Commission Agenda Item No. 4
Presenter: Carlos Contreras
Approval of FY 2011 Internal Audit Plan
August 26, 2010
I. Executive Summary: Per Government Code, Chapter 2102, Internal Auditing, Section 2102.008 Approval of Audit Plan and Audit Report, “The annual audit plan developed by the internal auditor must be approved by the state agency’s governing board or by the administrator of a state agency if the state agency does not have a governing board.”
II. Discussion: The Office of Internal Audit requests the Commission’s approval for the FY 2011 audit projects listed in Exhibit A.
III. Recommendation: The staff recommends the Texas Parks and Wildlife Commission adopt the following motion:
“The Texas Parks and Wildlife Commission Approves the FY 2011 Office of Internal Audit Work Plan as Listed in Exhibit A.”
Attachments — 1
Commission Agenda Item No. 4
TPW Chairman Peter M. Holt
TPW Commissioner Antonio Falcon, M.D.
TPWD Executive Director Carter P. Smith
Texas Parks and Wildlife Department
FY 2011 Annual Audit Plan
Office of Internal Audit
Carlos Contreras, CIA, CISA, CICA, CGAP, CCSA — Director
Cynthia Hancock, CIA, CICA, CFE
Ed Best, CFE, CICA
Michael K. Hardison, CPA, CICA
Brant Boehnke, CISA, CPA
Betty Moss, CPA, CIA
August 2010 Report 10-002
TEXAS PARKS AND WILDLIFE DEPARTMENT
FY 2011 Annual Audit Plan
Peter M. Holt
TPW Commission Chairman
Antonio Falcon, M.D.
TPW Finance Committee Chairman
Carter P. Smith
TPWD Executive Director
Carlos Contreras, CIA, CISA, CICA, CGAP, CCSA
TPWD Director of Internal Audit
With programs of high interest to the general public and the Legislature, it is critical to ensure the Texas Parks and Wildlife Department’s (TPWD) major systems and programs run efficiently and effectively. Our efforts are geared to provide management assurance and assistance to address varied business and compliance risks.
This proposal is the result of a risk assessment process in which the Office of Internal Audit conscientiously assessed and selected areas for audit. We selected areas where the failure of a particular system to perform adequately could significantly hamper TPWD’s ability to complete its mission.
Consequently, a portion of our plan is devoted to functional based audits related to hunting, fishing, and outdoor recreation issues. Additionally, the plan includes ancillary activities which support the department’s core functions. These activities include, but are not limited to, Information Technology, Administrative Resources, Human Resources, Infrastructure, Communications and the Executive Office.
This document presents our proposed project areas for Fiscal Year 2011 and outlines our risk assessment methodology.
Purpose and Mission
This audit plan is required by several authorities, including the Texas Internal Auditing Act (Chapter 2102, Title 10, Government Code, Vernon’s Texas Codes Annotated), Generally Accepted Government Auditing Standards issued by the United States Government Accountability Office (GAO), and the Standards for the Professional Practice of Internal Auditing issued by the Institute of Internal Auditors (IIA). Specifically, our office prepared this document in accordance with IIA Standard 2010 – Planning.
The Office of Internal Audit’s mission statement guides our daily work:
The mission of the Office of Internal Audit is to provide assurance and advisory services that help the Texas Parks and Wildlife Commission (Commission) and management meet agency goals and objectives. We provide independent and objective information, analyses, and recommendations to assist management in effecting constructive change, managing business risk, and/or improving compliance and accountability of the Department and its business partners.
Audit Charter and Internal Auditing Definition
The Audit Charter, approved by the Chairman, Finance Committee Chairman, and Executive Director, clearly defines the dual focus of the Office of Internal Audit’s assurance and advisory service activities. The Charter also defines our mission, scope of activities, responsibilities, authority, independence, professional standards, quality assurance processes, continuing professional development and reporting relationships.
