The URL can be used to link to this page

Home My WebLink About04/04/2018 - Regular Minutes - City Council - Audit CommitteeJeff Kersten, Assistant City Manager, provided an update on the Comprehensive Annual Financial Report. The CAFR was taken to Council after the Audit Committee not being able to meet prior. Ty Elliott, Internal Auditor, reminded the Committee that the external and single audits should be brought to the Audit Committee before going to City Council. Jeff Kersten, Assistant City Manager, also commented that the city will be in the process of preparing an RFP for an external auditor. James Benham, Mayor Pro Tem, was in favor of external audit firm rotation. Ty Elliott commented on the advantages and disadvantages of audit firm rotation. Mainly the impact of cost and on staff. Regular Agenda Item No. 4 - Presentation, possible action, and discussion regarding an update of internal audit follow-up work. Ty Elliott, Internal Auditor, provided a complete list of every recommendation and the status of each recommendation that their office has issued. In their commitment to do better following up on recommendations, the auditor's office has developed a new follow-up policy. James Benham, suggested that recommendations left blank have a status update of "Pending Update". The auditor's are committed to having a status update for all recommendations. Regular Agenda Item No. 5 - Presentation, possible action, and discussion of annual internal audit performance metrics. Ty Elliott, Internal Auditor, provided an update on the assessment of the annual internal audit performance metrics. The internal auditor has established an audit follow-up policy and procedure. Staff was seeking guidance regarding performance metrics and goals for the auditor's office. It was suggested by James Benham, Mayor Pro Tem, staff choose items that matter to them. The auditor's office is planning their first peer review this summer and was seeking direction from the audit committee regarding the terms of the agreement for the services with ALGA. The recommendation from staff is for the City to make arrangements for a rental car and insurance to cover any liability. By consensus, the Committee agreed to move forward with the staff s recommendation. Regular Agenda Item No. 6 - Presentation, possible action and discussion regarding an update of the city-wide COSO Assessment. Internal Auditor, Ty Elliott, updated the Committee on the status of the COSO Assessment. Regular Agenda Item No. 7 - Presentation, possible action and discussion regarding future agenda items. Ty Elliott, Internal Auditor, is to come back to the audit committee with agenda item to discuss how to better handle fraud investigations in the event a fraud investigation is predicated. Regular Agenda Item No. 8 - Adiourn. There being no further business, Mayor Mooney adjourned the meeting at 11:54 a.m/ on Monday, April 04, 2018. ATTEST: Yv Fte Dela Torre, Deputy Local Registrar Published FY (All) Count of #Column Labels Row Labels Implemented NA Not Addressed Not Implemented Concurred 74 1 6 NA 2 Non-Concurred 1 1 Not Addressed 2 Partially Concurred 2 1 Grand Total 77 2 3 8 Partially Implemented (blank)Grand Total 14 55 150 2 2 1 5 2 4 7 16 60 166 Audit Report Audit Recommendation Description Management Response Recommendation Implementation Published Date Follow-Up Date Purchasing Cards (02.07)Incorporate proper use of p-cards into performance evaluations Concurred Implemented Feb-08 Jan-09 Purchasing Cards (02.07)Make spending limits commensurate with cardholder needs Concurred Implemented Feb-08 Jan-09 Purchasing Cards (02.07)Reduce the number of p-cards Concurred Implemented Feb-08 Jan-09 Purchasing Cards (02.07)Ensure approvers have sufficient authority & independence Concurred Implemented Feb-08 Jan-09 Purchasing Cards (02.07)Institute proper segregation of duties Concurred Implemented Feb-08 Jan-09 Purchasing Cards (02.07)Restrict further vendor categories (MCC codes)Concurred Implemented Feb-08 Jan-09 Purchasing Cards (02.07)Prevent employees from having access to multiple cards Concurred Implemented Feb-08 Jan-09 Purchasing Cards (02.07)Revise the purchasing manual Concurred Implemented Feb-08 Jan-09 Purchasing Cards (02.07)Improve training for p-card users Concurred Implemented Feb-08 Jan-09 Purchasing Cards (02.07)Improve training for p-card administrators Concurred Implemented Feb-08 Jan-09 Purchasing Processes (02.07)Require annual certification of the purchasing manual Concurred Implemented Oct-08 Jul-10 Purchasing Processes (02.07)Establish approval hierarchies Concurred Implemented Oct-08 Jul-10 Purchasing Processes (02.07)Limit access to the vendor master file Concurred Implemented Oct-08 Jul-10 Purchasing Processes (02.07)Institute proper segregation of duties Concurred Implemented Oct-08 Jul-10 Purchasing Processes (02.07)Reevaluate need of users with administrator access Concurred Implemented Oct-08 Jul-10 Purchasing Processes (02.07)Implement stronger check security controls Concurred Implemented Oct-08 Jul-10 Fuel Audit (09.01)Improve the reconciliation processes Concurred Implemented May-09 Feb-10 Fuel Audit (09.01)Improve fuel management system data integrity Concurred Implemented May-09 Feb-10 Fuel Audit (09.01)Implement odometer reasonability controls Concurred Implemented May-09 Feb-10 Fuel Audit (09.01)Implement fuel card quantity restriction controls Concurred Implemented May-09 Feb-10 Fuel Audit (09.01)Improve fuel card usage monitoring procedures Concurred Implemented May-09 Feb-10 Fuel Audit (09.01)Distribute fuel procedures to authorized users Concurred Implemented May-09 Feb-10 Fuel Audit (09.01)Conduct an overhead rate analysis Concurred Implemented May-09 Feb-10 Utility Customer Service Cash Handling (09-02)Institute proper segregation of duties Partially Concurred Implemented Nov-09 Sep-12 Utility Customer Service Cash Handling (09-02)Restrict cashiers from making credit adjustments Concurred Implemented Nov-09 Sep-12 Utility Customer Service Cash Handling (09-02)Improve cash control policies & procedures Concurred Implemented Nov-09 Sep-12 Utility Customer Service Cash Handling (09-02)Cease cashing employees' personal checks Concurred Implemented Nov-09 Sep-12 Utility Customer Service Cash Handling (09-02)Reevaluate the adjustment process for customer accounts Concurred Implemented Nov-09 Sep-12 Utility Customer Service Cash Handling (09-02)Implement electronic signatures when making adjustments Concurred Not Implemented Nov-09 Sep-12 Payroll Overtime & Compensatory Time (10-02)Align policy with FLSA minimum requirements Concurred Implemented May-10 Sep-12 Payroll Overtime & Compensatory Time (10-02)Adjust Fire compensation to align with FLSA 207(k) exemption Concurred Implemented May-10 Sep-12 Payroll Overtime & Compensatory Time (10-02)Reduce/emiminate seasonal employee overtime Concurred Implemented May-10 Sep-12 Payroll Overtime & Compensatory Time (10-02)Eliminate the practice of using comptime to earn overtime Concurred Implemented May-10 Sep-12 Payroll Overtime & Compensatory Time (10-02)Ensure that all seasonal employees are properly classified Concurred Implemented May-10 Sep-12 Payroll Overtime & Compensatory Time (10-02)Ensure secondary employment meets FLSA regulations Concurred Implemented May-10 Sep-12 Parks & Recreation Concessions Cash Handling (10-03)Maintain separate inventories by location Concurred Implemented Nov-10 Sep-12 Parks & Recreation Concessions Cash Handling (10-03)Implement nightly deposit procedures Concurred Implemented Nov-10 Sep-12 Parks & Recreation Concessions Cash Handling (10-03)Conduct daily reconciliations Concurred Implemented Nov-10 Sep-12 Parks & Recreation Concessions Cash Handling (10-03)Strengthen cash receipt controls Concurred Implemented Nov-10 Sep-12 Parks & Recreation Concessions Cash Handling (10-03)Ensure functioning cash registers Concurred Implemented Nov-10 Sep-12 Parks & Recreation Concessions Cash Handling (10-03)Prevent cashiers from sharing login information Concurred Implemented Nov-10 Sep-12 Audit Report Audit Recommendation Description Management Response Recommendation Implementation Published Date Follow-Up Date Parks & Recreation Concessions Cash Handling (10-03)Improve receipt documentation controls Concurred Implemented Nov-10 Sep-12 Parks & Recreation Concessions Cash Handling (10-03)Disseminate cash handling policies & procedures Concurred Implemented Nov-10 Sep-12 Parks & Recreation Concessions Cash Handling (10-03)Maintain detailed sales receipts Concurred Implemented Nov-10 Sep-12 Parks & Recreation Concessions Cash Handling (10-03)Prohibit cash payments to temporary staff Concurred Implemented Nov-10 Sep-12 Parks & Recreation Concessions Cash Handling (10-03)Consider outsourcing concession operations Concurred Implemented Nov-10 Sep-12 Parks & Recreation Aquatics (10-04)Move to a seasonal staffing model Concurred Implemented Feb-11 Sep-12 Parks & Recreation Aquatics (10-04)Cease staffing the Natatorium with City personnel Partially Concurred Implemented Feb-11 Sep-12 Parks & Recreation Aquatics (10-04)Eliminate expenditures misaligned with objectives of program Concurred Implemented Feb-11 Sep-12 Parks & Recreation Aquatics (10-04)Reduce seasonal staff overtime Concurred Implemented Feb-11 Sep-12 Parks & Recreation Aquatics (10-04)Reduce training expenditures for seasonal staff Concurred Implemented Feb-11 Sep-12 Convention & Visitor's Bureau (11-01)Reduce bias in consultant driven reports Concurred Implemented Aug-11 Sep-12 Convention & Visitor's Bureau (11-01)Produce more reliable reporting (e.g. hotel visits data)Concurred Implemented Aug-11 Sep-12 Convention & Visitor's Bureau (11-01)Redesign performance metrics Concurred Implemented Aug-11 Sep-12 Convention & Visitor's Bureau (11-01)Update personnel policies and procedures Concurred Implemented Aug-11 Sep-12 Convention & Visitor's Bureau (11-01)Require sufficient purchasing documentation Concurred Implemented Aug-11 Sep-12 Convention & Visitor's Bureau (11-01)Scrutinize travel, entertainment, and party expenditures Concurred Implemented Aug-11 Sep-12 Convention & Visitor's Bureau (11-01)Require adequate supervision of purchases Concurred Implemented Aug-11 Sep-12 Convention & Visitor's Bureau (11-01)Improve check security and authorization controls Concurred Partially Implemented Aug-11 Sep-12 Convention & Visitor's Bureau (11-01)Institute proper segregation of duties Concurred Implemented Aug-11 Sep-12 Payroll (11-02)Enhance direct deposit security measures Concurred Jun-12 Payroll (11-02)Implement automated timekeeping system Concurred Implemented Jun-12 Payroll (11-02)Timely remove all inactive employees Concurred Jun-12 Payroll (11-02)File official documentation for all pay rate changes Concurred Jun-12 Payroll (11-02)Institute a "trigger point" policy Non-Concurred Not Implemented Jun-12 Contract Administration (12-02)Create a city-wide contract administration policy Concurred Dec-12 Contract Administration (12-02)Hold regular contract administrators training Concurred Dec-12 Contract Administration (12-02)Ensure change order policies are aligned with practices Concurred Dec-12 Contract Administration (12-02)Revise the project delivery manual (Public works)Concurred Dec-12 Contract Administration (12-02)Enhance risk and performance reporting (Public Works)Concurred Dec-12 Contract Administration (12-02)Revise contract administration policies (CSU)Concurred Dec-12 Contract Administration (12-02)Enhance risk and performance reporting (CSU)Concurred Dec-12 Contract Administration (12-02)Institute a contract document filing system (CSU)Concurred Dec-12 Contract Administration (12-02)Revise contract administration policies (Parks & Rec)Concurred Dec-12 Contract Administration (12-02)Enhance risk and performance reporting (Parks & Rec)Concurred Dec-12 Contract Administration (12-02)Institute a contract document filing system (Parks & Rec)Concurred Dec-12 Fire Asset Management (13-01)Obtain an integrated ERP system Concurred Implemented Jul-13 Feb-18 Fire Asset Management (13-01)Create a policy for dealing with 3rd party management systems Concurred Implemented Jul-13 Feb-18 Fire Asset Management (13-01)Emphasize interdepartmental communication Concurred Implemented Jul-13 Feb-18 Fire Asset Management (13-01)Strengthen asset disposal policies Concurred Partially Implemented Jul-13 Feb-18 Fire Asset Management (13-01)Improve asset management data integrity Concurred Implemented Jul-13 Feb-18 Fire Asset Management (13-01)Develop effective method for locating assets Concurred Partially Implemented Jul-13 Feb-18 Audit Report Audit Recommendation Description Management Response Recommendation Implementation Published Date Follow-Up Date Asset Management (13-02)Timely record capital assets into the City record Concurred Implemented Oct-13 Feb-18 Asset Management (13-02)Conduct periodic capital asset inventories Concurred Not Implemented Oct-13 Feb-18 Asset Management (13-02)Ensure capital asset records are reliable Concurred Implemented Oct-13 Feb-18 Asset Management (13-02)Estimate capital asset useful life consistently Concurred Implemented Oct-13 Feb-18 Asset Management (13-02)Consistently capitalize multi-part assets Concurred Implemented Oct-13 Feb-18 Asset Management (13-02)Properly record the disposal of capital assets Concurred Implemented Oct-13 Feb-18 Ringer Library (13-03)Modify computer use policy to reduce staff time Concurred Apr-14 Ringer Library (13-03)Institute job rotations and cross training Non-Concurred Apr-14 Ringer Library (13-03)Set reasonable catologing performance standards Concurred Apr-14 Ringer Library (13-03)Allocate a larger portion of the budget to materials Concurred Apr-14 Ringer Library (13-03)Revise the collection development policy Concurred Apr-14 Ringer Library (13-03)Utilize analytics & other best practices outlined in CREW Concurred Apr-14 Ringer Library (13-03)Evaluate programs based on effectiveness & efficiency Concurred Apr-14 Ringer Library (13-03)Reduce the number of clerks assigned to circulation Concurred Apr-14 Ringer Library (13-03)Institute a seasonal staffing model for clerks Concurred Apr-14 Ringer Library (13-03)Repair or replace the self checkout machine Concurred Apr-14 Ringer Library (13-03)Focus efforts on functions within stated job descriptions Concurred Apr-14 Ringer Library (13-03)Consider operation costs, staff input, & noise reduction in renovation Concurred Apr-14 Ringer Library (13-03)Perserve the library agreement between the two cities Concurred Apr-14 Change Order (14-01)Ensure change order authorization controls Concurred Aug-14 Change Order (14-01)Improve change order documentation procedures Concurred Aug-14 Change Order (14-01)Emphasize negotiating change order prices Concurred Aug-14 Change Order (14-01)Distribute fraud hotline information to vendors Concurred Aug-14 City Facility Risk Assessment (14-03)Invest in current City Hall facility or fund new facility Concurred Not Implemented Sep-14 Dependent Eligibility Implement a comprehensive employee communication plan Concurred Nov-14 Dependent Eligibility Change dependent criteria (legal guardian)Partially Concurred Nov-14 Dependent Eligibility Develop adependent verification process Concurred Implemented Nov-14 Employee Reimbursements (14-02)Do not include employees in the vendors master file Concurred Nov-14 Itemized Receipts (14-04)Require stricter enforcement of p-card processes Concurred Nov-14 Electric Meter Installation & Account Creation (14-05)Improve inventory adjustment controls Concurred Jan-15 Electric Meter Installation & Account Creation (14-05)Enhance cross departmental communication Concurred Jan-15 Electric Meter Installation & Account Creation (14-05)Consider one-stop solution regarding City Hall location Concurred Not Implemented Jan-15 Delinquent Accounts (14.03)Revise policies and procedures Concurred Mar-15 Delinquent Accounts (14.03)Strengthen collection & write-off controls Concurred Mar-15 Delinquent Accounts (14.03)Don't delete customer financial records Partially Concurred Mar-15 Street Maintenance (15-02)Reinstitute skill-based pay for heavy equipment operators Concurred Implemented Nov-15 Jan-18 Street Maintenance (15-02)Increased funding for skill-based pay for mechanics Concurred Implemented Nov-15 Jan-18 Street Maintenance (15-02)Alter the frequency of payment condition analyses Concurred Partially Implemented Nov-15 Jan-18 Street Maintenance (15-02)Increase contractor milling and overlay projects Concurred Implemented Nov-15 Jan-18 Street Maintenance (15-02)Reallocate more resources to preventative maintenance Concurred Partially Implemented Nov-15 Jan-18 Street Maintenance (15-02)Raise standards of street construction for residential streets Concurred Implemented Nov-15 Jan-18 Audit Report Audit Recommendation Description Management Response Recommendation Implementation Published Date Follow-Up Date Street Maintenance (15-02)Research long-term switch to concrete streets Concurred Implemented Nov-15 Jan-18 Street Maintenance (15-02)Create dedicated fund for street maintenance Concurred Implemented Nov-15 Jan-18 Police inventory (15-05)Automate inventory records in accountable system Concurred Not Implemented Dec-15 Feb-18 Police inventory (15-05)Centralize inventory storage Concurred Partially Implemented Dec-15 Feb-18 Police inventory (15-05)Institute proper segregation of duties Concurred Not Implemented Dec-15 Feb-18 Convention & Visitor's Bureau (15-06)Take steps to reach a reasonable liquidity ratio Non-Concurred Partially Implemented Apr-16 Jan-18 Convention & Visitor's Bureau (15-06)Implement job costing procedures Partially Concurred Not Implemented Apr-16 Jan-18 Convention & Visitor's Bureau (15-06)Reevaluate the costs and benefits of expenditures Concurred Implemented Apr-16 Jan-18 Convention & Visitor's Bureau (15-06)Reevaluate mission, goals, and objectives Concurred Partially Implemented Apr-16 Jan-18 Convention & Visitor's Bureau (15-06)Reevaluate the utilizations of the DMAI Calculator Non-Concurred Partially Implemented Apr-16 Jan-18 Convention & Visitor's Bureau (15-06)Develop new CVB strategy with Board engagement Non-Concurred Implemented Apr-16 Jan-18 Water Demand Forecasting (15-04)Implement more sophisticated forecasting methods Concurred Partially Implemented Oct-16 Dec-17 Water Demand Forecasting (15-04)Consider the impacts of climate change Concurred Partially Implemented Oct-16 Dec-17 Water Demand Forecasting (15-04)Implement a rate structure that incentivize departmental goals Concurred Partially Implemented Oct-16 Dec-17 Water Demand Forecasting (15-04)Update forecasts more regularly Concurred Partially Implemented Oct-16 Dec-17 Water Demand Forecasting (15-04)Consider risks with consultant forecasts Concurred Partially Implemented Oct-16 Dec-17 Fire Prevention (17-03)Develop a risk-based multi-year schedule Concurred Not Addressed May-17 Jan-18 Fire Prevention (17-03)Institute a commercial self-inspection program Not Addressed Not Addressed May-17 Jan-18 Fire Prevention (17-03)Achieve greater coverage with certified suppression crews Not Addressed Not Addressed May-17 Jan-18 Fire Prevention (17-03)Fund additional staff through the use of fees Concurred Partially Implemented May-17 Jan-18 Fire Prevention (17-03)Develop process to report fire cause of origin Concurred Partially Implemented May-17 Jan-18 Sanitation (17-04)Investigate accountable routing methods Concurred Oct-17 Sanitation (17-04)Create stronger enforcement methods for obstructed canisters Partially Concurred Oct-17 Sanitation (17-04)Develop hiring guidelines based on route balancing Concurred Oct-17 Sanitation (17-04)Institute a hierarchal promotional system for route managers Concurred Oct-17 Sanitation (17-04)Separate residential recycling and refuse collection days Concurred Oct-17 Sanitation (17-04)Reevaluate Sanitation's role in the development process Concurred Oct-17 Sanitation (17-04)Adjust scheduling procedures to aid route balancing Concurred Oct-17 Sanitation (17-04)Develop Sanitation vehicle safety PSAs Concurred Oct-17 Research Valley Partnership (18-01)Update process narratives to prior to each external audit Concurred Oct-17 Research Valley Partnership (18-01)Ensure compensation and benefit forms are complete Concurred Oct-17 Research Valley Partnership (18-01)Improve write-off controls Concurred Oct-17 Research Valley Partnership (18-01)Improve internal controls over AP authorization Concurred Oct-17 Purchasing Cards (17-01)Improve authorization internal controls Concurred Nov-17 Purchasing Cards (17-01)Ensure the p-cards of terminated employees are timely closed Concurred Nov-17 Purchasing Cards (17-01)Improve controls to prevent split purchases Concurred Nov-17 Purchasing Cards (17-01)Improve controls over single and monthly transaction limits Concurred Nov-17 Purchasing Cards (17-01)Reassign cardholders into appropriate spending categories Partially Concurred Nov-17 Fees (15-01)Did not complete the audit NA NA NA NA Police Evidence (15-07)Did not complete the audit NA NA NA NA TY ELLIOTT CITY INTERNAL AUDIT OFFICE AUDIT COMMITTEE City Internal Auditor 1101 Texas Ave. Mayor Karl Mooney telliott@cstx.gov College Station, TX 77840 Councilmember Linda Harvell TEL: (979) 764-6269 Councilmember James Benham Mike Ashfield