
Region of Peel
Working for you

DATE: January 15, 2014

REPORT Meeting Date: February 6, 2014

Audit Committee

REPORT TITLE: 2014 INTERNAL AUDIT RISK BASED WORK PLAN

FROM: Anil Persaud, Director, Internal Audit

RECOMMENDATION

That the 2014 Work Plan as outlined in Appendix I to the report of the Director, Internal Audit, dated January 15, 2014, titled "2014 Internal Audit Risk Based Work Plan" be approved.

REPORT HIGHLIGHTS

• Projects for the 2014 Work Plan have been identified using 2013 risk assessment information on higher risk programs and services and from client requests.

• Consideration was given to aligning projects with the Strategic Plan, Term of Council Priorities and Enabling Priorities as well as to provide coverage of higher risk areas over the concluding four year term of Council.

• The 2014 Work Plan will continue to be dynamic and flexible based on emerging risks and issues identified throughout the year.

DISCUSSION

1. Background

The Internal Audit Division has a professional responsibility to develop an Internal Audit work plan that reflects the changes and risks within the Region. The work plan is to be developed based on the results of an organization wide risk assessment and should consider input from senior management and the Audit Committee.

The 2014 Internal Audit Risk Based Work Plan (Appendix I) was created based on a risk assessment that took place across the Region in the fall of 2013. The risk assessment information on emerging risks and issues was gathered during management interviews and from proactive client requests for audit services. The rationale for the inclusion of the various projects in the 2014 Work Plan is discussed in the Appendix. Appendix I includes two tables. Table 1 provides details of the new projects that are planned to commence during 2014, including an estimated start date. The second table lists the projects from the 2013 Risk Based Work Plan that are continuing in 2014.

V-01-002 2013/09


The audit planning process will continue to be dynamic and flexible. Changes to the 2014 Work Plan may be required throughout the year to reflect emerging risks and issues as they unfold. Internal Audit will keep Audit Committee and the Executive Management Team updated on any required changes to the 2014 Work Plan.

2. 2014 Work Plan Highlights and Comments

Where possible, the 2014 Work Plan projects have been aligned with Strategic Plan Themes, the Term of Council Priorities and the Enabling Priorities. This ensures Internal Audit can conduct projects in a manner that is aligned with the way the Region provides programs and services for its constituents. Furthermore, projects were prioritized giving consideration to covering the higher risk areas during the concluding four year term of council. In an effort to be more responsive and proactive in our approach to providing assistance with governance, risk management and control processes in the planning phase of each project, consideration will be given to whether to conduct an assurance based audit looking at historical transactions and current procedures or whether to provide consulting services on new initiatives and process changes.

Internal Audit is implementing a new process to analyze data from program specific applications in order to assist in developing the scope for a project and assist in conducting the audit testing. For projects in the 2014 Work Plan, Internal Audit staff will be scheduling and communicating requirements to extract data relevant to the project.

In addition to conducting planned projects throughout the organization, the 2014 Work Plan sets aside time to respond to management requests for control advice, to have involvement in committees and to conduct investigations as needed.

Based on the projects included in the 2014 Internal Audit Risk Based Work Plan, Internal Audit will be able to independently and objectively carry out the work identified.

CONCLUSION

The 2014 Work Plan has been developed to provide reasonable assurance and comfort that sound management practices are in place.

Internal Audit creates higher value when it focuses on the right controls that manage the higher significant risks. The 2014 Work Plan reflects higher emerging risks and issues that are aligned with Strategic Plan Themes; the Term of Council Priorities; and the way the Region delivers its programs and services.


Anil Persaud, Director, Internal Audit

Approved for Submission:

D. Szwarc, Chief Administrative Officer

For further information regarding this report, please contact Anil Persaud at extension 4557 or via email at ani/[email protected]

Authored By: Jennifer Weinman, CPA, CA, CIA, CRMA and Barb Morris, CIA, CMA, CFE

c. Legislative Services

APPENDIX I - 2014 INTERNAL AUDIT RISK BASED WORK PLAN

Table 1 - New 2014 Work Plan Projects

Strategic Plan Theme (Program): Community Health (Public Health)
• Strategic Plan Goal 3: Maintain and improve the health of Peel's community
• Goal 7: Strive for continued excellence as a municipal government
Project: Children in Need of Treatment (CINOT)
Estimated Start Date: August
Rationale: CINOT offers one-time dental services for eligible children under 18 who need treatment. Children are screened at school or at a Peel Dental Screening Clinic. There is a cost-sharing with the Province and information on children in the program is maintained by Public Health. The program plays an important role in maintaining and improving the health of Peel's communities. This program, that involves reimbursement of fees to third parties, will be assessed to ensure management has controls in place to manage the risks of dealing with third party payment requests.
Risk: Without effective and efficient processes, systems and applications, there is a risk CINOT goals and objectives may not be achieved thus not maintaining or improving the health of Peel's communities.

