the regional municipality of peel audit and risk …€¦ · 2016 internal audit risk based work...
TRANSCRIPT
THE REGIONAL MUNICIPALITY OF PEEL
AUDIT AND RISK COMMITTEE AGENDA ARC - 1/2016 DATE: Thursday, February 4, 2016 TIME: 11:00 AM – 12:30 PM LOCATION: Regional Council Chamber, 5th Floor 10 Peel Centre Drive, Suite A Brampton, Ontario MEMBERS: F. Dale; C. Fonseca; M. Medeiros; K. Ras; R. Starr; A. Thompson Chaired by Councillor C. Fonseca or Vice-Chair M. Medeiros 1.
DECLARATIONS OF CONFLICTS OF INTEREST
2.
APPROVAL OF AGENDA
3.
DELEGATIONS
4.
REPORTS
4.1.
Phase II - Fleet Audit (For information)
Presentation by Shaun Hewitt, Director, Operations Support; and Joan Appleton, Manager, Internal Audit
4.2.
Integrated Planning Framework Risk Assessment Results (For information)
Presentation by Michelle Morris, Director, Internal Audit; and Lisa Duarte, Director, Integrated Planning Framework
4.3.
2016 Internal Audit Risk Based Work Plan
4.4.
2016 Integrated Risk Management Work Plan
5.
COMMUNICATIONS
ARC - 1/2016 -2- Thursday, February 4, 2016 6. IN CAMERA MATTERS
7.
OTHER BUSINESS
8.
NEXT MEETING Thursday, April 7, 2016, 11:00 a.m. – 12:30 p.m. Council Chamber, 5th Floor Regional Administrative Headquarters 10 Peel Centre Drive, Suite A Brampton, Ontario
9.
ADJOURNMENT
REPORT Meeting Date: 2016-02-04
Audit and Risk Committee
For information
DATE: January 26, 2016
REPORT TITLE: PHASE II - FLEET AUDIT
FROM: Michelle Morris, Director, Internal Audit
OBJECTIVE
To inform the Audit and Risk Committee of the results of the Phase II Fleet Audit.
REPORT HIGHLIGHTS
Fleet Services provides an effective vehicle management service that supports program service delivery across the Region of Peel (Region).
The results of the audit identified that effective processes are in place to procure and maintain the Region’s fleet. Opportunities for improvement include:
Develop and communicate vehicle performance management information;
Develop a vehicle acquisition strategy;
Improve processes to verify external billing;
Assess options for client charge backs;
Develop and communicate disposal criteria; and
Implement segregation of cash handling duties for auction proceeds. Internal Audit is of the opinion that the action plans provided by management will address
the risks identified. DISCUSSION 1. Background
The audit of Fleet Services was broken down into two phases. The Phase I audit focused on assessing the processes and controls in place to manage and monitor the vehicle parts supply and maintenance inventory in Fleet Services. The results of the Phase I audit was included on the September 13, 2013 Audit Committee agenda. Phase II included an assessment of the life cycle management of the Region’s fleet. Fleet Services is a section within Public Works that offers internal and an external client with vehicle management services from three separate locations in the Region. They have a team of professionals that plan, acquire, maintain and dispose of vehicles and equipment to support service delivery by the program areas. They do not own the fleet but are accountable to provide and coordinate the necessary support services to enable service delivery. As of October 2015 there were 541 vehicles in the Region’s fleet that Fleet Services maintains. In addition the Region recently entered into an agreement to maintain the Credit
4.1-1
PHASE II - FLEET AUDIT
- 2 -
Valley Conservation Authority vehicles, which at this point in time is another 38 vehicles. Fleet Services also partners with Peel Regional Police to provide vehicle body repair work. The program areas that utilize Fleet Services include:
Program Area Number of Vehicles
Paramedic Services (Ambulance) 101
Accessible Transportation (Transhelp) 64 Waste Management 137
Road Operations and Manitenance 75 Water and Wastewater 118
Operations Support (Inspection Team) 44 Facility Services - Courier Services 2
Credit Valley Conservation Authority 38 Total 579
2. Audit Objective and Scope
The objective of the audit was to assess whether Fleet Services has systems and processes to effectively and efficiently meet its objective of providing a safe, well maintained, and reliable fleet of vehicles to meet client needs across the Region. The scope of the audit focused on assessing the management and provision of the Regional fleet following the life cycle approach including:
Strategic planning and performance management;
Acquisition and procurement; Operations including asset management;
Preventative maintenance and repairs; and
Disposals. The audit was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing.
