ANNUAL AUDIT RISK ASSESSMENT & WORK PLAN Presented by Sandra Healy, CGFM Principal Auditor Idaho Transportation Department 1
Mar 29, 2015
ANNUAL AUDIT RISKASSESSMENT & WORK PLAN
Presented by Sandra Healy, CGFMPrincipal Auditor
Idaho Transportation Department
1
Office of Internal Review Org Chart
2
Donita Stephens Admin Assistant
Mike Cram
Principal Auditor
Sandra Healy, CGFM
Principal Auditor
Diego Curt, CISA
Principal Auditor
Michelle Doane Mary Quarles,CPA
Internal Review ManagerCarri Rosti,
CPA, CGFM
ITD Director
ITD Board
(Audit Committee)
Principal Auditor Principal Auditor
ITD Office of Internal Review
Internal Review conducts independent reviews to assess the effectiveness, compliance, and efficiency of department programs, procedures, and internal controls (GAGAS compliant)
Internal Review reviews records and financial reports for certain third parties contracting and sub granting with ITD
3
Internal Review Staff & DutiesManager and five auditorsBoth internal & external auditsAllocation of staff hours between internal &
externalManagement requests for non-audit services
4
Audit and Review Work PlanBased upon Audit Risk AssessmentCriteria
Management Need Date of Last Audit Amount of Monies involved Inherent Control Risk
5
Annual Audit Work Plan Risk AssessmentAu
dit M
anag
erIT
D B
oard
@6/21/12
Begin Risk Assessment Mid-Dec
Meet with Exec Mgt for audit requests
for next 12 months
Review running list of audit requests
Meet w/FHWA to review their
requests for joint reviews
Log new requests into running list of
audit requests. Rate for high, med and
low risk
Choose top 5-7 high risk projects and prioritize using
IR Audit Risk Assessment Template to assess risk value for each project
Estimate time required for top 3-4 requests (960-1200
man hours per internal audit)
Calculate staff availability hours
Deduct estimated man hours for
external audits & joint FHWA reviews
Remainder is staff availability for
internal audits and non-audit services
Develop IR Work Plan; internal,
external and non-audit services
Complete audit work plan by mid-Feb
IR Annual report to Board scheduled in
March
Report covers past yrs audits & efforts
and plans for current year
Panel presentation; each auditor
presents on audit they conducted
Applause!
6
Risk Assessment ProcessProcess begins mid-DecReview running list of audit requestsMeet with executive managementMeet with FHWAAdd new requests to running listRate high, medium and low risk
7
IR Audit Risk AssessmentTop 5-7 high risk projectsIR Audit Risk Assessment Template Assess level of risk for each project
8
Internal Audit Risk AssessmentCriteria Weight
Factor Value Extension
Dollar Impact 5
>$ 10 mil. 5
$ 5 mil. approximately 3
<$100 K 1
Federal Responsibility/Requirement 5
Importance of Federal Regulations to this Program – Degree (5-0)
Public Impact 5
Degree (5-0)
Prior Audit Performed (by IR, Legislative Auditor, FHWA) 5
>5 Years 5
Within 2 Years -2
Past 12 Months -5
Management Need/Request 5
Within 6 Months 5
No Hurry 1
9
Internal Audit Risk Assessment (cont.)Inherent Risk Factor 3
Potential for Irregularity or Fraud – Degree (5-0)
Internal Controls/Administrative Controls 3
Degree (5-0) (Very strong = 0;Very weak = 5)
Legal Responsibility/Requirement 3
Degree (5-0)
Department Impact 3
Degree (5-0)
Reported Audit Problems on Most Recent Audit 3
Degree (5-0)
Potential Efficiency Improvement 2
Degree (5-0)
Audit Time Estimate 1
<10 Man-Weeks 5
>60 Man-Weeks 1
Total Audit Risk Value
10
Internal Review Audit Coverage2009 2010 2011 2012 2013 2014
Division of Motor Vehicles
X X X X X X
Division of Transportation Performance
X X X X
Division of Aeronautics
X X X
Division of Highways
X X X X X X
Division of Administration
X X X X X X
Division of Human Resources
X X X X
11
Audit Plan DevelopmentHours required for an Internal AuditStaff availability hoursExternal audit hoursResulting Internal Audit hours availableAudit work plan
12
Estimate Time Required (Internal Audits)Formula: Take top 3-4 and estimate time required
Planning: 4 weeksField Work: 8–12 weeks (complexity,
travel, etc.)Wrap-up: 4 weeksTotal: 16 – 20 weeks (team lead)
16 weeks x 40 hours/week = 640 hrs. 20 weeks x 40 hours/week = 800 hrs.
