The Regional Municipality of Peel Audit and Risk … · 2016 Internal Audit Risk Based Work...


THE REGIONAL MUNICIPALITY OF PEEL

AUDIT AND RISK COMMITTEE AGENDA

ARC - 1/2016

DATE: Thursday, February 4, 2016

TIME: 11:00 AM – 12:30 PM

LOCATION: Regional Council Chamber, 5th Floor, 10 Peel Centre Drive, Suite A, Brampton, Ontario

MEMBERS: F. Dale; C. Fonseca; M. Medeiros; K. Ras; R. Starr; A. Thompson

Chaired by Councillor C. Fonseca or Vice-Chair M. Medeiros

1. DECLARATIONS OF CONFLICTS OF INTEREST

2. APPROVAL OF AGENDA

3. DELEGATIONS

4. REPORTS

4.1. Phase II - Fleet Audit (For information)
Presentation by Shaun Hewitt, Director, Operations Support; and Joan Appleton, Manager, Internal Audit

4.2. Integrated Planning Framework Risk Assessment Results (For information)
Presentation by Michelle Morris, Director, Internal Audit; and Lisa Duarte, Director, Integrated Planning Framework

4.3. 2016 Internal Audit Risk Based Work Plan

4.4. 2016 Integrated Risk Management Work Plan

5. COMMUNICATIONS

6. IN CAMERA MATTERS

7. OTHER BUSINESS

8. NEXT MEETING
Thursday, April 7, 2016, 11:00 a.m. – 12:30 p.m., Council Chamber, 5th Floor, Regional Administrative Headquarters, 10 Peel Centre Drive, Suite A, Brampton, Ontario

9. ADJOURNMENT

REPORT Meeting Date: 2016-02-04

Audit and Risk Committee

For information

DATE: January 26, 2016

REPORT TITLE: PHASE II - FLEET AUDIT

FROM: Michelle Morris, Director, Internal Audit

OBJECTIVE

To inform the Audit and Risk Committee of the results of the Phase II Fleet Audit.

REPORT HIGHLIGHTS

Fleet Services provides an effective vehicle management service that supports program service delivery across the Region of Peel (Region).

The results of the audit identified that effective processes are in place to procure and maintain the Region’s fleet. Opportunities for improvement include:

Develop and communicate vehicle performance management information;

Develop a vehicle acquisition strategy;

Improve processes to verify external billing;

Assess options for client charge backs;

Develop and communicate disposal criteria; and

Implement segregation of cash handling duties for auction proceeds.

Internal Audit is of the opinion that the action plans provided by management will address the risks identified.

DISCUSSION

1. Background

The audit of Fleet Services was broken down into two phases. The Phase I audit focused on assessing the processes and controls in place to manage and monitor the vehicle parts supply and maintenance inventory in Fleet Services. The results of the Phase I audit were included on the September 13, 2013 Audit Committee agenda. Phase II included an assessment of the life cycle management of the Region’s fleet.

Fleet Services is a section within Public Works that offers internal clients and an external client vehicle management services from three separate locations in the Region. They have a team of professionals that plan, acquire, maintain and dispose of vehicles and equipment to support service delivery by the program areas. They do not own the fleet but are accountable to provide and coordinate the necessary support services to enable service delivery.

As of October 2015 there were 541 vehicles in the Region’s fleet that Fleet Services maintains. In addition, the Region recently entered into an agreement to maintain the Credit Valley Conservation Authority vehicles, which at this point in time is another 38 vehicles. Fleet Services also partners with Peel Regional Police to provide vehicle body repair work. The program areas that utilize Fleet Services include:

| Program Area | Number of Vehicles |
|---|---|
| Paramedic Services (Ambulance) | 101 |
| Accessible Transportation (Transhelp) | 64 |
| Waste Management | 137 |
| Road Operations and Maintenance | 75 |
| Water and Wastewater | 118 |
| Operations Support (Inspection Team) | 44 |
| Facility Services - Courier Services | 2 |
| Credit Valley Conservation Authority | 38 |
| Total | 579 |

2. Audit Objective and Scope

The objective of the audit was to assess whether Fleet Services has systems and processes to effectively and efficiently meet its objective of providing a safe, well maintained, and reliable fleet of vehicles to meet client needs across the Region. The scope of the audit focused on assessing the management and provision of the Regional fleet following the life cycle approach including:

Strategic planning and performance management;

Acquisition and procurement;

Operations including asset management;

Preventative maintenance and repairs; and

Disposals.