3. Audit Observations
The results of the audit identified that effective processes are in place to procure and maintain the Region’s fleet. Opportunities for improvement include:
Develop and communicate vehicle performance management information;
Develop a vehicle acquisition strategy;
Improve processes to verify external billing;
Assess options for client charge backs;
Develop and communicate disposal criteria; and
Implement segregation of cash handling duties for auction proceeds.
4.1-2
PHASE II - FLEET AUDIT
- 3 -
Develop and Communicate Vehicle Performance Management Information Hansen is the system that Fleet Services uses to record vehicle life cycle information, including maintenance costs and expected life cycle. Management reports have been created in Hansen to provide the fleet owners with operating costs and frequency of maintenance and repair information for their fleet. Assessing vehicle utilization (over/under usage) is a better practice and can inform decision making for the fleet owner in assessing if their fleet is the right size. The technology to track vehicle utilization rates as a performance measure is not something that Fleet Services or fleet owners currently have available. The performance information to track and assess vehicle utilization, availability and downtime would be an outcome of implementing a Global Positioning System (GPS) tracking in each vehicle and can provide the fleet owners with the information they need to effectively manage their fleets. Management has the approved budget to acquire GPS and is currently in the pilot phase of implementing GPS for the entire Fleet. Functionality to capture vehicle downtime will be included in the specifications for replacing or upgrading Hansen.
Develop a Vehicle Acquisition Strategy
New vehicle requests are driven by the approved budget. Expectations from the client may not be aligned with the processes and timelines that Fleet Services is bound by to acquire new vehicles. To ensure there is a mutual understanding of the required timelines and expectations on both sides, the process should be documented in either a policy or service level agreement.
Fleet Services is an advisory and support service that informs their clients when vehicles should be replaced, purchases them on their behalf and ensures they are appropriately outfitted for the road. Fleet vehicles may be retained past their useful and economical life resulting in excessive costs to keep the vehicles in operation. Clarifying and communicating roles and responsibilities as well as the criteria for vehicle replacement can help management make informed and effective decisions. Management will develop and communicate to all Fleet Services employees and clients a policy for vehicle replacement. Strengthen the Process to Verify External Billing
External contractor maintenance and repair invoices are reviewed to help ensure that job times billed are reasonable for work conducted. Minimal verification is currently performed to ensure that the prices for parts and other charges are in compliance with the terms of the contracts including quoted job rates, labour charges and other terms of the contract. Vendors may be paid in excess of contract terms for parts and labour provided to service regional vehicles. Management will develop and communicate responsibilities for verifying contract terms in a procedure. Where possible, future contract awards will include pricing for parts and labour rates to enable timely verification of external billings.
4.1-3
PHASE II - FLEET AUDIT
- 4 -
Assess Processes and Options for Client Charge Backs
Fleet Services is a support service and as such recovers all their costs through charge backs to their clients. The current process for charge backs is based on the information recorded on manual work orders for actual hours of work by each mechanic and the cost of the materials used. Actual hours worked can vary for the same work and the number of vehicles serviced can vary month to month resulting in unpredictable cost fluctuations to the clients. Efficiencies can be gained by assessing and streamlining processes to charge clients. Management will assess options to develop standard rates which would stabilize the impact on the budget and financial processes. Develop and Communicate Disposal Criteria
There is no procedure or other documentation that defines the criteria to be used for disposal of vehicles, which could result in keeping vehicles at a cost that exceeds the benefit of extending the life cycle. The criteria to be used should be documented including the mileage, the condition of the vehicle, the age of the vehicle as well as any other factors influencing the vehicle life expectancy and disposal decision. Management will develop and communicate a policy that will provide fleet owners with disposal criteria that will aid in making efficient and economical decisions. Implement Segregation of Cash Handling Duties for Auction Proceeds
Vehicles are disposed of through public auction two to three times per year. The current process is open to misappropriation of funds due to the absence of segregated duties and can be improved. The Fleet Coordinator is responsible for receiving, reconciling and preparing the deposit for the proceeds from the auctions. There is an opportunity for misappropriation of funds when one person has full custody of cash or cheques. One solution is to have the Auctioneer E-transfer the proceeds directly to the Region’s bank account. Another is to segregate the duties so that no one person is responsible for the collection and deposit of funds. Management will immediately investigate direct deposit options for auction proceeds and if not possible, duties will be appropriately segregated.