Nate Sharp TO: Audit Committee Members FROM: Ty Elliott, City Internal Auditor DATE: April 3, 2018 SUBJECT: Request for Guidance on Performance Metrics ATTACHMENTS: Follow-Up Policy Since the conception of our Office, we have been presenting the Audit Committee with annual reports. These reports typically include a summary of the work performed during the previous year, an overview of each of the audits and non-audit services provided, and some kind of performance metrics. Recently, we have established an audit follow-up policy and procedure, which has allowed us to more fully analyze the impacts of our work. In addition, we are planning our first peer review for this summer. According to Generally Accepted Government Auditing Standards (GAGAS), audit organizations must have an external peer review performed by reviewers independent of the audit organization being reviewed at least once every three years. We are currently negotiating an agreement for these services, and will be seeking direction from the audit committee regarding terms of the agreement. We would like the Audit Committee’s guidance regarding future performance metrics and performance goals for the Audit Office. The table below lists several possible metrics and proposed goals that could be used to this end. A more in-depth description of each metric follows. Table 1: Possible Performance Metrics Performance Metric Office Total FY15 – FY17 Proposed FY Goal Number of Audits Published 29 10 Complete Audit Plan Number of Recommendations 164 38 N/A Concurment Rate 95.7% 86.8% Greater than 90% Full Concurment Rate 91.5% 78.9% Greater than 85% Follow-Up Reviews 19 7 All Audits Number of Reviewed Recommendations 104 29 N/A Implementation Rate 89.4% 75.9% Greater than 80% Full Implementation Rate 74.0% 31.0% Greater than 75% Cleared Implementation Rate NA NA Greater than 85% Neglected Rate 6.7% 13.8% Less than 5% “In Spite Of” Recommendations 3 3 N/A Average Time Between Follow-Up & Audit 24 Months 19 Months 6 - 12 Months Peer review received every three years according to GAGAS Full Compliance Successfully pass GAGAS approved peer review Pass without Deficiencies TY ELLIOTT CITY INTERNAL AUDIT OFFICE AUDIT COMMITTEE City Internal Auditor 1101 Texas Ave. Mayor Karl Mooney telliott@cstx.gov College Station, TX 77840 Councilmember Linda Harvell TEL: (979) 764-6269 Councilmember James Benham Mike Ashfield Nate Sharp Number of Audits Published and Number of Recommendations. The number of audits performed and the number of recommendations that were developed from this work. Ideally, all audits from the audit plan would be completed during the fiscal year, however, it is not appropriate to set a goal for recommendations issued, as these stem directly from the condition of the auditee. Concurment Rate. The percentage of recommendations that the auditees fully or partially concurred with out of all recommendations. Full Concurment Rate. The percentage of recommendations that the auditees fully concurred with out of all recommendations. Follow-Up Reviews and Number of Reviewed Recommendations. The number of audits that received a follow-up review and the number of recommendations from these reviews. Ideally, all audits should receive some form of follow-up. After discussion with the audit committee in December of 2017, our Office developed a policy to address follow-up review procedures – this policy is attached. Implementation Rate: The percentage of recommendations that the auditees have fully or partially implemented out of reviewed recommendations. Full Implementation Rate: The percentage of recommendations that the auditees have fully implemented out of reviewed recommendations. Cleared Implementation Rate: The percentage of recommendations implemented or have been “cleared” because the recommendation has been determined to not be critical or feasible. Neglected Rate: The percentage of recommendations with which the auditee originally concurred, but have not fully or partially implemented out of reviewed recommendations. “In Spite Of” Recommendations. The number of recommendations that have been fully or partially implemented, but with which the auditee did not originally concur. Average Time Between Follow-Up & Audit. The number of months between the audit’s publication and completion of the follow-up review. According to the attached policy, follow-ups should be completed between 6 and 12 months after the audit’s publication. In addition, our annual report can include summaries of work completed during the year, more detail regarding the implementation of audit recommendations, and future plans for the Office. We look forward to hearing your thoughts and questions regarding these measures and our current performance. Please feel free to suggest any metrics or information that would interest you. As always, my door is always open. Sincerely, Ty L Elliott CIA, CFE, CGAP, COSO City Internal Auditor Internal Control Component COSO Principle Principle Objective Principle Deployed?Point of Focus Major Controls Compensat ing Controls Major Controls Compensat ing Controls Sets Tone at the Top 7 3 6 2 Establishes Standards of Conduct 1 2 1 1 Evaluates Adherence to Standards of Conduct 2 1 2 1 Addresses Deviations in a Timely Manner 5 0 5 0 Establishes Oversight Responsibilities 3 0 3 0 Applies Relevant Expertise 2 0 2 0 Operates Independently 2 0 2 0 Provides Oversight for the System of Internal Control 1 2 1 2 Considers all Structures of the Entity 3 1 3 0 Establishes Reporting Lines 3 1 3 1 Defines, Assigns, and Limits Authorities and Responsibilities 6 2 6 1 Establishes Policies and Practices 1 1 1 0 Evaluates Competence and Addresses Shortcomings 8 1 7 0 Attracts, Develops, and Retains Individuals 5 2 5 1 Plans and Prepares for Succession 0 2 0 2 Enforces Accountability through Structures, Authorities, and Responsibilities 6 3 5 2 Establishes Performance Measures, Incentives, and Rewards 1 1 1 0 Evaluates Performance Measures, Incentives, and Rewards for Ongoing Relevance 2 1 2 0 Considers Excessive Pressures 2 1 2 1 COSO Framework Total Controls Effective Controls Control Environment Principle 1: Demonstrates Commitment to Integrity and Ethical Values The organization demonstrates a commitment to integrity and ethical values Yes Principle 2: Exercises Oversight Responsibility The City Council demonstrates independence from management and exercises oversight of the development and performance of internal control.Yes Principle 3: Establishes Structure, Authority, and Responsibility Management establishes, with Council oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. Yes Principle 4: Demonstrates Commitment to Competence The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.Yes Principle 5: Enforces Accountability The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives. Yes Internal Control Component COSO Principle Principle Objective Principle Deployed?Point of Focus Major Controls Compensat ing Controls Major Controls Compensat ing Controls Evaluates Performance and Rewards or Disciplines Individuals 4 1 2 0 Operations Objectives Reflect Management's Choices 3 0 3 0 Operations Objectives Consider Tolerances for Risk 1 1 1 1 Includes Operations and Financial Performance Goals 2 0 2 0 Forms a Basis for Committing of Resources 2 0 2 0 Complies with Applicable Accounting Standards 2 0 2 0 Considers Materiality 2 0 2 0 External Financial Reporting Objectives Reflect Entity Activities 2 0 2 0 Complies with Externally Established Standards and Frameworks 0 2 0 2 External Non-Financial Reporting Objectives Consider the Required Level of Precision 1 1 1 1 External Non-Financial Reporting Objectives Reflect Entity Activities 1 1 1 1 Internal Reporting Objectives Reflect Management's Choices 1 0 Internal Reporting Objectives Consider the Required Level of Precision 1 0 Internal Reporting Objectives Reflect Entity Activities 1 0 Reflects External Laws and Regulations 2 2 2 2 Compliance Objectives Consider Tolerances for Risk 1 1 1 1 Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels 3 3 3 3 Analyzes Internal and External Factors 9 5 8 4 Involves Appropriate Levels of Management 2 2 2 2 Risk Assessment Principle 7: Identifies and Analyzes Risk The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.Yes Yes Principle 6: Specifies Suitable Objectives The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives Internal Control Component COSO Principle Principle Objective Principle Deployed?Point of Focus Major Controls Compensat ing Controls Major Controls Compensat ing Controls Estimates Significance of Risks Identified 1 2 0 2 Determines How to Responde to Risks 2 2 2 2 Considers Various types of Fraud 3 0 3 0 Assesses Incentives & Pressures 2 0 2 0 Assesses Opportunities 2 0 2 0 Assesses Attitudes and Rationalizations 2 0 2 0 Assesses Changes in the External Environment 4 1 3 1 Assesses Changes in the Business Model 2 1 2 1 Assesses Changes in Leadership 1 1 1 1 Principle 8: Assesses Fraud Risk The organization considers the potential for fraud in assessing risks to the achievement of objectives.Yes Principle 9: Identifies and Analyzes Significant Change The organization identifies and assesses changes that could significantly impact the system of internal control.Yes Principle 1: Demonstrates Commitment to Integrity and Ethical Values Objective: The organization demonstrates a commitment to Integrity and Ethical Values Auditor Conclusion: We have performed audit procedures to assess if the entity level controls below are deployed across the City to provide reasonable assurance that the above principal is present. The results of these audit procedures are documented below. Are entity level controls deployed across the City to demonstrate the key principle above is present? YES Points of Focus Control Activity Point of Focus Supported Control Component Control Type Ref. Docs Audit Testing Procedures Audit Results Auditor Control Effective Auditor Notes Employee Handbook (section 9) Major Preventive WP D-4 WP C-2 Reviewed the City's Employee Handbook and compared it to criteria identified in the Green Book's "Internal Control Management and Evaluation Tool." The employee handbook contains adequate policies to establish an ethical tone at the top. MR 12.14.17 Yes Benefits Open Enrollment and Employee Handbook Compensati ng Preventive WP D-5 WP D-33 Reviewed the acknowledgement language used during Open Enrollment. The City of College Station's employee handbook only requires an employee to know where they can review the Handbook, not for the employee to acknowledge that they "know" the policies contained within it. MR 12.18.17 No Employees should be required to read the employee handbook, however, the City has reinforced ethical values through a number of other compensating controls. RECOMMENDATION: Change the language used during open enrollment to state that the employee "knows" what policies are included in the handbook. Performance Appraisals Major Detective WP C-23 WP D-16 Reviewed all 2015 employee appraisal templates provided by Human Resources. Only 17% of reviewed templates included an evaluation of ethics and integrity. However, 75% of evaluations reviewed the employee's adherence to City and Department policies and procedures - which include the Code of Ethics. This means that 79% of templates included a review of ethics and integrity either directly or indirectly. MR 12.22.17 No While including an evaluation of ethics and integrity is a positive step in encouraging an ethical organizational culture, it is not necessary for an adequately ethical "tone at the top," especially considering most employees are evaluated on their compliance with policies and procedures. Internal Audit Office Major Detective WP C-1 WP C-7 WP C-8 WP C-23 WP C-51 WP D-15 WP D-26 Reviewed the City Charter, City Ordinances, and City Internal Audit Office's webpage and compared this documentation to criteria identified in the Green Book's "Internal Control Management and Evaluation Tool." Reviewed management responses and audit recommendation implementation efforts to previous internal audit engagements (164 recommendations) over the last 10 fiscal years. We found evidence that the City Internal Audit Office is set up to effectively evaluate the City's internal control structure. Also, management generally concurs with and implements both internal audit and external audit recommendations MR 01.04.18 SS 01.30.18 Yes Financial Transparency and Open Records Requests Major Preventive WP C-1 WP C-5 WP C-21 WP C-53 WP C-54 WP D-28 Reviewed the City's webpage about financial transparency and examined all external audit recommendations from FY06 through FY16. The City promotes ethical behavior by publishing many financial documents online for public review and undergoing an external audit annually. SS 01.17.18 Yes Strategic Plan Major Preventive WP C-18 Reviewd the City's 2017 Strategic Plan.The City's Strategic Plan lists "Do the right thing. Act with integrity and honesty" as an organizational value. MR 02.19.18 Yes Sets the Tone at the Top – The City Council and management at all levels of the entity demonstrate through their directives, actions, and behavior the importance of integrity and ethical values to support the functioning of the system of internal control. The City has a formal Employee Handbook that includes a Code of Ethics section. Each year during benefits Open Enrollment employees are required to acknowledge that they know where to read the handbook. Newly hired employees are also briefed on the City's ethical expectations during New Hire Orientation and most departments have additional ethics and integrity training or policies that they expect their employees to follow. The City also supports a number of transparency efforts such as the Internal Audit Office, Open Records Requests, and financial transparency efforts. Some performance appraisals also include evaluations of an employee's integrity and ethical behavior. Integrity and honesty were also identified by the City Council as organizational values. Finally, there is evidence that the City has disciplined employees due to ethics violations in the past. While we found that few performance appraisals include a direct evaluation of an employees adherence to the City's ethical standards, most reviewed the City's adherence to City policies - including the Code of Ethics. In addition, the City adequately supports an ethical "tone at the top" through a number of other methods. Though we found that this point of focus is designed and operating effectively, we believe it could be improved by altering the Employee Handbook acknowledgement language to state that employees "know" what policies are included in the handbook. Yes Principle 1: Demonstrates Commitment to Integrity and Ethical Values Objective: The organization demonstrates a commitment to Integrity and Ethical Values Auditor Conclusion: We have performed audit procedures to assess if the entity level controls below are deployed across the City to provide reasonable assurance that the above principal is present. The results of these audit procedures are documented below. Are entity level controls deployed across the City to demonstrate the key principle above is present? YES Points of Focus Control Activity Point of Focus Supported Control Component Control Type Ref. Docs Audit Testing Procedures Audit Results Auditor Control Effective Auditor Notes New Hire Orientation Employee Handbook (section 2.12) Major Preventive WP C-2 WP C-14 WP C-15 Reviewed the City's Employee Handbook. Reviewed the City's New Hire Orientation agenda and booklet. All newly hired regular full-time and part- time employees must attend New Hire Orientation. During this orientation, HR staff spends 30 minutes discussing ethics and integrity. Additionally, the City's Code of Ethics is included in the new hire booklet. MR 02.08.18 Yes Informal monitoring mechanisms Compensati ng Detective WP C-51 WP D-25 Reviewed previous audit observations.There is evidence of informal monitoring mechanisms among employees that reinforce integrity and ethical behavior. MR 02.02.18 Yes HR's Case Management System (Tyler Munis) Major Corrective WP D-24 WP C-46 Reviewed the Case Management system from March 2017 and interviewed staff from the Human Resources department. Found evidence that 10 employees who had deviated from standards of conduct (Code of Ethics) were reported to HR and handled using the Case Management System. MR 01.25.18 Yes Individual Department policies and procedures Compensati ng Preventive WP D-32 Surveyed 14 Department Directors regarding how they remove the temptation for unethical behavior. 86% of departments have additional policies and procedures to remove temptation for unethical behavior above what the City already provides. MR 02.09.18 Yes Employee Handbook (section 9) Major Preventive WP D-4 Reviewed the City's Employee Handbook and compared it to criteria identified in the Green Book's "Internal Control Management and Evaluation Tool." The Employee Handbook contains adequate policies related to ethics and integrity. MR 12.14.17 Yes Job Descriptions Compensati ng Preventive WP D-7 WP D-9 From a sample of 198 job descriptions (giving us a 95% confidence that the estimated percentages are within plus or minus 5% of the true value), we evaluated if the job description listed any ethical behavioral traits as part of the job duties or qualifications. Only 12% of reviewed job descriptions included specific employee responsibilities or qualifications related to ethics or integrity. Additionally, we found evidence that job descriptions were developed with the help of HR. MR 12.19.17 No While this control component would add additional weight to establishing standards of conduct, a formal City- wide Employee Handbook with a dedicated Ethics and Integrity section is an adequate level of control. Individual Department policies and procedures Compensati ng Preventive WP D-32 WP I-7 WP I-9 WP I-17 WP I-37 Surveyed 14 Department Directors regarding how they remove the temptation for unethical behavior in their department. 86% of departments have additional policies and procedures to remove temptation for unethical behavior above what the City already does. MR 02.09.18 Yes Performance Appraisals Major Detective WP C-13 WP C-25 WP C-57 WP D-22 From a sample of 87 full-time employees (giving us a 95% confidence that the estimated percentages are within plus or minus 10% of the true value), we identified if an employee had a FY17 performance appraisal in their employee file. E-mailed HR staff regarding employees whose appraisals were not easily located. 86% of the employees sampled had been evaluated during FY17. The other 14% were either new hires or had been recently promoted and thus did not receive and end of year performance appraisal. MR 01.10.18 MR 02.20.18 Yes Establishes Standards of Conduct – The expectations of the City Council and senior management concerning integrity and ethical values are defined in the entity’s standards of conduct and understood at all levels of the organization and by outsourced service providers and business partners. A formal standard of conduct is established in the Employee Handbook Code of Ethics section. Furthermore, most departments have additional ethics and integrity training or policies that they expect their employees to follow. Finally, some job descriptions list specific employee responsibilities or qualifications related to ethics and integrity that are expected; while this control component would add additional weight to establishing standards of conduct, a formal City-wide Employee Handbook with a dedicated Code of Ethics adequately establishes standards of conduct. Yes Evaluates Adherence to Standards of Conduct – Processes are in place to evaluate the performance of individuals and teams against the entity’s expected standards of conduct. At least annually, fulltime employees recieve performance evaluations by their supervisor. All department directors also believe their employees are provided with the proper amount of supervision to supplement annual appraisals. While we found that few performance appraisals include a direct evaluation of an employees adherence to ethical standards, most evaluated the employee's adherence to City policies - Yes Principle 1: Demonstrates Commitment to Integrity and Ethical Values Objective: The organization demonstrates a commitment to Integrity and Ethical Values Auditor Conclusion: We have performed audit procedures to assess if the entity level controls below are deployed across the City to provide reasonable assurance that the above principal is present. The results of these audit procedures are documented below. Are entity level controls deployed across the City to demonstrate the key principle above is present? YES Points of Focus Control Activity Point of Focus Supported Control Component Control Type Ref. Docs Audit Testing Procedures Audit Results Auditor Control Effective Auditor Notes Performance Appraisals Major Preventive WP C-23 WP D-16 WP D-33 Reviewed all 2015 employee appraisal templates provided by Human Resources. Only 17% of reviewed templates included an evaluation of ethics and integrity. However, 75% of evaluations reviewed the employee's adherence to City and Department policies and procedures - which include the Code of Ethics. This means that 79% of templates included a review of ethics and integrity either directly or indirectly. MR 12.22.17 Yes Performance appraisals should be designed to directly include an evaluation of an employee's ethics and integrity. RECOMMENDATION: Design a performance appraisal template that is used City wide and includes criteria that should be common to all City employees. Employee Supervision Compensati ng Detective WP D-32 WP I-37 Surveyed 14 Department directors regarding their opinion on if employees are provided the proper amount of supervision. 