The audit was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing.

3. Audit Observations

The results of the audit identified that effective processes are in place to procure and maintain the Region’s fleet. Opportunities for improvement include:

Develop and communicate vehicle performance management information;

Develop a vehicle acquisition strategy;

Improve processes to verify external billing;

Assess options for client charge backs;

Develop and communicate disposal criteria; and

Implement segregation of cash handling duties for auction proceeds.

Develop and Communicate Vehicle Performance Management Information

Hansen is the system that Fleet Services uses to record vehicle life cycle information, including maintenance costs and expected life cycle. Management reports have been created in Hansen to provide the fleet owners with operating costs and frequency of maintenance and repair information for their fleet. Assessing vehicle utilization (over/under usage) is a better practice and can inform decision making for the fleet owner in assessing if their fleet is the right size. The technology to track vehicle utilization rates as a performance measure is not something that Fleet Services or fleet owners currently have available. The performance information to track and assess vehicle utilization, availability and downtime would be an outcome of implementing Global Positioning System (GPS) tracking in each vehicle and can provide the fleet owners with the information they need to effectively manage their fleets.

Management has the approved budget to acquire GPS and is currently in the pilot phase of implementing GPS for the entire Fleet. Functionality to capture vehicle downtime will be included in the specifications for replacing or upgrading Hansen.

Develop a Vehicle Acquisition Strategy

New vehicle requests are driven by the approved budget. Expectations from the client may not be aligned with the processes and timelines that Fleet Services is bound by to acquire new vehicles. To ensure there is a mutual understanding of the required timelines and expectations on both sides, the process should be documented in either a policy or service level agreement.

Fleet Services is an advisory and support service that informs their clients when vehicles should be replaced, purchases them on their behalf and ensures they are appropriately outfitted for the road. Fleet vehicles may be retained past their useful and economical life resulting in excessive costs to keep the vehicles in operation. Clarifying and communicating roles and responsibilities as well as the criteria for vehicle replacement can help management make informed and effective decisions. Management will develop and communicate to all Fleet Services employees and clients a policy for vehicle replacement.

Strengthen the Process to Verify External Billing

External contractor maintenance and repair invoices are reviewed to help ensure that job times billed are reasonable for work conducted. Minimal verification is currently performed to ensure that the prices for parts and other charges are in compliance with the terms of the contracts including quoted job rates, labour charges and other terms of the contract. Vendors may be paid in excess of contract terms for parts and labour provided to service regional vehicles. Management will develop and communicate responsibilities for verifying contract terms in a procedure. Where possible, future contract awards will include pricing for parts and labour rates to enable timely verification of external billings.

Assess Processes and Options for Client Charge Backs

Fleet Services is a support service and as such recovers all their costs through charge backs to their clients. The current process for charge backs is based on the information recorded on manual work orders for actual hours of work by each mechanic and the cost of the materials used. Actual hours worked can vary for the same work and the number of vehicles serviced can vary month to month resulting in unpredictable cost fluctuations to the clients. Efficiencies can be gained by assessing and streamlining processes to charge clients. Management will assess options to develop standard rates which would stabilize the impact on the budget and financial processes.

Develop and Communicate Disposal Criteria

There is no procedure or other documentation that defines the criteria to be used for disposal of vehicles, which could result in keeping vehicles at a cost that exceeds the benefit of extending the life cycle. The criteria to be used should be documented including the mileage, the condition of the vehicle, the age of the vehicle as well as any other factors influencing the vehicle life expectancy and disposal decision. Management will develop and communicate a policy that will provide fleet owners with disposal criteria that will aid in making efficient and economical decisions.