As defined in our Charter, internal auditing encompasses the examination and evaluation of the adequacy and effectiveness of the department’s system of internal control and the quality of performance in carrying out the goals and objectives of the organization.
The Texas Internal Auditing Act was amended during the 78th legislative session to include the Institute of Internal Auditors’ (IIA) definition of internal auditing:
An independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
For more background information on the Office of Internal Audit, see Appendix A.
The IIA’s International Standards for the Professional Practice of Internal Auditing and the Texas Internal Auditing Act both require that internal auditors develop an audit plan based on the assignment of risk. Risk assessment, as defined by the IIA, is a “systematic process for assessing and integrating professional judgments about probable adverse conditions and/or events.”
In conducting our risk assessment, Internal Audit interviewed TPWD’s Executive Director, the Deputy Executive Directors, and each Division Director. We reviewed prior audit plans, prior external audits, strategic documentation, financial reports, and prior risk assessments to identify the department’s audit universe.
Previous audit reports examined included those from TPWD Internal Audit, the Texas State Auditor’s Office (SAO), the Texas Comptroller of Public Accounts, and the Department of the Interior’s Office of Inspector General. Additional documentation considered in planning was information from the General Appropriations Act (81st Legislature, Regular Session), the 2010 Land and Water Resources Conservation and Recreation Plan, the Natural Agenda, Fiscal Years 2009-2013, and the TPWD FY 2010 Business Plan Analyses.
Internal Audit identified through the interviews and document review the universe of auditable activities primarily as those activities conducted to address the strategies funded by the Appropriations Act.
Using the information gathered in our process including our professional judgment, we grouped the universe of auditable activities into the following categories:
- Operational/Programmatic activities and initiatives
- Information Technology activities and initiatives
Staff then risk-ranked all identified activities within each category using risk factors developed for that category. From this ranking, individual project topics were identified for each high-risk area, and a graduated scoring system was used to define the individual audit projects. Additionally, to determine which projects should be included in the proposed audit plan, we scored each identified project area according to subjective factors.
Finally, any specific requests identified by the Commission, executive management, and division directors were included in the plan. The risk factors for the two categories of auditable activities are located in Appendix B.
Proposed Audit Projects for Fiscal Year 2011
Two audit projects in process at the end of FY 2010 were carried over to FY 2011. Results from the following will be released in FY 2011:
- Review of the Infrastructure Division’s Construction and Contracting Processes; and
- An Audit of Local Park Grants.
Deviations from the Approved FY 2010 Audit Plan:
Three projects from the FY 2010 Audit Plan, not yet initiated, were moved to the FY 2011 plan. These changes are due to a variety of factors. Delays included having to wait on the completed development of internal processes, time constraints on key information technology and administrative resources personnel, and increased time spent focusing on the current audit of federal grants. These delays directly affected the following assignments:
- An Audit of the Texas Freshwater Fisheries Center (TFFC)
- An Audit of Software Licensing
- An Audit of the Security of the Department’s Web-based Applications
Proposed Project Areas
Operational & Program Audits:
- 42 State Park audits
- Cash Handling at 14 Selected Law Enforcement Offices (2 rounds of 7 offices)
- An Audit of the Recreational Boating Safety Grant
- An Audit of Fleet Management
- An Audit of the Texas Freshwater Fisheries Center
- An Audit of Sand & Gravel Permits
- An Audit of the Hunter Education Program
- An Audit of the Boater Education Program
- An Audit of the Contracting Process
- ARRA Funds Audit
- Texas Freshwater Fish Stamp Review
- Review of the TPWD Purchasing Regulations
Information Technology Audits:
- Application Controls Audit of the TxParks System
- Security Review of TPWD Web-based Applications
- Audit of TPWD Software Licensing
- Audit of Information Technology Governance
- Audit of Network Security
- ARRA Compliance and Reporting
Internal Audit will attempt to schedule audit projects so as to minimize disruptions to normal operations. In order to improve the total audit coverage, our office has also developed a listing of potential alternative projects that can be performed in fiscal year 2011. If necessary, we will initiate projects from the list as needed after informing management and the Commission. This course of action allows our office the latitude to move or substitute projects into our schedule based on future conditions.