Strategic Plan Theme (Program): Community Health (Paramedics)
• Strategic Plan Goal 3: Maintain and improve the health of Peel's community.
• ToCP 12: Explore the feasibility of community paramedicine partnerships and strategies
• ToCP 21: Reduce paramedic response times
Project: Follow Up Paramedics Audit
Estimated Start Date: May
Rationale: The 2007 audit of Paramedic Services was conducted to determine the extent that the division was managed in an efficient and effective manner with clearly established and monitored responsibilities and accountabilities. While the majority of the 21 audit observations have been addressed, four are in progress. They relate to automating reports and the review of processes and data management for the Program Wide System Performance and Quality Assurance Program. Conducting a detailed follow up on the four management actions in progress will ensure the findings brought forward in 2007 are still relevant and the actions being taken by management continue to address the underlying risk.
Risk: Without effective and efficient automated processes in place, there is a risk that time consuming manual processes will impact the timeliness of service delivery.

Strategic Plan Theme (Program): Community Health (Paramedics)
• Strategic Plan Goal 3: Maintain and improve the health of Peel's community.
• ToCP 12: Explore the feasibility of community paramedicine partnerships and strategies
• ToCP 21: Reduce paramedic response times
Project: Make Ready Contracts
Estimated Start Date: To Be Determined
Rationale: The purpose is to review draft contracts and provide management with advice and recommendations regarding mitigation strategies and updates to the contract.
Risk: Contract risks and mitigation strategies may not be fully analyzed and addressed in draft contracts.

Strategic Plan Theme (Program): Social Development (Early Learning and Child Care)
• ToCP 19: Build community capacity
Project: Early Learning
Estimated Start Date: October
Rationale: As provincially delegated Service System Manager, Peel must ensure compliance to legislation of child care providers, implement provincial funds, and create policy and local rules. The Service System Manager is also managing a change in the strategic focus of Peel's Early Learning and Child Care Services. Given the ongoing changes in the Region's Child Care services and provincial legislation, a review of business objectives, risks and controls will provide assurance the risks associated with these changes are being mitigated.
Risk: With constant change, there is a risk that creation of policy and the corresponding roll out will not keep pace with legislated requirements.

Strategic Plan Theme (Program): Environment (Wastewater)
• Strategic Plan Goal 1: Protect, enhance and restore the environment
• ToCP 6: Enhance integrity of wastewater collection system
Project: Environmental Control Contract Review
Estimated Start Date: April
Rationale: Lab testing was recently contracted to a third party. As a result of this change in approach to service delivery, there is an opportunity to conduct an audit to assess whether management has adequate controls in place to manage the new contracted service.
Risk: Without effective contract management processes in place, there is a risk that the third party service provider may not comply with our contractual requirements.

Enabling Strategy and Priorities: Corporate Asset Management
• Strategic Plan Goal 7: Strive for continued excellence as a municipal government.
• Enabling Priority 4: Excellence in Integrated Strategy Development & Execution
Project: Fleet Audit Phase II
Estimated Start Date: June
Rationale: Fleet Services purchases and services all Regional vehicles. Phase I audit reviewed Fleet Services inventory practices. Phase II will look at strategic objectives, the maintenance and management of the Region's fleet and compliance with legislation.
Risk: Without an alignment between strategy and operations, there is a risk that the Regional resources may not be used effectively.

Enabling Strategy and Priorities: Corporate Governance and Leadership
• Strategic Plan Goal 7: Strive for continued excellence as a municipal government
• Enabling Priority 3: Effective Leadership
• Enabling Priority 4: Excellence in Integrated Strategy Development & Execution
Project: Fraud Policy Development
Estimated Start Date: January
Rationale: Purpose of this project is to work with management to develop a fraud risk policy and principles as well as relevant training and development to ensure the level of fraud risk awareness is raised within the organization.
Risk: Incidents of fraud may occur or fraud may not be identified. Due to the absence of fraud guidelines for conducting fraud investigations there may be inconsistencies in handling and reporting fraud investigations.

Enabling Strategy and Priorities: Financial Management
• Strategic Plan Goal 7: Strive for continued excellence as a municipal government
• Enabling Priority 4: Excellence in Integrated Strategy Development & Execution
Project: Purchasing Card Controls and Usage
Estimated Start Date: April
Rationale: Purchase cards (pcards) facilitate low value purchases and ensure timely payment to suppliers. Regional pcards facilitate the business of Regional programs and services and effective monitoring and management of pcard activity ensures purchasing is conducted within the By-law. This project will review controls in place for purchases using pcard and look for efficiencies in pcard usage.
Risk: Without a periodic review of purchase card usage, there is a risk that purchasing practices may not be in compliance to the Regional Purchasing By-law.