Implement Segregation of Cash Handling Duties for Auction Proceeds

Vehicles are disposed of through public auction two to three times per year. The current process is open to misappropriation of funds due to the absence of segregated duties and can be improved. The Fleet Coordinator is responsible for receiving, reconciling and preparing the deposit for the proceeds from the auctions. There is an opportunity for misappropriation of funds when one person has full custody of cash or cheques. One solution is to have the Auctioneer E-transfer the proceeds directly to the Region’s bank account. Another is to segregate the duties so that no one person is responsible for the collection and deposit of funds. Management will immediately investigate direct deposit options for auction proceeds and if not possible, duties will be appropriately segregated.

CONCLUSION

Overall Fleet Services provides an effective service that supports service delivery across the Region. There are opportunities to provide the clients of Fleet Services with information that will assist with managing the various fleets. There are also opportunities to strengthen administrative processes.

Internal Audit is of the opinion that the action plans provided by management will address the risks identified. Internal Audit will follow up on the implementation of the action plans and report the progress in our annual report to the Audit and Risk Committee.

Michelle Morris, Director, Internal Audit

Approved for Submission:

D. Szwarc, Chief Administrative Officer

For further information regarding this report, please contact Michelle Morris, Director, Internal Audit at x4247 or [email protected]

Authored By: Joan Appleton, CPA, CGA, CIA, CRMA

Audit & Risk Committee

Phase II – Fleet Audit

February 4, 2016

Audit Objective

• To assess whether Fleet Services has systems and processes to effectively and efficiently meet its objective of providing a safe, well maintained, and reliable fleet of vehicles to meet client needs across the Region.

Audit Scope

The audit focused on assessing:

• Strategic planning and performance management

• Acquisition and procurement,

• Operations including asset management,

• Preventative maintenance and repairs, and

• Disposals.

Observations/Opportunities for Improvement

• Develop and communicate vehicle performance management information

• Develop a vehicle acquisition strategy

• Improve processes to verify external billing

• Assess options for client charge backs

• Develop and communicate disposal criteria

• Segregate cash handling duties for auction proceeds

Conclusion

• Fleet Services provides an effective service that supports service delivery

• There are opportunities to strengthen administrative processes to provide guidance and information that will assist clients with fleet management decisions

Actions to Strengthen Processes

• Future GPS will provide opportunities for improved performance and utilization information

• A vehicle replacement policy supporting the current practices will be developed

• Processes to communicate and verify external billings will be developed

• The charge back process will be revisited

• Disposal criteria will be communicated to assist with decision making

• Processes have been implemented to safeguard auction proceeds

Next Steps

Management has developed action plans to address the risks identified

Internal Audit will follow-up and report on the status of management action plans

Questions

REPORT Meeting Date: 2016-02-04

Audit and Risk Committee

For Information

DATE: January 27, 2016

REPORT TITLE: INTEGRATED PLANNING FRAMEWORK RISK ASSESSMENT RESULTS

FROM: Michelle Morris, Director, Internal Audit

OBJECTIVE

To provide the Audit and Risk Committee with the results of the Integrated Planning Framework Risk Assessment.

REPORT HIGHLIGHTS

A risk assessment of the Integrated Planning Framework was included in the 2015 Integrated Risk Management Work Plan.

The scope of the Integrated Planning Framework Risk Assessment was to identify risks to the program achieving its core objectives.

Mitigation strategies were also identified to ensure the risks are appropriately managed.

DISCUSSION

1. Background

The 2015 Integrated Risk Management Work Plan included a risk assessment of the Integrated Planning Framework Process. In 2014, the Executive Leadership Team identified ‘Excellence in Integrated Strategy Development and Execution’ as a high priority. The desired outcome included integrated, prioritized strategies at the corporate, departmental and divisional levels that drive work. This initiative involved developing processes and tools to enable a systematic approach to planning, budgeting and performance measurement. Due to the significant changes to existing processes and development of new processes, it was important to identify the risks associated with these changes to ensure they were effectively managed.