Internal Audit will review the audit plan at the mid-point of fiscal year 2011. We will consult with the Commissioners and Executive Management to adjust the plan as needed based on priorities, management requests, workloads, changes in operations, and availability of Internal Audit resources. If needed, we will seek the Commission’s authorization through the Chairman for approval of any amendments to the audit plan that become necessary during the fiscal year.
Acceptable Level of Risk
While the list of proposed projects results from our consideration of a wide-ranging scope of auditable activities, it does not address or provide coverage for all TPWD components or systems. Due to a variety of factors, some significant activities that might warrant review may not be carried forward to the list of proposed audit projects, but all activities received consideration.
Ultimately, we cannot address every risk area. It is important for the Commission and Executive Management to understand the limitations of the audit coverage and the attendant risks for areas not audited.
Additionally, per the Texas Internal Auditing Act, it is the Commission’s responsibility to conclude whether resources are adequate to address the identified risks. Specifically, Senate Bill 1694 of the 78th legislative session amended the Texas Internal Auditing Act to require the governing board of a state agency to periodically review the resources dedicated to the internal audit program and determine if adequate resources exist to ensure that risks identified in the annual risk assessment are adequately covered within a reasonable time frame. This requirement has been satisfied.
Advisory Services and Other Activities
A percentage of the available total audit hours are allocated to planning, administrative, and other special projects. These projects include advisory services, follow-up, external auditor liaison duties, preparation of the FY 2011 Audit Plan, preparation of the Annual Internal Audit Report to the SAO, special requests from the Commission and/or management, and hours dedicated to updating audit programs and documentation.
We will continue to have senior staff members participating in agency committees and work groups as needed and directed by our Commission or requested by Executive Management. We provide advice and suggestions on management issues, concerns, and proposed policies and procedures.
Follow-up is an important part of our audit effort and is required by professional standards. Our follow-up process will be conducted in April and October of every year with the status of all recommendations to be presented in mid-year and annual follow-up reports to the Commissioners and Executive Management. Follow-up reporting for audits continues until all recommendations and management action plans are implemented, the specific risk reported is otherwise mitigated, or senior management has accepted the risk of not taking action.
External Auditor Liaison
Internal Audit serves as the liaison with the Texas State Auditor’s Office, the Texas Comptroller of Public Accounts, the Department of the Interior’s Office of Inspector General, and other external audit groups having oversight responsibility for TPWD activities. Internal Audit staff assists external auditors on these projects as professionally appropriate. Internal Audit will coordinate with external auditors to conduct examinations in a manner that allows for maximum audit coordination and efficiency.
Management is responsible for establishing a system of internal / management controls adequate to reasonably assure that established objectives are accomplished. In the development of this audit plan, Internal Audit utilized the internal control framework developed by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission.
The original COSO framework is outlined in the document titled: 1992 COSO Report: Internal Control – An Integrated Framework. This document identifies what the Treadway Commission believed to be the fundamental and essential objectives of any business or government entity:
- Economy and efficiency of operations, including safeguarding of assets and achievement of desired outcomes;
- Reliability of financial and management reports; and
- Compliance with laws and regulations.
This framework describes a unified approach for evaluation of the internal control systems that management has designed to:
- provide reasonable assurance of achieving the organization’s mission, objectives, goals and desired outcomes, while adhering to laws and regulations;
- allow the Department to accurately report successes and outcomes to the public and interested third parties; and,
- serve as a common basis for management, directors, regulators, academics and others to better understand enterprise risk management, its benefits and limitations, and to communicate effectively about enterprise risk management.
