City of Cupertino
Enterprise Risk Assessment and Audit Plan
Audit Committee Meeting
February 22, 2021

Overview
I. Introduction
II. Internal Audit Program Components
III. Risk Assessment Process
IV. Risk Assessment Results
V. Internal Audit Plan

I. Introduction
• The City retained Moss Adams LLP to serve as the designated Internal Auditor and conduct projects focusing on:
  ◦ Risks
  ◦ Internal controls
  ◦ Compliance
  ◦ Performance
  ◦ Best practices
• Work is being completed under appropriate industry standards

II. Internal Audit Program Components
City Functions: Accounting and financial reporting, asset management, capital programs, compliance, economics and funding, fraud, governance, human resources, internal controls, maintenance and operations, management, operations and service delivery, organization and staffing, processes and procedures, procurement, public safety, risk management, and technology
Internal Audit Components: Risks, Internal Controls, Compliance, Performance
Annual Plan: Internal Audit Plan

III. Risk Assessment Process

PLANNING
We began planning our assessment by requesting a standard set of documents from the City, including (but not limited to) prior risk assessments, audits, public website documents, and financial reports. We used these documents to identify the first round of individuals to interview and additional document needs based on business process/functional areas.

FACT-FINDING
Fact finding encompassed analyzing received documents, interviewing employees and City Council members, and soliciting additional employee feedback via an online survey. During this phase, we gathered information in order to gain a clear understanding of the City and the way it operates to achieve its goals and purpose.

ANALYSIS
With the information collected and compiled, we performed a risk assessment that included a comprehensive review and analysis of the various categories of risks. This analysis included assessing current risk conditions and trajectory, the level of preparedness efforts to mitigate risks, and the probability and potential impact a negative event may have on the City’s ability to achieve its mission, vision, and strategic goals.

REPORTING
During this phase, we developed a draft report to engage in review and discussion with senior leadership. Based on feedback, we finalized the report for delivery to the City Manager and presentation to the Audit Committee.

• RISK LEVEL: Level of uncertainty that could impair functions and processes, in the absence of any actions taken to alter either the risk’s likelihood or impact.
• LIKELIHOOD: Qualitative assessment of the probability of a negative event occurring, given the current risk conditions.
• IMPACT: Level of potential impact of a negative event on strategy, people, operations, systems, and resources.
• PREPAREDNESS: Level of preparedness through activities and resources to manage risks and minimize and limit potential losses.
• TRAJECTORY: Trajectory of the risk level, given the current risk conditions.
• RISK MITIGATION: Potential strategies for reducing risk.
• RESIDUAL RISK: Possible remaining exposure after known risks have been mitigated through specific actions.

IV. Risk Assessment Results

| Risk Category | Risk Assessment | Employee Survey Results |
|---|---|---|
| Governance | High | Moderate |
| Procurement and Contracting | High | Low-to-Moderate |
| External Environment | Moderate-to-High | Moderate |
| Human Capital and Resources | Moderate-to-High | Moderate |
| Information Technology | Moderate-to-High | Low-to-Moderate |
| Planning and Strategy | Moderate-to-High | Moderate |
| Policies and Procedures | Moderate-to-High | Moderate |
| Capital Improvement Program | Moderate | Low-to-Moderate |
| Compliance and Financial Reporting | Moderate | Low-to-Moderate |
| Ethics and Fraud, Waste, Abuse | Moderate | Low-to-Moderate |
| Internal Controls | Moderate | Low-to-Moderate |
| Operations and Service Delivery | Moderate | Moderate |
| Organization and Staffing | Moderate | Moderate |
| Risk Programs | Moderate | Moderate |
| Accounting and Finance | Low-to-Moderate | Low-to-Moderate |
| Asset Management | Low-to-Moderate | Low-to-Moderate |
| Management and Leadership | Low-to-Moderate | Moderate |
| Public Safety and Security | Low-to-Moderate | Low-to-Moderate |
| Reputation and Public Perception | Low-to-Moderate | Low-to-Moderate |

V. Potential Internal Audit Projects
• Governance Policies: Assist the City with revising the Council Policy Manual and Commissioner Policy Manual. (12 weeks)
• Procurement Operational Review: Assess the City’s procurement function, including structure, policies and procedures, processes, tools, oversight, and training. (14 weeks)
• Fraud, Waste, and Abuse (FWA) Program Development: Develop a FWA program, including program design, hotline implementation, ongoing hotline administration, and training. (10 weeks)
• Policy Inventory and Plan: Perform an inventory of policies, compare to best practices, and establish a prioritized plan to develop/update priority policies. (12 weeks)
• Senior Center Operational Review: Conduct a programmatic review of Senior Center services, including the Senior Case Management program and the Senior Travel program, to evaluate service offerings and utilization. (14 weeks)
• Vendor Management Internal Controls Review: Assess vendor management practices and controls throughout the City, including policies and procedures, vendor selection, due diligence, monitoring, and reporting. (14 weeks)
• Capital Program Effectiveness Study: Assess processes, interdepartmental collaboration, and throughput for capital planning and execution, including contract management and reporting. (14 weeks)
• Grants Management Process Review: Assess grant management processes across the City, including policies, procedures, and processes to support compliance with federal, state, and other grants. (14 weeks)
• AR and Revenue Internal Controls Review: Assess AR and revenue collection processes throughout the City, including policies and procedures, revenue intake, revenue recording, and associated internal controls. (14 weeks)
• Employee Performance Management Review: Evaluate existing employee performance management processes, including expectation-setting, reviews, accountability, and employee development. (14 weeks)
• Ongoing Program Management: Provide status reports, attend Audit Committee and Council meetings, and prepare annual internal audit plan.

V. Recommended Internal Audit Plan

FY 20-21
1. Procurement Operational Review

FY 21-22
2. Policy Inventory and Plan
3. Capital Program Effectiveness Study
4. FWA Program Development

| # | Project | Budget | 3-6/21 | 7-9/21 | 10-12/21 | 1-3/22 | 4-6/22 |
|---|---|---|---|---|---|---|---|
| 1 | Procurement Operational Review | $50,000 | | | | | |
| 2 | Policy Inventory and Plan | $35,000 | | | | | |
| 3 | Capital Program Effectiveness Study | $35,000 | | | | | |
| 4 | FWA Program | $25,000 | | | | | |
| 5 | Ongoing Program Management | $5,000 | | | | | |
| | FY 20-21 Budget* | $50,000 | | | | | |
| | FY 21-22 Budget | $100,000 | | | | | |

* FY 20-21 Total Budget $100,000, $50,000 remaining after Enterprise Risk Assessment ($50,000)

The material appearing in this presentation is for informational purposes only and should not be construed as advice of any kind, including, without limitation, legal, accounting, or investment advice. This information is not intended to create, and receipt does not constitute, a legal relationship, including, but not limited to, an accountant-client relationship. Although this information may have been prepared by professionals, it should not be used as a substitute for professional services. If legal, accounting, investment, or other professional advice is required, the services of a professional should be sought.

Assurance, tax, and consulting offered through Moss Adams LLP. Wealth management offered through Moss Adams Wealth Advisors LLC. Investment banking offered through Moss Adams Capital LLC.