2. Results of Risk Assessment

A core objective of the Integrated Planning Framework Process is to design, develop and implement an integrated set of planning processes with clear handover points to improve alignment among strategic plans, business plans, budgets and priorities selection. The scope of the risk assessment was to identify the risks that could prevent the Integrated Planning Framework Program from achieving this objective.

A number of risks were identified through the sessions Integrated Risk Management facilitated with the Integrated Planning Framework Extended Team which is a multidisciplinary team with representation from Regional departments. The risks were scored based on the likelihood of the risk occurring and how severe the impact could be on objectives. Risks are forward facing and represent the effect of uncertainty on objectives and outcomes. Current mitigation strategies were identified for each risk and management was able to determine if the plans are sufficient or if more effort is required to reduce the risk exposure. The most significant risks have been summarized and are included in Appendix I.

CONCLUSION

The Integrated Planning Framework Process is a major initiative for the Region of Peel whose core objective is to design, develop and implement an integrated set of planning processes. The Program will result in significant changes to existing planning processes. The risk assessment identified risks to the Program achieving its objectives and management plans in place to address the risks.

Michelle Morris, Director, Internal Audit

Approved for Submission:

D. Szwarc, Chief Administrative Officer

For further information regarding this report, please contact Michelle Morris, Director, Internal Audit at extension 4247 or via email at [email protected].

Authored By: Michelle Morris, CPA, CGA, FCCA, CIA, CRMA and Anila Lalani, CIA, CISA

APPENDICES

Appendix I – IPF Risk Assessment Dashboard

Appendix I

Internal Audit Division

Integrated Risk Management

Risk Assessment: Integrated Planning Framework (IPF) Process

Planning Objectives: To design, develop and implement an integrated set of planning processes with clear handover points to improve alignment between strategic plans, business plans, budgets and initiative selection.

A number of risks were identified during the risk assessment process. The most significant risks and what management is currently doing to manage them are outlined below.

Risk: Changes to existing planning processes may impact role clarity among management and staff resulting in minimal application of the newly developed processes.

Risk Type: Governance

Mitigation Strategy:

- Implementation of the approved Accountability Framework which will clearly define accountability, authority and responsibility of management and staff as it pertains to integrated planning (commencing Q1 2016)

- Execution of the Change Management Plan which will address organizational readiness and cultural change to reinforce and sustain the newly developed integrated planning approach. (commencing Q1 2016)

Owner: IPF Program Director

Risk: Organizational responsibility beyond the life of the project may be unclear resulting in limited management oversight and monitoring of the newly developed processes.

Risk Type: Governance

Mitigation Strategy:

- Establishment of a permanent divisional lead for the integrated planning processes who will be responsible for oversight and monitoring of the integrated planning processes into its operational state. (Q1 2016)

Owner: Commissioner, Corporate Services

Risk: Current services provided may be misaligned with the new strategic objectives and direction of the Region pending the finalization and endorsement of the service inventory, a list that accurately describes all services provided by an organization.

Risk Type: Business Process

Mitigation Strategy:

- Approval of the revised service inventory structure and components – completed December 2015

- Department leads identified and working with the Strategy Development Measurement and Reporting area (SDMR) to finalize Service Inventory content (Q1 2016)

- Implementation of the revised service inventory throughout 2016 to help ensure that services are aligned to the strategic objectives and direction of the Region.

Owner: IPF Program Director

Risk: Organizational capacity to transition responsibility, for the enabling technology that supports IPF, may result in limited ability to support the technology solution.

Risk Type: Technology

Mitigation Strategy:

- Building competency and capacity of staff who will be expected to assume responsibility of the technology (Q1 2016)

- Developing complete and accurate system documentation (administration, user and program guides) in partnership with technology vendor that enables the Region to support the technology and enhance it as required. (Q1 2016)

Owner: IPF Program Director

The arrows in the trending column are an assessment of the potential direction of this risk, i.e. - increasing risk exposure, - risk exposure currently constant, - reduced risk exposure. All risks are future orientated.