The COSO framework contains five control components needed to help assure that business objectives are met. The five components, and the elements considered under each, are:
Control Environment
- Integrity and Ethical Values
- Commitment to Competence
- Board of Directors/Commission and Audit Committee
- Management’s Philosophy and Operating Style
- Organizational Structure
- Assignment of Authority and Responsibility
- Human Resource Policies and Procedures
Risk Assessment
- Department-wide Objectives
- Process-level Objectives
- Risk Identification and Analysis
- Managing Change
Control Activities
- Policies and Procedures
- Security (Application and Network)
- Application Change Management
- Business Continuity / Backups
Information and Communication
- Quality of Information
- Effectiveness of Communication
Monitoring
- On-going Monitoring
- Separate Evaluations
- Reporting Deficiencies
Management controls are most effective when they are built into the organization’s infrastructure and are a fundamental part of management’s philosophy. Use of the model supports quality and empowerment initiatives, avoids unnecessary costs, and enables a quick response to changing conditions. The use of this model should provide agency managers with the tools to systematically oversee their area of responsibility.
Through this model, Internal Audit will strive to promote greater understanding and use of risk mitigation plans during audit projects, management meetings, training activities and the dissemination of information to individual managers throughout the year.
Internal Audit is grateful to the Commission and Executive management for their consideration of this proposal. We respectfully request approval of this proposal which includes:
- Approval of the Proposed Project Areas.
- Authorizing the Commission Chairman to approve amendments to the Annual Audit Plan as well as amendments to the Audit Charter.
- Certification that resources provided to the Internal Audit function are adequate to address the risks identified by the internal audit risk assessment.
For further information on the Office of Internal Audit or the FY2011 Annual Audit Plan, please contact Carlos Contreras, Director of Internal Audit at (512) 389-4422 or by email at firstname.lastname@example.org.
About the Office of Internal Audit
Audit Organization and Staffing
The Office of Internal Audit is authorized eleven full-time equivalent positions: a Director, two Headquarters auditors, a Performance/Financial Auditor, an Information Technology Auditor, and six field auditors. Our Fiscal Year 2011 Annual Audit Plan was developed based on the assumption that this staffing level would remain constant during the fiscal year.
Internal Audit staff members collectively have approximately 41 years of agency experience, over 66 years of internal auditing experience, two graduate degrees, and twelve professional certifications including:
- Certified Internal Auditor (CIA)
- Certified Public Accountant (CPA)
- Certified Information Systems Auditor (CISA)
- Certified Fraud Examiner (CFE)
- Certified Government Auditing Professional (CGAP)
- Certified Internal Control Auditor (CICA)
- Certification in Control Self-Assessment (CCSA)
Additionally, five staff members are actively pursuing completion of the Certified Internal Auditor examination. One staff member will complete studies towards a Master of Business Administration degree in August 2010.
Internal Audit staff actively participates in professional auditing, accounting, and information systems organizations. These groups are excellent sources for obtaining information on auditing, accounting, business management, and other professional issues:
- Institute of Internal Auditors (IIA)
- Texas State Board of Public Accountancy (TSBPA)
- Information Systems Audit and Control Association (ISACA)
- Association of Certified Fraud Examiners (ACFE)
- Institute for Internal Controls (IIC)
- Texas State Agency Internal Audit Forum (SAIAF)
Quality Assurance and Improvement Program
Internal quality assurance is an important component in providing high quality auditing services. We conduct a supervisory and quality assurance review of each project and the resulting audit report.
Audit standards require internal audit departments to undergo a periodic external quality assurance review every three years. Internal Audit was evaluated in August 2009 by a State Agency Internal Audit Forum (SAIAF) team. Their final report supports the conclusion that the work of the TPWD Office of Internal Audit fully complies with the Standards for the Professional Practice of Internal Auditing, the Generally Accepted Government Auditing Standards, and the Texas Internal Auditing Act. Our next peer review, to be led again by a SAIAF team, is scheduled for 2012.