CONCLUSION
Overall Fleet Services provides an effective service that supports service delivery across the Region. There are opportunities to provide the clients of Fleet Services with information that will assist with managing the various fleets. There are also opportunities to s trengthen administrative processes.
4.1-4
PHASE II - FLEET AUDIT
- 5 -
Internal Audit is of the opinion that the action plans provided by management will address the risks identified. Internal Audit will follow up on the implementation of the action plans and report the progress in our annual report to the Audit and Risk Committee.
Michelle Morris, Director, Internal Audit Approved for Submission:
D. Szwarc, Chief Administrative Officer For further information regarding this report, please contact Michelle Morris, Director, Internal Audit at x4247 or [email protected] Authored By: Joan Appleton, CPA, CGA, CIA, CRMA
4.1-5
1
Audit & Risk Committee
Phase II – Fleet Audit
February 4, 2016
4.1-6
2
Audit Objective
• To assess whether Fleet Services has
systems and processes to effectively and
efficiently meet its objective of providing
a safe, well maintained, and reliable fleet
of vehicles to meet client needs across
the Region.
4.1-7
3
Audit Scope
The audit focused on assessing:
• Strategic planning and performance
management
• Acquisition and procurement,
• Operations including asset management,
• Preventative maintenance and repairs,
and
• Disposals.
4.1-8
4
Observations/Opportunities for
Improvement
• Develop and communicate vehicle
performance management information
• Develop a vehicle acquisition strategy
• Improve processes to verify external billing
• Assess options for client charge backs
4.1-9
5
Observations/Opportunities for
Improvement • Develop and communicate disposal
criteria
• Segregate cash handling duties for auction
proceeds
4.1-10
6
Conclusion
• Fleet Services provides an effective
service that supports service delivery
• There are opportunities to strengthen
administrative processes to provide
guidance and information that will assist
clients with fleet management decisions
4.1-11
7
Actions to Strengthen
Processes • Future GPS will provide opportunities for
improved performance and utilization
information
• A vehicle replacement policy supporting
the current practices will be developed
• Processes to communicate and verify
external billings will be developed
4.1-12
8
Actions to Strengthen
Processes • The charge back process will be revisited
• Disposal criteria will be communicated to
assist with decision making
• Processes have been implemented to
safeguard auction proceeds
4.1-13
9
Management has developed action plans to
address the risks identified
Internal Audit will follow-up and report on the
status of management action plans
Next Steps
4.1-14
10
Questions
4.1-15
REPORT Meeting Date: 2016-02-04
Audit and Risk Committee
For Information
DATE: January 27, 2016
REPORT TITLE: INTEGRATED PLANNING FRAMEWORK RISK ASSESSMENT
RESULTS
FROM: Michelle Morris, Director, Internal Audit
OBJECTIVE
To provide the Audit and Risk Committee with the results of the Integrated Planning Framework
Risk Assessment.
REPORT HIGHLIGHTS
A risk assessment of the Integrated Planning Framework was included in the 2015 Integrated Risk Management Work Plan.
The scope of the Integrated Planning Framework Risk Assessment was to identify risks to the program achieving its core objectives.
Mitigation strategies were also identified to ensure the risks are appropriately managed.
DISCUSSION 1. Background
The 2015 Integrated Risk Management Work Plan included a risk assessment of the Integrated Planning Framework Process. In 2014, the Executive Leadership Team identified ‘Excellence in Integrated Strategy Development and Execution’ as a high priority. The desired outcome included integrated, prioritized strategies at the corporate, departmental and divisional levels that drive work. This initiative involved developing processes and tools to enable a systematic approach to planning, budgeting and performance measurement. Due to the significant changes to existing processes and development of new processes, it was important to identify the risks associated with these changes to ensure they were effectively managed.