Integrated Planning Framework

Risk Assessment Results

Audit and Risk Committee

February 4, 2016

Potential Risks and Mitigation Strategies

Risk: Changes to existing planning processes may impact role clarity among management and staff resulting in minimal application of the newly developed processes.

Risk Type - Governance

Mitigation Strategy:

- Implementation of the approved Accountability Framework which will clearly define accountability, authority and responsibility of management and staff as it pertains to integrated planning (commencing Q1 2016)

- Execution of the Change Management Plan which will address organizational readiness and cultural change to reinforce and sustain the newly developed integrated planning approach. (commencing Q1 2016)

Risk Owner - IPF Program Director

Risk: Organizational responsibility beyond the life of the project may be unclear resulting in limited management oversight and monitoring of the newly developed processes.

Risk Type – Governance

Mitigation Strategy:

- Establishment of a permanent divisional lead for the integrated planning processes who will be responsible for oversight and monitoring of the integrated planning processes into its operational state. (Q1 2016)

Risk Owner - Commissioner, Corporate Services

Risk: Current services provided may be misaligned with the new strategic objectives and direction of the Region pending the finalization and endorsement of the service inventory, a list that accurately describes all services provided by an organization.

Risk Type – Business Process

Mitigation Strategy:

- Approval of the revised service inventory structure and components – completed December 2015

- Department leads identified and working with the Strategy Development Measurement and Reporting area (SDMR) to finalize Service Inventory content (Q1 2016)

- Implementation of the revised service inventory throughout 2016 to help ensure that services are aligned to the strategic objectives and direction of the Region.

Risk Owner - IPF Program Director

Risk: Organizational capacity to transition responsibility, for the enabling technology that supports IPF, may result in limited ability to support the technology solution.

Risk Type – Technology

Mitigation Strategy:

- Building competency and capacity of staff who will be expected to assume responsibility of the technology (Q1 2016)

- Developing complete and accurate system documentation (administration, user and program guides) in partnership with technology vendor that enables the Region to support the technology and enhance it as required. (Q1 2016)

Risk Owner - IPF Program Director

REPORT Meeting Date: 2016-02-04

Audit and Risk Committee

DATE: January 27, 2016

REPORT TITLE: 2016 INTERNAL AUDIT RISK BASED WORK PLAN

FROM: Michelle Morris, Director, Internal Audit

RECOMMENDATION

That the 2016 work plan as outlined in the report from the Director, Internal Audit, titled “2016 Internal Audit Risk Based Work Plan,” be approved.

REPORT HIGHLIGHTS

The 2016 Internal Audit Risk Based Work Plan was developed from risk assessment information gathered from various sources.

Audit projects have been aligned with the Region of Peel’s (Region) Strategic Plan where possible.

The 2016 Work Plan is dynamic and flexible and may change as emerging risks and issues unfold throughout the year.

Completion of the Work Plan is intended to provide Audit and Risk Committee with reasonable assurance that sound management practices are in place and are functioning as intended in the areas audited.

DISCUSSION

1. Background

Internal Audit has a professional responsibility to develop annual work plans that reflect the changes and emerging risks within the Region. The 2016 Internal Audit Risk Based Work Plan (Appendix I) was developed from:

risk assessment information that was gathered during interviews with Executive Leadership Team and select Directors;

inherent fraud risk assessment information that was gathered through surveys; and

a scan of 2015 Council reports and Council decisions.

The rationale and associated risks for 2016 audit projects are included in Table 1 of the attached Appendix. Table 2 of the Appendix includes projects from the revised 2015 Risk Based Work Plan that will conclude in 2016. Table 3 of the Appendix provides a description of other audit related services.


2. 2016 Work Plan Highlights and Comments

Audit projects in the 2016 Work Plan have been aligned with the Region’s Strategic Plan where possible. This alignment helps ensure that audits will be conducted on programs and services where there are significant risks.

In addition to conducting independent and objective audit projects, the 2016 Work Plan also sets aside time for Internal Audit to:

respond to control advice requests from management;

follow up on outstanding management action plans from previous audit reports;

advance and promote the fraud prevention program; and

conduct investigations as needed.

