
1 January 14, 2014 Committee Report

Report to the Audit Committee

From: Rahoof “Wally” Oyewole, Departmental Audit Manager

Agenda of: JANUARY 14, 2014

ITEM: V

SUBJECT: INTERNAL AUDIT WORKPLAN THROUGH FISCAL YEAR 2014-15 AND POSSIBLE COMMITTEE ACTION

Recommendation:

That the Audit Committee consider the proposed Internal Audit workplan through Fiscal Year (FY) 2014-15; and recommend the workplan to the Board for approval.

Discussion:

Internal Audit is responsible for developing, for Audit Committee consideration, a flexible audit plan using an appropriate risk‐based methodology. In order to meet the International Standards for the Professional Practice of Internal Auditing (IIA Standards), Internal Audit’s Workplan is required to be approved by LACERS’s Audit Committee and/or the Board. The workplan is intended to remain flexible to allow necessary changes as a result of ongoing changes to risk factors, organizational needs, resource limitations or a request from management and/or the Board. Updated information regarding changes to the plan will be provided to the Committee at each Committee meeting during the Fiscal Year.

Internal Audit Risk Assessment Process

To assess the relative importance of potential audit subjects, the IAS prepares an annual risk assessment (Attachment 1) covering all divisions and functions performed by LACERS. This department-wide risk assessment focuses on comparisons between different programs and functions, with the primary purpose of identifying high impact audit areas. Risk is measured through an analysis of various information sources on each critical process/function/unit.

Internal Audit has established a methodology to evaluate the relative importance of potential audit projects. Individual project priority ranking is based on risk factors of impact and likelihood. Internal Audit has identified key processes or programs and the following five risk criteria:

1. Strategic & Operational Impact - The significance of the process or area to LACERS strategic success, or impact of process disruption.

2. Financial Materiality - The magnitude of financial exposure, the degree of regulatory oversight, or possible financial penalties. The higher the financial exposure of an area, the higher the risk.


3. Complexity of Operations/Regulations - Considers the complexity of programs, activities, and/or functions. The number of individuals, entities, and processes involved, and the degree to which professional judgment or technical expertise is applied. The more complex the operations, the higher the risk.

4. Organizational and System Change Risk – Considers changes in the control environment. How much the process has been altered and the change of personnel carrying out the process. The more recent changes, the higher the risk.

5. Political/Reputation (including impact to Members) - The degree of public interest and awareness, the visibility of the process to the media. The higher the interest, the higher the risk.

The following three steps were used to score each potential audit project.

Step 1 – Impact Scores

For each potential audit area, Internal Audit assigns an impact risk score relative to each of the above five factors, as follows:

| High | Medium | Low |
| --- | --- | --- |
| 4 – 5 | 3 | 1 – 2 |

Step 2 – Probability or Likelihood Scores

In assigning probability scores, Internal Audit considers inputs provided by senior staff and Board Members, as summarized in Attachment 2, interviews with staff and LACERS’ external auditors, review of policies, and the Internal Control Self-Assessment completed by division management. Internal Audit then assigns a probability score for each potential audit area, as follows:

| Probability of Risk | Probability Score |
| --- | --- |
| High probability or likelihood of significant problems occurring | 0.8 – 1.0 |
| Moderate probability of significant problems and/or high probability of improvements needed | 0.4 – 0.7 |
| Low probability of significant problems and/or low probability of improvement needed | 0.1 – 0.3 |

Step 3 – Final Risk Scores

To determine final risk scores, impact scores were sub-totaled for each potential audit area and multiplied by the estimated probability of an adverse event occurring in each audit project area.


Proposed Audit Projects for the Audit Workplan (Attachment 3)

Based on the result of the risk assessment and final risk scores, Internal Audit recommends scheduling the following audit projects:

1. Business Continuity/Disaster Recovery Plan (Final Risk Score 17.7) - The purpose of a business continuity/disaster recovery plan is to enable an organization to continue operation in the event of a disruption and to survive a disastrous interruption to its information systems. The objective of an audit of the Business Continuity Plan (BCP) will be to evaluate LACERS’ BCP to determine its adequacy and currency in comparison to appropriate standards; verify the plan is effective by reviewing previous test results; and evaluate the ability of the System and user personnel to respond effectively in emergency situations.

