FY 2015 Annual Audit Report

(1)

FY 2015

(2)

TxDOT 2015 Annual Audit Report | 2

I. Compliance with House Bill 16 (Texas Government Code, Section 2102.015):

Posting the Internal Audit Plan, Internal Audit Annual Report, and Other Audit

Information on Internet Site

House Bill 16 (83rd_{Legislature, Regular Session) signed by Governor Perry on June 14, 2013,}

amended the Internal Auditing Act to require state agencies and institutions of higher education, as defined in the bill, to post internal audit plans, internal audit annual reports, and any

weaknesses or concerns resulting from the audit plan or annual report on the entities’ Internet site within 30 days after the audit plan and annual report are approved by an entity’s governing board or chief executive.

The requirements are met by posting the approved documents at the following link:

http://www.txdot.gov/inside-txdot/administration/commission/subcommittee-meetings.html

A detailed summary of the weaknesses, deficiencies, wrongdoings, or other concerns raised by the

audit plan or annual report and a summary of actions taken by TxDOT to address concerns, if any, that are raised by the audit plan or annual report is included in the fiscal year (FY) 2015 Annual

Audit Report.

II. Planned Work Related to the Proportionality of Higher Education Benefits

Not applicable

(4)

TxDOT Annual Audit Report 4

III. Internal Audit Plan for Fiscal Year 2015

PHASES OF THE AUDIT/CONSULTING SERVICES CYCLE

Reports Issued Report

Number Report Date Report Name Audit Service

FS1415 2/2015 Professional Engineering Procurement Service (PEPS) _{Contract and Work Authorizations} Internal Audit LS1501 5/2015 Construction Engineering & Inspection Contracts Internal Audit

LS1502 5/2015 Data Classification Internal Audit

FS1501 2/2015 Emergency Equipment Requisition Process Internal Audit

FS1503 5/2015 Grant Reimbursement – CTIF Internal Audit

FS1503 5/2015 Grant Reimbursement – Traffic Safety Internal Audit

FS1509 8/2015 Mobile Security Internal Audit

FS1505 8/2015 Toll Operations Contract Management Internal Audit

MP1501 11/2014 Advance Funding Agreements MAP Follow-Up

MP1515 8/2015 Bond Covenants MAP Follow-Up

MP1502 11/2014 CDA Monitoring MAP Follow-Up

MP1504 6/2015 COMPASS MAP Follow-Up

MP1506 5/2015 Construction Operations MAP Follow-Up

MP1505 5/2015 Construction/Maintenance Inspection MAP Follow-Up MP1507 5/2015 Delegation of Authority/Budget Compliance MAP Follow-Up

MP1508 5/2015 Encumbrance MAP Follow-Up

MP1516 8/2015 Equipment Maintenance, and Repair MAP Follow-Up

MP1513 8/2015 Ferry Operations MAP Follow-Up

MP1517 8/2015 Inventory MAP Follow-Up

MP1503 11/2014 Privacy MAP Follow-Up

(5)

MP1510 5/2015 Receivables Management – SOC MAP Follow-Up

MP1514 8/2015 ROW Governance & Internal Controls MAP Follow-Up

MP1511 5/2015 SH 130 Segments 5 & 6 MAP Follow-Up

MP1512 5/2015 Tuition Assistance Program MAP Follow-Up

CT1406 8/2015 Traffic Safety Grant Monitoring Consulting

CT1408 1/2015 TMPA Indirect Cost Rates 2014-15 Consulting

CT1501 2/2015 Kennedy Consulting 2013 Indirect Cost Rate Consulting

CT1502 7/2015 NEPA Assignment, Phase 2 Consulting

CT1503 8/2015 Multiple Use Agreements Consulting

CT1505 7/2015 SOX 2014 Annual Controls Testing Consulting

CT1508 8/2015 SOX 2015 Non-Annual Controls Testing Consulting 604000 8/2015 BNSF Railway Additive Rates Review – 2012 Review

Carryovers to FY 2016 Internal Audit Plan Report

Number Report Name Audit Service

FS1514 Post-Implementation Review – ERP Payroll and Recruiting (Closing Phase) Internal Audit

