File #: 2024-0256
Type: Plan
Status: Passed
File created: 4/12/2024
In control: Finance, Budget and Audit Committee
On agenda: 5/15/2024
Final action: 5/23/2024
Title: ADOPT the Fiscal Year 2025 (FY25) Proposed Annual Audit Plan (Attachment A).
Sponsors: Finance, Budget and Audit Committee
Indexes: Audit, Budgeting, Capital Project, Construction, Evaluation and assessment, Financial Audit, Governance, Maintenance, Metro Vision 2028 Plan, Plan, Research, Safety, Safety and security, Security, Strategic planning
Attachments: 1. Attachment A - FY2025 Proposed Annual Audit Plan, 2. Presentation

FINANCE, BUDGET AND AUDIT COMMITTEE

MAY 15, 2024

 

SUBJECT: FY25 AUDIT PLAN

 

ACTION: ADOPT RECOMMENDATION

 

RECOMMENDATION

 

ADOPT the Fiscal Year 2025 (FY25) Proposed Annual Audit Plan (Attachment A).

 

ISSUE

 

Management Audit Services (MAS) is required to complete an annual agency-wide risk assessment and submit an annual audit plan to the Board of Directors for approval. 

 

BACKGROUND

 

The Board-approved Financial Stability Policy requires MAS to develop a risk assessment and an annual audit plan each year and present it to the Board. It also requires the Finance, Budget, and Audit Committee to provide input and approve the audit plan.

 

Certain projects included in the FY25 Audit Plan (Audit Plan) are identified as carryovers. These are FY24 Audit Plan projects initiated in FY24 but expected to be completed in FY25. Certain other projects from FY24 that were not initiated during the year but are still deemed important to execute are included in the Audit Plan in the priority category. These projects were not initiated due to resource constraints and special projects requested during FY24.

 

DISCUSSION

 

The FY25 Audit Plan is developed with consideration of the current state of the agency and the results of the agency-wide risk assessment. The agency-wide risk assessment incorporated research as well as input received from Metro’s leadership teams across the agency. MAS leveraged the risk assessment results to prepare an Audit Plan that is flexible, relevant, and risk based. The Audit Plan includes audit projects that add value, provide actionable information to support agency risk management efforts, and will lead to the achievement of organizational goals aligned with Metro’s Vision 2028 Strategic Plan and the CEO 2023 strategic aspiration placemat.

 

A. Risk Assessment

MAS staff performed an agency-wide risk assessment between January and March 2024. The agency-wide risk assessment is a structured, systematic process involving research and stakeholder engagement. The agency-wide risk assessment is the primary basis for selecting internal audit projects to add value and support the agency’s objectives. The recognized risks varied in nature, the likelihood of occurrence, and their potential impact on the agency. The agency-wide risk assessment also identified areas of potential future opportunity related to the agency’s goals and objectives.

 

To help MAS understand the various risks the agency currently faces and their potential impacts, MAS incorporated the following foundational principles in the development of the FY25 Annual Audit Plan (AAP):

 

• Identification of auditable units
• Identification of potential risks, including emerging risks
• Categorization of identified risks
• Assessment of the likelihood of identified risks
• Assessment of the impact of identified risks

 

The following risk categories were considered in the performance of the agency-wide risk assessment:

 

• Capital Project
• Financial
• Human Capital
• Information Technology
• Legal / Regulatory
• Operational
• Public Image / Reputational
• Safety / Security
• Environmental, Social, and Governance

 

B. Enterprise Risk Themes

The agency-wide risk assessment process led to the identification of the core enterprise-risk themes summarized below:

 

• Staffing: Metro leadership across many departments expressed concern related to the agency’s ability to recruit and retain the critical workforce needed to fulfill the agency’s mission, goals, and objectives. The inability to hire in an expedited time frame may lead to existing employees working beyond their capacity. In addition, widespread internal hiring creates vacancies in other departments and, therefore, additional hiring efforts. There is also concern that other employers may be more agile in their hiring efforts, creating a challenge for the agency in competing for highly qualified candidates.

• Public Safety: Progress has been made in this area, with agency leadership anticipating benefits from opening its new Emergency Security Operations Center in FY25. Opportunities exist for the agency to make greater use of data analytics and robotics and to deploy additional Transit Security Officers to bus-riding teams.

• Operational: The agency’s ability to provide maintenance, including cleaning, mechanical upkeep, and security for all future projects opening in the near term was a risk mentioned by some stakeholders. This is reasonable, given that the increased ridership expected from the opening of newly completed projects will require increased maintenance efforts.