Team member: 320–400 hrs. (1/2 time)Thus, each internal audit time estimate: 960–1200 hrs.
13
Estimate Staff Availability5 Auditors @ 2,080 hours 10,400
Less vacation & SL @ 200 ea. 1,000Less training @ 50 ea. 250
Net 9,150Lost productivity (20%) 1,830
Estimated available time 7,320
(Not an exact science!)
14
External AuditsNeed to deduct from staff availability (high est.)40 Pre-award reviews
24-40 hours ea. 1,60060 Overhead rate reviews
16-24 hours ea. 1,4402-3 Cognizant reviews@80 hrs. 240
2 Post audits/yr. @120 hrs. 2401-2 Sub-grantees/yr. @ 80 hrs. 160Total 3,680
15
Internal Audits - Staff AvailabilityEstimated available staff hrs.7,320Less:
Est. external audits3,680
Est. FHWA joint audits 160Available time for internal audits &
non-audit services3,480(about 2-3 internal audits) 16
Audit Work Plan
17
Year: 2012 Auditor Jan Feb Mar Apr May June Jul Aug
INTERNAL AUDITS/REVIEWSDist Admin Fcts Follow up Rev Quarles X X X / > > w/ Procurement Pilot Doane X > >
Bus & Support Mgt. Perf Audit Doane > > >/ X X X
DMV - Motor Carrier Services Healy > > > X X X X Record's Sales (preventive) Quarles / > X
X One Month; > Two Weeks; / One Week; * One Day (Times are approximate)
Key:
Audit Work Plan (cont.)
18
Year: 2012 Auditor Jan Feb Mar Apr May June Jul AugEXTERNAL AUDITS/REVIEWS LHTAC Fin/Compl Rev w/FHWA Cram / > > / / COMPASS MPO OH Rate Rev Quarles * *
Ada Co Hwy Dist OH Rate Rev Cram **
Consultants: Pre Awards Staff / > / / / / / / OH Rate Reviews Staff / / / / / / / /
Audit Work Plan (cont.)
19
Year: 2012 Auditor Jan Feb Mar Apr May June Jul AugNon Audit and Consul ServMgt Control System update Healy / / > / / Internal Control Training
A-133 Monitoring Rosti/Staff * * * * * * * *
Peer Rev - Other States (Utah) Quarles / >/ / Remote Procedure Dev. Healy
Annual Report to the BoardPanel presentation – all auditorsLast year’s audits and reviews (Internal,
external & non-audit services)Each auditor speaks 1-2 mins. on a particular
audit/review or effort involved inAudit and review work plan for current year
(Internal, external and non-audit services)
20
Audit Resolution LogPrior audit recommendationsAudit Resolution Committee meets quarterlyRequests status updatesUpdate audit resolution logAudit Mgr. presents to Executive Team
21
SummaryRisk Assessment ProcessAudit Work PlanAudit Resolution Follow Up
22
Office of Internal Review Thank You/Questions
23
Contact InformationSandra Healy, CGFM Principal Auditor Idaho Transportation DepartmentOffice of Internal Review3311 W State StBoise, ID 83703 [email protected]
24