FS1511 Change Order Process (Closing Phase) Internal Audit

FS1506 Contract Administration (Closing Phase) Internal Audit

FS1504 Local Letting Process (Closing Phase) Internal Audit

FS1507 Maintenance Operations (Closing Phase) Internal Audit

FS1508 Materials Testing (Closing Phase) Internal Audit

FS1510 Software License Management (Closing Phase) Internal Audit LS1504 Toll Operations Federal Reporting (Closing Phase) Internal Audit FS1502 Fuel Consumption Oversight and Coordination – (Closing Phase) Internal Audit

LS1505 Commission Office Vetting Internal Audit

SH 183 Managed Lanes Project Internal Audit

Post-Implementation Review – ERP Project Costing Internal Audit Post-Implementation Review – ERP Purchasing Internal Audit Post-Implementation Review – ERP Inventory Internal Audit Post-Implementation Review – ERP Accounts Payable Internal Audit External Audits carried over to FY16 will be included in the Compliance Office’s FY16 work plan.

(6)

TxDOT Annual Audit Report 6 Detailed summary of the weaknesses, deficiencies, wrongdoings or other concerns raised by the FY15 Audit Plan or Annual Audit Report are as follows:

 16 internal/external audits and consulting engagements were completed. - 16 findings were identified with control design and operating effectiveness

deficiencies as noted below o 15 control design

o 16 operating effectiveness

 17 Management action plan (MAP) follow-up engagements were completed to determine whether previously-communicated risks have been mitigated. The following details were noted:

- 49 closed MAPs – corrective actions have been completed

- 19 open MAPs – corrective actions require completion to address identified risk from the original audit

- 8 new MAPs – corrective actions that were newly identified and further actions are necessary to properly address the remaining risk

Deviations from FY 2015 Planned Audits

Continuous evaluation of the audit plan, based on risks identified, resulted in the modification of the FY 2015 Audit Plan. Modifications were presented to the Chief Audit and Compliance Officer for review and approval and subsequently communicated to the Audit Subcommittee for review.

Report

Number Report Title Deviation

LS1501 Consulting Engineering and Inspection Contracting / _{Work Authorizations} Renamed “Construction Engineering & Inspection Contracts “

FS1503 Grant Reimbursement

Two Reports Issued: “Grant Reimbursement – CTIF” &

“Grant Reimbursement – Traffic Safety”

MP1513 Ferry Operations MAP Follow-Up Added

MP1517 Inventory MAP Follow-Up Added

MP1514 ROW Governance and Internal Controls MAP Follow-Up Added

CT1501 Consultant 2013 Indirect Cost Rate Added

LS1503 Construction Project Performance Measures Cancelled – Lower Risk Considering SAO Coverage and Results

OCR Commercially Useful Function Review Database Removed Metropolitan Planning Organization (MPO) Credit Swap Program Removed

NEPA Application Program, Phase 3 Removed

(7)

IV. Consulting Services and Non-Audit Services Completed

1. TMPA Indirect Cost Rates 2014 and 2015

Objective: To provide assistance to the Traffic Operations Division’s Traffic Safety Section (TRF) by reviewing the indirect cost rates for the Texas Municipal Police Association (TMPA) for fiscal years 2014 and 2015.

Results: TMPA’s proposed rates and any recommended adjustments were provided to TRF in individual internal memos as work on each fiscal year was completed. The decision to accept/modify TMPA’s indirect cost rates are the responsibility of TRF management. Report Date: January 2015

2. Consultant 2013 Indirect Cost Rate

Objective: To provide information on the auditability of the indirect cost rate of Kennedy Consulting Inc. for the year ended December 31, 2013, and provide the results of an indirect cost rate audit, if applicable.

Results: An audit of Kennedy Consulting, Inc.’s indirect cost rate was not performed as it was determined that an indirect cost rate could not be calculated, since there were no direct costs on which to base such a rate.