2. Results of Risk Assessment
A core objective of the Integrated Planning Framework Process is to design, develop and implement an integrated set of planning processes with clear handover points to improve alignment among strategic plans, business plans, budgets and priorities selection. The
4.2-1
INTEGRATED PLANNING FRAMEWORK RISK ASSESSMENT RESULTS
- 2 -
scope of the risk assessment was to identify the risks that could prevent the Integrated Planning Framework Program from achieving this objective.
A number of risks were identified through the sessions Integrated Risk Management facilitated with the Integrated Planning Framework Extended Team which is a multidisciplinary team with representation from Regional departments. The risks were scored based on the likelihood of the risk occurring and how severe the impact could be on objectives. Risks are forward facing and represent the effect of uncertainty on objectives and outcomes. Current mitigation strategies were identified for each risk and management was able to determine if the plans are sufficient or if more effort is required to reduce the risk exposure. The most significant risks have been summarized and are included in Appendix I.
CONCLUSION
The Integrated Planning Framework Process is a major initiative for the Region of Peel which core objective is to design, develop and implement an integrated set of planning processes. The Program will result in significant changes to existing planning processes. The risk assessment identified risks to the Program achieving its objectives and management plans in place to address the risks.
Michelle Morris, Director, Internal Audit Approved for Submission:
D. Szwarc, Chief Administrative Officer For further information regarding this report, please contact Michelle Morris, Director, Internal Audit at extension 4247 or via email at [email protected]. Authored By: Michelle Morris,CPA, CGA, FCCA, CIA, CRMA and Anila Lalani, CIA, CISA
APPENDICES Appendix I – IPF Risk Assessment Dashboard
4.2-2
Appendix I
Internal Audit Division
Integrated Risk Management
Risk Assessment: Integrated Planning Framework (IPF) Process Planning Objectives: To design, develop and implement an integrated set of planning processes with clear handover points to improve alignment between strategic
plans, business plans, budgets and initiative selection.
A number of risks were identified during the risk assessment process. The most significant risks and what management
is currently doing to manage them is outlined in the table below.
Risks Risk Type Mitigation Strategy Owner Trending
Changes to existing planning processes may impact role clari ty among management and staff resulting in
minimal application of the newly developed processes.
Governance - Implementation of the approved Accountability Framework which will clearly define accountability, authority and
responsibility of management and staff as i t pertains to integrated planning (commencing Q1 2016)
- Execution of the Change Management Plan which will address organizational readiness and cultural change to reinforce and
sustain the newly developed integrated planning approach. (commencing Q1 2016)
IPF Program Director
Organizational responsibility beyond the l ife of the project may be unclear resulting in l imited management overs ight and monitoring of the newly developed
processes.
Governance - Establishment of a permanent divisional lead for the integrated planning processes who will be responsible for oversight and monitoring of the integrated planning processes into i ts
operational s tate. (Q1 2016)
Commissioner, Corporate Services
Current s ervices provided may be misaligned with the new strategic objectives and direction of the Region
pending the finalization and endorsement of the service inventory, a list that accurately describes all services
provided by an organization.
Bus iness Process - Approval of the revised service inventory s tructure and components – completed December 2015
- Department leads identified and working with the Strategy Development Measurement and Reporting area (SDMR) to
finalize Service Inventory content (Q1 2016) - Implementation of the revised service inventory throughout 2016
to help ensure that services are aligned to the strategic objectives
and direction of the Region.
IPF Program Director
Organizational capacity to transition responsibility, for
the enabling technology that supports IPF, may result in l imited ability to support the technology solution.