100% of department directors believe their employees are provided with the proper amount of supervision. MR 02.09.18 Yes HR's Performance Improvement Plans (PIPs) Major Corrective WP D-22 WP D-24 WP C-46 Interviewed staff from the Human Resources department and reviewed records in the Case Management system. Found evidence that one employee was placed on a performance improvement plan when an appraisal indicated that performance deviated from expectations. MR 01.10.18 MR 01.25.18 Yes Employee Handbook (section 10) Major Preventive WP D-4 WP C-2 Reviewed the City's Employee Handbook and compared it to criteria identified in the Green Book's "Internal Control Management and Evaluation Tool." The employee handbook contains adequate policies that communicate the general disciplinary process and disciplinary actions that can be expected if violations of the Code of Ethics occur. MR 12.14.17 Yes Appeals Process - Employee Handbook (section 10.02) Major Corrective WP D-24 WP C-2 WP C-46 Interviewed staff from the Human Resources department and reviewed records in the Case Management system. There was no evidence of the appeals process being utilized in the Case Management system. MR 01.25.18 Yes While there was no evidence in the Case Management system, we only received data from this system back to March 2017. Grievance Process - Employee Handbook (section 10.04) Major Corrective WP D-24 WP C-2 WP C-46 Interviewed staff from the Human Resources department and reviewed records in the Case Management system from March 2017 to January 2018 Found evidence of seven employees bringing grievances to HR. There is evidence of grievances being substantiated (3) and unsubstantiated (3). MR 01.25.18 MR 02.14.18 Yes HR's Case Management System (Tyler Munis) Major Corrective WP D-24 WP C-46 Reviewed the Case Management system from March 2017 to January 2018 and interviewed staff from the Human Resources department. Calculated the average time it took to resolve an issue from when it occurred. Found evidence that 10 employees who had deviated from standards of conduct were reported to HR and handled using the Case Management System. On average, disciplinary action issues reach a resolution after 8 days. MR 01.25.18 Yes Addresses Deviations in a Timely Manner – Deviations of the entity’s expected standards of conduct are identified and remedied in a timely and consistent manner. The City's formal Employee Handbook includes a section that contains guidelines for disciplinary action including the general disciplinary process and what disciplinary actions can be taken. These also include an appeals process for employees who feel the disciplinary action they received was unfair, and a grievance process for employees to initiate investigations of other staff member's behavior. These issues are generally recorded in Human Resources' Case Management system; typically disciplinary issues are handled in eight days. Employees who receive negative performance evaluations are put on a performance improvement plan (PIP), which is monitored through this Case Management system as well. Yes p y y p including the Code of Ethics. While this does not fully cover the City, employees are also supervised during which they are being evaluated based on the City's standards of conduct. This being said, we recommend that the City develop performance appraisal criteria that specifically addresses integrity and ethical behavior, on which all employees are evaluated. Principle 2: Exercises Oversight Responsibility Objective: The City Council demonstrates independence from management and exercises oversight of the development and performance of internal control. Auditor Conclusion: We have performed audit procedures to assess if the entity level controls below are deployed across the City to provide reasonable assurance that the above principal is present. The results of these audit procedures are documented below. Are entity level controls deployed across the City to demonstrate the key principle above is present? YES Points of Focus Control Activity Point of Focus Supported Control Component Control Type Ref. Docs Audit Testing Procedures Audit Results Auditor Control Effective Auditor Notes City Charter (section 22) Major Preventive WP C-1 WP C-2 Reviewed the City Charter for duties assigned to the City Council. The City Charter adequately enumerates the City Council's powers and duties to the City regarding oversight and overall responsibility. MR 02.07.18 Yes City Council Meetings Major Preventive WP D-29 Used discovery sampling of City Council Workshop and Regular Meeting minutes to determine if the City Council had considered a number of different issues. Interviewed the City Manager and City Internal Auditor regarding their interactions with Council. Found that the Council had considered IT, financial, and operational internal controls, long-term plans, expenditures, organizational and fee structures, and legal issues during City Council meetings. Additionally, the Council meets with key City employees regularly. MR 02.08.18 Yes City Committees Major Preventive WP D-30 Reviewed the City's Citizen Committees, Boards, and Commissions webpage and related webpages to determine what commissions, boards, and committees had been established. The City has a number of citizen, Council, and combination committees that are all appointed by and report to the City Council. MR 02.08.18 Yes City Council Training Major Preventive WP D-31 Reviewed Council Orientation documentation provided by City staff. Used Council expenditure data to determine what trainings Council members attended throughout FY17. City Council is adequately trained and maintains the relevant knowledge need to be a functional municipal oversight body. MR 02.08.18 Yes City Committees Major Preventive WP D-30 Reviewed the City's Citizen Committees, Boards, and Commissions webpage and related webpages to determine what requirements must be meet for all commissions, boards, and committees. There is evidence that the knowledge needed for each committee has been considered and is ensured during the appointment process. MR 02.08.18 Yes City Charter Major Preventive WP C-1 Reviewed the City Charter for sections detailing Council member independence requirements. The City Charter states that City Council members shall comply with state law pertaining to conflicts of interest of local government officials, including Texas Local Government Code, Chapter 171. MR 02.07.18 Yes Employee Handbook (section 9.03.C) Major Preventive WP C-2 Reviewed the City Employee Handbook for sections detailing how employee independence regarding the City Council. The Employee Handbook states that any City employee who files for a City of College Station City Council position automatically resigns from their City employment. MR 02.07.18 Yes Yes Yes Yes Establishes Oversight Responsibilities - The City Council identifies and accepts its oversight responsibilities in relation to established requirements and expectations The City Council is responsible for structuring the City government, authorizing expenditures and revenue plans, and regulating the City of College Station's development. Twice a month, the City Council meets to review information presented by City staff whether by request or requirement. At these meetings the City Council reviews and approves long-term plans, expenditures, fee structures, etc. Additionally, the City Council oversees several committees including the Audit Committee. Applies Relevant Expertise - The City Council defines, maintains, and periodically evaluates the skills and expertise needed among its members to enable them to ask probing questions of senior management and take commensurate actions. The City Council periodically attends municipal government trainings. Additionally, the City Council forms committees to advise them in certain areas and appoint members with relevant expertise. Operates Independently - The City Council has sufficient members who are independent from management and objective in evaluations and decision making. The Mayor and City Council are elected from and by the citizenry of College Station by a majority vote. City Council members must comply with state law pertaining to conflicts of interest of local government officials, including Texas Local Government Code, Chapter 171. City Policy requires an employee to automatically resign from their City employment if they file for a College Station City Council position. Principle 2: Exercises Oversight Responsibility Objective: The City Council demonstrates independence from management and exercises oversight of the development and performance of internal control. Auditor Conclusion: We have performed audit procedures to assess if the entity level controls below are deployed across the City to provide reasonable assurance that the above principal is present. The results of these audit procedures are documented below. Are entity level controls deployed across the City to demonstrate the key principle above is present? YES Points of Focus Control Activity Point of Focus Supported Control Component Control Type Ref. Docs Audit Testing Procedures Audit Results Auditor Control Effective Auditor Notes City Council Meetings Major Preventive WP D-29 Used discovery sampling of City Council Workshop and Regular Meeting minutes to determine if the City Council had considered a number of different issues. Interviewed the City Manager and City Internal Auditor regarding their interactions with Council. Found that the Council had considered IT, Financial, and Operational internal controls, long-term plans, expenditures, organizational and fee structures, and legal issues during City Council meetings. Additionally, the Council meets with key City employees regularly. The City Manager has formal meetings with the Mayor weekly and all other Council members every other week; the City Manager also has informal meetings with all other Council members in varying frequencies. Additionally, the City Internal Auditor meets with the Mayor monthly and other Council members on request. MR 02.08.18 Yes Department Head Meetings with Council Compensati ng Preventive WP D-32 WP I-37 Surveyed 14 Department directors regarding their opinion on the level of interactions their department have with other departments, City Council, and executive management. 100% of department directors claim they maintain good working relationships with other executive team members. 100% of department directors frequently meet with the City Manager or other members of the City Manager's Office. 79% of department directors say their employees give presentations to City Council or Council appointed committees. MR 02.09.18 Yes Performance Appraisals Major Preventive WP C-18 WP C-23 WP D-16 Reviewed all 2015 employee appraisal templates provided by Human Resources. 99% of performance appraisal templates are linked to the departments goals. All department goals are linked to the City's strategic plan, which is informed by the City Council. MR 12.22.17 Yes YesProvides Oversight for the System of Internal Control - The City Council retains oversight responsibility for management’s design, implementation, and conduct of internal control: - Control Environment - Establishing integrity and ethical values, oversight structures, authority and responsibility, expectations of competence, and accountability to the board. - Risk Assessment - Overseeing management’s assessment of risks to the achievement of objectives, including the potential impact of significant changes, fraud, and management override of internal control. - Control Activities - Providing oversight to senior management in the development and performance of control activities. - Information and Communication - Analyzing and discussing information relating to the entity’s achievement of objectives. - Monitoring Activities - Assessing and overseeing the nature and scope of monitoring activities and management’s evaluation and remediation of deficiencies Twice a month, the City Council meets to review information presented by City staff whether by request or requirement. At these meetings the City Council reviews and approves long-term plans, expenditures, fee structures, etc. Additionally, the City Council meets with key City managers (including the City Auditor, City Attorney, and City Manager) regularly. Department directors and their staff meet with City Council members via City Council Meetings, Council appointed Committee Meetings, and other meetings by request. Employee performance appraisals generally include an evaluation of the employee's work to meet the department or division's goals, which directly stem from the City Council's direction via the Strategic Plan. Principle 3: Establishes structure, authority, and responsibility Objective: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. Auditor Conclusion: We have performed audit procedures to assess if the entity level controls below are deployed across the City to provide reasonable assurance that the above principal is present. The results of these audit procedures are documented below. Are entity level controls deployed across the City to demonstrate the key principle above is present? YES Points of Focus Control Activity Point of Focus Supported Control Component Control Type Ref. Docs Audit Testing Procedures Audit Results Auditor Control Effective Auditor Notes Annual Budget Process Major Preventive WP C-19 WP C-20 WP C-23 WP D-27 Reviewed the FY18 budget kickoff memo. Reviewed the City's annual budgets from FY09 through FY18. Department organizational charts are updated at least annually. In addition, there is evidence that all departments and the City as a whole periodically consider the organization's structure and make changes as necessary. MR 02.13.18 MR 02.05.18 Yes Employee Roles and Responsibilities Compensati ng Preventive WP D-32 WP I-2 WP I-13 WP I-15 WP I-19 WP I-22 WP I-36 WP I-37 Surveyed 14 Department directors regarding their opinion on their departments staffing levels. 86% of department directors believe their managers and supervisors have time to carry out their duties and responsibilities. 29% of directors responded that their managers and supervisors do not fulfill the roles of more than one employee. MR 02.09.18 No While some employees are fulfilling more than one role, this is most likely not do to a lack of organizational structure consideration, but prioritization due to resource deficiencies. Long-Term Planning Major Preventive WP C-23 WP C-26 WP C-27 WP C-28 WP C-29 WP C-30 WP C-31 WP D-13 WP D-18 Reviewed the FY18 budget for evidence of long term planning, reviewed master plans and rate studies. Found evidence that City management and City Council have considered long term City planning issues such as development, growth, and fee structures and how they affect the City. In addition, financial forecasts are generally conservative. TE 01.04.18 MR 01.17.18 Yes Tyler Munis System Major Detective WP D-12 Reviewed documentation regarding the implementation of the Tyler Munis enterprise resource planning system. There is evidence that the ERP system was implemented to increase department communication efforts. MR 01.02.18 Yes Job Descriptions Major Preventive WP D-7 WP D-9 From a sample of 198 job descriptions (giving us a 95% confidence that the estimated percentages are within plus or minus 5% of the true value), we evaluated if the job description listed the potential employee's supervisor's title. 99% of job descriptions reviewed had a supervisor's title clearly listed. MR 12.19.17 Yes Annual Budget Process Major Preventive WP C-23 Reviewed the FY18 annual budget.The annual budget shows a detailed organizational chart for each department - excluding general government departments. MR 02.13.18 Yes City-wide Communication Channels Major Detective WP C-15 WP C-17 Reviewed the City's 2018 New Hire Orientation Booklet. Reviewed a 2016 Public Communications Survey which received responses from 43% of City employees. The City has established an Employee Involvement Committee (established in 2007) to give the City Manager a forum for communicating with employees on various issues. 45% of surveyed employees agree that the City as a whole communicates well. 43% of employees agree that the City provides adequate ways for them to give feedback to the CMO. MR 02.13.18 MR 02.13.18 Yes Considers All Structures of the Entity - Management and the City Council consider the multiple structures used (including operating units, legal entities, geographic distribution, and outsourced service providers) to support the achievement of objectives. Annually, the City's structure is considered and changed as necessary through the budget process. Additionally, the Tyler Munis ERP system is being implemented to facilitate the flow of communication across functionally unique departments. Long-term planning initiatives involving the City's development, growth, and fee structures are considered and brought to the City Council. Finally, departments generally believe that their managers and supervisors have time to carry out their duties and responsibilities even if they are fulfilling multiple roles. Even though some employees are fulfilling more than one role, this is most likely not do to a lack of organizational structure planning or consideration byt a necessary prioritization of resources. Yes Establishes Reporting Lines - Management designs and evaluates lines of reporting for each entity structure to enable execution of authorities and responsibilities and flow of information to manage the activities of the entity. Annually, general reporting lines within each department are evaluated and changed as necessary through the budget process. In addition, job descriptions contain the job title of the employee's direct supervisor. Departments have also established additional ways of delivering key information to all employees and communicating information up the chain of command. The City has also established processes for employees to raise issues directly to the City Manager. Yes Principle 3: Establishes structure, authority, and responsibility Objective: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. Auditor Conclusion: We have performed audit procedures to assess if the entity level controls below are deployed across the City to provide reasonable assurance that the above principal is present. The results of these audit procedures are documented below. Are entity level controls deployed across the City to demonstrate the key principle above is present? YES Points of Focus Control Activity Point of Focus Supported Control Component Control Type Ref. Docs Audit Testing Procedures Audit Results Auditor Control Effective Auditor Notes Departmental Communication Channels Compensati ng Detective WP C-17 WP D-32 WP I-37 Surveyed 14 Department directors regarding their opinion on the clarity and appropriateness of their department's internal reporting relationships. Reviewed a 2016 Public Communications Survey which received responses from 43% of City employees. Found that 100% of departments have procedures and processes established to deliver key information to all employees, and 79% of departments have policies or procedures established to effectively communicate information up the chain of command. 49% of surveyed employees agree that their department communicates well. 56% of employees agree that there are adequate ways for them to give feedback to their supervisors or department directors. MR 02.13.18 MR 02.09.18 Yes Job Descriptions Major Preventive WP D-7 WP D-9 From a sample of 198 job descriptions (giving us a 95% confidence that the estimated percentages are within plus or minus 5% of the true value), we evaluated if the job description listed the potential employee's job duties and responsibilities. 