Audit Plan FY 2015 Internal Audit Section Third Party (3) Construction Project Performance Measures Grant Reimbursement Monitoring/Oversight SH 183 Management Lanes Project
Budgeted Hours 1100 1835 1100
Governance/Comptrollership (5) Advisory Service Engineering and Inspection (CEI) Contracts Contract Administration Emergency Equipment Requisition Process Fuel Consumption Toll Operations Federal Reporting
Budgeted Hours 1100 1835 1835 1835 1100
Information Technology (7) Data Classification Mobile Security Post-Implementation Review – ERP Project Costing Post-Implementation Review – ERP Payroll and Recruiting Post-Implementation Review – ERP Purchasing and Inventory Post-Implementation Review – ERP Accounts Payable Software License Management
Budgeted Hours 1100 1835 1100 1100 1100 1100 1835
District Operations (3) Change Order Process Local Let Projects Materials Testing
Budgeted Hours 1835 1100 1835
Management Action Plan (MAP) Follow-Up (15) Specific engagements will be selected based on risk. Will include Receivables Management – Statement of Cost MAP Follow-Up that is carried over from the FY 2014 Audit Plan.
Budgeted Hours
FY 2014 Audits Carried Over (3) Maintenance Operations Toll Operations Contract Management Professional Engineering and Procurement Service Contracts and CCO Work Authorization Process (two audits combined into one audit)
Budgeted Hours 1835 1835
7335
40
TxDOT Annual Audit Report
16
Summary – Internal Audit Section Third Party Audits Governance/Comptrollership Audits Information Technology Audits District Operations Audits Management Action Plan (MAP) Follow-Up FY 2014 Audits Carried Over Total Hours:
Budgeted Hours 4035 7705 9170 4770 7335 3710 36725
External Audit and Advisory Services Section External Audits (4) Construction Donations Metropolitan Planning Organization Operations Public Transportation Grant Recipients Regional Mobility Authorities Limited Scope Financial Audit
Budgeted Hours 400 1500 1500 1500
Consulting Engagements (11) Cybersecurity – Network Vulnerability/Penetration Program Metropolitan Planning Organization Credit Swap Program Multiple Use Agreements NEPA Application Program, Phase 2 NEPA Application Program, Phase 3 Office of Civil Rights Commercially Useful Function Review Database Rail Contracts – Federal Railroad Administration Grants Sarbanes-Oxley (SOX) Key Controls Testing (2014 Annual Controls) Sarbanes-Oxley (SOX) Key Controls Testing (2015 Annual Controls) Single Audit Report Review and Monitoring Traffic Safety 2016 Grant Pre-Award Review
Budgeted Hours 1000 400 1000 1000 250 1000 750 600 1000 250 450
FY 2014 Consulting Engagements Carried Over (1) Texas Municipal Police Association Indirect Cost Review Traffic Safety Grant Monitoring
Budgeted Hours 100 200
Summary – External Audit and Advisory Services Section External Audits Consulting Engagements FY 2014 Consulting Engagements Carried Over Total Hours:
Budgeted Hours 4900 7700 300 12900
TxDOT Annual Audit Report
17
High Risks not included in FY 2015 Plan Four high-risk engagements were included in a contingency list in the FY 2015 Audit Plan. This provides for additional coverage if the above engagements are completed prior to the conclusion of the fiscal year. Contingency List Audits (4) Travel Reimbursement Unified Transportation Program – Finance Application Controls Federal Receivables/Revenue
TxDOT Annual Audit Report
18
VII.
External Audit Services Procured in Fiscal Year 2014
Not applicable
TxDOT Annual Audit Report
19
VIII.
Reporting Suspected Fraud and Abuse
Actions taken to implement the requirements of: Fraud Reporting Article IX, Section 7.09 General Appropriations Act (83rd Legislature, Conference Committee Report) o A link to SAO’s Fraud Hotline was added to TxDOT’s internet site under the TxDOT Watch Hotline and TxDOT’s Recovery Act site at http://www.txdot.gov/insidetxdot/office/compliance-ethics/reporting-fraud.html o Information was added to TxDOT’s policies on how to report suspected fraud involving state funds to SAO. Call the State Auditor’s Office fraud hotline at 1-800-TXAUDIT (892-8348) or report it online at http://sao.fraud.state.tx.us o Office of Compliance, Ethics and Investigations (CEI) has created and maintains an external hotline number (877-769-8936) and website (txdotwatch.com) o TxDOT Human Resource Manual specifically addresses CEI as being the clearing house of all allegations of fraud, waste and abuse. o TxDOT External website directs to the Office of Compliance, Ethics and Investigations webpage with the TxDOT watch link.
Coordination of Investigations Texas Government Code, Section 321.022 o Reasonable Cause to Believe report will be completed by the Office of Compliance, Ethics, and Investigations and sent to SAO. SAO Hotline Complaint coordination with Nicole Guerrero, Audit Manager, SAO Special Investigations Section o Information was sent on 05/05/2014 specifying the report number, category, conclusion, closing memo or report, and additional information supporting conclusion. Going forward, with the formation of the Office of Compliance, Ethics, and Investigations, Reasonable Cause to Believe reports will be sent semi-annually (May and October), at minimum.
TxDOT Annual Audit Report
20
