CITY OF PALO ALTO
OFFICE OF THE CITY AUDITOR

July 10, 2012

The Honorable City Council
Attention: Policy & Services Committee
Palo Alto, California

City Auditor’s Office Fiscal Year 2013 Proposed Workplan and Risk Assessment

RECOMMENDATION

The Office of the City Auditor (OCA) recommends that the Policy & Services Committee review and recommend to the City Council approval of the OCA’s Fiscal Year (FY) 2013 Citywide Risk Assessment and Work Plan.

BACKGROUND

The mission of the Auditor’s Office is to promote honest, efficient, effective and fully accountable City government. To fulfill this mission, the Auditor’s Office conducts audits of City departments, programs, and services. The purpose of these audits is to provide the City Council and City management with information and evaluations regarding the effectiveness and efficiency with which City resources are employed, the adequacy of systems of internal controls, and compliance with City policies and procedures and regulatory requirements.

The Palo Alto Municipal Code requires the City Auditor to submit an annual Work Plan to the City Council for review and approval. The Work Plan is based upon a Citywide Risk Assessment that is conducted annually with the cooperation of City management. The attached report presents an overview and the results of the Citywide Risk Assessment and the proposed Work Plan for FY 2013.

NEXT STEPS

As audit work proceeds, we will issue quarterly reports summarizing the status and progress of each of the approved assignments. The quarterly reports will be issued to the City Council and discussed with the Policy & Services or Finance Committee as defined in the Work Plan.

Respectfully submitted,

Jim Pelletier, CIA
City Auditor

ATTACHMENTS:
Attachment A: FY2013 Citywide Risk Assessment & Workplan (PDF)

Department Head: Jim Pelletier, City Auditor

Updated: 7/2/2012 1:16 PM by Deniz Tunc
Fiscal Year 2013
“Promoting honest, efficient, effective, and fully accountable city government."

Attachment A: FY2013 Citywide Risk Assessment & Workplan (2999: FY2013 Proposed Workplan and Risk Assessment)
July 2012

CONTENTS

OVERVIEW OF THE OFFICE OF THE CITY AUDITOR (OCA) .......... 2
  OCA’S CORE PRODUCTS & SERVICES .......... 2
  PROFESSIONAL STANDARDS .......... 3
ABOUT RISK ASSESSMENT .......... 3
  RISK ASSESSMENT DEFINED .......... 3
  MANAGING RISK IS THE RESPONSIBILITY OF THE CITY COUNCIL AND CITY MANAGEMENT .......... 4
OCA RISK ASSESSMENT PROCESS .......... 4
  OVERVIEW .......... 4
  ENVIRONMENTAL SCAN .......... 4
  AUDIT UNIVERSE .......... 5
RISK ASSESSMENT RESULTS .......... 7
  INTERPRETING THE RISK ASSESSMENT RESULTS .......... 7
INFORMATION TECHNOLOGY RISK ASSESSMENT .......... 7
  IT SYSTEMS INVENTORY (APPLICATIONS) .......... 7
  IT PROJECTS INVENTORY .......... 8
  IT RISK ENVIRONMENT .......... 8
ANNUAL WORK PLAN COMPONENTS .......... 8
  AUDITS .......... 8
  SERVICE EFFORTS & ACCOMPLISHMENTS (SEA) AND CITIZEN CENTRIC REPORTING (CCR) .......... 9
  ADMINISTRATION OF THE FRAUD, WASTE, AND ABUSE HOTLINE .......... 9
  SPECIAL ADVISORY MEMORANDUMS (SAMS) .......... 9
  COUNCIL & MANAGEMENT REQUESTS .......... 9
  MONITORING & ADMINISTRATIVE ASSIGNMENTS .......... 9
BUILDING THE ANNUAL WORK PLAN .......... 10
  OVERVIEW .......... 10
  ANNUAL WORK PLAN LIMITATIONS .......... 10
  CONSIDERATION OF AUDITS NOT COMPLETED IN FY 2012 PLAN .......... 10
  OCA ANNUAL WORK PLAN RESOURCE ALLOCATION .......... 11
AUDITS SELECTED FOR THE FISCAL YEAR 2013 WORK PLAN .......... 12
ATTACHMENT 1 – BREAKDOWN OF CITY DIVISIONS & FUNDS .......... 14
ATTACHMENT 2 – ASSIGNMENT OF RISK FACTOR WEIGHTS .......... 15
ATTACHMENT 3 – GENERAL FUND RISK ASSESSMENT RESULTS .......... 16
ATTACHMENT 4 – ENTERPRISE FUND RISK ASSESSMENT RESULTS .......... 17

INTRODUCTION

Overview of the Office of the City Auditor (OCA)

The OCA conducts performance audits of City departments, programs, and services. Performance audits provide the City Council, City management, and the public with independent and objective information regarding the economy, efficiency, and effectiveness of City programs and activities. Our goal is to help the City achieve its strategic, operational, reporting, and compliance objectives using a systematic, disciplined approach to evaluating and recommending improvements to the effectiveness of the City’s risk management, control, and governance processes. Through our audit activities, the OCA supports the key governance roles of Oversight, Insight, and Foresight as described below:

Oversight: OCA provides oversight of City management on behalf of the City Council and the residents of Palo Alto by evaluating whether departments have established efficient and effective means of doing what they are required to do, spending funds for intended purposes, and complying with applicable laws and regulations.

Insight: OCA provides insight to assist City management by assessing the adequacy of internal controls; sharing best practices and benchmark information; and looking across departments to help management identify opportunities to borrow, adapt, or re-engineer good practices.

Foresight: OCA helps City management look forward by identifying trends and bringing attention to emerging challenges before they become crises. These issues often represent long-term risks that can receive low priority for attention where scarce resources drive a more short-term focus on urgent concerns.

OCA’s Core Products & Services

Audits – OCA’s core product. Audits address performance (efficiency and effectiveness), compliance, and information technology matters and provide management with value-added recommendations focused on mitigating risks and improving internal control. Audits are designed to support the achievement of the City’s strategic, operational, reporting, and compliance objectives and the City Council’s priorities.

Service Efforts and Accomplishments (SEA) and Citizen Centric Report (CCR) – The SEA is an annual report that provides data about the costs, quality, quantity, and timeliness of City services. The report includes a variety of comparisons to other cities and the results of a citizen survey. The goal is to provide the residents of Palo Alto, the City Council, City Staff, and other stakeholders with information on past performance to strengthen public accountability, improve government efficiency and effectiveness, and support future decision making. Prepared in coordination with the annual SEA report, the CCR is intended to be a brief, easy-to-read document that provides a quick snapshot of the City’s progress over the year. Based on guidance from the Association of Government Accountants, the report is a method to foster innovative means of communication between the City and the public.

Administration of the Fraud, Waste, and Abuse Hotline (Hotline) – The Hotline provides an anonymous mechanism for employees to report fraud, waste, and/or abuse of City resources. The OCA is responsible for partnering with an outside vendor to administer the Hotline and ensure that all calls are reviewed and acted upon by the Hotline Review Committee. The OCA may, as necessary, investigate certain cases. Additionally, the OCA will provide quarterly reporting of Hotline activity to the City Council.

Special Advisory Memorandums (SAMs) – Utilized for time-critical engagements including limited assessments, reviews, or evaluations as requested by management or the Council. These services do not typically conform to the rigorous audit standards required for Audits, but allow important information to be provided to management in a quick, flexible manner and can be focused on singular issues.

Comprehensive Annual Financial Report (CAFR) and Single Audit Report – Each year, the OCA contracts with an independent, certified public accountant to perform both the City’s annual financial audit and the annual Single Audit.

Sales and Use Tax Monitoring – The OCA conducts sales and use tax monitoring internally and contracts with an external vendor for quarterly sales and use tax recovery and information services. The purpose of this monitoring is to identify misallocations of local sales and use tax generated by companies doing business in Palo Alto. In addition, the external vendor prepares quarterly sales and use tax summary reports that are provided to the City Council as informational items.

Professional Standards

The OCA must adhere to a set of professional standards in conducting its work. The Palo Alto Municipal Code requires the OCA to adhere to Government Auditing Standards issued by the US Government Accountability Office. These standards require that we plan and perform our audits to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on the objectives of each audit. The OCA’s compliance with these standards is reviewed every three years by an external firm.
About Risk Assessment

Risk Assessment Defined

Risk is present in every aspect of government. From financial reporting and investing to community services and public safety, risk is present in the delivery of all services provided and all activities performed by the City. The annual risk assessment performed by the OCA is the process of identifying and analyzing inherent risks to the achievement of the City’s objectives. Risk is defined as the potential event or missed opportunity that may negatively impact the City’s ability to meet its objectives. Inherent risk represents the risks to the organization in the absence of any actions management might take to reduce or otherwise manage identified risks. In general, there are two key factors in assessing risk:

• Likelihood represents the probability that a risk can occur. In determining likelihood, we consider the source of the threat or opportunity, the capability of that source, and the nature of the possible vulnerability in the City.
• Impact represents the potential effect that a risk could have on the City if it occurs. Impact can be present in many forms including financial, operational, compliance, and reputational, among others.

Managing Risk is the Responsibility of the City Council and City Management

Managing and mitigating risk is the responsibility of the City Council and City Management. The City Council and City Management should continually assess risks and should take the appropriate actions (risk response) to address those risks. Possible risk responses include:

• Reduction of the risk by taking actions to reduce the likelihood and/or impact of the risk. This is the most common risk response and involves the implementation of controls.
• Sharing of the risk by transferring all or a portion of the risk to another entity. Examples include purchasing insurance or outsourcing certain activities (although outsourcing does not relieve the City’s responsibility to manage the risk, it simply brings additional expertise to assist in controlling it).
• Acceptance of the risk, which means that no action is taken and management is willing to deal with the risk as is rather than spending valuable resources.
• Avoidance of the risk by not participating in the process that initially generated the risk. This is often not an option for the City as many of the activities performed are required.

OCA Risk Assessment Process

Overview

The OCA has completed this risk assessment as a means to help identify, measure, and prioritize potential audits based on the level of risk to the City. Our Risk Assessment contains four components: Environmental Scan, General Fund Risk Assessment, Enterprise Fund Risk Assessment, and Information Technology (IT) Risk Assessment. The OCA Risk Assessment Process is the foundation for the development of the Annual Work Plan. This risk-based approach provides the following benefits:

• Prioritizes high-risk areas within the City for audits in upcoming fiscal years.
• Ensures that the OCA’s resources are effectively and efficiently focused on where they are most needed in alignment with the City Council’s Priorities and the City’s goals and objectives.
• Eliminates unnecessary audits that may be duplicative or audits that may not address higher risk areas of the City.

Environmental Scan

Throughout the year, the OCA collects information that provides important input into the risk assessment process. Additionally, the OCA solicits input from multiple sources including the City Council, City Management, the City’s external auditors, audit departments in peer cities and other local jurisdictions, as well as regional/national audit resources including the Government Accountability Office, the Association of Local Government Auditors, and the Institute of Internal Auditors. See the Summary of Environmental Scan Considerations below for more information.

Table 1 - Summary of Environmental Scan Considerations (Environmental Scan Consideration: Description)

Expectations from External Parties: Consideration of citizen survey results, current events, & broad economic conditions. Input from the City’s external auditor and from Statewide audit entities.
Benchmarking: Input from city peer groups including surveys of other audit departments and research of current audit trends from regional and national resources.
Expectations from inside the City: Input from City Council, City management, and OCA staff.
Past Audit Experience: Review of past audits and audit recommendations. Consideration of gaps in audit coverage and the length of time since last audit.
Current Risk Environment: Economic conditions impacting City operations, current IT environment, and considerations of disaster recovery and business continuity.
Risk Environment Forecast: Budgetary pressures, economic outlook, and State / Federal agendas.

Audit Universe

The term Audit Universe is used to describe all areas within the City that are subject to risk assessment and potential audits.
There are several approaches that could be taken for defining the Audit Universe. For this year’s Risk Assessment, we defined the City’s Audit Universe as the City’s 62 Divisions plus 10 Funds (9 Enterprise Funds and 1 Internal Service Fund). Due to the current structure of the OCA, we segregated General Fund Operations from Enterprise Fund Operations. A breakdown of the Divisions and Funds by department can be found in Attachment 1 – Breakdown of City Divisions & Funds.

To provide a framework for assessing the risks associated with each of the Divisions/Funds, we identified 15 broad Risk Factors. Risk Factors are observable or measurable indicators of conditions or events that could adversely impact the organization. Applying each of these Risk Factors to each of the City’s Divisions/Funds established the Audit Universe. The Risk Factors were then weighted based on relative importance as determined by input from OCA staff (see Attachment 2 – Assignment of Risk Factor Weights). The Risk Factors used for this year’s Risk Assessment are described below:

Table 2 - Risk Factors (Risk Factor: Definition)

Revenue: A measure of the level of risk associated with the nature and sources of revenues for a Division or Activity.
Expenditures: A measure of the level of risk associated with the nature and types of expenditures incurred by a Division or Activity.
Cash Handling & Asset Liquidity: A measure of the level of exposure to potential loss due to cash transactions, or the ease with which assets can be converted to cash.
Purchasing & Contracting: A measure of the level of exposure to outside contracts for goods and services. Considers the number and dollar amounts of contracts relative to the budget of the Division or Activity, the complexity of the contracted services provided, and/or the degree of reliance the Division places on the goods provided.
Payroll & Staffing: A measure of the level of risk associated with the number of employees in a division.
Asset Management: A measure of the level of exposure to loss, theft, or misuse of assets. Considers the number and types of assets.
Business Plan Volatility: A measure of the level of risk associated with the level of change to a Division’s business plan. Considers changes in the nature of services provided, changes in the goals and objectives, and/or reorganizations that may have occurred.
Budget Volatility: A measure of the level of risk associated with changes to a Division’s budget over the prior year.
Staffing Volatility: A measure of the level of risk associated with staff turnover and the loss of institutional knowledge.
Operational / Service Complexity: A measure of the level of risk associated with the complexity of operations and/or services provided. Considers the number and types of services provided, the key business partners/stakeholders involved, and the risks associated with operations and/or services not being properly executed.
Citizen Impact / Reputational Risk: A measure of the exposure to loss or embarrassment caused by the level of visibility and/or public interest in the Division or Activity.
Reliability of Information: A measure of the risk associated with the extent to which data and/or information from the Division is used to support the City Council decision making process. Considers the volume and types of information presented, the types of decisions made based on the data/information, and the level of reliance placed on the data/information.
Safety & Security: A measure of the exposure to physical safety and/or security concerns experienced during the course of normal operations. Considers employees’ exposure to physical or environmental hazards/harm.
Information Technology: A measure of the level of risk associated with the use of information technology by the Division. Considers the importance, impact, complexity, nature, and sensitivity of the information associated with the system(s).
Compliance: A measure of the level of exposure to loss or regulatory sanction due to the complexity and volume of regulations. Considers the City Charter, municipal code, resolutions, ordinances, Federal and State laws and regulations, MOUs, contract requirements, and grant requirements.

Risk Assessment Results

We conducted a comprehensive, collaborative Risk Assessment that included detailed input from the City’s Executive Leadership Team (ELT) in addition to the continuous Environmental Scan mentioned earlier. We sent out a Risk Assessment Management Questionnaire to the ELT for input on the Risk Factors and areas of audit interest in their operations. Each of the questions on the questionnaire had five possible answers ranging from low risk (0) to high risk (9). We reviewed the completed questionnaires and followed up with an interview of each ELT member to ensure we understood their responses and to discuss any audit-related concerns within their Department. Additionally, weights were assigned to each of the Risk Factors based on relative importance as determined by input from OCA staff. The final step to completing the Risk Assessment was to calculate the risk scores for each Risk Factor across each Division/Fund. Attachments 3 and 4 illustrate the results of the Risk Assessment for General Fund and Enterprise Fund Departments, respectively.
Interpreting the Risk Assessment Results

High risk scores for a Division/Fund indicate that if something were to go wrong within that Division/Fund, it could have a greater impact on the City than a Division/Fund with a lower risk score. A high risk score is not a measurement of the current efficiency or effectiveness of any given Division/Fund. The overall results of the Risk Assessment identify the highest risk Divisions/Funds that may warrant and benefit from additional management attention and/or audit services.

Important: A high risk score does not mean that the Division is being managed ineffectively or that internal controls are not adequate. A high risk score indicates that if something were to go wrong, it could have a greater impact on the organization.

Information Technology Risk Assessment

Recent significant changes to IT within the City include:

• Establishment of the standalone IT Department (previously a division of the Administrative Services Department).
• Hiring of a new Chief Information Officer (CIO) reporting to the City Manager.
• Hiring of the Information Security Manager reporting to the CIO.

Given this restructuring of the IT function, the OCA is introducing a new conceptual framework for an IT Risk Assessment. Starting in Fiscal Year 2014, this framework will be used to perform an IT Risk Assessment to identify and prioritize specific IT Audits for the OCA. There are three components to the framework for IT Risk Assessment: the IT Systems Inventory, the IT Project Inventory and the IT Risk Environment. When combined, these components form the basis for the IT Audit Universe.

IT Systems Inventory (Applications)

The IT Department is currently in the process of compiling an inventory of all IT systems used within the City. For future risk assessments, the OCA will utilize this inventory as the basis for identifying the IT Audit Universe.

IT Projects Inventory

The OCA will work with the IT Department to identify major IT projects that could have significant impact on City resources. Major IT projects are those with budgets greater than $500,000 or those that require executive visibility and oversight. Major IT projects will be included in the IT Audit Universe.

IT Risk Environment

The IT Risk Environment, illustrated below, identifies the foundational IT general and application controls and how they apply at the application and infrastructure level. General controls span all IT systems and are put in place to ensure the integrity, reliability, and accuracy of the City’s applications. Application controls pertain to individual applications and ensure that system processes and logic perform according to specifications.

Figure 1 - Information Technology Risk Environment
[Figure: IT infrastructure layers (Network, Host, Database, Application) supporting Applications A, B and C. General Controls: Systems Development, Change Management, Logical Access, Physical Controls, Service & Support Processes, Backup & Restore, Security. Application Controls: Authorization, Integrity, Availability, Confidentiality, Segregation of Duties, Least Access.]
Source: figure adapted and revised from IT Control Objectives for Sarbanes-Oxley, 2nd Ed., IT Governance Institute

Annual Work Plan Components

The development of the Annual Work Plan is a dynamic, continuous process. The Risk Assessment drives the Plan, but there are other components including: the Service Efforts & Accomplishments report and the Citizen Centric Report; administration of the Fraud, Waste, and Abuse Hotline; Special Advisory Memorandums; Council & Management Requests; and Monitoring and Administrative Assignments. Each of these components requires OCA resources that are considered in the Plan.

Audits

We select audits from the Risk Assessment process described above. The Risk Assessment guides the prioritization of the audits selected given limited resources.

Service Efforts & Accomplishments (SEA) and Citizen Centric Reporting (CCR)

The OCA prepares the annual SEA Report as well as the annual CCR. These reports are designed to provide the residents of Palo Alto, the City Council, and City staff with important data and information regarding the performance of the City. The reports are unique in that they are compilations of vast amounts of data obtained from both inside and outside the City and are prepared in coordination with all City departments. Additionally, the SEA includes the results of the annual National Citizens Survey, which provides insight into residents’ perceptions of the City’s performance and allows the City to compare itself to other jurisdictions.

Administration of the Fraud, Waste, and Abuse Hotline

The OCA is responsible for administering the City’s Employee Only Fraud, Waste, and Abuse Hotline, which is currently in a trial phase. Incident routing and monitoring is administered by the OCA, and the City Auditor is a member of the Hotline Review Committee with the City Manager and the City Attorney. Additionally, certain incidents may require investigation by OCA staff.
Special Advisory Memorandums (SAMs)

SAMs provide important information to the City Council and City management in a quick and flexible manner. SAMs are prepared in coordination with relevant City Departments and are utilized for timely communication of limited assessments, reviews, or evaluations.

Council & Management Requests

The Plan accommodates special requests from City management and the City Council throughout the year. Larger requests may require changes to the Plan.

Monitoring & Administrative Assignments

The OCA performs certain monitoring and administrative assignments including:

• Comprehensive Annual Financial Report (CAFR) and Single Audit Report – the OCA contracts with an external accounting firm to perform both the annual CAFR and Single Audit Report for the City.
• Sales and Use Tax Monitoring – the OCA monitors Sales and Use Tax payments due to the City both through our own analysis and through partnering with a third party specialist. Claims are submitted to the State Board of Equalization to redirect misallocated tax proceeds to the City.
• Preparation of Quarterly Status Reports – the OCA prepares quarterly status reports for the City Council.
• Annual Open Audit Recommendation Follow Up – as required by the Municipal Code, the OCA provides an annual update to the City Council on the current status of open audit recommendations.
• Advisory Roles – the City Auditor serves as an advisor to the Utilities Risk Oversight Committee and the Library Bond Oversight Committee.

Figure 2 - Work Plan Components
[Figure: the Annual Work Plan comprises Audits, SEA & CCR, Hotline, SAMs, Council & Mgt Requests, and Monitoring & Administration.]
Building the Annual Work Plan

Overview

Development of the Annual Work Plan begins with the identification of the available resources within the OCA. This is defined as the number of staff hours available after vacation, training, and administrative time has been considered. Sufficient staff hours are then committed to SEA & CCR Development, Hotline Administration, SAMs, Council & Management Requests, and Monitoring & Administrative Assignments. The remaining hours are dedicated to the audits identified and prioritized through the Annual Risk Assessment Process.

Annual Work Plan Limitations

As with any plan, the OCA's Annual Work Plan is limited by the following factors:
• The OCA has finite audit resources for the execution of our audits. This means that not every risk identified can be addressed each year; this is partially mitigated by the prioritization inherent in our risk-based approach.
• Risks and priorities are subject to continuous change, and the Plan is required to be flexible. This could require certain audits to be removed from the Plan while others are added. All changes to the Plan are reviewed by the City Council for approval.
• Other auditors, typically state and/or federal, may perform audits within the City. The Plan will be adjusted to avoid duplicate work or to provide additional audit coverage if necessary.
• The Plan must align with the City Council's priorities. Any changes to the priorities may result in adjustments to the Plan.

Consideration of Audits Not Completed in the FY 2012 Plan

As a result of an aggressive Annual Work Plan and staff turnover in FY 2012, certain audits in the FY 2012 Plan were not completed. These audits were given special consideration for this year's Plan. Audits from the FY 2012 Plan that were not completed include:

Audit Title | Status | Rationale
Human Resources Employee Benefits | In Process | This audit was delayed due to staff turnover. The audit is focused on employee health benefits.
Alarm Permitting | Recommend Deferral | According to the Police Chief, there are pending changes to alarm permit processing. Will be reconsidered in future years.
Grants Management | Recommend Deferral | The 2011 Single Audit identified ~$9,000,000 in Federal Grants, which represents only ~2% of the City's total revenue. As these grants are generally covered by the annual Single Audit performed by the City's external auditor, we recommend deferring while the City addresses past Single Audit findings.
Real Estate Management | Recommend Deferral | The Real Estate Division, within the Administrative Services Department, is responsible for managing the City's real estate assets, generating revenue by disposing of surplus properties, and/or reducing leasing costs. This audit was introduced in FY 2012 as a result of risk assessment discussions with department directors. The audit will focus on lease agreements and rent payments associated with City-owned real estate. Recommend deferral to accommodate higher priority audits in FY 2013.
Planning & Community Environment Development Permit Process | FY 2013 | In FY 2010, the City Council requested that the OCA review the Development Center's permitting process to identify opportunities for efficiency and effectiveness. At the same time, the City Manager and the Planning and Community Environment Department initiated efforts to study the permit process and identify improvements, and requested that the audit be deferred until FY 2013.
Utility Users Tax Revenues (Outsourced) | FY 2013 (Tentative) | Utility Users Tax Revenues have dropped in the last few years, presumably related to increased cell phone usage. In FY 2012, the Administrative Services Director requested that the OCA contract with a utility tax auditor to determine whether the City is receiving all of the revenues that it is entitled to receive.
Wastewater Treatment Fund | FY 2013 | The Regional Water Quality Control Plant provides services to Mountain View, Los Altos, Los Altos Hills, Stanford, and East Palo Alto. This audit will focus on the cost-sharing agreements and allocation of charges to partner agencies.
Construction Process | FY 2013 | Recommended by the Finance Committee in FY 2012, this audit will assess the effectiveness and efficiency of the City's construction management practices as they relate to the bidding and change order process.

[Callout: The City's risks and priorities are subject to change, requiring the Plan to be flexible.]

OCA Annual Work Plan Resource Allocation

As discussed above, the Annual Work Plan is limited by the finite resources of the OCA. The chart summarizes available staff hours and how they are applied to the various components of the Plan. The Plan may be adjusted throughout the year to accommodate the changing risk environment. If a situation arises that requires OCA attention and resources are not available, the City Auditor may request additional funding from the City Council to support the use of external, supplementary resources.

[Chart: OCA Resource Allocation (hrs). Legend entries with the chart's percentages, in legend order: Risk Based Audits 46%; SEA & CCR 29%; Hotline Administration 8%; SAMs 1%; Council & Mgt Requests 2%; Monitoring & Administration 14%.]

Audits Selected for the Fiscal Year 2013 Work Plan

The following table summarizes the audits that were selected for this year's Work Plan:

Human Resources Employee Benefits
  Department: Human Resources and ASD-Payroll
  Preliminary scope*: Carryover from FY 2012. Examination of benefit oversight, costs, and administration through the HR Department. Will include ASD's administration process over the General Benefits Fund and the Retiree Health Benefit Fund as needed. Due to the size and complexity, we will limit the scope to health benefits for both current and retired employees.
  Planned hours*: 400
  Council committee: Policy & Services

Development Permit Process
  Department: Development Center (multiple departments)
  Preliminary scope*: This audit will seek to identify opportunities to improve the efficiency and effectiveness of the Development Permit Process.
  Planned hours*: 600
  Council committee: Policy & Services

Construction Process
  Department: Public Works
  Preliminary scope*: The audit will assess the effectiveness and efficiency of the City's construction management practices, including compliance with applicable policies, regulations, and key contract terms. This audit will be limited to the bidding and change order processes within the overall construction management framework.
  Planned hours*: 560
  Council committee: Policy & Services

Utilities Asset Management
  Department: Utilities
  Preliminary scope*: Specific concerns regarding the effective and efficient safeguarding of certain assets were identified during the Risk Assessment process. This audit will follow up on those concerns and assess the adequacy of controls over Utilities assets, including compliance with relevant policies and the Municipal Code.
  Planned hours*: 320
  Council committee: Finance

Wastewater Treatment Fund
  Department: Public Works
  Preliminary scope*: The Regional Water Quality Control Plant provides services to Mountain View, Los Altos, Los Altos Hills, Stanford, and East Palo Alto. This audit will assess whether the cost-sharing agreements and allocation of charges to partner agencies have been properly implemented and maintained.
  Planned hours*: 600
  Council committee: Finance

Utility Users Tax Revenues (Tentative, Outsourced)
  Department: Utilities
  Preliminary scope*: Utilizing a utility tax expert, this audit will determine whether the City is receiving all of the Utility Users Tax revenues that it is entitled to receive. This audit is marked as tentative, as follow-up research will be performed to ensure the City's exposure to missed UUT funds remains high before the OCA requests additional funding from the City Council to outsource the audit.
  Planned hours*: 40
  Council committee: Finance

Pcard and/or Payroll Analytic Development
  Department: Administrative Services
  Preliminary scope*: The OCA will begin development of data analytics that can be used to continuously audit certain high risk processes. As time allows, we will begin to identify and develop analytics for the Pcard and/or Payroll processes.
  Planned hours*: 40
  Council committee: N/A

*Preliminary scope and/or planned hours may change based upon the preliminary survey of the audit.

Attachment 1 – Breakdown of City Divisions & Funds

City Attorney: Administration; Consultation & Advisory; Litigation & Dispute Resolution; Official & Administration Duties
City Clerk: Public Information; Council Support Services; Election/Conflict of Interest; Legislative Records Management; Administrative Citations
City Manager: Admin & City Management; Public Communication; Sustainability; Economic Development
Administrative Services: Administration; Accounting; Purchasing; Real Estate; Treasury; Office of Management & Budget
Community Services: Admin & Human Services; Arts & Sciences; Open Space, Parks & Golf; Recreation & Cubberley
Fire Department: Fire Administration; Emergency Response; Environmental Safety Management; Training; Personnel
Human Resources: Admin, Emp-Org Development & HR Systems; Employee/Labor Relations; Benefits/Compensation; Recruitment; Risk Management, Safety & Workers Compensation
Library: Administration; Collection & Technical Services; Public Services
Planning & Community Environment: Administration; Advanced Planning; Building; Current Planning; Development Center; Transportation; Code Enforcement
Police Department: Administration; Field Services; Technical Services; Investigations & Crime Prev.; Traffic Services; Police Personnel Selection; Animal Services; Parking Services
Office of Emergency Services: Office of Emergency Services
Public Works: Administration; Streets; Trees; Structures & Grounds; Engineering; Vehicle Replacement Fund
Public Works (Enterprise Funds): Refuse Fund; Storm Drainage Fund; Wastewater Treatment Fund; Airport Fund
Utilities (Enterprise Funds): Administration; Engineering; Resource Management; Customer Support; Operations
Utilities (Enterprise Funds): Electric Fund; Fiber Optic Fund; Gas Fund; Wastewater Collection Fund; Water Fund

Attachment 2 – Assignment of Risk Factor Weights

Based on their experience and knowledge, OCA staff recorded whether they felt the Risk Factors listed down the left of the matrix have a greater level of inherent risk when compared to the Risk Factors along the top of the matrix. The results were used to calculate the weights to apply to each of the Risk Factors in the Risk Assessment.
Columns 1 to 15 are the same Risk Factors as the rows, in the same order; a row's entry under a column records how the row factor compared against that column factor (the self-comparison on the diagonal is blank in the source and shown here as "-"). Each factor's weight is its row total as a percentage of the grand total.

Risk Factor                            1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 | Total | % of Total | Weight
 1 Revenue                             -  1  1  0  2  1  4  2  2  2  1  0  1  1  0 |    18 |       3.4% |    3.4
 2 Expenditures                        4  -  3  2  4  2  5  4  3  4  4  3  3  2  3 |    46 |       8.7% |    8.7
 3 Cash Handling & Asset Liquidity     4  2  -  1  2  3  4  3  3  2  3  1  2  1  1 |    32 |       6.1% |    6.1
 4 Purchasing & Contracting            5  4  4  -  5  5  5  4  5  5  4  3  3  3  3 |    58 |      11.0% |   11.0
 5 Payroll & Staffing                  3  1  3  0  -  0  4  3  2  3  3  0  1  0  0 |    23 |       4.4% |    4.4
 6 Asset Management                    4  3  2  0  5  -  5  3  4  3  3  0  1  2  1 |    36 |       6.8% |    6.8
 7 Business Plan Volatility            1  0  1  0  1  0  -  2  2  2  2  1  0  0  1 |    13 |       2.5% |    2.5
 8 Budget Volatility                   3  1  2  1  2  2  3  -  3  3  2  1  1  1  1 |    26 |       4.9% |    4.9
 9 Staffing Volatility                 3  2  2  0  3  1  3  2  -  4  4  1  1  3  0 |    29 |       5.5% |    5.5
10 Operational/Service Complexity      3  1  3  0  2  2  3  2  1  -  2  1  1  1  1 |    23 |       4.4% |    4.4
11 Citizen Impact/Reputational Risk    4  1  2  1  2  2  3  3  1  3  -  0  1  0  0 |    23 |       4.4% |    4.4
12 Reliability of Information          5  2  4  2  5  5  4  4  4  4  5  -  2  0  1 |    47 |       8.9% |    8.9
13 Safety & Security                   4  2  3  2  4  4  5  4  4  4  4  3  -  2  2 |    47 |       8.9% |    8.9
14 Information Technology              4  3  4  2  5  3  5  4  2  4  5  5  3  -  3 |    52 |       9.9% |    9.9
15 Compliance                          5  2  4  2  5  4  4  4  5  4  5  4  3  2  - |    53 |      10.1% |   10.1
Grand total of row totals: 526
Attachment 3 – General Fund Risk Assessment Results

Column key (Risk Factor Weight from Attachment 2 in parentheses): PS = Payroll & Staffing (4.4); SV = Staffing Volatility (5.5); Ex = Expenditures (8.7); Rv = Revenues (3.4); CH = Cash Handling & Asset Liquidity (6.1); Cm = Compliance (10.1); BP = Business Plan Volatility (2.5); BV = Budget Volatility (4.9); AM = Asset Management (6.8); OC = Operational/Service Complexity (4.4); IT = Information Technology (9.9); CI = Citizen Impact/Reputational Risk (4.4); SS = Safety & Security (8.9); RI = Reliability of Information (8.9); PC = Purchasing & Contracting (11.0). Division Total sums the row; the individual cells are rounded in the source, so a row may not add exactly to its total.

Department | Division | PS SV Ex Rv CH Cm BP BV AM OC IT CI SS RI PC | Division Total
City Attorney | Administration | 16 33 29 31 0 0 11 18 23 0 55 16 30 50 0 | 310
City Attorney | Consultation & Advisory | 27 33 68 0 21 100 11 18 23 49 98 16 50 89 60 | 662
City Attorney | Litigation & Dispute Resolution | 16 33 29 0 21 33 18 18 23 49 98 49 30 89 84 | 589
City Attorney | Official & Administration Duties | 16 33 29 0 0 33 11 18 23 49 76 49 30 89 0 | 455
City Clerk | Public Information | 16 0 0 0 0 33 0 0 39 16 33 38 50 30 0 | 254
City Clerk | Council Support Services | 27 20 49 0 0 100 0 0 70 49 55 49 50 89 36 | 591
City Clerk | Election/Conflict of Interest | 16 0 29 0 0 56 0 53 70 49 98 49 50 89 0 | 558
City Clerk | Legislative Records Management | 27 0 0 0 0 56 0 0 39 38 33 38 30 89 36 | 385
City Clerk | Administrative Citations | 16 0 29 0 0 56 0 18 0 38 55 27 69 30 0 | 337
City Manager | Admin & City Management | 27 46 68 22 21 56 18 18 0 49 76 38 30 89 36 | 592
City Manager | Public Communication | 5 33 29 0 0 0 0 53 0 38 76 38 30 30 36 | 367
City Manager | Sustainability | 16 59 29 0 0 56 11 18 0 38 33 38 30 89 36 | 451
City Manager | Economic Development | 16 33 29 0 0 33 18 30 23 49 76 38 30 69 36 | 479
Administrative Services | Administration | 16 20 49 0 21 100 18 18 70 49 98 49 30 89 60 | 685
Administrative Services | Accounting | 38 33 68 0 50 78 11 41 70 49 98 49 30 89 36 | 738
Administrative Services | Purchasing | 27 46 49 0 36 100 18 0 23 49 98 49 30 50 84 | 656
Administrative Services | Real Estate | 27 59 49 22 21 33 25 41 55 49 55 38 50 89 84 | 695
Administrative Services | Treasury | 38 20 68 0 64 78 0 0 70 49 55 16 50 69 60 | 635
Administrative Services | Office of Management & Budget | 27 59 49 0 21 78 25 53 23 49 98 49 30 89 60 | 708
Community Services | Administration & Human Services | 27 33 87 0 0 33 0 0 23 38 55 16 30 50 60 | 451
Community Services | Arts & Sciences | 49 33 87 31 36 33 11 18 39 38 55 38 30 30 60 | 585
Community Services | Open Space, Parks, & Golf | 49 33 87 40 21 33 0 0 23 38 33 38 50 50 60 | 553
Community Services | Recreation & Cubberley | 49 20 87 31 36 33 11 18 39 38 55 38 30 50 60 | 592
Fire Department | Fire Administration | 16 46 68 0 21 100 32 53 23 49 98 38 69 69 36 | 718
Fire Department | Emergency Response | 49 59 87 40 21 56 25 18 39 49 98 49 69 69 84 | 810
Fire Department | Environmental Safety Management | 38 59 87 31 36 56 0 41 39 38 76 27 30 30 36 | 622
Fire Department | Training | 16 59 0 0 0 100 0 18 0 49 98 27 89 30 36 | 521
Fire Department | Personnel | 16 59 0 0 0 78 18 18 0 38 55 49 69 69 36 | 503
Human Resources | Adm., Emp-Org Dev. & HR Systems | 16 46 49 0 0 100 18 18 0 49 98 38 69 69 36 | 604
Human Resources | Employee/Labor Relations | 16 59 49 0 0 100 18 30 0 49 98 49 30 89 84 | 668
Human Resources | Benefits/Compensation | 16 46 29 0 21 78 18 18 0 38 98 27 30 69 108 | 595
Human Resources | Recruitment | 16 46 49 0 0 100 11 30 0 38 98 27 30 50 60 | 552
Human Resources | Risk Mgt, Safety, & Workers Comp | 16 20 29 0 21 78 0 18 0 49 76 38 69 30 60 | 503
Library | Administration | 16 59 68 0 21 33 18 30 23 49 55 27 30 50 36 | 513
Library | Collection & Technical Services | 27 59 49 22 0 33 18 18 39 38 76 27 30 30 84 | 548
Library | Public Services | 49 20 87 13 36 33 18 18 23 27 76 27 50 30 60 | 566
Planning & Community Env. | Administration | 27 33 49 0 0 33 11 18 23 38 98 49 30 89 60 | 556
Planning & Community Env. | Advanced Planning | 27 59 68 13 0 100 18 18 23 49 76 38 30 89 84 | 691
Planning & Community Env. | Building | 38 33 87 40 0 56 18 53 39 49 76 38 69 50 84 | 728
Planning & Community Env. | Current Planning | 27 33 68 31 0 0 18 41 0 49 98 49 30 89 84 | 615
Planning & Community Env. | Development Center | 27 59 49 0 0 33 32 0 0 49 98 49 30 69 60 | 553
Planning & Community Env. | Transportation | 27 33 68 22 21 78 18 0 23 49 98 49 69 89 84 | 727
Planning & Community Env. | Code Enforcement | 16 0 29 0 0 0 0 0 23 49 55 49 50 30 36 | 336
Police Department | Administration | 16 20 49 0 21 100 32 53 23 49 98 49 89 89 36 | 723
Police Department | Field Services | 49 59 87 31 21 56 25 30 39 49 98 49 89 89 84 | 853
Police Department | Technical Services | 49 59 87 22 21 56 18 0 39 38 98 38 30 69 108 | 730
Police Department | Investigations & Crime Prevention | 38 59 87 40 50 33 0 18 39 49 98 49 50 30 60 | 697
Police Department | Traffic Services | 27 20 68 0 21 33 25 53 39 38 76 49 89 89 36 | 663
Police Department | Police Personnel Selection | 27 20 68 13 21 78 0 0 0 38 98 49 30 50 60 | 550
Police Department | Animal Services | 38 20 68 22 36 100 18 53 55 49 76 49 69 50 84 | 784
Police Department | Parking Services | 27 20 68 31 21 33 11 18 23 38 98 38 50 30 60 | 564
Office of Emergency Services | Office of Emergency Services | 16 59 68 22 21 33 32 18 39 49 98 27 69 30 60 | 640
Public Works | Administration | 16 59 68 13 0 0 11 0 0 49 33 49 30 89 0 | 415
Public Works | Streets | 38 20 87 0 0 33 11 18 39 27 33 49 50 30 60 | 493
Public Works | Trees | 38 59 87 0 0 33 0 18 39 27 55 49 69 30 108 | 611
Public Works | Structures and Grounds | 38 33 87 40 0 33 11 18 55 38 55 38 50 30 84 | 607
Public Works | Engineering | 49 33 87 31 0 56 11 0 23 49 33 49 50 89 108 | 665
Public Works | Vehicle Replacement Fund | 38 59 87 40 0 78 18 53 55 38 98 27 50 50 84 | 772
Risk Factor Total | (all General Fund divisions) | 1,588 2,139 3,317 691 802 3,208 728 1,251 1,599 2,457 4,404 2,279 2,693 3,604 3,264 |

Important: A high risk score does not mean that the Division is being managed ineffectively or that internal controls are not adequate. A high risk score indicates that if something were to go wrong, it could have a greater impact on the organization.

Attachment 4 – Enterprise Fund Risk Assessment Results

Same columns, abbreviations, and Risk Factor Weights as Attachment 3.

Department | Division | PS SV Ex Rv CH Cm BP BV AM OC IT CI SS RI PC | Division Total
Public Works | Refuse Fund | 38 33 87 40 0 100 25 53 39 49 98 38 69 89 108 | 865
Public Works | Storm Drainage Fund | 27 20 87 40 0 78 0 18 39 38 76 27 69 69 84 | 672
Public Works | Wastewater Treatment Fund | 49 59 87 40 0 100 11 41 39 49 98 38 89 69 108 | 876
Public Works | Airport Fund | 16 0 29 0 0 100 32 53 39 49 55 38 89 69 84 | 652
Utilities | Administration | 27 33 87 40 21 100 18 30 23 49 98 49 89 89 36 | 788
Utilities | Engineering | 49 59 87 40 21 100 11 18 23 49 98 38 50 69 108 | 818
Utilities | Resource Management | 38 46 87 40 0 78 25 30 23 49 98 49 30 89 108 | 787
Utilities | Customer Support | 49 33 87 40 36 56 11 18 39 38 98 38 69 69 108 | 787
Utilities | Operations | 49 59 87 40 50 100 11 18 70 49 98 49 89 69 108 | 944
Utilities | Electric Fund | 49 59 87 40 50 100 11 30 70 49 98 49 89 89 108 | 975
Utilities | Fiber Optic Fund | 27 33 68 40 50 56 11 41 55 38 98 27 50 50 60 | 701
Utilities | Gas Fund | 49 59 87 40 36 100 18 30 55 49 98 49 89 89 108 | 953
Utilities | Wastewater Collection Fund | 49 59 87 40 36 100 11 30 39 49 98 49 89 89 108 | 930
Utilities | Water Fund | 49 59 87 40 50 100 11 30 55 49 98 49 89 89 108 | 960
Risk Factor Total | (all Enterprise Fund divisions) | 562 605 1,145 515 348 1,265 200 437 608 648 1,308 583 1,049 1,089 1,344 |
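The weighting method in Attachment 2 (each factor's weight is its row total as a percentage of the grand total of the pairwise matrix) and the weighted division totals in Attachments 3 and 4 can be reproduced mechanically. The script below is an added illustration and is not code from the OCA or the City of Palo Alto. The pairwise matrix is transcribed from Attachment 2; the 0 to 4 rating scale, the `division_score` and `rank_divisions` helpers, and the two sample divisions are assumptions made for the example, since the document does not state the rating scale behind the cell values in Attachments 3 and 4.

```python
"""Pairwise risk-factor weighting and weighted division scoring.

Added example, not part of the OCA document. PAIRWISE is transcribed from
Attachment 2; the rating scale and SAMPLE_DIVISIONS are constructed
assumptions used only to illustrate the scoring step.
"""
from typing import Dict, List, Sequence, Tuple

FACTORS: List[str] = [
    "Revenue", "Expenditures", "Cash Handling & Asset Liquidity",
    "Purchasing & Contracting", "Payroll & Staffing", "Asset Management",
    "Business Plan Volatility", "Budget Volatility", "Staffing Volatility",
    "Operational/Service Complexity", "Citizen Impact/Reputational Risk",
    "Reliability of Information", "Safety & Security",
    "Information Technology", "Compliance",
]

# Row i holds the 14 comparisons of factor i against every other factor, in
# FACTORS order with the self-comparison omitted (transcribed from Attachment 2).
PAIRWISE: List[List[int]] = [
    [1, 1, 0, 2, 1, 4, 2, 2, 2, 1, 0, 1, 1, 0],
    [4, 3, 2, 4, 2, 5, 4, 3, 4, 4, 3, 3, 2, 3],
    [4, 2, 1, 2, 3, 4, 3, 3, 2, 3, 1, 2, 1, 1],
    [5, 4, 4, 5, 5, 5, 4, 5, 5, 4, 3, 3, 3, 3],
    [3, 1, 3, 0, 0, 4, 3, 2, 3, 3, 0, 1, 0, 0],
    [4, 3, 2, 0, 5, 5, 3, 4, 3, 3, 0, 1, 2, 1],
    [1, 0, 1, 0, 1, 0, 2, 2, 2, 2, 1, 0, 0, 1],
    [3, 1, 2, 1, 2, 2, 3, 3, 3, 2, 1, 1, 1, 1],
    [3, 2, 2, 0, 3, 1, 3, 2, 4, 4, 1, 1, 3, 0],
    [3, 1, 3, 0, 2, 2, 3, 2, 1, 2, 1, 1, 1, 1],
    [4, 1, 2, 1, 2, 2, 3, 3, 1, 3, 0, 1, 0, 0],
    [5, 2, 4, 2, 5, 5, 4, 4, 4, 4, 5, 2, 0, 1],
    [4, 2, 3, 2, 4, 4, 5, 4, 4, 4, 4, 3, 2, 2],
    [4, 3, 4, 2, 5, 3, 5, 4, 2, 4, 5, 5, 3, 3],
    [5, 2, 4, 2, 5, 4, 4, 4, 5, 4, 5, 4, 3, 2],
]


def factor_weights(matrix: Sequence[Sequence[int]], names: Sequence[str]) -> Dict[str, float]:
    """Weight of each factor = its row total as a percentage of the grand total."""
    if len(matrix) != len(names):
        raise ValueError("one matrix row per factor expected")
    for row in matrix:
        if len(row) != len(names) - 1:
            raise ValueError("each row must compare against the other n-1 factors")
    totals = [sum(row) for row in matrix]
    grand = sum(totals)
    return {name: 100.0 * t / grand for name, t in zip(names, totals)}


def division_score(ratings: Dict[str, int], weights: Dict[str, float], max_rating: int = 4) -> float:
    """Weighted inherent-risk score for one division: sum(weight * rating).

    ASSUMPTION: ratings are integers 0..max_rating per factor (missing = 0).
    The OCA document does not state its rating scale, so this is illustrative.
    """
    score = 0.0
    for name, weight in weights.items():
        r = ratings.get(name, 0)
        if not 0 <= r <= max_rating:
            raise ValueError(f"rating for {name!r} out of range: {r}")
        score += weight * r
    return score


def rank_divisions(divisions: Dict[str, Dict[str, int]], weights: Dict[str, float]) -> List[Tuple[str, float]]:
    """Return (division, score) pairs, highest inherent risk first."""
    scored = [(name, division_score(r, weights)) for name, r in divisions.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample ratings (hypothetical, not taken from the document).
SAMPLE_DIVISIONS: Dict[str, Dict[str, int]] = {
    "Utilities Operations": {
        "Purchasing & Contracting": 4, "Compliance": 4,
        "Information Technology": 4, "Safety & Security": 4, "Revenue": 1,
    },
    "City Clerk Public Information": {
        "Citizen Impact/Reputational Risk": 3, "Safety & Security": 1,
    },
}

if __name__ == "__main__":
    weights = factor_weights(PAIRWISE, FACTORS)
    for name, pct in sorted(weights.items(), key=lambda p: p[1], reverse=True):
        print(f"{name:34s} {pct:5.1f}")
    for division, score in rank_divisions(SAMPLE_DIVISIONS, weights):
        print(f"{division:34s} {score:7.1f}")
```

Running the script reproduces the Attachment 2 weight column to one decimal (Purchasing & Contracting 11.0, Compliance 10.1, Information Technology 9.9, down to Business Plan Volatility 2.5). The ranking step is where the caveat in the Important note applies: a high weighted total flags potential impact if something goes wrong, not a finding about how the division is managed.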