99% of job descriptions had clearly defined job duties and responsibilities. MR 12.19.17 Yes Overtime Tracking and Analysis Compensati ng Detective WP B-9 WP D-17 Reviewed city overtime hours between 2013 and 2017. College Station employees appear to work excessive overtime to complete assigned tasks - specifically in Police and Fire. TE 01.11.18 No Overtime indicates that employee responsibilities may not be appropriately limited in some departments; however, overall the City has appropriately established responsibilities. Employee Handbook Purchasing Policies and Procedures IT Policies and Procedures Major Preventive WP C-1 WP C-2 WP C-21 WP C-22 WP C-24 WP D-14 Reviewed the Employee Handbook, Purchasing Manual, and IT Policies and Procedures to identify any guidance regarding overriding internal controls. Found eleven instances of guidance regarding overriding internal controls; two instances specifically require documentation; all instances required an employee to seek approval from a higher authority. MR 01.03.18 Yes City Council Meetings Major Preventive WP D-29 WP D-30 Used discovery sampling of City Council Workshop and Regular Meeting minutes to determine if the City Council had considered a number of different issues. Interviewed the City Manager and City Internal Auditor regarding their interactions with Council. Found that the Council retains final authority over IT, financial, and operational internal controls, long-term plans, expenditures, organizational and fee structures, and legal issues through City Council meetings and additional meetings with key City employees. MR 02.08.18 Yes Contract Indemnification Language Major Preventive WP C-56 Reviewed the City's form/standard contracts for indemnification language. Found that all standard contracts required the vendor to indemnify the City to the fullest extent of the law. MR 01.10.17 Yes Departmental Communication Channels Compensati ng Preventive WP D-32 WP I-37 Surveyed 14 Department directors regarding their opinion on how areas of responsibility and authority are communicated and defined in their department. 100% of departments believe key areas of authority and responsibility are defined and communicated through their department. MR 02.09.18 Yes Defines, Assigns, and Limits Authorities and Responsibilities - Management and the board of directors delegate authority, define responsibilities, and use appropriate processes and technology to assign responsibility and segregate duties as necessary at the various levels of the organization: City Council - Retains authority over significant decisions and reviews management’s assignments and limitations of authorities and responsibilities Senior Management - Establishes directives, guidance, and control to enable management and other personnel to understand and carry out their internal control responsibilities Management - Guides and facilitates the execution of senior management directives within the entity and its subunits Personnel - Understands the entity’s standard of conduct, assessed risks to objectives, and the related control activities at their respective levels of the entity, the expected information and communication flow, and monitoring activities relevant to their achievement of the objectives Outsourced Service Providers - Adheres to management’s definition of the scope of authority and Employee authority and responsibilities are listed on their job descriptions. Additional responsibilities for all employees are detailed in operational manuals such as the Employee Handbook, the Purchasing Manual, and IT's Policies and Procedures. Overtime analysis indicates that employee responsibilities may not be appropriately limited in some departments; however, overall the City has appropriately established responsibilities. Departments believe that key areas of authority and responsibility (i.e. supervisors and managers) are defined, assigned, and communicated adequately throughout their departments. In addition, most departments have established procedures to monitor the results of this delegated authority and responsibility. The City Council has final authority over many decisions involving IT, financial, and operational internal controls, long-term plans, expenditures, organizational and fee structures, and legal issues. The City appropriately requires contractors to indemnify the City to the fullest extent of the law regarding mistakes made on the contractors part. Yes Principle 3: Establishes structure, authority, and responsibility Objective: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. Auditor Conclusion: We have performed audit procedures to assess if the entity level controls below are deployed across the City to provide reasonable assurance that the above principal is present. The results of these audit procedures are documented below. Are entity level controls deployed across the City to demonstrate the key principle above is present? YES Points of Focus Control Activity Point of Focus Supported Control Component Control Type Ref. Docs Audit Testing Procedures Audit Results Auditor Control Effective Auditor Notes Departmental Performance Monitoring Procedures Major Detective WP D-32 WP I-2 WP I-13 WP I-15 WP I-19 WP I-22 WP I-36 WP I-37 Surveyed 14 Department directors regarding how authority and responsibility are assigned and delegated in their department. 86% of department directors believe authority and responsibility are clearly assigned throughout their department. 71% have established practices and procedures that monitor the results of delegated authority and responsibility. MR 02.09.18 Yes Employee Roles and Responsibilities Major Preventive WP D-32 WP I-37 Surveyed 14 Department directors regarding their opinion on the appropriateness of delegated authority in relation to the assignment of responsibility. 86% of department directors believe their employees are empowered to correct problems or implement improvements at appropriate levels. MR 02.09.18 Yes responsibility for all non-employees engaged Principle 4: Demonstrates Commitment to Competence Objective: The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. Auditor Conclusion: We have performed audit procedures to assess if the entity level controls below are deployed across the City to provide reasonable assurance that the above principal is present. The results of these audit procedures are documented below. Are entity level controls deployed across the City to demonstrate the key principle above is present? YES Points of Focus Control Activity Point of Focus Supported Control Component Control Type Ref. Docs Audit Testing Procedures Audit Results Auditor Control Effective Auditor Notes The City of College Station has a formal Employee Handbook. Major Preventive WP C-2 WP D-4 Reviewed the City's Employee Handbook and compared it to criteria identified in the Green Book's "Internal Control Management and Evaluation Tool." The Employee Handbook establishes adequate policies that address competencies required by all City employees. MR 12.14.17 Yes Job Descriptions Compensati ng Preventive WP D-6 WP D-7 WP D-33 From a sample of 198 job descriptions (giving us a 95% confidence that the estimated percentages are within plus or minus 5% of the true value), we evaluated if the job description listed specific duties that an employee must perform and specific qualifications that an employee must have to be hired. Over 98% of job descriptions included a clear list of responsibilities and listed requirements concerning education, experience, and accomplishments. However, almost 40% of job descriptions had not been updated in over five years (almost 80% hadn't been updated in over a year). There is no City policy regarding when or how often job descriptions should be updated. MR 12.18.17 MR 12.19.17 No While job descriptions are not regularly updated, if a job remains the same over many years there is no reason to update it. RECOMMENDATION: Have employees verify that their job description accurately describes their duties and responsibilities annually during their performance appraisal. Performance Appraisals Major Detective WP C-13 WP C-25 WP C-57 WP D-22 From a sample of 87 full-time employees (giving us a 95% confidence that the estimated percentages are within plus or minus 10% of the true value), we identified if an employee had a FY17 performance appraisal in their employee file. 86% of the employees sampled had been evaluated during FY17. The other 14% were either new hires or had been recently promoted and thus did not receive and end of year performance appraisal. MR 01.10.18 MR 02.20.18 Yes Performance Appraisals Major Preventive WP C-23 WP D-16 Reviewed all 2015 employee evaluation templates provided by Human Resources. 99% of performance appraisals include an evaluation of the employee's competence. MR 12.22.17 Yes Performance Appraisals Major Corrective WP C-13 WP C-25 WP C-57 WP D-22 WP D-33 From a sample of 87 full-time employees (giving us a 95% confidence that the estimated percentages are within plus or minus 10% of the true value), we identified if an employee had received suggestions for improvement and what type of comments the employee had received on their appraisal. 49% of sampled employee performance appraisals were given suggestions for improvement. On the other hand, 78% sampled employee performance appraisals included feedback, but 62% of these comments were entirely positive and thus more likely to be ineffective for the employee. MR 01.10.18 MR 02.20.18 No Though employees are not always receiving constructive criticism on their formal appraisal, appropriate supervision helps to ensure employees are being adequately evaluated. RECOMMENDATION: Supervisors should receive clear instruction or training regarding how and to whom performance appraisals are directed. Performance Appraisals Case Management System Major Corrective WP C-13 WP C-25 WP C-57 WP D-22 WP D-24 Interviewed staff from the Human Resources department and reviewed records in the Case Management system. Found evidence that one employee was placed on a performance improvement plan when an appraisal indicated that performance deviated from expectations. MR 01.10.18 MR 01.25.18 Yes Employee Handbook (section 2.05) Major Preventive WP C-2 Reviewed the City's Employee Handbook.The Employee Handbook allows for departments to require the completion of a skills test when hiring. Previous audits have found evidence of this in the Fire Department and Police Department. MR 02.12.18 Yes Establishes Policies and Practices - Policies and practices reflect expectations of competence necessary to support the achievement of objectives Formal expectations of competency for all employees are established in the Employee Handbook. In addition, job descriptions list specific employee responsibilities or qualifications that employees are expected to meet. While these are not regularly updated, there is evidence that they are updated when needed. This being said, we recommend that employees annually verfiy that their job description is accurate during the performance appraisal process. Yes Evaluates Competence and Address Shortcomings- The City Council and management evaluate competence across the organization and in outsourced service providers in relation to established policies and practices, and act as necessary to address shortcomings. The Employee Handbook allows departments to evaluate potential new employee's competence through skills tests. In addition, all potential new employees are required to undergo and pass a background test and a reference check. Annually, employees are evaluated on their job competency through the performance appraisal process. These appraisals include comments on the employee's performance as well as suggestions for improvement. Employees who receive negative appraisals are placed on a performance improvement plan (PIP), which is monitored by Human Resources in their Case Management system. In addition, the Employee Handbook provides guidance regarding what disciplinary actions can be taken if deviations in expected competency occur. Supervisors and managers are allowed and encouraged to involve Human Resources in repeated or egregious competency issues, which are tracked in the Case Management system. While it is City policy for potential new employees to undergo a reference check, this is not a necessary step to evaluting competence given other compensating controls such as background tests and the six month, probationary performance evaluation. In addition, though some employees did not receive written suggestions for improvements f db k d l i i Yes Principle 4: Demonstrates Commitment to Competence Objective: The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. Auditor Conclusion: We have performed audit procedures to assess if the entity level controls below are deployed across the City to provide reasonable assurance that the above principal is present. The results of these audit procedures are documented below. Are entity level controls deployed across the City to demonstrate the key principle above is present? YES Points of Focus Control Activity Point of Focus Supported Control Component Control Type Ref. Docs Audit Testing Procedures Audit Results Auditor Control Effective Auditor Notes Employee Handbook (sections 2.05, 2.06, and 2.07) Hiring Process Major Preventive WP C-2 WP C-13 WP C-25 WP C-57 WP D-22 Reviewed the Employee Handbook for policies that indicate City-wide competency requirements. From a sample of 87 full-time employees (giving us a 95% confidence that the estimated percentages are within plus or minus 10% of the true value), we identified if an employee had received a background check if it was required at the time. Found adequate policies that require potential new employees to meet certain competency requirements including background checks. Found evidence that 99% of employees received a background check. MR 02.12.18 Yes Employee Handbook (sections 2.05, 2.06, and 2.07) Hiring Process Compensati ng Preventive WP C-2 WP C-13 WP C-25 WP C-57 WP D-22 Reviewed the Employee Handbook for policies that indicate City-wide competency requirements. From a sample of 87 full-time employees (giving us a 95% confidence that the estimated percentages are within plus or minus 10% of the true value), we identified if an employee had received reference check if it was required at the time. Found adequate policies that require potential new employees to meet certain competency requirements including experience checks. Found evidence that 39% of employees received an experience check. MR 02.12.18 No While reference checks are appropriate, they are not necessary in judging a potential new employee's competence if a thorough application is complete. Employee Handbook (section 10) Major Preventive WP C-2 WP D-4 Reviewed the City's Employee Handbook and compared it to criteria identified in the Green Book's "Internal Control Management and Evaluation Tool." The employee handbook contains adequate policies that communicate the general disciplinary process and disciplinary actions that can be expected if deviations from expected competency levels occur. MR 12.14.17 Yes HR's Case Management System (Tyler Munis) Major Corrective WP D-24 WP C-46 Reviewed the Case Management system and interviewed staff from the Human Resources department. Found evidence that ten employees who had deviated from competency expectations were reported to HR and handled using the Case Management System. MR 01.25.18 Yes HR Trainings Major Preventive WP D-8 Interviewed Human Resources' staff and reviewed the city-wide trainings (via presentation slides) they have provided. Human Resources has provided multiple city-wide trainings - particularly regarding supervising - to employees; however, there has been very few trainings since 2014. In response to this, HR is currently in the process of hiring a Training & Development Coordinator. MR 12.21.17 Yes New Hire Orientation Major Preventive WP C-14 WP C-15 Reviewed the 2017 New Hire Orientation Agenda and the 2018 New Hire Orientation Booklet. New Hire Orientation includes an overview of the City's programs, expectations regarding safety and respect for fellow employees, highlights from the City's Employee Handbook, and a review of the City's values and history. MR 02.13.18 Yes or feedback, adequate employee supervision may provide an effective avenue for evalutating employee competence. This being said, we recommend that supervisors receive clear instruction or training on to whom performance appraisal comments should be directed. Attracts, Develops, and Retains Individuals - The organization provides the mentoring and training needed to attract, develop, and retain sufficient and competent personnel and outsourced service providers to support the achievement of objectives The Employee Handbook allows departments to evaluate potential new employee's competence through skills tests. In addition, all potential new employees are required to undergo and pass a background test and a reference check. After hire, all full-time and part-time employees undergo new hire orientation at the City-wide level and typically some type of departmental or job specific training at the department level. In addition, employees are typically supervised more heavily while they are new, bust still appropriately after the probation period. Over the past few years, Human Resources has also offered a number of City-wide trainings, Yes Principle 4: Demonstrates Commitment to Competence Objective: The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. Auditor Conclusion: We have performed audit procedures to assess if the entity level controls below are deployed across the City to provide reasonable assurance that the above principal is present. The results of these audit procedures are documented below. Are entity level controls deployed across the City to demonstrate the key principle above is present? YES Points of Focus Control Activity Point of Focus Supported Control Component Control Type Ref. Docs Audit Testing Procedures Audit Results Auditor Control Effective Auditor Notes Turnover Tracking and Analysis Compensati ng Detective WP C-10 WP D-3 WP D-11 Reviewed turnover rates from FY16 through FY14. Further investigated turnover rates for key fiscal and operational internal control departments. Used the City Internal Auditor's institutional knowledge to identify why key employees in Fiscal Services separated from the City. For most departments turnover is under the national state and local government average. Additionally, turnover rates in key internal control departments do not appear to indicate a problem with internal control structures. MR 02.07.18 MR 12.12.17 TE 12.29.17 Yes Individual Department Training Efforts Compensati ng Preventive WP C-16 WP D-32 WP I-3 WP I-4 WP I-37 Surveyed Department directors regarding the training and counseling above what HR offers City-wide that is offered to employees in their department. Reviewed an Employee Survey conducted in 2013 by the CMO and Public Communications; At the time 64% of all City employees (608) participated. 100% of Department directors say their department provides employees with additional training opportunities. 64% of departments have mechanisms in place to ensure employees receive the appropriate training. 64% of employees agreed or somewhat agreed that the City provides the ongoing training they need. Additionally, 66% of employees agreed or somewhat agreed that employees in their department are encouraged to get additional training. MR 02.12.18 MR 02.09.18 No While it appears that department's aren't consistently providing employees with additional training opportunities employees who must meet professional requirements do so; city-wide trainings are adequate. Employee Supervision Major Detective WP D-8 WP D-32 WP I-37 Surveyed Department directors regarding their opinion on if employees are provided the proper amount of supervision. Reviewed Human Resources training presentation's (via presentation slides) provided by HR staff. 