06/18/2018 - Regular Minutes - City Council - Audit Committee
CITY OF COLLEGE STATION
Home of Texas A&M University
Mayor
Karl Mooney
Mayor Pro Tem
James M. Benham
Interim City Manager
Jeff Capps
Minutes
CITY COUNCIL AUDIT COMMITTEE
Monday, June 18, 2018 at 3:30 P.M.
City Hall Administrative Conference Room
1101 Texas Avenue
College Station, Texas 77840
Audit Committee Members Present:
Karl Mooney, Mayor
Linda Harvell, Councilmember - Absent
James M. Benham, Mayor Pro Tem — Remote
Mike Ashfield, Committee Member
Nathan Sharp, Committee Member
City Staff:
Ty Elliott, Internal Auditor
Madison Rorschach, Assistant Internal Auditor
Jeffrey Capps, Interim City Manager
Jeff Kersten, Assistant City Manager
Carla Robinson, City Attorney
Yvette Dela Torre, Deputy Local Registrar
Sindu Menon, Chief Information Officer
Melissa Chadd, Accounting Manager/Controller
Council Members
Jerome Rektorik
Bob Brick
Linda Harvell
Barry Moore
John Nichols
Regular Agenda Item No. 1 - Call to Order and Announce a Quorum is Present.
With a quorum present, the Audit Committee of College Station was called to order by Mayor Mooney at 3:36
p.m. on June 18, 2018 in the Administrative Conference Room of the City of College Station City Hall.
Regular Agenda Item No. 2 - Presentation, possible action, and discussion of minutes for the Audit
Committee meeting held on April 4, 2018.
MOTION: Upon a motion made by Mayor Pro Tem Benham and a second by Mayor Mooney, the Audit
Committee voted two (2) for and zero (0) opposed, to approve the April 4, 2018 Audit Committee minutes as
revised. The motion carried unanimously.
Regular Agenda Item No. 3 - Presentation, possible action, and discussion regarding an update of the
city-wide COSO Assessment.
Internal Auditor, Ty Elliott, updated staff on the status of the COSO Assessment project timeline. The
projected timeline for the Control Activities Component will be extended. Auditors are concurrently working
on the remaining components. Projected project end date remains the same.
Regular Agenda Item No. 4 - Presentation, possible action, and discussion regarding emerging trends in
the field of local government internal auditing.
Internal Auditor, Ty Elliott, shared with the Audit Committee and staff how the emerging trends discussed at
the Association of Local Government Auditors' Conference could impact our current and future audit plans.
The four emerging issues were Fraud Risk Management, Continuous Auditing, Cybersecurity, and Auditing
Fire Departments.
Regular Agenda Item No. 5 - Presentation, possible action, and discussion of annual internal audit
performance metrics.
There was no discussion on this item.
Regular Agenda Item No. 6 - Presentation, possible action and discussion to potentially amend the
FY18 audit plan as well as considerations for the FY19 audit plan.
Internal Auditor, Ty Elliott, asked for direction from the Audit Committee to potentially amend the FY18
and/or FY19 audit plans. Mayor Pro Tem Benham and Mayor Mooney directed the internal auditors to
complete the COSO Assessment and to then move forward with a fraud response plan as well as continuous
auditing.
Regular Agenda Item No. 7 - Presentation, possible action and discussion regarding future agenda
items.
There were no future agenda items discussed.
Regular Agenda Item No. 8 - Adjourn.
There being no further business, Mayor Mooney adjourned the meeting at 4:18 p.m. on Monday, June 18,
2018.
ATTEST:
Yvette Dela Torre, Deputy Local Registrar
COSO Internal Control
Framework Update
Audit Committee Meeting
June 18, 2018
COSO Project Timeline
[Figure: timeline chart running from 10/1/17 to 10/2/18 with rows for Control Environment, Risk Assessment, Control Activities, and Monitoring Activities. Dates marked on the chart: 10/23/17, 12/7/18, 4/4/18, 6/18/18, 7/23/18, 9/25/18.]