Technology - Bui lding competency and capacity of staff who will be expected
to assume responsibility of the technology (Q1 2016) - Developing complete and accurate system documentation
(administration, user and program guides) in partnership with technology vendor that enables the Region to support the
technology and enhance it as required. (Q1 2016)
IPF Program
Director
The arrows in the trending column is an assessment of the potential direction of this risk, ie. - increasing risk exposure, - risk exposure currently constant, - reduced
risk exposure. All risks are future orientated.
we succeed helping
you succeed
4.2-3
1
Integrated Planning Framework
Risk Assessment Results
Audit and Risk Committee
February 4, 2016
4.2-4
2
Potential Risks and Mitigation Strategies
Risks Mitigation Strategy Trending
Changes to existing planning processes may
impact role clarity among management and staff
resulting in minimal application of the newly
developed processes.
Risk Type - Governance
- Implementation of the approved Accountability Framework
which will clearly define accountability, authority and
responsibility of management and staff as it pertains to
integrated planning (commencing Q1 2016)
- Execution of the Change Management Plan which will address
organizational readiness and cultural change to reinforce and
sustain the newly developed integrated planning approach.
(commencing Q1 2016)
Risk Owner - IPF Program Director
Organizational responsibility beyond the life of the
project may be unclear resulting in limited
management oversight and monitoring of the
newly developed processes.
Risk Type – Governance
- Establishment of a permanent divisional lead for the integrated
planning processes who will be responsible for oversight and
monitoring of the integrated planning processes into its
operational state. (Q1 2016)
Risk Owner - Commissioner, Corporate Services
4.2-5
3
Potential Risks and Mitigation Strategies
Risks Mitigation Strategy Trending
Current services provided may be misaligned with
the new strategic objectives and direction of the
Region pending the finalization and endorsement
of the service inventory, a list that accurately
describes all services provided by an organization.
Risk Type – Business Process
- Approval of the revised service inventory structure and
components – completed December 2015
- Department leads identified and working with the Strategy
Development Measurement and Reporting area (SDMR) to
finalize Service Inventory content (Q1 2016)
- Implementation of the revised service inventory throughout
2016 to help ensure that services are aligned to the strategic
objectives and direction of the Region.
Risk Owner - IPF Program Director
Organizational capacity to transition
responsibility, for the enabling technology that
supports IPF, may result in limited ability to
support the technology solution.
Risk Type – Technology
- Building competency and capacity of staff who will be
expected to assume responsibility of the technology (Q1 2016)
- Developing complete and accurate system documentation
(administration, user and program guides) in partnership with
technology vendor that enables the Region to support the
technology and enhance it as required. (Q1 2016)
Risk Owner - IPF Program Director
4.2-6
4
4.2-7
REPORT Meeting Date: 2016-02-04
Audit and Risk Committee
DATE: January 27, 2016
REPORT TITLE: 2016 INTERNAL AUDIT RISK BASED WORK PLAN
FROM: Michelle Morris, Director, Internal Audit
RECOMMENDATION
That the 2016 work plan as outlined in the report from the Director, Internal Audit, titled “2016 Internal Audit Risk Based Work Plan,” be approved. REPORT HIGHLIGHTS
The 2016 Internal Audit Risk Based Work Plan was developed from risk assessment information gathered from various sources.
Audit projects have been aligned with the Region of Peel’s (Region) Strategic Plan where possible.
The 2016 Work Plan is dynamic and flexible and may change as emerging risks and issues unfold throughout the year.
Completion of the Work Plan is intended to provide Audit and Risk Committee with reasonable assurance that sound management practices are in place and are functioning as intended in the areas audited.
DISCUSSION 1. Background
Internal Audit has a professional responsibility to develop annual work plans that reflect the changes and emerging risks within the Region. The 2016 Internal Audit Risk Based Work Plan (Appendix I) was developed from:
risk assessment information that was gathered during interviews with Executive Leadership Team and select Directors;
inherent fraud risk assessment information that was gathered through surveys; and
a scan of 2015 Council reports and Council decisions.
The rationale and associated risks for 2016 audit projects are included in Table 1 of the attached Appendix. Table 2 of the Appendix includes projects from the revised 2015 Risk Based Work Plan that will conclude in 2016. Table 3 of the Appendix provides a description of other audit related services.