100% of department directors say their employees are provided with the proper amount of supervision which includes guidance, review, and on-the-job training. Over the past five years the City's Human Resources department has offered a variety of supervisor oriented trainings. MR 12.21.17 MR 02.09.18 Yes Employee Handbook (section 2.05) Major Preventive WP C-2 Reviewed the City's Employee Handbook.The Employee Handbook allows for departments to require the completion of a skills test when hiring. MR 02.12.18 Yes Employee Handbook (sections 4, 5, and 6) Major Preventive WP D-10 WP C-2 Reviewed the City's Employee Handbook.The City utilizes benefits policies to encourage longevity such as the leave accrual policy and the retirement vesting system. TE 12.27.17 Yes HR Trainings Compensati ng Preventive WP D-10 Interviewed Human Resources' staff and reviewed the documentation provided. Currently 17% of the City's employees are eligible for retirement. In 2008 a training for supervisors was conducted that revolved around planning for employees retirement. MR 12.22.17 Yes offered a number of City wide trainings, particularly in regards to properly supervising employees. Finally, the City utilizes a number of benefits such as leave accrual and retirement policies to encourage employee retention and longevity. Plans and Prepares for Succession - Senior management and the City Council develop contingency plans for assignments of responsibility important for internal control. Succession planning has been considered informally by Human Resources staff. The City has trained supervisors to plan for succession in the past (2008). While there is no formal process for succession planning, we found evidence that departments have considered and plan for succession. This being said, we Yes Principle 4: Demonstrates Commitment to Competence Objective: The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. Auditor Conclusion: We have performed audit procedures to assess if the entity level controls below are deployed across the City to provide reasonable assurance that the above principal is present. The results of these audit procedures are documented below. Are entity level controls deployed across the City to demonstrate the key principle above is present? YES Points of Focus Control Activity Point of Focus Supported Control Component Control Type Ref. Docs Audit Testing Procedures Audit Results Auditor Control Effective Auditor Notes Informal Consideration at the Department Level Compensati ng Detective WP D-10 WP D-33 Reviewed audit work previously conducted regarding succession planning and the loss of institutional knowledge. We also found that 43% of 74 key City supervisors identified loss of institutional knowledge as a risk to their operations. MR 12.22.17 Yes There is no formal procedure for succession planning, however, there is evidence that the City as a whole and departments on their own have considered succession planning. RECOMMENDATION: Formalize procedures that identify and help to mitigate the risk of losing institutional knowledge. p g recommend that City-wide procedures be formalized to reducse the risk of losing institutional knowledge. Principle 5: Enforces Accountability Objective: The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives. Auditor Conclusion: We have performed audit procedures to assess if the entity level controls below are deployed across the City to provide reasonable assurance that the above principal is present. The results of these audit procedures are documented below. Are entity level controls deployed across the City to demonstrate the key principle above is present? YES Points of Focus Control Activity Point of Focus Supported Control Component Control Type Ref. Docs Audit Testing Procedures Audit Results Auditor Control Effective Auditor Notes Informal Monitoring Mechanisms Compensati ng Detective WP D-25 Reviewed previous audit observations.There is evidence of informal monitoring mechanisms that reinforce internal controls. MR 02.02.18 Yes City Internal Audit Office Major Detective WP C-51 WP D-15 WP D-26 Reviewed the City Charter, City Ordinances, and City Internal Audit Office's webpage and compared this documentation to criteria identified in the Green Book's "Internal Control Management and Evaluation Tool." Reviewed management responses and audit recommendation implementation efforts to previous internal audit engagements (164 recommendations) over the last 10 fiscal years. We found evidence that the City Internal Audit Office is set up to effectively evaluate the City's internal control structure. Also, management generally implements these recommendations MR 01.04.18 SS 01.30.18 Yes Purchasing Policies and Procedures Major Preventive WP C-24 WP D-14 Reviewed policies and procedures manual.The Purchasing Manual establishes adequate monitoring controls over the purchasing function. In addition, it includes guidance for when overriding an internal control is necessary. MR 02.07.18 MR 01.03.18 Yes IT Policies and Procedures Major Preventive WP C-22 WP D-14 Reviewed policies and procedures manual.The IT Polices and Procedures manual establishes adequate monitoring controls over information technology security. In addition, it includes guidance when overriding an internal control is necessary. MR 02.07.18 MR 01.03.18 Yes Performance Appraisals Major Corrective WP D-22 From a sample of 87 full-time employees (giving us a 95% confidence that the estimated percentages are within plus or minus 10% of the true value), we identified if an employee was given suggestions for improvement. 49% of sampled employee performance appraisals were given suggestions for improvement. On the other hand, 78% sampled employee performance appraisals included feedback, but 62% of these comments were entirely positive and thus more likely to be ineffective for the employee. MR 01.10.18 MR 02.20.18 No Through performance appraisals may not always include written suggestions for improvements or feedback, adequate employee supervision provides alternative accountability mechanisms. Employee Supervision Compensati ng Detective WP D-8 WP D-32 WP I-37 Surveyed Department directors regarding their opinion on if employees are provided the proper amount of supervision. Reviewed Human Resources training presentation's (via presentation slides) provided by HR staff. 100% of department directors say their employees are provided with the proper amount of supervision which includes guidance, review, and on-the-job training. Over the past five years the City's Human Resources department has offered a variety of supervisor oriented trainings. MR 12.21.17 MR 02.09.18 Yes Individual Department policies and procedures Compensati ng Preventive WP D-32 WP I-37 Surveyed 14 Department directors regarding their endorsement of performance-based management. 29% of department directors had established policies or procedures to enforce accountability above what the City already does. MR 02.09.17 No The City has adequate controls in this area without additional department support. Enforces Accountability through Structures, Authorities, and Responsibilities - Management and the City Council establish the mechanisms to communicate and hold individuals accountable for performance of internal control responsibilities across the organization and implement corrective action as necessary The City encourages accountability through City-wide transparency programs and policies such as the City Internal Auditor's Office, the annual external audit, the Purchasing Manual, IT Policies and Procedures, and some individual department policies and procedures. In addition, all employees are annually evaluated on their performance of internal control related job duties and those employees that deviate from expectations are put on performance improvement plans (PIP), which are monitored by Human Resources. In addition, we found evidence of informal, peer pressure-based monitoring mechanisms during previous audits. Though most departments do not have additional accountablility policies or procedures, the City has adequate controls in this area without additional department support. Finally, through performance appraisals may not always include written suggestions for improvements or feedback, adequate employee supervision provides alternative accountability mechanisms. Yes Principle 5: Enforces Accountability Objective: The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives. Auditor Conclusion: We have performed audit procedures to assess if the entity level controls below are deployed across the City to provide reasonable assurance that the above principal is present. The results of these audit procedures are documented below. Are entity level controls deployed across the City to demonstrate the key principle above is present? YES Points of Focus Control Activity Point of Focus Supported Control Component Control Type Ref. Docs Audit Testing Procedures Audit Results Auditor Control Effective Auditor Notes HR's Case Management System (Tyler Munis) Major Corrective WP D-24 WP C-46 Reviewed the Case Management system from March 2017 and interviewed staff from the Human Resources department. Found evidence that two employees who had deviated from internal control competency standards were reported to HR and handled using the Case Management System. MR 01.25.18 Yes External Audit Major Detective WP D-28 Reviewed all external audit reports from FY06 through FY16. The City's Comprehensive Annual Financial Reports do not have material misstatements. SS 01.17.18 Yes Annual Budgeting Process Major Preventive WP C-23 WP D-23 Compared the City's policies and procedures to the US Office of Personnel Management's Human Capital Framework criteria. All City department's have a strategic plan in the annual budget that lists performance metrics that are directly linked with the City Council's strategic plan. MR 02.01.18 Yes Individual Department policies and procedures Compensati ng Preventive WP D-32 WP I-37 Surveyed 14 Department directors regarding their endorsement of performance-based management. 57% of departments individually endorse performance based management through additionally policies and procedures. MR 02.09.18 No Although 43% of departments do not specifically endorse all aspects of performance based management, the City as a whole demonstrates a dedication to performance-based management. Annual Budgeting Process Major Preventive WP C-23 WP D-23 Compared the City's policies, procedures, and other documentation to the US Office of Personnel Management's Human Capital Framework criteria. Found evidence that performance metrics are considered over multiple years and evaluated as necessary. MR 02.01.18 Yes City Internal Audit Office Major Detective WP C-51 WP D-15 WP D-26 Reviewed management responses and audit recommendation implementation efforts to previous internal audit engagements (164 recommendations) over the last 10 fiscal years. Found that on average management concurs with about 90% of audit recommendations. Of those recommendations followed-up on, only 6% had not been implemented. SS 01.30.18 Yes Individual Department policies and procedures Compensati ng Preventive WP D-32 WP I-37 Surveyed 14 Department directors regarding their endorsement of performance-based management. 57% of departments individually endorse performance based management through additionally policies and procedures. MR 02.09.18 No Although 43% of departments do not specifically endorse all aspects of performance based management, the City as a whole demonstrates a dedication to performance-based management. Performance Appraisals Compensati ng Preventive WP C-23 WP D-16 Reviewed all 2015 employee appraisal templates provided by Human Resources. About 50% of performance appraisals evaluated their employees on individual "dynamic competencies." MR 02.08.18 Yes Employee Handbook Purchasing Policies and Procedures IT Policies and Procedures Major Preventive WP C-1 WP C-2 WP C-21 WP C-22 WP C-24 WP D-14 Reviewed the Employee Handbook, Purchasing Manual, and IT Policies and Procedures to identify any guidance regarding overriding internal controls. Found twelve instances of guidance regarding overriding internal controls; three instances specifically require documentation; all instances required an employee to seek approval from a higher authority. MR 01.03.18 Yes Establishes Performance Measures, Incentives, and Rewards - Management and the City Council establish performance measures, incentives, and other rewards appropriate for responsibilities at all levels of the entity, reflecting appropriate dimensions of performance and expected standards of conduct, and considering the achievement of both short-term and longer-term objectives. Annually, departmental performance metrics for all divisions are established during the budgeting process. In addition, some departments endorse and practice a performance-based management style based on benchmarks and performance metrics. Though not all departments practice performance-based management, the City's focus on this adequately establishes performance measures and incentives for meeting them. Yes Evaluates Performance Measures, Incentives, and Rewards for Ongoing Relevance - Management and the City Council align incentives and rewards with the fulfillment of internal control responsibilities in the achievement of objectives. Annually, departmental performance metrics for all divisions are evaluated during the budgeting process. Using a risk-based approach the City Internal Auditor's Office has evaluated departments, divisions, and functions throughout the City and recommended improvements; generally, these improvements are well received and implemented. In addition, some departments endorse and practice a performance-based management style based on benchmarks and performance metrics. Though not all departments practice performance-based management, the City's has an adequate evaluation process for established performance measures and the incentives for meeting them. Yes Considers Excessive Pressures - Management and the City Council evaluate and adjust pressures associated with the achievement of objectives as they assign responsibilities, develop performance measures, and evaluate performance. Annually, managers and supervisors evaluate their employees using a performance appraisal. Some performance appraisals include an evaluation on dynamic competencies that are employee-specific goals and objectives; these goals and the pressures to meet them are evaluated annually. Those employees that are not evaluated on dynamic competencies do not sustain this pressure. At a City-wide level, annual zero-based Yes Principle 5: Enforces Accountability Objective: The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives. Auditor Conclusion: We have performed audit procedures to assess if the entity level controls below are deployed across the City to provide reasonable assurance that the above principal is present. The results of these audit procedures are documented below. Are entity level controls deployed across the City to demonstrate the key principle above is present? YES Points of Focus Control Activity Point of Focus Supported Control Component Control Type Ref. Docs Audit Testing Procedures Audit Results Auditor Control Effective Auditor Notes Annual Budgeting Process Major Preventive WP C-19 WP C-20 WP C-23 WP D-19 Interviewed Fiscal Services staff involved in the annual budgeting process. Obtained documentation of the budget process. All departments must justify their service level adjustments to the City Manager's Office where in the City Manager ascertains what departments need versus what they want. SS 01.17.18 Yes Case Management System Major Corrective WP D-24 WP C-46 Reviewed the Case Management system and interviewed staff from the Human Resources department. Found evidence that employees who had deviated from competency expectations were reported to HR and handled using the Case Management System. MR 01.25.18 Yes Employee Handbook (section 10) Major Preventive WP C-2 WP D-4 Reviewed the City's Employee Handbook and compared it to criteria identified in the Green Book's "Internal Control Management and Evaluation Tool." The employee handbook contains adequate policies that communicate the general disciplinary process and disciplinary actions that can be expected if violations of policy occur. MR 12.14.17 Yes Performance Appraisals (Employee Handbook section 3.09) Major Preventive WP C-2 WP C-13 WP C-16 WP C-25 WP D-22 WP D-33 Reviewed City policy regarding employee promotions. Reviewed an Employee Survey conducted in 2013 by the CMO and Public Communications; At the time 64% of all City employees (608) participated. From a judgement sample of 30 recently promoted employees we identified if an employee had received an evaluation linked to their promotion. Compared the average of these performance scores to the "all employee" average performance scores. According to City policy employees who receive a promotion should be evaluated six months after their promotion. Out of a sample of 30, we found that only 1 employee had been adequately evaluated. In addition, there is no statistical difference in overall performance score between a sample of all employees and a judgement sample of promoted employees. Also, about 2 of every 5 employees see a clear connection between pay and performance. MR 02.09.18 MR 02.09.18 MR 01.10.18 No While the comparison made in this test is not statistically sound due to only a judgement sample of employees being taken, it still indicates that high scoring performance evaluations do not necessarily mean promotion. This being said, many performance appraisals did note what compensation increase an employee could expect to receive the next year. RECOMMENDATION: Improve associations between employees' performance and rewards. Performance Appraisals Major Detective WP C-13 WP C-25 WP D-22 From a sample of 87 full-time employees (giving us a 95% confidence that the estimated percentages are within plus or minus 10% of the true value), we identified if an employee had a FY17 performance appraisal in their employee file. 86% of the employees sampled had been evaluated during FY17. The other 14% were either new hires or had been recently promoted and thus did not receive and end of year performance appraisal. On the other hand, only 49% of sampled employees received suggestions for improvement. MR 01.10.18 No Individual Department policies and procedures Compensati ng Preventive WP D-32 WP I-37 Surveyed 14 Department directors regarding their endorsement of performance-based management. 57% of departments individually endorse performance based management through additionally policies and procedures. MR 02.09.18 No Although 43% of departments do not specifically endorse all aspects of performance based management, the City as a whole demonstrates a dedication to performance-based management. Evaluates Performance and Rewards or Disciplines Individuals - Management and the City Council evaluate performance of internal control responsibilities, including adherence to standards of conduct and expected levels of competence and provide rewards or exercise disciplinary action as appropriate. Annually, employees receive a performance appraisal that covers competency, ethics, and internal control duties as they relate to the employee's job. Promotions, pay increases, and discipline are decided upon from these appraisals. In addition, employees who either receive a negative performance review or are seen to be incompliant with competency or conduct expectations are disciplined by their supervisors and/or Human Resources as appropriate. Finally, some departments support performance based management as a day to day managing style. Though it seems that performance is adequately connected to discipline, some improvements could be made involving the connection between performance and rewards. Additionally, while not all departments endorse performance-based management, the City as a whole has developed adequate policies and procedures in this respect. Yes y , budgeting techniques require department directors to make a business case for their service level adjustments; this allows the City Manager's Office to get a better understanding of the pressures departments are under and adjust these pressures in turn. In addition, I Principle 6: Specifies Suitable Objectives Objective: The organization considers the potential for fraud in assessing risks to the achievement of objectives. Auditor Conclusion: We have performed audit procedures to assess if the entity level controls below are deployed across the City to provide reasonable assurance that the above principal is present. The results of these audit procedures are documented below. Are entity level controls deployed across the City to demonstrate the key principle above is present? YES Points of Focus Control Activity Point of Focus Supported Control Component Control Type Ref. Docs Audit Testing Procedures Audit Results Auditor Control Effective Auditor Notes Strategic Plan Major Preventive WP C-18 WP E-3 Reviewed the City's 2017 Strategic Plan document. Periodically, the City Council updates the City's strategic objectives. We found that these objectives are directly linked to departmental objectives. MR 03.15.18 MR 01.26.18 Yes Strategic Business Plan Process Major Preventive WP C-59 WP C-60 WP E-5 Reviewed several strategic business plans.Strategic Business Plans include a section in which business units develop performance measures and project forward their expected output. These measures are developed based on current services that the business unit provides. MR 02.21.18 Yes Annual Budget Process Major Preventive WP C-19 WP C-20 WP C-23 WP E-3 Reviewed the City FY18 Annual Budget and supporting documents. Compared all department goals to each other. The annual budget process involves departments developing annual goals, on- going key performance indicators, and annual department issues and needs. Additionally, we found that some department's annual goals are complimentary - particularly within the same department. Also, we found that all department goals are related to the City's strategic plan objectives. MR 1.26.18 Yes Varying Department Risk Appetites Compensati ng Preventive WP E-7 Interviewed 74 City leaders at the beginning of FY17 and assigned each individual a risk rating. Found that the City's leadership is slightly risk averse, however, the City Council is more risk taking. These tendencies are reflected in the controls they cited as being in place in their respective department/division. SS 02.28.18 Yes Annual Budget Process Major Preventive WP C-19 WP C-20 WP C-23 WP D-19 WP E-3 Reviewed the City FY18 Annual Budget and supporting documents. Department directors develop a list of issues and needs - essentially risks - and propose service level adjustments (SLAs) to mitigate these risks. The City Manager and the Budget division then review these SLAs to determine if there is a more efficient way to mitigate the risks identified. SS 01.17.18 MR 1.26.18 Yes Annual Budget Process Major Detective WP C-19 WP C-20 WP C-23 Reviewed the City FY18 Annual Budget and supporting documents. The annual budget breaks