2. Investment Manager Fees (Final Risk Score 16.8) – In FY 2012-13, LACERS paid approximately $48 million in investment management fees, with $27 million (56%) of this amount attributed to real estate and alternative investments. It has become increasingly difficult for Fiscal staff and LACERS external auditors to validate the accuracy of fees paid, particularly for real estate and private equity investments. This is primarily because of the limited supporting documentation submitted with invoices. The objective of an audit of fees will be to recalculate fees that LACERS paid to a sample of investment managers during FY 2012-13, to ensure they are accurate and in accordance with contract terms approved by the Board. It should be noted that a few months ago, the LAFPP Board approved an appropriation for the Department to engage a CPA firm to re-calculate fees paid for alternative investments management.

3. Employer Audit (Final Risk Score 16.8) – The objective of this audit will be to evaluate the accuracy of enrollment information, and deductions remitted to LACERS for employees. The focus will be to evaluate procedures in place to ensure individuals are placed in the correct tier and/or plan. The audit will also assess procedures to ensure accurate deductions are remitted, particularly for employees who receive non-traditional lump sum payments that are subject to retirement contributions.

4. Benefit Determination and Payments (Final Risk Score 14.7) - The objective of this audit will be to determine the efficiency of the benefit setup process and whether benefits calculations are accurate and properly supported. The audit will also assess the accuracy and timeliness of ongoing payments after the initial setup to determine whether the process is efficient, effective and in accordance with the Administrative Codes.

5. System Access, Change Control & Data Security (Final Risk Score 14.4) - The objective of this audit will be to evaluate whether employees’ access to various systems is appropriate based on their duties. This audit will also evaluate procedures to ensure adequate data security and change control procedures.

6. Network Vulnerability and Penetration Testing (Final Risk Score 17.5) – Penetration testing is often referred to as ethical hacking and is intended to mimic an experienced hacker attacking a live site. Many organizations engage security professionals to perform penetration testing to find vulnerabilities so that they can fix them before an attack. Penetration testing should only be performed by experienced and qualified professionals who are aware of the risks and can limit any damage resulting from a successful break-in. This project is contingent on the Board’s appropriating necessary funds in the FY 2014-15 Budget to engage an outside security firm with expertise in penetration testing to complete the project.


In accordance with the Internal Audit Charter, the workplan also sets aside some hours for consulting activities to assist management during the Fiscal Year. Staff will also take active roles in managing the external audit contract as well as the upcoming implementation of the new GASB 67.

As LACERS’ needs and priorities change, Internal Audit will use professional judgment to determine the order in which audit projects are completed. Staff will focus on efficiency and effectiveness in performing work and will make an effort to review all areas identified in this workplan. Staff will provide the Audit Committee a quarterly update on the workplan. At the end of FY 2014-15, any remaining projects will be re‐evaluated during the Annual Risk Assessment process for consideration in the next Fiscal Year audit plan.

This report was prepared by Rahoof “Wally” Oyewole, Departmental Audit Manager, Internal Audit Section.

RWO

Attachments:

1) LACERS Internal Audit’s Universe Risk Assessment – January 2014

2) Risk Assessment Survey Results

3) LACERS Internal Audit Proposed Workplan Through FY 2014-15

ATTACHMENT 1

LACERS Internal Audit Section Universe Risk Assessment - January 2014

Risk Rankings (Definitions): High = 5; High to Medium = 4; Medium = 3; Medium to Low = 2; Low = 1

The first five numeric columns are the Impact Factors.