Emerging Issues in Local
Government Auditing
Audit Committee Meeting
June 18, 2018
Emerging Issues in the Profession
• Fraud Risk Management
• Continuous Auditing
• Cybersecurity
• Auditing Fire Departments
[Figure: What types of organizations are victimized by occupational fraud? Surviving data label: Private company, 42%, $164,000.]
[Figure: What levels of government are victimized by occupational fraud?]
Source: ACFE 2018 Global Study on Occupational Fraud
[Figure: How is occupational fraud initially detected? Surviving category label: External Audit.]
Source: ACFE 2018 Global Study on Occupational Fraud
[Figure: Who reports occupational fraud? Legend: Internal source, External source, Other. Surviving data label: Competitor, 2%.]
Fraud Risk Management Framework
• Commit to combating fraud by creating an organizational culture and structure conducive to fraud risk management.
• Plan regular fraud risk assessments and assess risks to determine a fraud risk profile.
• Design and implement a strategy with specific control activities to mitigate assessed fraud risks and collaborate to help ensure effective implementation.
• Evaluate outcomes using a risk-based approach and adapt activities to improve fraud risk management.
Source: GAO | GAO-15-593SP
Mitigate the risk of fraud occurring
• Antifraud strategy
• Employee background checks
• Fraud-awareness trainings
• System edit checks
• Data matching to verify eligibility
• Predictive analytics
• Segregation of duties
• Standards of conduct
• Transaction limits
Discover potential fraud that has already occurred
• Audits
• Data matching after payments have been made
• Data mining
• Document reviews
• Hotlines and other reporting mechanisms
• Site visits
Investigate potential fraud, take corrective actions, and
remedy the harm caused by fraud
• Investigations
• Prosecutions
• Disciplinary actions
• Suspensions and debarments
• Payment recoveries
[Figures: How does the presence of anti-fraud controls relate to median loss? How does the presence of anti-fraud controls relate to the duration of fraud? Columns: Internal Control, Percent Reduction (axis 0% to 60%). Bar values did not survive extraction. Controls listed:]
• Proactive data monitoring/analysis
• Surprise audits
• Internal audit department
• Management certification of financial statements
• External audit of internal controls over financial reporting
• Management review
• Hotline
• Anti-fraud policy
• Fraud training for employees
• Fraud training for managers/executives
• Formal fraud risk assessments
• Rewards for whistleblowers
• Independent audit committee
• Code of Conduct
• Job rotation/mandatory vacation
• Dedicated fraud department, function, or team
• External audit of financial statements
• Employee support programs
Source: Association of Certified Fraud Examiners 2018 Global Study on Occupational Fraud
Continuous Auditing
Continuous audits are usually technology-driven and designed to automate error checking and data
verification in real time. A continuous-audit-driven system generates alarm triggers that provide notice about
anomalies and errors detected by the system.
Increasing...
• Audit quality and consistency
• Controls automated
• % of controls tested
• Adherence to city policies
Decreasing...
• Time spent testing controls
• Audit and compliance costs
• # of audit findings
Help Meet Strategic Objectives
• COSO Annual Testing
• Risk Assessment
• External Audit Assistance
• Fraud Detection
• Fraud Prevention
Cybersecurity
Average cost has increased by 62% from FY13 to FY17
[Figure: The global average cost of cyber crime over five years, US dollars. Consolidated view, n = 254 separate companies. Vertical axis: $0 to $14M; horizontal axis: FY2013 to FY2017. Series: total average cost, five-year average. Data labels surviving extraction: $9.5M, $11.7M.]