The audit planning process is dynamic and flexible. As a result, changes to the 2016 Work Plan may be required throughout the year in order to reflect emerging risks and issues as they unfold. Internal Audit will update the Audit and Risk Committee and Executive Leadership Team on the changes to the Work Plan accordingly.

Lastly, completion of the 2016 Work Plan is intended to provide Audit and Risk Committee as well as senior management with reasonable assurance that sound management practices are in place and are functioning as intended in the areas audited.

CONCLUSION

Internal Audit adds more value when audits and advisory services focus on the controls that have been designed and implemented to manage and mitigate significant risks. Internal Audit has developed and aligned its 2016 Work Plan to reflect the risks and issues associated with the Region’s Strategic Plan and with its programs and services.

Michelle Morris, Director, Internal Audit

Approved for Submission:

D. Szwarc, Chief Administrative Officer

APPENDICES

Appendix I - Projects for 2016

For further information regarding this report, please contact Michelle Morris, Director, Internal Audit at x4247 or [email protected]

Authored By: Frank Medeiros, CIA, CRMA


2016 INTERNAL AUDIT RISK BASED WORK PLAN APPENDIX I


Table 1 - 2016 Work Plan Projects

Strategic Plan Area of Focus: Living (a place where people have a high quality of life)
Audit Project: Long Term Care
Last Time Audited: 2011
Rationale: The Region operates five Long Term Care centres with a growing waitlist and increasing special needs required by the residents. Providing long term care is highly regulated in order to protect some of the most vulnerable residents in the community. An audit of administrative processes can provide assurance that best practices for efficient and effective operations are in place in all five centres.
Risk: There is a risk that operations may be inefficient or ineffective if best practices and administrative processes are not consistently implemented and followed at each Long Term Care centre.

Strategic Plan Area of Focus: Thriving (a sustainable and prosperous community)
Audit Project: Heart Lake Community Recycling Centre – Contract Review
Last Time Audited: N/A
Rationale: Responsibility for operating the Heart Lake Community Recycling Centre was contracted to an independent third party in 2015. There is an opportunity to conduct an audit to determine if the operator is complying with the contract and to determine if the intended outsourcing benefits are being realized by the Region.
Risk: Without an effective contract management and evaluation process in place, there is a risk the contractor may not be complying with the requirements of the contract and a risk the intended outsourcing benefits are not being realized by the Region.

Strategic Plan Area of Focus: Thriving (a sustainable and prosperous community)
Audit Project: Water Revenue Forecasting Model
Last Time Audited: N/A
Rationale: Each year, water revenue is forecasted by using a model. Over the past few years, there have been variances between forecasted and actual consumption rates which have resulted in revenue shortfalls. There is an opportunity to review the water revenue forecasting model and methodology being used.
Risk: Without an effective water revenue forecasting model and methodology, there is risk ‘revenue shortfalls’ - which impact the Regional operating budget - may continue.

Strategic Plan Area of Focus: Leading (a future oriented and accountable government)
Audit Project: Driver Certification Program
Last Time Audited: 2014
Rationale: The Region trains, issues and renews classified provincial driving licences and endorsements for employees on behalf of the Ministry of Transportation (MTO). This ensures Regional employees are properly trained and can obtain the required licence(s) in a timely and efficient manner. There may be a request to conduct an audit on behalf of the MTO to ensure the Region is complying with applicable legislation and with the terms and conditions of the agreement.
Risk: Without an effective Driver Certification Program, there is a risk the Region may not be complying with MTO legislation or with the terms and conditions of the agreement.


Strategic Plan Area of Focus: Leading (a future oriented and accountable government)
Audit Project: Information, Systems and Technology Services Audit
Last Time Audited: N/A
Rationale: Technology has gone through another major evolution and the Region needs to keep pace with the changes. A ‘platform’ approach is being implemented to consolidate and streamline applications and data as part of Peel’s Digital Strategy. There is an opportunity to review the risks and controls within this new approach to help ensure risks are properly identified and effectively mitigated.
Risk: Without an effective risk management approach, there is a risk that the objectives of Peel’s Digital Strategy may not be achieved.