| Division | Auditable Unit/Process | Materiality / Financial Impact / Compliance | Strategic / Operational Impact | Change / Stability | Complexity of Operations or Regulations | Political / Reputation (Including Impact to Members) | Impact Subtotal | Probability Score | Final Risk Score | Rank Order |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Admin Services - Systems | Business Continuity / Disaster Recovery Plan | 5 | 5 | 3 | 4 | 5 | 22 | 0.8 | 17.6 | 1 |
| Admin Services - Systems | Web-Based Network Vulnerabilities, Penetration Test | 5 | 5 | 5 | 5 | 5 | 25 | 0.7 | 17.5 | 2 |
| Investments | Investment Manager Fees | 4 | 4 | 3 | 5 | 5 | 21 | 0.8 | 16.8 | 3 |
| Plan Sponsor | City - Accuracy of Enrollment & Deductions Remitted to LACERS | 5 | 4 | 4 | 4 | 4 | 21 | 0.8 | 16.8 | 3 |
| Retirement Services | Benefits Determination, Setup & Payments | 5 | 5 | 3 | 3 | 5 | 21 | 0.7 | 14.7 | 5 |
| Admin Services - Systems | System Access, Change Control & Data Security Process | 5 | 4 | 5 | 5 | 5 | 24 | 0.6 | 14.4 | 6 |
| Retirement Services | Reciprocity & Service Purchase Process | 5 | 4 | 4 | 5 | 5 | 23 | 0.6 | 13.8 | 7 |
| Retirement Services | Disability Retirement Process | 5 | 5 | 3 | 5 | 5 | 23 | 0.6 | 13.8 | 7 |
| Retirement Services | Death Comparison/Member Status Verification Process | 5 | 4 | 4 | 5 | 5 | 23 | 0.6 | 13.8 | 7 |
| Health Admin | Account Reconciliation, Billing and Invoices | 5 | 4 | 4 | 5 | 4 | 22 | 0.6 | 13.2 | 10 |
| Health Admin | Medical Subsidy Process | 5 | 4 | 3 | 5 | 5 | 22 | 0.6 | 13.2 | 10 |
| Retirement Services | Survivor Claims/Family Death Benefits | 5 | 4 | 4 | 4 | 5 | 22 | 0.6 | 13.2 | 10 |
| Retirement Services | Privacy of Member Data | 4 | 4 | 3 | 5 | 5 | 21 | 0.6 | 12.6 | 13 |
| Health Admin | Medical Premium Reimbursement Program (for members out of regular coverage area) - MPRP | 4 | 3 | 3 | 3 | 5 | 18 | 0.7 | 12.6 | 13 |
| Retirement Services | Member Refunds/Lump Sum Payments | 5 | 4 | 3 | 4 | 5 | 21 | 0.6 | 12.6 | 13 |
| Investments | Risk Management Program & Investment Compliance Monitoring Process | 5 | 5 | 5 | 5 | 5 | 25 | 0.5 | 12.5 | 16 |
| Investments | Due Diligence Process | 5 | 5 | 2 | 3 | 5 | 20 | 0.6 | 12.0 | 17 |
| Health Admin | Member Support Services - Communication | 3 | 5 | 3 | 3 | 5 | 19 | 0.6 | 11.4 | 18 |
| Investments | Investment RFP Process (manager selection, reporting, renewal, and termination) | 5 | 5 | 3 | 4 | 4 | 21 | 0.5 | 10.5 | 19 |
| Health Admin | Enrollment & Dependent Eligibility Verification Process | 4 | 4 | 2 | 4 | 5 | 19 | 0.5 | 9.5 | 20 |