Source: 2017 Cost of Cyber Crime Study (Ponemon Institute)
Types of Cyber Attacks and Cost
[Figure: Total annualized cyber crime cost for attack types, US$ millions. Consolidated view, n = 254 separate companies. Horizontal axis: $0M to 3M. Values as extracted:]
• Malware: $2,364,806
• Web-based attacks: 2,014,142
• Denial of services: [illegible]
• Malicious insiders: 1,415,217
• Phishing & social engineering: 1,298,978
• Malicious code: 1,232,32-
• Stolen devices: [illegible]
• Ransomware: 532,914
• Botnets: 350,012
Source: 2017 Cost of Cyber Crime Study (Ponemon Institute)
Most expensive consequence: Information Theft
[Figure: Percentage cost by consequence. Consolidated view, n = 254 separate companies. Vertical axis: 0 to 50%. Legend entries: FY 2017, FY 2016, FY 2015. Data labels surviving extraction, without their categories: 33%, 36, 43, 39, 21, 20, 3, 4, 0, 1.]
Source: 2017 Cost of Cyber Crime Study (Ponemon Institute)
Fire Department Costs % Change
[Figure: bar chart of annual percent change in fire department costs. Vertical axis: -4% to 16%; horizontal axis: FY2014 to FY2016. Series: Athens Clarke County Budget, Iowa City Budget, Columbia Budget, College Station Budget, Fayetteville Budget, Lawrence Budget, Denton Budget.]
Cities that have recently conducted Audits of Fire Departments
• Howard County, VA (2018)
• Kansas City, MO (2018)
• San Jose, CA (2018)
• Clearwater, FL (2017)
• Sacramento, CA (2017)
• Austin, TX (2017)
• Maui, HI (2017)
• Buffalo, NY (2017)
• Palo Alto, CA (2017)
• Kern County, CA (2017)
• Oakland, CA (2017)
• Atlanta, GA (2017)
• Houston, TX (2017)
• Washington, DC (2017)
• Berkeley, CA (2017)
• Suffolk County, NY (2017)
• Jacksonville, FL (2017)
• Asheville, NC (2017)
• Kansas City, MO (2016)
• Charlotte, NC (2016)
• San Diego, CA (2016)
• Los Angeles, CA (2016)
• Killeen, TX (2016)
• Glendale, CA (2016)
• Philadelphia, PA (2016)
• Arlington, TX (2016)
• Monterey, CA (2015)
• Aurora, CO (2015)
• Long Beach, CA (2015)
• Vacaville, CA (2015)
• Nashville, TN (2015)
• Los Angeles, CA (2015)
• Oklahoma City, OK (2015)
• Dallas, TX (2015)
• Jacksonville, FL (2015)
• Los Angeles, CA (2014)
• Scottsdale, AZ (2014)
• Kansas City, MO (2014)
• Sacramento, CA (2014)
• Austin, TX (2014)
• Jacksonville, FL (2014)
• Riverside, CA (2014)
• Durham, NC (2013)
• Hamilton, ON (2013)
• Tallahassee, FL (2013)
• San Jose, CA (2013)
• Nashville, TN (2013)
• Jacksonville, FL (2013)
• Portland, OR (2012)
• Pittsburgh, PA (2012)
• San Jose, CA (2012)
• Austin, TX (2012)
• San Jose, CA (2012)
• Portland, OR (2012)
• Johnson County, IN (2011)
• Hoboken, NJ (2011)
• Honolulu, HI (2011)
• Grand Isle, LA (2011)
• San Antonio, TX (2011)
• Dallas, TX (2011)
• Chicago, IL (2011)
• Albuquerque, NM (2011)
• San Diego, CA (2011)
• Oklahoma City, OK (2011)
• Portland, OR (2011)
• San Diego, CA (2010)
• Boise, ID (2010)
• Yonkers, NY (2010)
Common Fire Dept. Audit Findings
• Relying on increasing levels of overtime to meet operational needs
• Lacking sufficient controls over the administration and use of
overtime
• Utilizing inefficient staffing models and methodologies
• Engaging in ineffective union negotiations that result in incentive
provisions that increase payroll costs
• Increasing costs of fire apparatus and equipment