down revenue and expenditure projections - or objectives - by fund, department, and division. In addition, it identifies departmental issues and needs, on-going performance measures, and annual department goals. MR 03.15.18 Yes Op e r a t i o n s O b j e c t i v e s Operations Objectives Reflect Management's Choices - Operations objectives reflect management's choices about structure, industry considerations, and performance of the entity. Periodically, the City Council develops and updates City-wide strategic objectives. These are directly linked to department goals identified in the annual budget process. In addition, the department lists several on-going key performance measures that stem from performance measures developed at the business unit level as part of the strategic business plan process. We found that no department goals directly contradicted each other and that all were related to City-wide strategic objectives. Yes YesAnnually, department directors, with the help of division managers, develop a list of issues and needs - essentially risks - as part of the budget process. They then propose solutions to these risks as service level adjustments (SLAs), which reflect their combined risk appetites. The City Manager and budget division then review these SLAs to determine if there is a more efficient way to mitigate the risks identified or if the City must be willing to accept the risk. Operations Objectives Consider Tolerances for Risk - Management considers the acceptable levels of variation relative to the achievement of operations objectives. Includes Operations and Financial Performance Goals - The organization reflects the desired level of operations and financial performance for the entity within operations objectives. At the department level, the annual budget identified revenue and expenditure objectives by fund, department, and division, which are integrated with specific department operational objectives. At the business unit level, performance objectives and expenditure objectives - including capital improvement plans - are identified for the following five Yes Principle 6: Specifies Suitable Objectives Objective: The organization considers the potential for fraud in assessing risks to the achievement of objectives. Auditor Conclusion: We have performed audit procedures to assess if the entity level controls below are deployed across the City to provide reasonable assurance that the above principal is present. The results of these audit procedures are documented below. Are entity level controls deployed across the City to demonstrate the key principle above is present? YES Points of Focus Control Activity Point of Focus Supported Control Component Control Type Ref. Docs Audit Testing Procedures Audit Results Auditor Control Effective Auditor Notes Strategic Business Plan Process Major Preventive WP C-59 WP C-60 WP E-5 Reviewed several strategic business plans.Strategic business plans includes the development of performance measurement goals as well as projected operating budgets and capital improvement plans for the next five years. MR 03.15.18 Yes Strategic Plan Major Preventive WP C-18 WP E-3 Reviewed the City's 2017 Strategic Plan document. The City’s strategic plan guides prioritization of department operational and financial objectives. MR 1.26.18 Yes Annual Budget Process Major Detective WP C-19 WP C-20 WP C-23 Reviewed the City FY18 Annual Budget and supporting documents. Department directors propose service level adjustments (SLAs) to correct or fulfull issues or needs that they have identified. The City Manager and the Budget division then review these SLAs to determine if there is a more efficient way to mitigate the risks identified. These SLAs are then finalized after review from the City Council and resources are officially committed to the projects and expenditures identified in the budget. MR 1.26.18 Yes Comprehensive Annual Financial Report Major Preventive WP C-21 WP C-72 WP D-28 Reviewed Fiscal and Budgetary Policy Statements which provides the rules and guidelines to be followed by the Fiscal Services Department. According to Fiscal and Budgetary policies the City presents its financial position in accordance with generally accepted accounting principles (GAAP). In addition, the Comprehensive Annual Financial Report should be prepared in accordance with GAAP and presented to the Government Finance Officer's Association (GFOA) for evaluation. We found that the City received the Certificate of Achievement for Excellence in Financial Reporting - awarded by the GFOA - annually since 2012. MR 03.15.18 SS 1.17.18 Yes External Audits Major Detective WP C-72 WP D-28 Reviewed the City's Comprehensive Annual Financial Report. Reviewed the external audit opinions from FY06 through FY16 to determine if any material misstatements were identified. Annually, an independent audit is conducted to determine the City's accuracy in financial reporting. We verified that the external auditors presented an opinion that "the financial statements … present fairly, in all material respects, the respective financial position of the government activities, the business-type activities, each major fund, and the aggregate remaining fund information of the City" from FY06 through FY16. MR 03.15.18 SS 1.17.18 Yes v e s Complies with Applicable Accounting Standards - Financial reporting objectives are consistent with accounting principles suitable and available for that entity. The accounting principles selected are appropriate in the circumstances. Forms a Basis for Committing of Resources - Management uses operations objectives as a basis for allocating resources needed to attain desired operations and financial performance. Annually, department directors propose service level adjustments (SLAs) intended to correct or fulfill issues or needs that they have identified. These SLAs are then reviewed by the City Manager who then advises the department on what SLAs to submit based on the City's strategic plan - created by the City Council. The Budget division then reviews the submitted SLAs and brings them before the City Council who has final approval over spending decisions. Yes p g years. The City conforms to Generally Accepted Accounting Principles (GAAP) and presents its Comprehensive Annual Financial Report (CAFR) to the Government Finance Officer's Association (GFOA) for evaluation annually. The CAFR is also reviewed annually by an independent external auditor to determine if there are any material misstatements presented. Yes Principle 6: Specifies Suitable Objectives Objective: The organization considers the potential for fraud in assessing risks to the achievement of objectives. Auditor Conclusion: We have performed audit procedures to assess if the entity level controls below are deployed across the City to provide reasonable assurance that the above principal is present. The results of these audit procedures are documented below. Are entity level controls deployed across the City to demonstrate the key principle above is present? YES Points of Focus Control Activity Point of Focus Supported Control Component Control Type Ref. Docs Audit Testing Procedures Audit Results Auditor Control Effective Auditor Notes Comprehensive Annual Financial Report Major Preventive WP C-21 WP C-72 WP D-28 Reviewed Fiscal and Budgetary Policy Statements which provides the rules and guidelines to be followed by the Fiscal Services Department. Reviewed the accounting standards followd by the City. According to Fiscal and Budgetary policies the City presents its financial position in accordance with generally accepted accounting principles (GAAP). According to these standards the organization must consider materiality when presenting its financial position. MR 03.15.18 SS 1.17.18 Yes External Audits Major Detective WP C-72 WP D-28 Reviewed the City's Comprehensive Annual Financial Report. Reviewed the external audit opinions from FY06 through FY16 to determine if any material misstatements were identified. Annually, an independent audit is conducted to determine the City's accuracy in financial reporting. We verified that the external auditors presented an opinion that "the financial statements … present fairly, in all material respects, the respective financial position of the government activities, the business-type activities, each major fund, and the aggregate remaining fund information of the City" from FY06 through FY16. MR 03.15.18 SS 1.17.18 Yes Comprehensive Annual Financial Report Major Preventive WP C-21 WP C-72 WP D-28 Reviewed the FY17 Comprehensive Annual Financial Report. The Comprehensive Annual Financial Report includes financial statements broken out by fund and department - adequately linking revenues and expenditures to the entity's activities. MR 03.15.18 Yes Annual Budget Process Major Preventive WP C-19 WP C-20 WP C-23 Reviewed the City FY18 Annual Budget and supporting documents. The annual budget presents the actual revenues and expenditures from the past fiscal year and the estimated revenues and expenditures from the year the budget was released. These revenues and expenditures are broken out by fund, department, and activity, which adequately relates them back to the entity's activities. In addition, we found that the City received the Distinguished Budget Presentation Award - awarded by the GFOA - annually since 2012. MR 03.15.18 Yes Annual Budget Process Compensati ng Preventive WP C-23 WP E-13 Reviewed all performance metrics identified in the FY18 budget and determined what type of outside agency - if any - they were related to. Determined that few key performance indicators are used to directly report to outside agencies. Most likely this is because the budget is used more internally and does not necessarily indicate that the City does not report metrics to outside agencies. MR 03.15.18 Yes Additional External Department Reports Compensati ng Preventive Interviewed key personnel involved in control, communication, and monitoring activites. WILL BE COMPLETED DURING THE CONTROL ACTIVITIES PORTION OF THIS ASSESSMENT. Ex t e r n a l F i n a n c i a l R e p o r t i n g O b j e c t i v v e s Considers Materiality - Management considers materiality in financial statement presentation. YesAccording the generally accepcted accounting principles (GAAP) - which the City claims to utilize - organizations must consider materiality when presenting their financial position. Annually, an independent external auditor ensures that these standards - including those involving materiality - are met and that the City's financial position is presented fairly and accurately. External Financial Reporting Objectives Reflect Entity Activities - External reporting reflects the underlying transactions and events to show qualitative characteristics and assertions. Guidelines regarding financial reporting and accounting principles are addressed in the Fiscal and Budgetary Policy Statements. The City Charter sets the guidelines for remaining ethical and accurate during the budget process. Also,the City has be awarded with the Certificate of Achievement for Excellence in Financial Reporting - awarded by the GFOA - annually since 2012 for the CAFR, which is obtained by following the Generally Accepted Accounting Principles set by the Financial Accounting Standards Board. In addition, a similar award - the Distinguished Budget Presentation Award - has been given to the City for the annual budget since 2012. Yes Complies with Externally Established Standards and Frameworks - Management establishes objectives consistent with laws and regulations, or standards and frameworks of recognized external organization. In addition, some key performance indicators developed and reported during the annual budget process refer to standards and regulations set by outside agencies. Principle 6: Specifies Suitable Objectives Objective: The organization considers the potential for fraud in assessing risks to the achievement of objectives. Auditor Conclusion: We have performed audit procedures to assess if the entity level controls below are deployed across the City to provide reasonable assurance that the above principal is present. The results of these audit procedures are documented below. Are entity level controls deployed across the City to demonstrate the key principle above is present? YES Points of Focus Control Activity Point of Focus Supported Control Component Control Type Ref. Docs Audit Testing Procedures Audit Results Auditor Control Effective Auditor Notes Annual Budget Process Major Preventive WP C-18 WP C-23 WP E-13 Reviewed all performance metrics identified in the FY18 budget and determined if they were reported in an understandable and precise way. Determined that 93% of key performance indicators meaningfully indicated performance (i.e. were understandable and adequately precise). In addition, 93% of performance indicators actually measured the City’s performance – the other 7% only indicated workload. 99% of performance metrics were reproducible from year to year. 86% of metrics were comparable to other cities – allowing for the City to account for its unique activities while still being able to benchmark. MR 03.15.18 Yes Additional External Department Reports Compensati ng Preventive Interviewed key personnel involved in control, communication, and monitoring activites. WILL BE COMPLETED DURING THE CONTROL ACTIVITIES PORTION OF THIS ASSESSMENT. Annual Budget Process Major Preventive WP C-23 WP E-13 Reviewed all performance metrics identified in the FY18 budget and determined if they were adequately related to the entity's objectives. Determined that 99% of performance metrics were directly linked to the City's strategic objectives. MR 03.15.18 Yes Additional External Department Reports Compensati ng Preventive Interviewed key personnel involved in control, communication, and monitoring activites. WILL BE COMPLETED DURING THE CONTROL ACTIVITIES PORTION OF THIS ASSESSMENT. Internal Reporting Objectives Reflect Management's Choices - Operations objective reflect management's choices about structure, industry considerations, and performance of the entity. Additional Internal Department Reports Major Preventive Interviewed key personnel involved in control, communication, and monitoring activites. WILL BE COMPLETED DURING THE CONTROL ACTIVITIES PORTION OF THIS ASSESSMENT. Internal Reporting Objectives Consider the Required Level of Precision - Management reflects the required level of precision and accuracy suitable for user needs and as based on criteria established by third parties in non- financial reporting. Additional Internal Department Reports Major Preventive Interviewed key personnel involved in control, communication, and monitoring activites. WILL BE COMPLETED DURING THE CONTROL ACTIVITIES PORTION OF THIS ASSESSMENT. Internal Reporting Objectives Reflect Entity Activities - External reporting reflects the underlying transactions and events to show qualitative characteristics and assertions. Additional Internal Department Reports Major Preventive Interviewed key personnel involved in control, communication, and monitoring activites. WILL BE COMPLETED DURING THE CONTROL ACTIVITIES PORTION OF THIS ASSESSMENT. Ex t e r n a l N o n - F i n a n c i a l R e p o r t i n g O b j e c t i v Generally, key performance indicators developed and reported during the annual budget process are adequate to indicated the City's objectives and performance. In t e r n a l R e p o r t i n g O b j e c t i v e s Yes External Non-Financial Reporting Objectives Consider the Required Level of Precision - Management reflects the required level of precision and accuracy suitable for user needs and as based on criteria established by third parties in non-financial reporting. Yes External Non-Financial Reporting Objectives Reflect Entity Activities - External reporting reflects the underlying transactions and events to show qualitative characteristics and assertions. Key performance indicators developed and reported during the annual budget process are relevant to the City's strategic objectives and thus reflect the entity's activities. Principle 6: Specifies Suitable Objectives Objective: The organization considers the potential for fraud in assessing risks to the achievement of objectives. Auditor Conclusion: We have performed audit procedures to assess if the entity level controls below are deployed across the City to provide reasonable assurance that the above principal is present. The results of these audit procedures are documented below. Are entity level controls deployed across the City to demonstrate the key principle above is present? YES Points of Focus Control Activity Point of Focus Supported Control Component Control Type Ref. Docs Audit Testing Procedures Audit Results Auditor Control Effective Auditor Notes Purchasing Manual (Chapter 5) Major Preventive WP C-24 Reviewed the City's purchasing manual. The purchasing manual contains several references to the Texas Local Government Code and Government Code, which restricts how its municipal purchases are made. MR 03.15.18 Yes Employee Handbook Major Preventive WP C-2 WP C-11 WP C-69 WP D-4 Reviewed the City's Employee Handbook including the original 2004 version, 2004 version with edits, and the new 2018 version. The City has identified that its policies and procedures shall remain in compliance with Federal and State laws and regulations. In addition, the employee handbook contains several policies that reflect Federal or state laws and regulations. In addition, the City of College Station hired outside legal council to update its Employee Handbook to ensure that it complied with all Federal, state, and local laws and regulations. MR 12.14.17 Yes Annual Budget Process Compensati ng Preventive WP C-23 WP E-13 Reviewed all performance metrics identified in the FY18 budget and determined if they were related to any Federal, state, or local laws and regulations. Determined that 1 key performance indicator directly alludes to federal, state, and local laws or regulations. Most likely this is because the budget is used more internally and does not necessarily indicate that the City does not report metrics to outside agencies. MR 03.15.18 Yes Strategic Business Plan Compensati ng Preventive WP C-18 WP E-5 Reviewed the strategic business plan work paper. As part of the strategic business plan, key personnel from the City Manager’s Office develop or update an assessment of the regulatory environment surrounding the City. Department or division level managers then adapt these assessments to their specific business unit. MR 2.21.18 Yes Varying Department Risk Appetites Compensati ng Preventive WP E-7 Interviewed 74 City leaders at the beginning of FY17 and assigned each individual a risk rating. Found that the City's leadership is slightly risk averse, however, the City Council is more risk taking. These tendencies are reflected in the controls they cited as being in place in their respective department/division. SS 02.28.18 Yes Co m p l i a n c e O b j e c t i v e s Compliance Objectives Consider Tolerances for Risk - Management considers the acceptable levels of variation relative to the achievement of operations objectives. The City has several policies, procedures, and manuals that instruct employees on internal controls that vary according to the department or division manager's risk appetite. In addition, there are few instances of guidance on overriding internal controls. This suggests that the department has considered and is The City's Purchasing Manual provides evidence that laws and regulations are considered and applied throughout City activities. The employee handbook requires city employees to comply with state and federal laws. In the event of a conflict between employment or City ordinances with any State or Federal law, that law should prevail. In addition, the handbook includes several policies that reflect Federal or state laws and regulations. Strategic business plans assess the City's regulatory environment, to which departments and divisions are supposed to comply and adapt. In addition, once key performance indicator reported during the annual budget process refer to meeting laws and regulations. Yes Yes Reflects External Laws and Regulations - Laws and regulations establish minimum standards of conduct which the entity integrates into compliance objectives. Principle 6: Specifies Suitable Objectives Objective: The organization considers the potential for fraud in assessing risks to the achievement of objectives. Auditor Conclusion: We have performed audit procedures to assess if the entity level controls below are deployed across the City to provide reasonable assurance that the above principal is present. The results of these audit procedures are documented below. Are entity level controls deployed across the City to demonstrate the key principle above is present? YES Points of Focus Control Activity Point of Focus Supported Control Component Control Type Ref. Docs Audit Testing Procedures Audit Results Auditor Control Effective Auditor Notes Employee Handbook Purchasing Policies and Procedures IT Policies and Procedures Major Preventive WP C-1 WP C-2 WP C-21 WP C-22 WP C-24 WP D-14 Reviewed the Employee Handbook, Purchasing Manual, and IT