| Health Admin | Medicare Enrollment and Medicare Part B premium reimbursements | 4 | 4 | 3 | 3 | 5 | 19 | 0.5 | 9.5 | 20 |
| Retirement Services | Larger Annuity Program Review | 3 | 3 | 4 | 5 | 3 | 18 | 0.5 | 9.0 | 22 |
| Admin Services - Accounting | Investment Accounting and Valuation | 5 | 5 | 3 | 5 | 4 | 22 | 0.4 | 8.8 | 23 |
| Admin Services - Systems | Wire Transfer and Check Receipt Process | 5 | 5 | 2 | 5 | 5 | 22 | 0.4 | 8.8 | 23 |
| Admin Services - Office Services | RFP and Procurement Process, and Contracting Practices | 5 | 5 | 4 | 5 | 3 | 22 | 0.4 | 8.8 | 23 |
| Investments | Investment Reconciliations | 5 | 5 | 4 | 4 | 4 | 22 | 0.4 | 8.8 | 23 |
| Retirement Services | Stale Dated Checks | 3 | 3 | 2 | 2 | 4 | 14 | 0.6 | 8.4 | 27 |
| Human Resources | Temporary Employees - Recruitment and Monitoring Process | 2 | 3 | 5 | 3 | 3 | 16 | 0.5 | 8.0 | 28 |
| Admin Services - Office Services | Budgets | 5 | 4 | 3 | 2 | 4 | 18 | 0.4 | 7.2 | 29 |
| Admin Services - Systems/Fiscal | Actuarial/Member Demographic Data | 4 | 4 | 5 | 5 | 5 | 23 | 0.3 | 6.9 | 30 |
| Admin Services - Accounting | Contribution Accounting - Member, City | 3 | 3 | 1 | 4 | 4 | 15 | 0.4 | 6.0 | 31 |
| Retirement Services | Benefits Overpayment & Collection Process | 3 | 3 | 3 | 2 | 3 | 14 | 0.4 | 5.6 | 32 |
| Admin Services - Office Services | Fixed Assets Inventory | 3 | 3 | 3 | 1 | 3 | 13 | 0.4 | 5.2 | 33 |
| Admin Services - Systems | IT Governance | 2 | 5 | 4 | 4 | 2 | 17 | 0.3 | 5.1 | 34 |
| Investments | Asset Allocation | 5 | 5 | 1 | 3 | 3 | 17 | 0.3 | 5.1 | 34 |
| Retirement Services | Service Retirement Counseling Process | 3 | 4 | 3 | 3 | 4 | 17 | 0.3 | 5.1 | 34 |
| Admin Services - Accounting | Cash Management | 4 | 4 | 3 | 3 | 3 | 17 | 0.3 | 5.1 | 37 |
| Admin Services - Accounting | General Ledger/Financial Reporting | 4 | 4 | 2 | 4 | 3 | 17 | 0.3 | 5.1 | 34 |
| Admin Services - Office Services | Vendor Contract Compliance | 3 | 4 | 2 | 2 | 2 | 13 | 0.3 | 3.9 | 39 |
| Board | Governance & Ethics | 5 | 4 | 1 | 3 | 5 | 18 | 0.2 | 3.6 | 40 |
| Admin Services - Accounting | Accounts Payable | 3 | 3 | 1 | 1 | 3 | 11 | 0.3 | 3.3 | 41 |
| Human Resources | HR Processes - | 2 | 3 | 1 | 2 | 3 | 11 | 0.3 | 3.3 | 41 |
| Admin Services - Accounting | Travel/Office expenses | 3 | 3 | 1 | 1 | 3 | 11 | 0.3 | 3.3 | 41 |
| Retirement Services | Record Management and Retention | 3 | 3 | 3 | 2 | 3 | 14 | 0.2 | 2.8 | 44 |
| Admin Services - Systems | Pension Administration System - Data Conversion and Post Implementation review | 5 | 5 | 5 | 5 | 5 | 25 | 0.1 | 2.5 | 45 |