4.3-1
2016 INTERNAL AUDIT RISK BASED WORK PLAN
- 2 -
2. 2016 Work Plan Highlights and Comments
Audit projects in the 2016 Work Plan have been aligned with the Region’s Strategic Plan where possible. This alignment helps ensure that audits will be conducted on programs and services where there are significant risks.
In addition to conducting independent and objective audit projects, the 2016 Work Plan also sets aside time for Internal Audit to:
respond to control advice requests from management; follow-up on outstanding management action plans from previous audit reports;
advance and promote the fraud prevention program; and
conduct investigations as needed.
The audit planning process is dynamic and flexible. As a result, changes to the 2016 Work Plan may be required throughout the year in order to reflect emerging risks and issues as they unfold. Internal Audit will update the Audit and Risk Committee and Executive Leadership Team on the changes to the Work Plan accordingly.
Lastly, completion of the 2016 Work Plan is intended to provide Audit and Risk Committee as well as senior management with reasonable assurance that sound management practices are in place and are functioning as intended in the areas audited.
CONCLUSION
Internal Audit adds more value when audits and advisory services focus on the controls that have been designed and implemented to manage and mitigate significant risks. Internal Audit has developed and aligned its 2016 Work Plan to reflect the risks and issues associated with the Region’s Strategic Plan and with its programs and services.
Michelle Morris, Director, Internal Audit Approved for Submission:
D. Szwarc, Chief Administrative Officer APPENDICES
Appendix I - Projects for 2016 For further information regarding this report, please contact Michelle Morris, Director, Internal Audit at x4247 or [email protected] Authored By: Frank Medeiros, CIA, CRMA
4.3-2
2016 INTERNAL AUDIT RISK BASED WORK PLAN APPENDIX I
- 1 -
Table 1 - 2016 Work Plan Projects
Strategic Plan Area of Focus
Audit Project
Last Time Audited
Rationale and Risks
Living
(a place where people have a high quality of
l i fe)
Long Term Care 2011 Rationale: The Region operates five Long Term Care centres with a
growing waitlist and increasing special needs required by the res idents. Providing long term care is highly regulated in order to protect some of the most vulnerable residents in the community.
An audit of administrative processes can provide assurance that best practices for efficient and effective operations are in place in all
five centres. Risk: There is a risk that operations may be inefficient or ineffective
i f best practices and administrative processes are not consistently implemented and followed at each Long Term Care centre.
Thriving (a sustainable and prosperous community)
Heart Lake Community Recycl ing Centre – Contract Review
N/A Rationale: Responsibility for operating the Heart Lake Community Recycl ing Centre was contracted to an independent third party in 2015. There i s an opportunity to conduct an audit to determine i f the operator is complying with the contract and to determine if the intended outsourcing benefits are being realized by the Region.
Risk: Without an effective contract management and evaluation process in place, there is a ri sk the contractor may not be complying with the requirements of the contract and a ri sk the intended
outsourcing benefits are not being realized by the Region.
Thriving (a sustainable and prosperous community)
Water Revenue Forecasting Model
N/A Rationale: Each year, water revenue is forecasted by using a model. Over the past few years, there have been variances between forecasted and actual consumption rates which have resulted i n revenue shortfalls. There is an opportunity to review the water revenue forecasting model and methodology being used. Risk: Without an effective water revenue forecasting model and
methodology, there is ri sk ‘revenue shortfalls’ - which impact the Regional operating budget - may continue.
Leading (a future
oriented and accountable government)
Driver Certi fication
Program
2014 Rationale: The Region trains, i ssues and renews classified provincial driving l icences and endorsements for employees on behalf of the
Ministry of Transportation (MTO). This ensures Regional employees are properly tra ined and can obtain the required licence(s) in a timely and efficient manner. There may be a request to conduct an
audit on behalf of the MTO to ensure the Region is complying with applicable legislation and with the terms and conditions of the
agreement. Risk: Without an effective Driver Certification Program, there is a ri sk the Region may not be complying with MTO legislation or with the terms and conditions of the agreement.