The Director of Internal Audit led an external quality assurance review of the Comptroller of Public Accounts Internal Audit Division in May 2010. Participation in these reviews creates opportunities to observe different processes and to possibly enhance operations through sharing.
Finally, a recent standard requires our office to perform periodic reviews through self-assessment or by other persons within the organization with sufficient knowledge of internal audit practices. We conducted a review of the working papers for the audit of the Law Enforcement Division’s cash handling procedures. This review noted three specific areas for improvement within our processes. There was management concurrence with the findings and we have since updated our operations manual with the changes.
The Office of Internal Audit measures performance with the following:
- Completion of 100% of the approved audit plan, allowing for appropriate project substitutions and amendments (Output).
- Percentage of prior audit recommendations that are in the process of being implemented or have been implemented. Combined performance target is 89% (Outcome).
FY 2011 Audit Plan
Risk Factor Definitions — Operations
Purpose: Part of our audit planning process includes performing a risk assessment of all auditable units to identify the potential areas of high risk throughout the Department. We have a separate risk assessment for operations and information technology audits. Both focus on the overall business risk of the units. The factors used to assess operational risk(s) include:
- Criticality of Auditable Unit – This factor measures the importance of the functional unit to the proper functioning and support of strategic aims for the Department. This includes the unit’s ability to provide service within a required time frame and/or at a predetermined level.
- Internal Control – This factor measures the quality of the internal control environment based on results of prior audit work, general observations, and/or other interactions. We are evaluating whether controls are in place and working effectively as designed.
- Public and/or Political Sensitivity – This measures the sensitivity of the functional area to public exposure of critical internal issues. This includes the degree of interest exhibited by the public, press, peers, and/or management. There is a potential for customer dissatisfaction, negative publicity, and/or damage to the Department’s reputation.
- Legal and Governance – This factor evaluates the exposure to potential litigation and/or governance by outside entities. This would include potential or current litigation and Department compliance with all required mandates, regulations, laws, and policies of external entities.
- Changes in Management and/or Organizational Structure – This evaluates the extent of change and the stability in the structure of the functional unit. This would include changes in management, key employees, and new or discontinued areas of responsibility.
- Financial Impact – This factor considers the biennial budget for the unit from all funding sources. We will evaluate the impact of inappropriate activity. Also being considered are appropriations and appropriation authority; consideration of transaction volumes for expenditures and revenues, liquidity, and/or asset valuation.
Risk Factor Definitions – Information Technology (IT)
Purpose: Part of our audit planning process includes performing a risk assessment of all auditable units to identify the potential areas of high risk throughout the Department. We have a separate risk assessment for operations and information technology audits. Both focus on the overall business risk of the units. The factors used to assess IT risk(s) include:
- Criticality of Division and/or Section – This factor is based on information gathered from the Department’s Land and Water Use Plan, the FY 2010 Business Analyses and other internal documentation.
- Centralized vs. Decentralized – This factor relates to the level of centralization of the IT activities.
- Level of IT Activities – This factor relates to the complexity, technical expertise required, and uniqueness of the IT activities within the functional area (division/section) in comparison to its peers within the Department.
- Maturity of the IT Environment – This factor relates to the level of IT governance in place per COBIT standards (IT Governance Maturity Model) and the Capability Maturity Model Integration. The Department’s level would include documented policies and appropriate processes including adequate data and security controls.
- Physical Security and/or Control of IT Assets – This factor is based on the internal Department information on location and custodianship of IT assets. Additional consideration must be given to the “transformation” (migration) of servers to IBM/TFT data centers in the next few months.
- Business Continuity and Disaster Recovery – This factor relates to the measures established to ensure continuing operations in the case of debilitating IT and/or business incidents whether man-made or natural.
- Internal and/or External Reviews – This factor considers any audit performed by our office or by external oversight entities (SAO, Comptroller, OIG), including engagements that consist solely of tests such as penetration testing.