ATTACHMENT 2 Internal Audit Risk Assessment Survey Results

As part of its risk assessment process, Internal Audit surveyed senior staff, executive management and Board Members. Ten responses were received (eight from senior staff and two from Board Members). The purpose of the survey was to seek inputs as to what operational areas and critical functions staff believe need improvement and/or could benefit from audit attention. The following are the areas/concerns identified by staff, along with the number of times mentioned:

1. Accuracy and timeliness of benefit processing (4 times)

2. Making sure that political pressure does not determine investments (4 times)

3. Disaster/business continuity plan (3 times)

4. Employer Audit - accuracy of employee information and contributions (3 times)

5. Inconsistent application/interpretation of policies (including HR-related) and Admin Code – (special accommodation for employees at certain level) (3 times)

6. Disconnect between frontline staff and management (3 times)

7. Customer service - monitoring of outgoing communications to Members (3 times)

8. Certain Board members may be stepping out of policy making and oversight arena into operational areas (3 times)

9. System access/controls & data security (2 times)

10. IRC compliance - (2 times)

11. Accurate reporting to stakeholders (2 times)

12. Monitoring of investment managers to ensure compliance with investment policy (2 times)

13. Inability to track international deaths - Risk of continuing payments after Member's death (2 times)

14. Budget monitoring and reporting - lack of systematic data (1 time)

15. Succession planning - reliance on few subject matter experts (1 time)

16. Lack of system to promptly identify concerns (1 time)

17. Preventing & recovering benefit overpayments (1 time)

18. Authentication of external documents (1 time)

19. Untimely communication from management regarding change that impact processing or delivery of benefits (1 time)

20. Inequitable span of control (1 time)

21. LACERS should pursue legal access rights (same as LACERA and CalPERS) to Members’ banking information for monitoring (1 time)

ATTACHMENT 3

LACERS INTERNAL AUDIT SECTION

AUDIT PLAN THROUGH FY 2014-15

| Internal Audit Projects | Description/Audit Objective | Rank Based on Risk Scores | Estimated Hours |
| --- | --- | --- | --- |
| Business Continuity/Disaster Recovery Plan (BCP) | To evaluate LACERS' BCP to determine its adequacy and currency, review previous test results and evaluate staff's ability to respond effectively in emergency situations. | 1 | 400 |
| Investment Manager Fees | To determine whether investment management fees paid during FY 2012-13 are accurate in accordance with contract terms approved by the Board. | 3 | 400 |
| Employer Audit | To evaluate the accuracy of enrollment information, and deductions remitted to LACERS on behalf of employees. | 3 | 450 |
| Benefit Determination & Payments | To determine the efficiency and effectiveness of benefit setup process, and whether benefits calculations are accurate and properly supported. | 5 | 450 |
| System Access, Change Control & Data Security | To evaluate employees' access rights, change control and data security procedures for reasonableness and effectiveness. | 6 | 400 |
| Follow-Up Program | Establish a Follow-up Program to track and follow up on prior audit recommendations. | | 400 |
| Internal Audit Subtotal | | | 2,500 |
| External Audits | | | |
| Network Vulnerability & Penetration Testing | Perform vulnerability assessment and penetration testing to identify any weaknesses that need to be addressed. | 2 | 250 |
| Annual Financial Statement Audit | Performed by external auditors | | 100 |
| External Audit Subtotal | | | 350 |
| Non-Audit Projects | | | |
| Consulting Activities | As requested by Executive Management | | 600 |
| GASB 67 Implementation | Task Force participation | | 150 |
| 2015 Risk Assessment/Audit Plan | Annual risk assessment and preparation of subsequent audit plan | | 200 |
| Internal Control Self Assessment | Provide management with internal control worksheets and review responses. | | 150 |
| Non-Audit Subtotal | | | 1,100 |
| Administration | | | |
| Committee and Board Meetings | Preparation and attendance at Audit Committee, other Committees and Board meetings. | | 200 |
| General Administration | Audit administrative duties, staff meetings & other duties | | 300 |
| Audit Software Implementation | Lay the groundwork for acquiring and implementing electronic workpaper and computer-assisted data analysis software (research different tools, obtain quotes and make recommendation) | | 80 |
| Administration Subtotal | | | 580 |
| Leave/Time Off | | | |
| Training/Conferences | Training to maintain CPA and other certifications, APPFA, IIA or ALGA Conferences | | 200 |
| Leave | Holidays and Time Off | | 490 |
| Leave/Time Off Subtotal | | | 690 |
| Grand Total Hours | | | 5,220 |

(1) This workplan assumes two auditors effective April 1, 2014