Policies and Procedures to identify any guidance regarding overriding internal controls. Found twelve instances of guidance regarding overriding internal controls; three instances specifically require documentation; all instances required an employee to seek approval from a higher authority. MR 01.03.18 Yes p responsive to varying risk tolerances regarding compliance objectives. Principle 7: Identifies and Analyzes Risk Objective: The organization considers the potential for fraud in assessing risks to the achievement of objectives. Auditor Conclusion: We have performed audit procedures to assess if the entity level controls below are deployed across the City to provide reasonable assurance that the above principal is present. The results of these audit procedures are documented below. Are entity level controls deployed across the City to demonstrate the key principle above is present? YES Points of Focus Control Activity Point of Focus Supported Control Component Control Type Ref. Docs Audit Testing Procedures Audit Results Auditor Control Effective Auditor Notes City Internal Audit Office Compensati ng Detective WP C-10 WP C-49 WP C-50 WP C-58 Reviewed previous Internal Audit Risk Assessment reports. Every three to five years the City Internal Audit Office performs a City-wide risk assessment. MR 03.05.18 Yes Annual Budget Process Major Detective WP C-19 WP C-23 WP E-3 Reviewed FY18 Department strategic plans.Annually, departments are asked to identify three to five pressing issues or risks to address completely or partially during that fiscal year. MR 03.05.18 Yes Actuarial Report Compensati ng Detective WP C-61 WP E-4 Reviewed the FY17 Workers Compensation, Auto Liability, General Liability and Property Coverages Actuarial Report. Annually, risk is quantitatively identified for City-wide insurance policies. MR 03.05.18 Yes Strategic Business Plan Process Major Detective WP C-60 WP C-62 WP E-5 Reviewed previous Strategic Business Plan documents for several business units. Every five years, City departments assess each business units risks through a SWOT analysis as part of the Strategic Business Plan process. MR 02.21.18 Yes Standard Contracting Major Preventive WP C-40 WP C-56 WP E-4 Reviewed standard contracting forms promulgated by the City Attorney's Office. Standard City contracts adequately transfer risk to vendors and other outside agencies. Non-standard contracts are typically reviewed by the Contract Review Committee. The City has adopted ordinances to regulate the way contracts are executed. MR 03.05.18 Yes Risk Management Division Compensati ng Detective WP C-64 WP E-4 Interviewed the Risk & Workforce Compliance Manager to determine what risk analysis activities they conduct. Reviewed loss-run documentation as well as documentation of risk analysis conducted by Risk Management for specific projects. The Risk Management Division creates "loss- runs" for departments which are able to quantify the monetary effect of risks that have occurred. In addition, Risk staff are occasionally brought in by departments to conduct a risk analysis for specific projects. TE 01.24.18 Yes Strategic Business Plan Process Compensati ng Detective WP C-60 WP C-62 WP E-5 Reviewed previous Strategic Business Plan documents for several business units. As part of the strategic business plan process, key managers develop or update City-wide assessments of the City's economic, organization, policy, regulatory, technology, and demographic outlook. These are then adapted to fit each business unit's unique challenges within the actual strategic business plan. MR 02.21.18 Yes IT Disaster Recovery Plan Major Preventive WP C-71 Reviewed the City's IT Disaster Recover Plan and discussed it with the City's Assistant Director of Information Technology. The City's IT Disaster Recovery Plan began development in 2013, but was never completed or approved by the City Council. MR 03.12.18 No While it is appropriate for the City to have a IT specific Disaster Recovery plan, part of this risk is analyzed in the Emergency Management Plan. RECOMMENDATION: The City should update its IT Disaster Recovery Plan. Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels - The organization identifies and assesses risks at the entity, subsidiary, division, operating unit, and functional levels relevant to the achievement of objectives Risk is assessed at an entity-wide level by the City Internal Audit Office periodically. In addition, the City commissions an actuarial report annually that estimates City-wide insurance risks. At the department level, risks are identified and assessed annually through the annual budget process. In addition, we found evidence that the Risk Management Division occasionally identifies and analyzes risks based on insurance "loss-runs." At the business unit level, risks are identified and assessed every five years as part of the strategic business plan process. Also, the Risk Management Division is occasionally brought into specific projects to identify and assess potential risks. The City uses standard contracting to transfer risk to outside agencies or vendors. When these standard contracts are not used, the situation is reviewed by the Contract Review Committee, which identifies and assesses the risks involved. Yes Analyzes Internal and External Factors - Risk identification considers both internal and external factors and their impact on the achievement of objectives. Externally, the City has its employees develop and update a City-wide assessment of the City's economic, organization, policy, regulatory, technology, and demographic outlook every five years as part of the strategic business plan process. In addition, the City has developed an Emergency management Plan; this is supplemented by the IT Disaster Recovery Plan, which was not completed or approved by the City Council. The City has also developed standard contracts, waivers, and agreements to transfer risk to outside organizations. Finally, the City has developed several department driven reactionary measures in response to risks that have been realized historically. Internally the City ensures employees are Yes Principle 7: Identifies and Analyzes Risk Objective: The organization considers the potential for fraud in assessing risks to the achievement of objectives. Auditor Conclusion: We have performed audit procedures to assess if the entity level controls below are deployed across the City to provide reasonable assurance that the above principal is present. The results of these audit procedures are documented below. Are entity level controls deployed across the City to demonstrate the key principle above is present? YES Points of Focus Control Activity Point of Focus Supported Control Component Control Type Ref. Docs Audit Testing Procedures Audit Results Auditor Control Effective Auditor Notes Emergency Management Plan Major Preventive WP C-63 WP E-6 Interviewed the Emergency Management Coordinator, conducted site visit of the Emergency Operations Center, and reviewed the City's 2014 Emergency Management Plan. The City's emergency management plan identifies and analyzes a number of natural disasters, structural failures, and mass security threats. SS 02.26.18 MR 03.05.18 Yes Standard Contracting Major Preventive WP C-40 WP C-56 WP E-4 Reviewed standard contracting forms promulgated by the City Attorney's Office. Reviewed contract administration summary documentation promulgated by the City Attorney's Office. Standard City contracts adequately transfer risk to vendors and other outside agencies. Non-standard contracts are typically reviewed by the Contract Review Committee. The City has adopted ordinances to regulate the way contracts are executed. MR 03.05.18 Yes Waivers and Other Agreements Major Preventive WP E-10 Reviewed waiver, agreements, and other standard forms requiring outside parties to release the City from risk. Found a number of waivers and agreements that the City utilizes that adequately protect the City from risk through transference. MR 03.06.18 Yes Externally Orientated Department-Driven Reactionary Measures Compensati ng Corrective WP C-36 WP C-66 WP E-4 WP J-2 Interviewed the Risk & Workforce Compliance Manager to determine examples of documentation, plans, policies, or procedures were developed in reaction to changing external conditions. Obtained documentation of these examples. Found evidence that the City has analyzed and reacted to external factors with the following documents: ADA Transition Plan (C-66), Economic Development Master Plan (C-36), and policies involving CBDG and HOME grants requiring proof of loan- payoffs and release lien of prior to future reimbursements (J-2, page 111). MR 03.05.18 MR 03.13.18 Yes Job Descriptions Major Preventive WP C-2 WP D-7 Reviewed all policies and procedures that could reduce the risk of hiring inept employees. Reviewed 198 job description (giving us a 95% confidence that the estimated percentages are within plus or minus 5% of the true value) to see if job qualifications were clear. Job descriptions list the experience, education, and accomplishments needed to adequately fulfill a job and are reviewed by potential employees when they apply. MR 12.19.17 Yes Reference Checks Compensati ng Preventive WP C-2 WP D-22 Reviewed all policies and procedures that could reduce the risk of hiring inept employees. Reviewed 87 employee files (giving us a 95% confidence that the estimated percentages are within plus or minus 10% of the true value) to see if employees had received the appropriate reference checks. It is the City's policy to require hiring managers to verify a potential new employee's experience by requiring reference checks. We found evidence that 39% of employees hired after this policy was implemented received this check. MR 01.10.18 No While reference checks are appropriate, they are not necessary in judging a potential new employee's competence if a thorough application is complete. Purchasing Manual Major Preventive WP C-24 Reviewed the Purchasing Manual (updated February of 2018). The purchasing manual requires large purchases to be openly bid, reducing the risk of 'favoritism.' MR 03.05.18 Yes Internally, the City ensures employees are adequately qualified for their job through job descriptions, background checks, and reference checks. While the City does not seem to uniformly enforce reference checks this is not a material deficiency. In addition, the City encourages longevity and retention through compensation and benefits policies. Purchasing and spending risks are also mitigated through the purchasing manual and annual budget process. Finally, many departments have developed reactionary measures in reponse to risks that have been realized historically and several departments have gone through an accreditation process. Principle 7: Identifies and Analyzes Risk Objective: The organization considers the potential for fraud in assessing risks to the achievement of objectives. Auditor Conclusion: We have performed audit procedures to assess if the entity level controls below are deployed across the City to provide reasonable assurance that the above principal is present. The results of these audit procedures are documented below. Are entity level controls deployed across the City to demonstrate the key principle above is present? YES Points of Focus Control Activity Point of Focus Supported Control Component Control Type Ref. Docs Audit Testing Procedures Audit Results Auditor Control Effective Auditor Notes Background Checks Major Preventive WP C-2 WP C-13 WP C-25 WP C-34 WP C-57 WP C-75 WP D-22 Reviewed the Employee Handbook for policies that indicate City-wide competency requirements. From a sample of 87 full-time employees (giving us a 95% confidence that the estimated percentages are within plus or minus 10% of the true value), we identified if an employee had received a background check if it was required at the time. Found adequate policies that require potential new employees to meet certain competency requirements including background checks. Found evidence that 99% of employees received a background check. In addition, we found evidence that employees in Facilities and IT must undergo more extensive background checks because they have access to the Police Department. MR 02.12.18 MR 03.05.18 Yes Employee Handbook (Compensation and Benefits) Compensati ng Preventive WP D-10 WP C-2 WP C-16 Reviewed the City's Employee Handbook. Reviewed an Employee Survey conducted in 2013 by the CMO and Public Communications; At the time 64% of all City employees (608) participated. The City utilizes benefits policies to encourage longevity and retention such as the leave accrual policy and the retirement vesting system. Found that 71% of employees surveyed in 2013 were satisfied or somewhat satisfied with their overall benefits package. TE 12.27.17 Yes Annual Budget Process Major Detective WP D-19 WP D-27 WP E-3 Interviewed key Fiscal Services staff members. Reviewed the City's annual budgets from FY09 through FY18. The City's annual budgeting and services level adjustment process requires department heads to make a business case for the funding of their operations, requiring a consideration of risk. There is evidence that the City has downsized agency operations in the past. MR 02.05.18 MR 03.05.18 Yes Department Accreditation Processes Major Detective WP E-4 WP E-12 Interviewed the Risk & Workforce Compliance Manager to determine which departments had undergone accreditation and obtained documentation of this. We found evidence that the following agencies had undergone an accreditation process that required a consideration of risk: Water Services, Public Works, Parks & Recreation, Fire, and Police. MR 03.08.18 Yes Internally Orientated Department-Driven Reactionary Measures Compensati ng Corrective WP C-43 WP C-44 WP D-12 WP E-4 Interviewed the Risk & Workforce Compliance Manager to determine examples of documentation, plans, policies, or procedures were developed in reaction to changing external conditions. Obtained documentation of these examples. Found evidence that the City has analyzed and reacted to internal factors with the following documents: Tyler Munis Implementation. City Internal Audit Office Compensati ng Detective WP C-10 WP C-49 WP C-50 WP C-58 WP D-15 Reviewed previous Internal Audit Risk Assessment reports. City-wide risk assessments are reported to the City's Audit Committee, which includes three City Council Members and prepared by the Internal Audit Office - a functionally independent department. MR 03.05.18 MR 01.04.18 YesInvolves Appropriate Levels of Management - The organization puts into place effective risk assessment mechanisms that involve appropriate levels of management. Periodically the City Internal Audit Office - a functionally independent department - conducts a City-wide risk assessment that is reported to City Councilmembers. In addition, actuarial reports are prepared by a consultant annually, which are then reported to Councilmembers. Yes Principle 7: Identifies and Analyzes Risk Objective: The organization considers the potential for fraud in assessing risks to the achievement of objectives. Auditor Conclusion: We have performed audit procedures to assess if the entity level controls below are deployed across the City to provide reasonable assurance that the above principal is present. The results of these audit procedures are documented below. Are entity level controls deployed across the City to demonstrate the key principle above is present? YES Points of Focus Control Activity Point of Focus Supported Control Component Control Type Ref. Docs Audit Testing Procedures Audit Results Auditor Control Effective Auditor Notes Annual Budget Process Major Detective WP C-19 WP C-23 WP E-3 Reviewed FY18 Department strategic plans.Risks identified at the department level are reviewed annually as part of the budget process - specifically at budget hearings with the City Manager and City Council members. These are prepared by department directors. MR 03.05.18 Yes Actuarial Report Compensati ng Detective WP C-61 WP E-4 Reviewed the FY17 Workers Compensation, Auto Liability, General Liability and Property Coverages Actuarial Report. Actuarial reports are presented to City Council annually and are prepared by an outside actuarial consultant. MR 03.05.18 Yes Strategic Business Plan Process Major Detective WP C-60 WP C-62 WP E-5 Reviewed previous Strategic Business Plan documents for several business units. Strategic business unit processes are completed by business unit managers and reviewed by department directors and the City Manager's Office. MR 02.21.18 Yes City Internal Audit Office Compensati ng Detective WP C-10 WP C-49 WP C-50 WP C-58 Reviewed previous Internal Audit Risk Assessment reports. As part of the Internal Audit Office's City- wide risk assessment, risks are verified and analyzed in an attempt to estimate the significance of the risk. Areas deemed high- risk are often further reviewed by the Department in future audits. MR 03.05.18 Yes Annual Budget Process Compensati ng Detective WP C-19 WP C-23 WP E-3 Reviewed FY18 Department strategic plans. Determined if issues/risks identified were relevant to the Department's activities. As part of the annual budget process, risks or issues are identified for each department and the most pressing issues are identified. We found that all issues/risks identified were relevant to the departments' activities. In addition, departments submit potential service level adjustments - meant to respond to identified risks - which are then ranked once by the City Manager's Office and then again by the Budget Division. MR 03.05.18 MR 03.01.18 Yes According to COSO this is a deficiency. Strategic Business Plan Process Major Detective WP C-60 WP C-62 WP E-5 Reviewed previous Strategic Business Plan documents for several business units. Determined if the issues/risks identified in the FY11 through FY15 strategic business plans were relevant to the business unit's activities. As part of the strategic business plan process, risks are identified as threats or weaknesses in a SWOT analysis and the most pressing threats or weaknesses are identified, however, the City does not have a standardized system used to estimate the significance of these risks. This being said, we found that all threats and weaknesses identified were relevant to the business units' activities. MR 02.21.18 MR 03.01.18 No According to COSO this is a deficiency. Estimates Significance of Risks Identified - Identified risks are analyzed through a process that includes estimating the potential significance of the risk. At the City-wide level, risk significance is estimated by the City Internal Audit Office. Annually, City departments identify and analyze risks. The reponse to these risks is then identified and submitted to the City Manager's Office as a service level adjustment (SLA). The City Manager's Office then ranks these risks by recommending the SLAs as part of the budget process. These are then ranked again by the Budget division. Every five years, the City undergoes the Strategic Business Plan process which identifies risks through a SWOT analysis, however, the City does not have a standard way for departments to estimate the significance of these risks. The City's lack of standardized risk estimation in the strategic business plan process is a deficiency. Yes Department directors also prepare the department's annual strategic plans, which include a risk analysis. These plans are reviewed by the City Manager's Office and City Councilmembers. Finally, business unit risk analyses are prepared by the business unit manager, which are then reviewed by the department director and the City Manager's Office. Principle 7: Identifies and Analyzes Risk Objective: The organization considers the potential for fraud in assessing risks to the achievement of objectives. Auditor Conclusion: We have performed audit procedures to assess if the entity level controls below are deployed across the City to provide reasonable assurance that the above principal is present. The results of these audit procedures are documented below. Are entity level controls deployed across the City to demonstrate the key principle above is present? YES Points of Focus Control Activity Point of Focus Supported Control Component Control Type Ref. Docs Audit Testing Procedures Audit Results Auditor Control Effective Auditor Notes City Internal Audit Office Compensati ng Detective WP C-10 WP C-49 WP C-50 WP C-58 Reviewed previous Internal Audit Risk Assessment reports. The City Internal Audit Office's risk assessments do not typically include recommendations, however, they typically lead to audit topic suggestion, which generally include recommendations to improve operations. MR 03.05.18 Yes Varying Department Risk Appetites Compensati ng Preventive WP E-7 Interviewed 74 City leaders at the beginning of FY17 and assigned each individual a risk rating. Found that the City's leadership is slightly risk averse, however, the City Council is more risk taking. These tendencies are reflected in the controls they cited as being in place in their respective department/division. SS 02.28.18 Yes Annual Budget Process Major Detective WP C-19 WP C-23 WP E-3 Reviewed FY18 Department