January 14, 2014 Committee Report
Report to the Audit Committee
From: Rahoof “Wally” Oyewole, Departmental Audit Manager
Agenda of: JANUARY 14, 2014
ITEM: V
SUBJECT: INTERNAL AUDIT WORKPLAN THROUGH FISCAL YEAR 2014-15 AND POSSIBLE COMMITTEE ACTION
Recommendation:
That the Audit Committee consider the proposed Internal Audit workplan through Fiscal Year (FY) 2014-15; and recommend the workplan to the Board for approval.
Discussion:
Internal Audit is responsible for developing, for Audit Committee consideration, a flexible audit plan using an appropriate risk-based methodology. To meet the International Standards for the Professional Practice of Internal Auditing (IIA Standards), Internal Audit's workplan must be approved by LACERS' Audit Committee and/or the Board. The workplan is intended to remain flexible so that it can be changed in response to shifting risk factors, organizational needs, resource limitations, or a request from management and/or the Board. Updates on changes to the plan will be provided to the Committee at each Committee meeting during the Fiscal Year.
Internal Audit Risk Assessment Process
To assess the relative importance of potential audit subjects, the Internal Audit Section (IAS) prepares an annual risk assessment (Attachment 1) covering all divisions and functions performed by LACERS. This department-wide risk assessment compares programs and functions against one another, with the primary purpose of identifying high-impact audit areas. Risk is measured through an analysis of various information sources on each critical process, function, or unit.
Internal Audit has established a methodology to evaluate the relative importance of potential audit projects. Individual project priority ranking is based on risk factors of impact and likelihood. Internal Audit has identified key processes or programs and the following five risk criteria:
1. Strategic & Operational Impact - The significance of the process or area to LACERS strategic success, or impact of process disruption.
2. Financial Materiality - The magnitude of financial exposure, the degree of regulatory oversight, or possible financial penalties. The higher the financial exposure of an area, the higher the risk.
3. Complexity of Operations/Regulations - Considers the complexity of programs, activities, and/or functions. The number of individuals, entities, and processes involved, and the degree to which professional judgment or technical expertise is applied. The more complex the operations, the higher the risk.
4. Organizational and System Change Risk – Considers changes in the control environment. How much the process has been altered and the change of personnel carrying out the process. The more recent changes, the higher the risk.
5. Political/Reputation (including impact to Members) - The degree of public interest and awareness, and the visibility of the process to the media. The higher the interest, the higher the risk.
The following three steps were used to score each potential audit project.
Step 1 – Impact Scores
For each potential audit area, Internal Audit assigns an impact risk score for each of the five factors above, as follows:
Impact rating   Score
High            4 - 5
Medium          3
Low             1 - 2
Step 2 – Probability or Likelihood Scores
In assigning probability scores, Internal Audit considers inputs provided by senior staff and Board Members, as summarized in Attachment 2, interviews with staff and LACERS’ external auditors, review of policies, and the Internal Control Self-Assessment completed by division management. Internal Audit then assigns a probability score for each potential audit area, as follows:
Probability of Risk                                                                              Score
High probability or likelihood of significant problems occurring                                 0.8 - 1.0
Moderate probability of significant problems and/or high probability of improvements needed      0.4 - 0.7
Low probability of significant problems and/or low probability of improvements needed            0.1 - 0.3
Step 3 – Final Risk Scores
To determine final risk scores, impact scores were sub-totaled for each potential audit area and multiplied by the estimated probability of an adverse event occurring in each audit project area.
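The three-step scoring model above, implemented as an added worked example (this is not code from the report or from LACERS). It checks that each impact score and probability falls within the bands defined in Steps 1 and 2, computes the final risk score as impact subtotal times probability, and assigns rank order the way Attachment 1 does: tied scores share a rank and the next rank is skipped. The six rows are the workplan candidates with their scores copied from Attachment 1; the class and function names are the example's own.

```python
"""Internal Audit risk-scoring model, as a worked example.

Added example, not code from the report. Implements the three steps in the
text: per-factor impact scores (1-5), a probability score (0.1-1.0), and
final risk = impact subtotal x probability, followed by the tie-aware rank
order used in Attachment 1 (3, 3, 5 ... rather than 3, 4, 5).
"""
from dataclasses import dataclass

# The five impact factors, in the column order used by Attachment 1.
IMPACT_FACTORS = (
    "Materiality / Financial Impact / Compliance",
    "Strategic / Operational Impact",
    "Change / Stability",
    "Complexity of Operations or Regulations",
    "Political / Reputation",
)


@dataclass(frozen=True)
class AuditArea:
    division: str
    process: str
    impact: tuple        # one score per factor, in IMPACT_FACTORS order
    probability: float   # Step 2 band: 0.1-1.0


def impact_subtotal(area: AuditArea) -> int:
    """Step 1: sum of the five impact scores, each checked to be in 1-5."""
    if len(area.impact) != len(IMPACT_FACTORS):
        raise ValueError(f"{area.process}: expected {len(IMPACT_FACTORS)} impact scores")
    for factor, score in zip(IMPACT_FACTORS, area.impact):
        if not 1 <= score <= 5:
            raise ValueError(f"{area.process}: {factor} score {score} outside 1-5")
    return sum(area.impact)


def final_risk_score(area: AuditArea) -> float:
    """Step 3: impact subtotal multiplied by the Step 2 probability score."""
    if not 0.1 <= area.probability <= 1.0:
        raise ValueError(f"{area.process}: probability {area.probability} outside 0.1-1.0")
    return round(impact_subtotal(area) * area.probability, 1)


def rank_order(areas):
    """Sort highest score first and assign competition ranks.

    Tied scores share a rank and the following rank is skipped, which is the
    convention visible in Attachment 1's Rank Order column. Returns a list of
    (rank, process, impact_subtotal, final_score) tuples.
    """
    scored = sorted(areas, key=final_risk_score, reverse=True)
    ranked, rank, previous = [], 0, None
    for position, area in enumerate(scored, start=1):
        score = final_risk_score(area)
        if score != previous:
            rank, previous = position, score
        ranked.append((rank, area.process, impact_subtotal(area), score))
    return ranked


# Scores for the six areas that became workplan projects, copied from Attachment 1.
WORKPLAN_CANDIDATES = [
    AuditArea("Admin Services - Systems", "Business Continuity / Disaster Recovery Plan",
              (5, 5, 3, 4, 5), 0.8),
    AuditArea("Admin Services - Systems", "Web-Based Network Vulnerabilities, Penetration Test",
              (5, 5, 5, 5, 5), 0.7),
    AuditArea("Investments", "Investment Manager Fees", (4, 4, 3, 5, 5), 0.8),
    AuditArea("Plan Sponsor", "City - Accuracy of Enrollment & Deductions Remitted to LACERS",
              (5, 4, 4, 4, 4), 0.8),
    AuditArea("Retirement Services", "Benefits Determination, Setup & Payments",
              (5, 5, 3, 3, 5), 0.7),
    AuditArea("Admin Services - Systems", "System Access, Change Control & Data Security Process",
              (5, 4, 5, 5, 5), 0.6),
]


def workplan_ranking():
    """Rank the six workplan candidates; Attachment 1 gives ranks 1, 2, 3, 3, 5, 6."""
    return rank_order(WORKPLAN_CANDIDATES)


if __name__ == "__main__":
    for rank, process, subtotal, score in workplan_ranking():
        print(f"{rank:>2}  {score:>5.1f}  (impact {subtotal} x probability)  {process}")
```

Running it reproduces the Attachment 1 figures, including a Business Continuity score of 17.6 (22 x 0.8), and rejects any row whose scores fall outside the defined bands, which is the check to run before the ranking is relied on.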
Proposed Audit Projects for the Audit Workplan (Attachment 3)
Based on the result of the risk assessment and final risk scores, Internal Audit recommends scheduling the following audit projects:
1. Business Continuity/Disaster Recovery Plan (Final Risk Score 17.6) - The purpose of a business continuity/disaster recovery plan is to enable an organization to continue operating in the event of a disruption and to survive a disastrous interruption to its information systems. The objective of an audit of the Business Continuity Plan (BCP) will be to evaluate LACERS' BCP to determine its adequacy and currency in comparison to appropriate standards; verify the plan is effective by reviewing previous test results; and evaluate the ability of the System and user personnel to respond effectively in emergency situations.
2. Investment Manager Fees (Final Risk Score 16.8) - In FY 2012-13, LACERS paid approximately $48 million in investment management fees, with $27 million (56%) of this amount attributed to real estate and alternative investments. It has become increasingly difficult for Fiscal staff and LACERS' external auditors to validate the accuracy of fees paid, particularly for real estate and private equity investments, primarily because of the limited supporting documentation submitted with invoices. The objective of an audit of fees will be to recalculate fees that LACERS paid to a sample of investment managers during FY 2012-13, to ensure they are accurate and in accordance with contract terms approved by the Board. It should be noted that a few months ago, the LAFPP Board approved an appropriation for the Department to engage a CPA firm to recalculate fees paid for alternative investment management.
3. Employer Audit (Final Risk Score 16.8) – The objective of this audit will be to evaluate the accuracy of enrollment information, and deductions remitted to LACERS for employees. The focus will be to evaluate procedures in place to ensure individuals are placed in correct tier and/or plan. The audit will also assess procedures to ensure accurate deductions are remitted, particularly for employees who receive non-traditional lump sum payments that are subject to retirement contributions.
4. Benefit Determination and Payments (Final Risk Score 14.7) - The objective of this audit will be to determine the efficiency of the benefit setup process and whether benefit calculations are accurate and properly supported. The audit will also assess the accuracy and timeliness of ongoing payments after the initial setup to determine whether the process is efficient, effective and in accordance with the Administrative Code.
5. System Access, Change Control & Data Security (Final Risk Score 14.4) - The objective of this audit will be to evaluate whether employees' access to the various systems is appropriate for, and limited to, their duties. This audit will also evaluate the procedures in place to ensure adequate data security and change control.
6. Network Vulnerability and Penetration Testing (Final Risk Score 17.5) - Penetration testing is often referred to as ethical hacking and is intended to mimic an experienced attacker targeting a live system. Many organizations engage security professionals to perform penetration testing to find vulnerabilities so that they can fix them before an attack. Penetration testing should only be performed by experienced and qualified professionals who are aware of the risks and can limit any damage resulting from a successful break-in. Although this project ranks second by final risk score, it is listed separately because it will be performed by an outside firm: it is contingent on the Board appropriating the necessary funds in the FY 2014-15 Budget to engage an outside security firm with expertise in penetration testing.
In accordance with the Internal Audit Charter, the workplan also sets aside hours for consulting activities to assist management during the Fiscal Year. Staff will also take an active role in managing the external audit contract and in the upcoming implementation of GASB 67.
As LACERS' needs and priorities change, Internal Audit will use professional judgment to determine the order in which audit projects are completed. Staff will focus on efficiency and effectiveness in performing the work and will make every effort to review all areas identified in this workplan. Staff will provide the Audit Committee a quarterly update on the workplan. At the end of FY 2014-15, any remaining projects will be re-evaluated during the Annual Risk Assessment process for consideration in the next Fiscal Year's audit plan.
This report was prepared by Rahoof “Wally” Oyewole, Departmental Audit Manager, Internal Audit Section.
RWO
Attachments:
1) LACERS Internal Audit's Universe Risk Assessment - January 2014
2) Risk Assessment Survey Results
3) LACERS Internal Audit Proposed Workplan Through FY 2014-15
ATTACHMENT 1
LACERS Internal Audit Section Universe Risk Assessment - January 2014

Risk ranking definitions (each impact factor): High = 5, High to Medium = 4, Medium = 3, Medium to Low = 2, Low = 1

Impact factor columns:
A = Materiality / Financial Impact / Compliance
B = Strategic / Operational Impact
C = Change / Stability
D = Complexity of Operations or Regulations
E = Political / Reputation (Including Impact to Members)
Impact Subtotal = A + B + C + D + E; Final Risk Score = Impact Subtotal x Probability Score. Tied scores share a rank.

Division | Auditable Unit/Process | A | B | C | D | E | Impact Subtotal | Probability Score | Final Risk Score | Rank Order
Admin Services - Systems | Business Continuity / Disaster Recovery Plan | 5 | 5 | 3 | 4 | 5 | 22 | 0.8 | 17.6 | 1
Admin Services - Systems | Web-Based Network Vulnerabilities, Penetration Test | 5 | 5 | 5 | 5 | 5 | 25 | 0.7 | 17.5 | 2
Investments | Investment Manager Fees | 4 | 4 | 3 | 5 | 5 | 21 | 0.8 | 16.8 | 3
Plan Sponsor | City - Accuracy of Enrollment & Deductions Remitted to LACERS | 5 | 4 | 4 | 4 | 4 | 21 | 0.8 | 16.8 | 3
Retirement Services | Benefits Determination, Setup & Payments | 5 | 5 | 3 | 3 | 5 | 21 | 0.7 | 14.7 | 5
Admin Services - Systems | System Access, Change Control & Data Security Process | 5 | 4 | 5 | 5 | 5 | 24 | 0.6 | 14.4 | 6
Retirement Services | Reciprocity & Service Purchase Process | 5 | 4 | 4 | 5 | 5 | 23 | 0.6 | 13.8 | 7
Retirement Services | Disability Retirement Process | 5 | 5 | 3 | 5 | 5 | 23 | 0.6 | 13.8 | 7
Retirement Services | Death Comparison/Member Status Verification Process | 5 | 4 | 4 | 5 | 5 | 23 | 0.6 | 13.8 | 7
Health Admin | Account Reconciliation, Billing and Invoices | 5 | 4 | 4 | 5 | 4 | 22 | 0.6 | 13.2 | 10
Health Admin | Medical Subsidy Process | 5 | 4 | 3 | 5 | 5 | 22 | 0.6 | 13.2 | 10
Retirement Services | Survivor Claims/Family Death Benefits | 5 | 4 | 4 | 4 | 5 | 22 | 0.6 | 13.2 | 10
Retirement Services | Privacy of Member Data | 4 | 4 | 3 | 5 | 5 | 21 | 0.6 | 12.6 | 13
Health Admin | Medical Premium Reimbursement Program (for members out of regular coverage area) - MPRP | 4 | 3 | 3 | 3 | 5 | 18 | 0.7 | 12.6 | 13
Retirement Services | Member Refunds/Lump Sum Payments | 5 | 4 | 3 | 4 | 5 | 21 | 0.6 | 12.6 | 13
Investments | Risk Management Program & Investment Compliance Monitoring Process | 5 | 5 | 5 | 5 | 5 | 25 | 0.5 | 12.5 | 16
Investments | Due Diligence Process | 5 | 5 | 2 | 3 | 5 | 20 | 0.6 | 12.0 | 17
Health Admin | Member Support Services - Communication | 3 | 5 | 3 | 3 | 5 | 19 | 0.6 | 11.4 | 18
Investments | Investment RFP Process (manager selection, reporting, renewal, and termination) | 5 | 5 | 3 | 4 | 4 | 21 | 0.5 | 10.5 | 19
Health Admin | Enrollment & Dependent Eligibility Verification Process | 4 | 4 | 2 | 4 | 5 | 19 | 0.5 | 9.5 | 20
Health Admin | Medicare Enrollment and Medicare Part B Premium Reimbursements | 4 | 4 | 3 | 3 | 5 | 19 | 0.5 | 9.5 | 20
Retirement Services | Larger Annuity Program Review | 3 | 3 | 4 | 5 | 3 | 18 | 0.5 | 9.0 | 22
Admin Services - Accounting | Investment Accounting and Valuation | 5 | 5 | 3 | 5 | 4 | 22 | 0.4 | 8.8 | 23
Admin Services - Systems | Wire Transfer and Check Receipt Process | 5 | 5 | 2 | 5 | 5 | 22 | 0.4 | 8.8 | 23
Admin Services - Office Services | RFP and Procurement Process, and Contracting Practices | 5 | 5 | 4 | 5 | 3 | 22 | 0.4 | 8.8 | 23
Investments | Investment Reconciliations | 5 | 5 | 4 | 4 | 4 | 22 | 0.4 | 8.8 | 23
Retirement Services | Stale Dated Checks | 3 | 3 | 2 | 2 | 4 | 14 | 0.6 | 8.4 | 27
Human Resources | Temporary Employees - Recruitment and Monitoring Process | 2 | 3 | 5 | 3 | 3 | 16 | 0.5 | 8.0 | 28
Admin Services - Office Services | Budgets | 5 | 4 | 3 | 2 | 4 | 18 | 0.4 | 7.2 | 29
Admin Services - Systems/Fiscal | Actuarial/Member Demographic Data | 4 | 4 | 5 | 5 | 5 | 23 | 0.3 | 6.9 | 30
Admin Services - Accounting | Contribution Accounting - Member, City | 3 | 3 | 1 | 4 | 4 | 15 | 0.4 | 6.0 | 31
Retirement Services | Benefits Overpayment & Collection Process | 3 | 3 | 3 | 2 | 3 | 14 | 0.4 | 5.6 | 32
Admin Services - Office Services | Fixed Assets Inventory | 3 | 3 | 3 | 1 | 3 | 13 | 0.4 | 5.2 | 33
Admin Services - Systems | IT Governance | 2 | 5 | 4 | 4 | 2 | 17 | 0.3 | 5.1 | 34
Investments | Asset Allocation | 5 | 5 | 1 | 3 | 3 | 17 | 0.3 | 5.1 | 34
Retirement Services | Service Retirement Counseling Process | 3 | 4 | 3 | 3 | 4 | 17 | 0.3 | 5.1 | 34
Admin Services - Accounting | Cash Management | 4 | 4 | 3 | 3 | 3 | 17 | 0.3 | 5.1 | 34
Admin Services - Accounting | General Ledger/Financial Reporting | 4 | 4 | 2 | 4 | 3 | 17 | 0.3 | 5.1 | 34
Admin Services - Office Services | Vendor Contract Compliance | 3 | 4 | 2 | 2 | 2 | 13 | 0.3 | 3.9 | 39
Board | Governance & Ethics | 5 | 4 | 1 | 3 | 5 | 18 | 0.2 | 3.6 | 40
Admin Services - Accounting | Accounts Payable | 3 | 3 | 1 | 1 | 3 | 11 | 0.3 | 3.3 | 41
Human Resources | HR Processes | 2 | 3 | 1 | 2 | 3 | 11 | 0.3 | 3.3 | 41
Admin Services - Accounting | Travel/Office Expenses | 3 | 3 | 1 | 1 | 3 | 11 | 0.3 | 3.3 | 41
Retirement Services | Record Management and Retention | 3 | 3 | 3 | 2 | 3 | 14 | 0.2 | 2.8 | 44
Admin Services - Systems | Pension Administration System - Data Conversion and Post Implementation Review | 5 | 5 | 5 | 5 | 5 | 25 | 0.1 | 2.5 | 45
ATTACHMENT 2
Internal Audit Risk Assessment Survey Results

As part of its risk assessment process, Internal Audit surveyed senior staff, executive management and Board Members. Ten responses were received (eight from senior staff and two from Board Members). The purpose of the survey was to seek input as to which operational areas and critical functions staff believe need improvement and/or could benefit from audit attention. The following are the areas/concerns identified by respondents, along with the number of times each was mentioned:
1. Accuracy and timeliness of benefit processing (4 times)
2. Making sure that political pressure does not determine investments (4 times)
3. Disaster/business continuity plan (3 times)
4. Employer Audit - accuracy of employee information and contributions (3 times)
5. Inconsistent application/interpretation of policies (including HR-related) and Admin Code (special accommodation for employees at certain levels) (3 times)
6. Disconnect between frontline staff and management (3 times)
7. Customer service - monitoring of outgoing communications to Members (3 times)
8. Certain Board members may be stepping out of the policy-making and oversight arena into operational areas (3 times)
9. System access/controls & data security (2 times)
10. IRC compliance (2 times)
11. Accurate reporting to stakeholders (2 times)
12. Monitoring of investment managers to ensure compliance with investment policy (2 times)
13. Inability to track international deaths - risk of continuing payments after a Member's death (2 times)
14. Budget monitoring and reporting - lack of systematic data (1 time)
15. Succession planning - reliance on a few subject matter experts (1 time)
16. Lack of a system to promptly identify concerns (1 time)
17. Preventing and recovering benefit overpayments (1 time)
18. Authentication of external documents (1 time)
19. Untimely communication from management regarding changes that impact processing or delivery of benefits (1 time)
20. Inequitable span of control (1 time)
21. LACERS should pursue legal access rights (same as LACERA and CalPERS) to Members' banking information for monitoring (1 time)
ATTACHMENT 3
LACERS INTERNAL AUDIT SECTION
AUDIT PLAN THROUGH FY 2014-15

Internal Audit Projects | Description/Audit Objective | Rank Based on Risk Scores | Estimated Hours
Business Continuity/Disaster Recovery Plan (BCP) | To evaluate LACERS' BCP to determine its adequacy and currency, review previous test results and evaluate staff's ability to respond effectively in emergency situations. | 1 | 400
Investment Manager Fees | To determine whether investment management fees paid during FY 2012-13 are accurate and in accordance with contract terms approved by the Board. | 3 | 400
Employer Audit | To evaluate the accuracy of enrollment information, and deductions remitted to LACERS on behalf of employees. | 3 | 450
Benefit Determination & Payments | To determine the efficiency and effectiveness of the benefit setup process, and whether benefit calculations are accurate and properly supported. | 5 | 450
System Access, Change Control & Data Security | To evaluate employees' access rights, change control and data security procedures for reasonableness and effectiveness. | 6 | 400
Follow-Up Program | Establish a Follow-Up Program to track and follow up on prior audit recommendations. | | 400
Internal Audit Subtotal | | | 2,500

External Audits | Description/Audit Objective | Rank Based on Risk Scores | Estimated Hours
Network Vulnerability & Penetration Testing | Perform vulnerability assessment and penetration testing to identify any weaknesses that need to be addressed. | 2 | 250
Annual Financial Statement Audit | Performed by external auditors | | 100
External Audit Subtotal | | | 350

Non-Audit Projects | Description | | Estimated Hours
Consulting Activities | | | 600
GASB 67 Implementation | | | 150
Task Force Participation | As requested by Executive Management | |
2015 Risk Assessment/Audit Plan | Annual risk assessment and preparation of subsequent audit plan | | 200
Internal Control Self Assessment | Provide management with internal control worksheets and review responses. | | 150
Non-Audit Subtotal | | | 1,100

Administration | Description | | Estimated Hours
Committee and Board Meetings | Preparation and attendance at Audit Committee, other Committees and Board meetings. | | 200
General Administration | Audit administrative duties, staff meetings & other duties | | 300
Audit Software Implementation | Lay the groundwork for acquiring and implementing electronic workpaper and computer-assisted data analysis software (research different tools, obtain quotes and make recommendation) | | 80
Administration Subtotal | | | 580

Leave/Time Off | Description | | Estimated Hours
Training/Conferences | Training to maintain CPA and other certifications; APPFA, IIA or ALGA conferences | | 200
Leave | Holidays and Time Off | | 490
Leave/Time Off Subtotal | | | 690

Grand Total Hours | | | 5,220

(1) This workplan assumes two auditors effective April 1, 2014.