Strategic Plan Area of Focus: Leading (a future oriented and accountable government)
Audit Project: Peel Living Procurement
Last Time Audited: N/A
Rationale: The Purchasing By-law (#113-2013) governs over the purchase and disposal of goods and services for the Region of Peel, Peel Regional Police and Peel Living. There is an opportunity to review the effectiveness of procurement practices and processes being followed for the goods and services that are purchased for Peel Living.
Risk: Without effective procurement practices and processes, there is a risk that needed goods and services for Peel Living may not be obtained in accordance with applicable By-laws and policies.

Strategic Plan Area of Focus: Leading (a future oriented and accountable government)
Audit Project: Employee Expense Claims
Last Time Audited: 2010
Rationale: The Region has an Employee Expense Policy (F30-01) that provides direction for the reimbursement of business and travel expenses. There is an opportunity to review management controls and processes.
Risk: Without adequate controls and processes, there is a risk reimbursements to employees may not be in compliance with existing policies.

N/A = Not Previously Audited


Table 2 - 2015 Audit Projects Concluding in 2016

Strategic Plan Area of Focus: Living (a place where people have a high quality of life)
Audit Project: TransHelp
Audit Objective: To evaluate the effectiveness and efficiency of controls in place to mitigate the risks associated with the management of:
- administrative functions such as: client fare payment processing and collections, and vendor invoicing.
- client personal information for compliance with Municipal Freedom of Information and Protection of Privacy Act.

Strategic Plan Area of Focus: Thriving (a sustainable and prosperous community)
Audit Project: Community Investment Program
Audit Objective: To determine whether management has implemented effective oversight and accountability to help ensure agency grants awarded through the Community Investment Program meet the program objectives, and that the associated risks are managed.

Strategic Plan Area of Focus: Leading (a future oriented and accountable government)
Audit Project: Fleet Services Audit - Phase II
Audit Objective: To assess whether Fleet Services has systems and processes in place to effectively and efficiently meet its objective of providing a safe, well maintained, and reliable fleet of vehicles to meet client needs across the Region.

Strategic Plan Area of Focus: Leading (a future oriented and accountable government)
Audit Project: Hiring Practices Phase II
Audit Objective: Phase II of the audit has yet to be scoped but may include a review of the hiring of students; learning assignments; the conversion of short-term contracts to long-term contracts or permanent positions; the use of employment agencies and personnel service firms; the placement of candidates into the temporary pool; and employee onboarding practices.

Strategic Plan Area of Focus: Leading (a future oriented and accountable government)
Audit Project: Purchasing By-law – Request For Proposal Review
Audit Objective: Audit requested by the Audit and Risk Committee. The purpose is to review purchasing objectives and compliance with the new Request For Proposal authorization thresholds included in the Purchasing By-law (#113-2013).

Strategic Plan Area of Focus: Leading (a future oriented and accountable government)
Audit Project: Scheduled Standby Duty – Phase III - Public Health
Audit Objective: Audit requested by the Commissioner, Health Services. The purpose is to review processes followed to schedule standby duty in the Communicable Diseases and Environmental Health divisions.


Table 3 - Other Audit Related Services

Strategic Plan Area of Focus: Leading (a future oriented and accountable government)
Audit Service: Control Advice and Advisory Work
Description: Risks and issues emerge and evolve throughout the year. Internal Audit sets aside time each year to handle special projects, assignments and advisory work. The objective is to be more proactive by addressing client needs on the front-end. In addition, Internal Audit may be asked to sit in on Committees as a way to provide proactive control advice to management or provide outreach training.

Strategic Plan Area of Focus: Leading (a future oriented and accountable government)
Audit Service: Follow-up on Internal Audit Reports
Description: To follow-up on outstanding audit observations and management action plans from audit reports that have been previously reported to the Audit and Risk Committee.