4.3-3
2016 INTERNAL AUDIT RISK BASED WORK PLAN APPENDIX I
- 2 -
Strategic Plan
Area of Focus
Audit
Project
Last Time
Audited
Rationale and Risks
Leading (a future oriented and accountable government)
Information, Systems and Technology Services Audit
N/A Rationale: Technology has gone through another major evolution and the Region needs to keep pace with the changes. A ‘platform’ approach is being implemented to consolidate and s treamline applications and data as part of Peel’s Digital Strategy. There is an opportunity to review the risks and controls within this new approach to help ensure ri sks are properly identified and effectively mitigated.
Risk: Without an effective risk management approach, there is a risk that the objectives of Peel’s Digital Strategy may not be achieved.
Leading
(a future oriented and accountable government)
Peel Living
Procurement
N/A Rationale: The Purchasing By-law (#113-2013) governs over the
purchase and disposal of goods and services for the Region of Peel, Peel Regional Police and Peel Living. There is an opportunity to review the effectiveness of procurement practices and processes being followed for the goods and services that are purchased for Peel Living.
Risk: Without effective procurement practices and processes, there i s a risk that needed goods and services for Peel Living may not be obta ined in accordance with applicable By-laws and policies.
Leading (a future
oriented and accountable
government)
Employee Expense Cla ims
2010 Rationale: The Region has an Employee Expense Policy (F30-01) that provides direction for the reimbursement of business and travel
expenses. There is an opportunity to review management controls and processes.
Risk: Without adequate controls and processes, there is a risk reimbursements to employees may not be in compliance with
exis ting policies.
N/A = Not Previously Audited
4.3-4
2016 INTERNAL AUDIT RISK BASED WORK PLAN APPENDIX I
- 3 -
Table 2 - 2015 Audit Projects Concluding in 2016
Strategic Plan
Area of Focus
Audit
Project
Audit Objective
Living (a place where people have a
high quality of l i fe)
TransHelp To evaluate the effectiveness and efficiency of controls in place to mitigate the ri sks associated with the management of:
administrative functions such as: client fare payment processing and col lections, and vendor invoicing.
cl ient personal information for compliance with Municipal Freedom of
Information and Protection of Privacy Act.
Thriving (a sustainable and prosperous
community)
Community Investment Program
To determine whether management has implemented effective oversight and accountability to help ensure agency grants awarded through the Community Investment Program meet the program objectives, and that the associated risks
are managed.
Leading (a future oriented and accountable government)
Fleet Services Audit - Phase II
To assess whether Fleet Services has systems and processes in place to effectively and efficiently meet its objective of providing a safe, well maintained, and reliable fleet of vehicles to meet client needs across the Region.
Leading
(a future oriented and accountable government)
Hi ring Practices
Phase II
Phase II of the audit has yet to be scoped but may include a review of the hiring of
s tudents; learning assignments; the conversion of short-term contracts to long-term contracts or permanent positions; the use of employment agencies and personnel service firms; the placement of candidates into the temporary pool; and
employee onboarding practices.
Leading (a future oriented and accountable government)
Purchasing By-law – Request For Proposal Review
Audit requested by the Audit and Risk Committee. The purpose is to review purchasing objectives and compliance with the new Request For Proposal authorization thresholds included in the Purchasing By-law (#113-2013).
Leading
(a future oriented and accountable government)
Scheduled Standby
Duty – Phase III - Publ ic Health
Audit requested by the Commissioner, Health Services.
The purpose is to review processes followed to schedule standby duty in the Communicable Diseases and Environmental Health divisions.
4.3-5
2016 INTERNAL AUDIT RISK BASED WORK PLAN APPENDIX I
- 4 -
Table 3 - Other Audit Related Services
Strategic Plan
Area of Focus
Audit
Service
Description
Leading (a future oriented
and accountable government)
Control Advice and Advisory Work
Risks and issues emerge and evolve throughout the year. Internal Audit sets as ide time each year to handle special projects, assignments and advisory work.
The objective is to be more proactive by addressing client needs on the front-end. In addition, Internal Audit may be asked to sit in on Committees as a way to provide proactive control advice to management or provide outreach tra ining.
Leading
(a future oriented and accountable government)
Fol low-up on
Internal Audit Reports
To fol low-up on outstanding audit observations and management action plans
from audit reports that have been previously reported to the Audit and Risk Committee.