strategic plans. Annually, departments identify risks or issues and how they plan to address these issues in the next fiscal year. MR 03.05.18 MR 03.01.18 Yes Strategic Business Plan Process Major Detective WP C-60 WP C-62 WP E-5 Reviewed previous Strategic Business Plan documents for several business units. Every five years, the strengths and weaknesses of the City's business units are identified and potential solutions to these are proposed. MR 02.21.18 MR 03.01.18 Yes Determines How to Respond to Risks - Risk assessment includes considering how the risk should be managed and whether to accept, avoid, reduce, or share the risk. The City Internal Audit Office's risk assessments typically lead to audit topics, which further explore and recommend responses to identified risks. Department strategic plans in the annual budget include potential responses to identified risks and issues. Strategic Business Plans include potential responses to threats and weaknesses identified. Departments also have varying risk appetites that are appropriately established considering their functions. Yes Principle 8: Assesses Fraud Risk Objective: The organization considers the potential for fraud in assessing risks to the achievement of objectives. Auditor Conclusion: We have performed audit procedures to assess if the entity level controls below are deployed across the City to provide reasonable assurance that the above principal is present. The results of these audit procedures are documented below. Are entity level controls deployed across the City to demonstrate the key principle above is present? YES Points of Focus Control Activity Point of Focus Supported Control Component Control Type Ref. Docs Audit Testing Procedures Audit Results Auditor Control Effective Auditor Notes City Internal Audit Office Major Detective C-65 C-68 E-11 Reviewed City Internal Audit Officer's policies and procedures. Reviewed the auditing standards followed by the City Internal Audit Office. Identified evidence of standards being followed. Auditing standards followed by the City Internal Audit Office include examples of various types of fraud that could be indicated in financial audits, attestation engagements, and performance audits. We found documentation that these standards were followed. MR 03.07.18 Yes Employee Fraud Hotline Major Corrective E-11 Reviewed fraud hotline results, policies, and case summary information. In addition, we found that the City Internal Audit Office has implemented an anonymous ethics hotline. TE 03.08.18 Yes External Compliance and Single Audits Major Detective C-67 C-68 E-11 Reviewed FY17 Compliance and Single Audit Reports. Reviewed the auditing standards followed by the external auditors. Auditing standards followed by the external auditors include examples of various types of fraud that could be indicated in financial audits, attestation engagements, and performance audits. MR 03.07.18 Yes City Internal Audit Office Major Detective C-65 C-68 E-11 Reviewed City Internal Audit Officer's policies and procedures. Reviewed the auditing standards followed by the City Internal Audit Office. Identified evidence of standards being followed. Auditing standards followed by the City Internal Audit Office state that the audit team must discuss individuals' incentives or pressures to commit fraud. There is evidence that these standards are followed by the City Internal Audit Office. MR 03.07.18 Yes External Compliance and Single Audits Major Detective C-67 C-68 E-11 Reviewed FY17 Compliance and Single Audit Reports. Reviewed the auditing standards followed by the external auditors. Auditing standards followed by the external auditors state that the audit team must discuss individuals' incentives or pressures to commit fraud. MR 03.07.18 Yes City Internal Audit Office Major Detective C-65 C-68 E-11 Reviewed City Internal Audit Officer's policies and procedures. Reviewed the auditing standards followed by the City Internal Audit Office. Identified evidence of standards being followed. Auditing standards followed by the City Internal Audit Office state that the audit team must discuss the opportunities for fraud to occur. We found documentation that these standards were followed. MR 03.07.18 Yes External Compliance and Single Audits Major Detective C-67 C-68 E-11 Reviewed FY17 Compliance and Single Audit Reports. Reviewed the auditing standards followed by the external auditors. Auditing standards followed by the external auditors state that the audit team must discuss the opportunities for fraud to occur. MR 03.07.18 Yes City Internal Audit Office Major Detective C-65 C-68 E-11 Reviewed City Internal Audit Officer's policies and procedures. Reviewed the auditing standards followed by the City Internal Audit Office. Identified evidence of standards being followed. Auditing standards followed by the City Internal Audit Office state that the audit team must discuss rationalizations or attitudes that could allow individuals to commit fraud. We found documentation that these standards were followed. MR 03.07.18 Yes External Compliance and Single Audits Major Detective C-67 C-68 E-11 Reviewed FY17 Compliance and Single Audit Reports. Reviewed the auditing standards followed by the external auditors. Auditing standards followed by the external auditors state that the audit team must discuss rationalizations or attitudes that could allow individuals to commit fraud. MR 03.07.18 Yes Assesses Opportunities - The assessment of fraud risk considers opportunities for unauthorized acquisition, use, or disposal of assets, altering of the entity’s reporting records, or committing other inappropriate acts. The auditing standards followed by the City Internal Audit Office and the external auditors state that the audit team must discuss the opportunities for fraud to occur. We found documentation that these standards were followed by the City Internal Audit Office. Yes Assesses Attitudes and Rationalizations - The assessment of fraud risk considers how management and other personnel might engage in or justify inappropriate actions. The auditing standards followed by the City Internal Audit Office and the external auditors state that the audit team must discuss rationalizations or attitudes that could allow individuals to commit fraud. We found documentation that these standards were followed by the City Internal Audit Office. Yes Considers Various Types of Fraud - The assessment of fraud considers fraudulent reporting, possible loss of assets, and corruption resulting from the various ways that fraud and misconduct can occur. The auditing standards followed by the City Internal Audit Office and the external auditors include examples of various types of fraud that could be indicated in financial audits, attestation engagements, and performance audits. We found documentation that these standards were followed by the City Internal Audit Office. In addition, we found that the City Internal Audit Office has implemented an anonymous ethics hotline. Yes Assesses Incentive and Pressures - The assessment of fraud risk considers incentives and pressures. The auditing standards followed by the City Internal Audit Office and the external auditors state that the audit team must discuss individuals' incentives or pressures to commit fraud. There is documentation that these standards are followed by the City Internal Audit Office. Yes Principle 9: Identifies and Analyzes Significant Change Objective: The organization considers the potential for fraud in assessing risks to the achievement of objectives. Auditor Conclusion: We have performed audit procedures to assess if the entity level controls below are deployed across the City to provide reasonable assurance that the above principal is present. The results of these audit procedures are documented below. Are entity level controls deployed across the City to demonstrate the key principle above is present? YES Points of Focus Control Activity Point of Focus Supported Control Component Control Type Ref. Docs Audit Testing Procedures Audit Results Auditor Control Effective Auditor Notes Strategic Business Plan Process Major Detective WP C-60 WP C-62 WP E-5 Reviewed previous Strategic Business Plan documents for several business units. As part of the strategic business plan process, key managers develop or update City-wide assessments of the City's economic, organization, policy, regulatory, technology, and demographic outlook. These are then adapted to fit each business unit's unique challenges within the actual strategic business plan. MR 02.21.18 Yes IT Disaster Recovery Plan Major Preventive WP C-71 Reviewed the City's IT Disaster Recover Plan and discussed it with the City's Assistant Director of Information Technology. The City's IT Disaster Recovery Plan began development in 2013, but was never completed or approved by the City Council. MR 03.12.18 No While it is appropriate for the City to have a IT specific Disaster Recovery plan, part of this risk is analyzed in the Emergency Management Plan. RECOMMENDATION: The City should update its IT Disaster Recovery Plan. Emergency Management Plan Major Preventive WP C-63 WP E-6 Interviewed the Emergency Management Coordinator. Reviewed the City's 2014 Emergency Management Plan. The City's emergency management plan considers and proposes responses to sudden environmental changes that cause hazardous conditions. SS 02.26.18 MR 03.05.18 Yes Economic Development Master Plan Compensati ng Preventive WP C-36 Reviewed the City's 2013 Economic Development Master Plan. The Economic Development Master Plan takes into account existing economic conditions and is updated and revised periodically. MR 03.08.18 Yes Waivers and Other Agreements Major Preventive WP E-10 Reviewed waiver, agreements, and other standard forms requiring outside parties to release the City from risk. Found a number of waivers and agreements that the City utilizes that adequately protect the City from risk through transference. MR 03.06.18 Yes Annual Budget Process Major Preventive WP C-19 WP C-20 WP C-23 WP D-27 Reviewed the FY18 budget kickoff memo. Reviewed the City's annual budgets from FY09 through FY18. Department organizational charts are updated at least annually. In addition, there is evidence that all departments and the City as a whole periodically consider the organization's structure and make changes as necessary. MR 02.13.18 MR 02.05.18 Yes ERP Implementation Compensati ng Preventive WP C-43 WP C-44 WP D-12 WP E-4 Reviewed documentation related to the ICE Project and examined training documentation and premade reports for the Tyler Munis system. Interviewed the City's Risk and Workforce Compliance Manager. There is evidence that the City considered the impact of transitioning to a new enterprise resource management system by implementing training programs for Tyler Munis. MR 01.02.18 TY 01.24.18 Yes Assesses Changes in the External Environment - The risk identification process considers changes to the regulatory, economic, and physical environment in which the entity operates. The City has its employees develop and update a City-wide assessment of the City's economic, organization, policy, regulatory, technology, and demographic outlook every five years as part of the strategic business plan process. In addition, the City has developed an Emergency Management Plan; this is supplemented by the IT Disaster Recovery Plan, which was not completed or approved by the City Council. The City has also developed standard contracts, waivers, and agreements to transfer risk to outside organizations. Finally, the City has developed several department driven reactionary measures in response to risks that have been realized historically. Yes Assesses Changes in the Business Model - The organization considers the potential impacts of new business lines, dramatically altered compositions of existing business lines, acquired or divested business operations on the system of internal control, rapid growth, changing reliance on foreign geographies, and new technologies. Annually, organizational, and thus business model, changes are assessed during the budget process. In addition, we found that the City had considered the impact of major changes to the business model through conducting trainings for the Tyler Munis system. Finally, the City has also developed a Comprehensive Plan that anticipates and guides growth in the City. Yes Principle 9: Identifies and Analyzes Significant Change Objective: The organization considers the potential for fraud in assessing risks to the achievement of objectives. Auditor Conclusion: We have performed audit procedures to assess if the entity level controls below are deployed across the City to provide reasonable assurance that the above principal is present. The results of these audit procedures are documented below. Are entity level controls deployed across the City to demonstrate the key principle above is present? YES Points of Focus Control Activity Point of Focus Supported Control Component Control Type Ref. Docs Audit Testing Procedures Audit Results Auditor Control Effective Auditor Notes Planning and Development Comprehensive Plan Major Preventive WP C-70 Reviewed the 2009-2030 College Station Comprehensive Plan. The Comprehensive Plan is used to anticipate and guide growth in a manner that provides College Station with a balance of land uses that promote economic growth while retaining the quality of life. MR 03.13.18 Yes Informal Consideration of Succession at the Department Level Compensati ng Detective WP D-10 WP D-33 WP E-9 Reviewed audit work previously conducted regarding succession planning and the loss of institutional knowledge. Requested any succession planning documentation or information from department directors. We found that 43% of 74 key City supervisors identified loss of institutional knowledge as a risk to their operations. Most departments plan for succession as it becomes apparent employee are going to retire or leave the City. Only one department has a formal succession plan. MR 12.22.17 TE 03.05.18 Yes There is no formal procedure for succession planning, however, there is evidence that the City as a whole and departments on their own have considered succession planning. RECOMMENDATION: Formalize procedures that identify and help to mitigate the risk of losing institutional knowledge. City Council Trainings Major Corrective WP C-4 WP C-5 WP C-6 WP C-55 WP D-31 Reviewed Council Orientation documentation provided by City staff. Used Council expenditure data to determine what trainings Council members attended throughout FY17. After every election, City staff hold an orientation for new City Council members. In addition, Council members undergo various trainings throughout the year. MR 02.08.18 Yes Assesses Changes in Leadership - The organization considers changes in management and respective attitudes and philosophies on the system of internal control. After every election, the City conducts a City Council orientation to bring new members up to speed with City policies and procedures. The City also has several informal department succession plans to help mitigate the risks associated with leadership changes. Yes COSO Assessment Update Audit Committee Meeting April 4, 2018 What is internal control? Objective identified Controls designed Controls in place Objective achieved How does internal control work? Run its operations efficiently and effectively Report reliable information about its operations Comply with applicable laws and regulations COSO’s 17 Principles of Internal Control Internal Controls Verified Ma j o r Co m p e n s a t i n g 6 2 Sets the tone at the top 1 1 Establishes standards of conduct 2 1 Evaluates adherence to standards of conduct 5 0 Addresses deviations in timely manner Recommendations: 1. Require all employees to acknowledge they have read and understand polices in the Employee Handbook. 2. All performance evaluations should contain ethics and integrity criteria common to all employees. 7 3 2 Internal Controls Verified Ma j o r Co m p e n s a t i n g 3 0 Establishes oversight responsibilities 2 0 Applies relevant expertise 2 0 Operates independently 1 2 Provides oversight for the system of internal control Internal Controls Verified Ma j o r Co m p e n s a t i n g 3 0 Considers all structures of the entity 3 1 Establishes reporting lines 6 1 Defines, assigns, & limits authorities & responsibilities Internal Controls Verified Ma j o r Co m p e n s a t i n g 1 0 Establishes policies & practices 7 0 Evaluates competencies & address shortcomings 5 1 Attracts, develops,& retain individuals 0 2 Plans and prepares for succession Recommendations: 1. Require annual employee verification of job descriptions. 2. Improve performance appraisal process to be more employee centric. 3. Formalize procedures that identify and help to mitigate the risk of losing institutional knowledge. 1 18 2 1 Internal Controls Verified Ma j o r Co m p e n s a t i n g 5 2 Enforces accountability through structures, authorities, & responsibilities 1 0 Establishes perf. measures, incentives, & rewards 2 0 Evaluates perf. measures, incentives, & rewards for ongoing relevance 2 1 Considers excessive pressures 2 0 Evaluates Performance & Rewards or Disciplines Individuals Recommendations: Improve associations between employees’ performance and rewards. 36 1 1 4 COSO’s 17 Principles of Internal Control Recommendations: To be determined. We decided to incorporate aspects of this principal into the next component of COSO due to some synergies in the workload that can be realized. Internal Controls Verified Ma j o r Co m p e n s a t i n g 8 1 Operations Objectives (4) 6 0 External Financial Reporting Objectives (3) 2 1 External Non-Financial Reporting Objectives (3) 0 0 Internal Reporting Objectives (3) 4 2 Compliance Objective (2) Internal Controls Verified Recommendations: 1. The City should update its IT Disaster Recovery Plan. Ma j o r Co m p e n s a t i n g 3 3 Includes Entity, Subsidiary, Division, Operating Unit, & Functional Levels 8 4 Analyzes Internal and External Factors 2 2 Involves Appropriate Levels of Management 1 2 Estimates Significance of Risks Identified 2 2 Determines How to Respond to Risks 59 Internal Controls Verified Ma j o r Co m p e n s a t i n g 3 0 Considers Various Types of Fraud 2 0 Assesses Incentive and Pressures 2 0 Assesses Attitudes and Rationalizations Internal Controls Verified Ma j o r Co m p e n s a t i n g 3 1 Assesses Changes in the External Environment 2 1 Assesses Changes in the Business Model 1 1 Assesses Changes in Leadership Recommendations: Procedures should be formalized that identify and help to mitigate the risk of losing institutional knowledge. 4 COSO Project Timeline 10/1/17 12/1/17 1/31/18 4/2/18 6/2/18 8/2/18 10/2/18 COSO Training Planning Control Environment Risk Assessment Control Actvities Info.& Communication Monitoring Activities 10/23/17 12/7/18 4/4/18 6/26/18 9/25/18 COSO’s 17 Principles of Internal Control Internal Controls Verified Recommendations: 1. 2. Ma j o r Co m p e n s a t i n g 9 9 Integrates with Risk Assessment 9 9 Considers Entity-Specific Factors 9 9 Determines Relevant Business Processes 9 9 Evaluates a Mix of Control Activity Types 9 9 Considers at What Level Activities are Applied 9 9 Addresses Segregation of Duties Internal Controls Verified Recommendations: 1. 2. Ma j o r Co m p e n s a t i n g 9 9 Integrates with Risk Assessment 9 9 Considers Entity-Specific Factors 9 9 Determines Relevant Business Processes 9 9 Evaluates a Mix of Control Activity Types 9 9 Considers at What Level Activities are Applied 9 9 Addresses Segregation of Duties Internal Controls Verified Recommendations: 1. 2. Ma j o r Co m p e n s a t i n g 1 0 Establishes policies & practices 7 0 Evaluates competencies & address shortcomings 5 1 Attracts, develops,& retain individuals 0 2 Plans and prepares for succession COSO’s 17 Principles of Internal Control Recommendations: 1. 2. Internal Controls Verified Ma j o r Co m p e n s a t i n g 9 9 Identifies Information Requirements 9 9 Captures Internal and External Sources of Data 9 9 Processes Relevant Data into Information 9 9 Maintains Quality throughout the Process 9 9 Considers Costs and Benefits Internal Controls Verified Ma j o r Co m p e n s a t i n g 3 0 Establishes oversight responsibilities 2 0 Applies relevant expertise 2 0 Operates independently 1 2 Provides oversight for the system of internal control Recommendations: 1. 2. Recommendations: 1. 2. Internal Controls Verified Ma j o r Co m p e n s a t i n g 9 9 Communicates to External Parties 9 9 Enables Inbound Communications 9 9 Communicates with the Board of Directors 9 9 Provides Separate Communication Lines 9 9 Selects Relevant Methods of Communication COSO’s 17 Principles of Internal Control Internal Controls Verified Ma j o r Co m p e n s a t i n g 9 9 Considers a Mix of Ongoing and Separate Evaluations 9 9 Considers Rate of Change 9 9 Establishes Baseline Understanding 9 9 Uses Knowledgeable Personnel 9 9 Integrates with Business Processes 9 9 Adjusts Scope and Frequency 9 9 Objectively Evaluates Recommendations: 1. 2. Internal Controls Verified Ma j o r Co m p e n s a t i n g 9 9 Assesses Results 9 9 Communicates Deficiencies 9 9 Monitors Corrective Action Recommendations: 1. 2.