Report Date: February 2015

3. NEPA Assignment, Phase 2

Objective: Determine if the Environmental Affairs Division’s (ENV) processes are appropriate and complete to assume the Federal Highway Administration’s (FHWA) responsibilities for the National Environmental Policy Act (NEPA) and assist in preparing ENV staff for upcoming FHWA audits. Results: Deliverables specified in the statement of work (see below) were completed and accepted by ENV, as follows:

 Flow charts of SAB and CAT processes and procedures for assuming FHWA’s responsibilities for NEPA.

 Results of a review of the effectiveness and efficiency of Self-Assessment Branch and Corrective Action Team processes and procedures.

 A reference document to assist in “Preparing for an Audit.” Report Date: July 2015

(8)

TxDOT Annual Audit Report 8 4. Sarbanes-Oxley (SOX) 2014 Annual Key Controls Testing

Objective: Determine the operating effectiveness of the selected annual key controls over financial reporting for FY 2014.

Results: The seven annual key controls over financial reporting that were selected for testing by the Finance Division (FIN) were operating effectively.

Report Date: July 2015

5. Traffic Safety Grant Monitoring

Objective: To provide assistance to the Traffic Operation Division’s Traffic Safety Section (TRF-TSS) in the development of a risk assessment for their monitoring function of grant recipients.

Results: The deliverable consisted of a listing of risk factors for TRF-TSS to consider including in its risk assessment for grant recipients.

Since the data for many of the risk factors was available in eGrants, the design of the tool and piloting of a risk assessment was performed by TRF–TSS staff. The advisory service team participated in meetings with TRF-TSS staff as they made final decisions on risk factors and weights based upon their impact in the piloted risk assessment.

Report Date: August 2015

6. Multiple Use Agreements – Paid Parking Facilities

Objective: To provide information to the Maintenance Division (MNT) regarding Multiple Use Agreements (MUAs) with paid parking facilities.

Results: The following deliverables specified in the Statement of Work were completed and provided to MNT.



A summary of clauses in existing MUAs with paid parking facilities that are missing or different than those in the current MUA template.



A memo listing key facts and potential issues identified from a review of the information received from entities with paid parking facilities regarding each parking facility’s fee

structure, fund balance, financial reports, and other information deemed useful. The original documentation received from the entities was also provided to MNT with the memo.



Suggestions for improvements to the MUA policies, procedures, and terms within the MUA template.

Audits of paid parking facilities were not performed because the review of the existing MUAs and information from entities with paid parking facilities (see first two bullets above) found that there

(9)

TxDOT Annual Audit Report 9 are policies and MUA provisions that need to be in place to define the criteria necessary for an audit to be effective.

MNT management decided that they would make revisions to the MUA process and to the existing MUAs based upon the work performed. The need for external audits of the paid parking facilities will be reassessed in FY16.

Report Date: August 2015

7. Sarbanes-Oxley (SOX) 2015 Non-Annual Key Controls Testing

Objective: Determine the operating effectiveness of the selected non-annual key controls over financial reporting for FY 2015 as part of TxDOT’s “Spirit of SOX” initiative.

Results: Thirteen non-annual key controls over financial reporting were selected for testing by the Finance Division (FIN). Of the 13 controls tested, one control was found to be ineffective. However, it was determined that the failure of this control would not have a significant impact on the TxDOT financial statements. The Compliance Office and FIN will be revising the process for the “Spirit of SOX” at TxDOT, to focus on key controls for financial reporting, beginning in fiscal year 2016. Report Date: August 2015

(10)

V. External Quality Assurance Review (Peer Review)

(11)

(12)

(13)

VI. Internal Audit Plan for Fiscal Year 2016

Risk Assessment

The Chief Audit and Compliance Officer performs a department-wide risk assessment to develop the Plan. The risk assessment process is conducted to assign the audit resources and includes:



Review of state legislation.



Obtaining input from members of the Commission, Administration, DDO, and staff.



Performing an evaluation of department functions, based on objective criteria and professional judgment.



Review and consideration of prior audit results.



Review and consideration of the Federal Highway Administration (FHWA) Risk Assessment.



Review and consideration of the Compliance Office’s work plan.



Review and consideration of investigative trends.