Leading
(a future oriented and accountable government)
Fraud Prevention
Program
To advance and promote the fraud prevention program as defined in the Fraud
Prevention Policy (#G00-22). The Director, Internal Audit has the lead responsibility for advancing, promoting and educating the organization about the fraud prevention program.
Leading (a future oriented and accountable
government)
Conduct Investigations
The Region is committed to protecting i ts revenue, property, proprietary information and other assets. The Region will not tolerate any misuse or misappropriation of those assets. It i s the Region’s intent to fully investigate any
suspected acts of “fraud” as defined in the Fraud Prevention Policy (#G00-22). The Director, Internal Audit has the lead responsibility for conducting fraud related investigations.
4.3-6
REPORT Meeting Date: 2016-02-04
Audit and Risk Committee
DATE: January 22, 2016
REPORT TITLE: 2016 INTEGRATED RISK MANAGEMENT WORK PLAN
FROM: Michelle Morris, Director, Internal Audit
RECOMMENDATION
That the 2016 Integrated Risk Management Work Plan as outlined in the report of the Director, Internal Audit, titled “2016 Integrated Risk Management Work Plan” be approved.
REPORT HIGHLIGHTS
The Director, Internal Audit is responsible to develop an annual Integrated Risk Management (IRM) Work Plan.
Significant progress has been made to advance Integrated Risk Management within the Region of Peel’s (Region) processes and practices since inception in 2011.
The 2016 IRM Work Plan was developed based on an assessment against a risk management maturity model; which enables an organization to determine next steps toward a more structured approach to risk management.
The 2016 Integrated Risk Management Work Plan will be more strategic in nature and takes into consideration in-year requests.
DISCUSSION 1. Background
The Internal Audit Charter states that it is the responsibility of the Director, Internal Audit to develop an Integrated Risk Management Work Plan. Significant progress has been made to advance IRM within the Region’s processes and practices since inception in 2011. Over the past years, the IRM Work Plan has included several key deliverables to establish risk management within the Region and a series of pilots to validate the risk management processes. In 2015, an Integrated Risk Management Maturity Model was used to assess the current state of the Integrated Risk Management Program at the Region. The model also provided an overview of the steps that need to be undertaken to move the Region toward a more structured approach to risk management.
4.4-1
2016 INTEGRATED RISK MANAGEMENT WORK PLAN
- 2 -
2. 2016 Integrated Risk Management Work Plan and Comments Based on the results of the Integrated Risk Management Maturity Model assessment, the following initiatives will be undertaken in 2016.
Item Rationale
Define Risk Appetite and Tolerances
Once defined, the risk appetite and tolerance will help to determine the level of risk the Region is willing to assume in pursuing Regional strategic objectives and the Term of Council Priorities.
Integrate risk management into decision making processes
Once formalized, all major decisions will have a risk consideration component to help inform the decisions. This will include recommendations brought forward to Council and the Executive Leadership Team.
Identify risk champions in each department
Risk champions will track departmental risk management activities, facilitate risk discussions and work with IRM staff to compile and gather risk information that will be used to develop the Region’s risk profile.
Formalize the risk assessment process
Risk assessment process will be embedded within routine planning processes.
Establish a risk monitoring and reporting protocol – Corporate Risk Profile
The purpose of the Corporate Risk Profile will be to inform Regional Council, the Audit and Risk Committee and the Executive Leadership Team of the significant risks facing the Region and the plans in place to mitigate these risks.
CONCLUSION
Significant progress has been made towards embedding risk management within the Region’s processes and practices. The planned activities for 2016 are focused on moving the Region to a more structured approach to risk management. As in the past, the work plan will continue to be flexible and will address emerging risks and issues that arise throughout the year.
4.4-2
2016 INTEGRATED RISK MANAGEMENT WORK PLAN
- 3 -
Michelle Morris, Director, Internal Audit Approved for Submission:
D. Szwarc, Chief Administrative Officer For further information regarding this report, please contact Michelle Morris, Director, Internal Audit at x4247 or [email protected] Authored By: Michelle Morris, CPA, CGA, FCCA, CIA, CRMA and Anila Lalani, CIA, CISA
4.4-3