Strategic Plan Area of Focus: Leading (a future oriented and accountable government)
Audit Service: Fraud Prevention Program
Description: To advance and promote the fraud prevention program as defined in the Fraud Prevention Policy (#G00-22). The Director, Internal Audit has the lead responsibility for advancing, promoting and educating the organization about the fraud prevention program.

Strategic Plan Area of Focus: Leading (a future oriented and accountable government)
Audit Service: Conduct Investigations
Description: The Region is committed to protecting its revenue, property, proprietary information and other assets. The Region will not tolerate any misuse or misappropriation of those assets. It is the Region’s intent to fully investigate any suspected acts of “fraud” as defined in the Fraud Prevention Policy (#G00-22). The Director, Internal Audit has the lead responsibility for conducting fraud related investigations.


REPORT Meeting Date: 2016-02-04

Audit and Risk Committee

DATE: January 22, 2016

REPORT TITLE: 2016 INTEGRATED RISK MANAGEMENT WORK PLAN

FROM: Michelle Morris, Director, Internal Audit

RECOMMENDATION

That the 2016 Integrated Risk Management Work Plan as outlined in the report of the Director, Internal Audit, titled “2016 Integrated Risk Management Work Plan” be approved.

REPORT HIGHLIGHTS

The Director, Internal Audit is responsible for developing an annual Integrated Risk Management (IRM) Work Plan.

Significant progress has been made to advance Integrated Risk Management within the Region of Peel’s (Region) processes and practices since inception in 2011.

The 2016 IRM Work Plan was developed based on an assessment against a risk management maturity model, which enables an organization to determine next steps toward a more structured approach to risk management.

The 2016 Integrated Risk Management Work Plan will be more strategic in nature and will take into consideration in-year requests.

DISCUSSION

1. Background

The Internal Audit Charter states that it is the responsibility of the Director, Internal Audit to develop an Integrated Risk Management Work Plan. Significant progress has been made to advance IRM within the Region’s processes and practices since inception in 2011. Over the past years, the IRM Work Plan has included several key deliverables to establish risk management within the Region and a series of pilots to validate the risk management processes. In 2015, an Integrated Risk Management Maturity Model was used to assess the current state of the Integrated Risk Management Program at the Region. The model also provided an overview of the steps that need to be undertaken to move the Region toward a more structured approach to risk management.


2. 2016 Integrated Risk Management Work Plan and Comments

Based on the results of the Integrated Risk Management Maturity Model assessment, the following initiatives will be undertaken in 2016.

Item: Define Risk Appetite and Tolerances
Rationale: Once defined, the risk appetite and tolerance will help to determine the level of risk the Region is willing to assume in pursuing Regional strategic objectives and the Term of Council Priorities.

Item: Integrate risk management into decision making processes
Rationale: Once formalized, all major decisions will have a risk consideration component to help inform the decisions. This will include recommendations brought forward to Council and the Executive Leadership Team.

Item: Identify risk champions in each department
Rationale: Risk champions will track departmental risk management activities, facilitate risk discussions and work with IRM staff to compile and gather risk information that will be used to develop the Region’s risk profile.

Item: Formalize the risk assessment process
Rationale: Risk assessment process will be embedded within routine planning processes.

Item: Establish a risk monitoring and reporting protocol – Corporate Risk Profile
Rationale: The purpose of the Corporate Risk Profile will be to inform Regional Council, the Audit and Risk Committee and the Executive Leadership Team of the significant risks facing the Region and the plans in place to mitigate these risks.

CONCLUSION

Significant progress has been made towards embedding risk management within the Region’s processes and practices. The planned activities for 2016 are focused on moving the Region to a more structured approach to risk management. As in the past, the work plan will continue to be flexible and will address emerging risks and issues that arise throughout the year.


Michelle Morris, Director, Internal Audit

Approved for Submission:

D. Szwarc, Chief Administrative Officer

For further information regarding this report, please contact Michelle Morris, Director, Internal Audit at x4247 or [email protected]

Authored By: Michelle Morris, CPA, CGA, FCCA, CIA, CRMA and Anila Lalani, CIA, CISA