Enabling Strategy and Priorities: Procurement
• Strategic Plan Goal 7: Strive for continued excellence as a municipal government
• Enabling Priority 4: Excellence in Integrated Strategy Development & Execution
Project: New Purchasing By-Law RFP Review
Estimated Start Date: December
Rationale: To be conducted as a result of a request from the Audit Committee to review purchasing objectives and compliance with new authorization thresholds.
Risk: Changes in authority levels delegated from Council to staff increase the risk that procurement transactions may not follow Regional processes.

Enabling Strategy and Priorities: Financial Management
• Strategic Plan Goal 7: Strive for continued excellence as a municipal government.
• Enabling Priority 1: Long-Term Financial Sustainability
Project: Treasury Services
Estimated Start Date: June
Rationale: Treasury Services oversees all facets of the Region's banking/investment functions. This includes cash, investment and debt management as well as managing banking relationships. The Division follows applicable legislation and Council direction. Policies and procedures related to cash management; debt management; and investment management have also been developed and implemented. The Division is responsible to manage and invest a large amount of money which carries a high degree of underlying risk. This project will provide assurance that the section has controls in place to ensure legislation and Council direction are followed.
Risk: Changes in management and processes such as taking on debt increase the risk that controls may not be effective or efficient.

Enabling Strategy and Priorities: Enabling Priority 4: Excellence in Integrated Strategy Development & Execution
Project: Audit Advisory Services
Estimated Start Date: Ongoing
Rationale: Risks and issues emerge and evolve throughout the year. Internal Audit sets aside time to handle special projects, assignments and investigations. The objective is to be more proactive to client needs. In addition, Internal Audit may be asked to sit on committees as a way to provide proactive advice.

Project: Follow-up on Internal Audit Reports
Estimated Start Date: Ongoing
Rationale: To follow-up on outstanding audit observations and management action plans.


Table 2 - Audit Projects that are from the 2013 Work Plan

Strategic Plan Theme (Program): Environment (Potable Water)
Project: Supervisory Control and Data Acquisition (SCADA) System
Rationale: SCADA collects and analyzes data from sensors at water plants and pumping stations and uses this data to manage the water supply and ensure Peel's water exceeds Ontario Drinking Water Standards. The system is operated by the Water Division. The Division's work is highly regulated by Provincial legislation and standards.
Risk: Without effective controls and secure systems, there is a risk systems may be accessed inappropriately and a risk that information contained in those systems may be inappropriately used, released, modified or destroyed.

Strategic Plan Theme (Program): Social Development (Affordable / Assisted Housing)
Project: Affordable Housing Service Manager
Rationale: As Service Manager, Peel is responsible for housing / homelessness system planning. Term of Council Priority actions include investing in housing / homelessness prevention; increasing rent-geared-to-income/rent supplements; providing home ownership assistance and rental / utility arrears supports; and presenting Council with wait list policy options. Work is strategic and requires an overall approach and collaboration with stakeholders.
Risk: Without an overall coordinated approach and strategy, there is a risk the Region may not increase the supply of affordable / assisted housing.

Enabling Strategy: Financial Management
Project: Cash Controls
Rationale: Cash is highly susceptible to misappropriation. Good cash handling practices involve periodic reviews of cash handling, reconciliations, security and documented processes.
Risk: Without a periodic review of cash handling practices, there is a risk that changes in staffing, reorganizations and retirements may create vulnerabilities in cash management practices.

Enabling Strategy: Financial Management
Project: Overtime/Standby
Rationale: At times overtime work may be required in emergency situations or in other instances that require staff to work more than their standard daily / weekly hours of work. This overtime work is governed by Regional policies, procedures, collective agreements and applicable legislation.
Risk: There are risks associated with the use of human and financial resources as well as complying with policies, procedures, collective agreements and applicable legislation that need to be efficiently and effectively managed.

Enabling Strategy: Corporate Governance and Leadership
Project: Code of Conduct - Review & Research
Rationale: The purpose of the project is to review the current Code of Conduct and provide management advice and recommendations for possible updates and changes to the Code that will raise the level of awareness in the organization.
Risk: An out-of-date Code may not reflect current Regional Values and may not be clear as to expected business behaviours for employees. This could result in employees conducting business in a manner inconsistent with values; negative employee morale; negative public perception; and/or perceived conflicts of interest.