Review and consideration of professional/industry standards.



Review and consideration of Moving Ahead for Progress in the 21st_{Century (MAP-21).}

The Chief Audit and Compliance Officer will provide quarterly status reports on audit activities to the Commission and Administration, and will present the results of completed audits at quarterly Audit Subcommittee meetings.

Audit Plan

The Plan consists of 75 risk-based audit engagements. The audit engagements (including FY2015 audits carried over) are divided into six areas of focus and coverage, as follows:



Contracting/Third Party – provide assurance of reporting and operational reliability to stakeholders.



Governance/Program Management - provide assurance that business activities of the organization are optimized toward achievement of objectives.



Information Technology – focus on the integrity and security of information assets.



District Operations – provide assurance and insight of distributed activities.



Carryovers and Carryovers in Closing Phase – engagements not completed in FY15 which remain important to cover.



Management Action Plan (MAP) Follow-Up – determine remediation and risk management regarding previously identified organizational risks.

(14)

Audit Plan FY 2016

Office of Internal Audit

Contracting/Third Party (6) Budgeted Hours

Right of Way Acquisition - Contract Management 1,300

NTT Data Contract Management –Transformation 1,300

Performance Based Maintenance Contracts 1,609

Contract Administration - Segment 41 Contracts 1,300

Contract Administration - Closeout Phase 1,300

Toll Operations Call Center and Back Office Operations 1,609

Governance/Program Management (4) Budgeted Hours

Toll Operations Federal Reporting 1,300

Bulk Fuel Management and Reporting 1,300

Budget Development, Allocation, and Monitoring 1,609

Fleet Operations Rental Equipment 1,300

Information Technology (3) Budgeted Hours

Business Continuity 1,609

TAC 202 Reporting 1,300

Cloud Storage 1,609

District Operations (4) Budgeted Hours

NEPA Public Involvement Process _1,609

Routine Maintenance Contracts 1,609

Non-MES Equipment/Consumables Management 1,609

Fair Labor Standards Act Overtime 1,609

FY15 Audits Carried Over (5) Budgeted Hours

SH 183 Managed Lanes Project 1,300

Post-Implementation Review ERP Project Costing 1,609

Post-Implementation Review ERP Purchasing 1,609

Post-Implementation Review ERP Inventory 1,609

Post-Implementation Review ERP Accounts Payable 1,609

Management Action Plan (MAP) Follow-Up (43) Budgeted Hours

Engagements performed to determine mitigation of risks previously

(15)

Carryovers in Closing Phase (10)

Toll Operations Federal Reporting Local Letting Process

Maintenance Operations Materials Testing

Change Order Process Contract Administration Software License Management

Post-Implementation Review ERP Payroll and Recruiting Fuel Consumption Oversight and Coordination

Commission Office Vetting

Summary – Internal Audit Section Budgeted Hours

Contracting/Third Party 8,418

Governance/Program Management 5,509

Information Technology 4,518

District Operations 6,436

Management Action Plan (MAP) Follow-Up 7,736

FY 2015 Audits Carried Over 5,719

(16)

VII. External Audit Services Procured in Fiscal Year 2015

Not applicable

VIII. Reporting Suspected Fraud and Abuse

Actions taken to implement the requirements of:

 Fraud Reporting

Article IX, Section 7.09 General Appropriations Act (83rd_{Legislature, Conference}

Committee Report)

- A link to the State Auditor’s Office (SAO) Fraud Hotline is available on the TxDOT website:

txdot.gov/inside-txdot/office/compliance-ethics/reporting-fraud.html

- Information about reporting suspected fraud involving state funds to the State Auditor’s Office is included in TxDOT policy. Call the State Auditor’s Office fraud hotline at

1-800-TX-AUDIT (892-8348) or report online at sao.fraud.state.tx.us.

- Compliance Office (CMP) maintains an external hotline number (877-769-8936) and website (txdotwatch.com).

 Coordination of Investigations

Texas Government Code, Section 321.022

- Reasonable Cause to Believe reports are completed by the Office of Compliance and sent to SAO at least semi-annually.