• Capital projects: As indicated in the 2023 Metro Construction Market Analysis, the agency accounts for 30% of the construction spending by public agencies within Southern California. Management expressed concern over the tight labor market for skilled labor needed for the agency's large-scale projects in the upcoming years. There is also both risk and opportunity for the agency as more projects are expected to be delivered in the future using collaborative delivery methods such as the construction manager/general contractor and progressive design-build methods.

• Financial: Some stakeholders expressed concern about having adequate funding to support the infrastructure augmentation needed to support upcoming major events, such as the 2026 World Cup and the 2028 Summer Olympic and Paralympic Games.

• Environmental, Social, and Governance Risks: There is continued concern about the potential for cyber-attacks against agency systems and the ability to prevent, detect, and respond to cyber incidents using the latest tools, techniques, and methods. In general, there is also increased awareness that supply chains rely on ethically sourced materials.

 

There are also unique risks that do not fit clearly into one of the outlined major risk categories and unique risks that may not have been identified and/or presented during the agency-wide risk assessment. MAS will continue to assess emerging risks throughout FY25 and, if necessary, adjust the Audit Plan.

 

C. Audit Plan

The FY25 Audit Plan is based primarily on the results of the agency-wide risk assessment.

 

Scores were assigned to individual risks in our risk assessment, with consideration given to the potential likelihood and impact of the individual risks. Individual risk scores fall into a range that encompasses low to high. Higher risk scores occur when the risk identified is high in likelihood and potential impact. These risk scores helped guide the selection of projects for inclusion in the FY25 Audit Plan.

 

Risk scores were not the only guide used by MAS to select audit projects for the FY25 Audit Plan. Additional factors considered included:

 

• Perceived strength of management controls
• Prior audits or reviews
• Subject matter expertise/capacity required by MAS to perform an audit or review
• Complexity of the risk area
• Input from senior leadership

 

Accordingly, the Audit Plan includes audit projects to address areas of moderate risk that are expected to add value, mitigate potential future risks, and support the achievement of agency goals and objectives. 

 

The FY25 Audit Plan includes 12 audit projects in three categories: priority, discretionary, and carryover.

• Priority: Audit projects that will be given primary focus during FY25.
• Discretionary: Audit projects that MAS will perform based on the status of priority and carryover projects and time and resources permitting.
• Carryover: Audit projects initiated in FY24 that will be completed in FY25.

 

A summary of the FY25 priority, carryover, and discretionary audits is provided in Attachment A.

 

The FY25 Audit Plan also includes the required Contract and Financial Compliance Audits throughout the year. These audits include contract pre-award and incurred cost audits as requested by Vendor/Contract Management, incurred cost audits of various grant projects, and external financial and compliance audits of Metro and sub-recipients.

 

Professional audit standards and leading practices indicate that the agency is best served if the audit plan is a dynamic plan that can be modified based on changing business conditions, the discovery of new information, or areas being elevated to priority status based upon the needs of the Board of Directors, Chief Executive Officer, and/or senior leadership. 

DETERMINATION OF SAFETY IMPACT

 

Approval of this item will not impact the safety of Metro patrons or employees.

 

FINANCIAL IMPACT

 

No financial impacts are associated with the approval of the FY25 Audit Plan.

 

EQUITY PLATFORM

 

In applying an equity lens to the FY25 Audit Plan, MAS will inquire of departments when conducting the audits if any applicable and required Metro equity assessments were completed.

 

IMPLEMENTATION OF STRATEGIC PLAN GOALS

 

Approval of this item supports Metro Vision 2028 Goal #5:  Provide responsive, accountable, and trustworthy governance within the Metro organization. The projects included in the Audit Plan directly or indirectly support various goals outlined in Metro’s Vision 2028 Strategic Plan and the CEO 2023 strategic aspiration placemat.

 

ALTERNATIVES CONSIDERED

 

An alternative is not to approve the Audit Plan. This is not recommended since it is a management tool to systematically assign resources for the delivery of an agency-wide audit plan in accordance with the Financial Stability Policy. Additionally, the development of an annual internal audit plan is consistent with the MAS Audit Charter and with Generally Accepted Government Auditing Standards.

 

NEXT STEPS

 

Upon Board approval, MAS will develop the FY25 Audit Plan schedule and deliver quarterly status reports to the Board of Directors.

 

ATTACHMENTS

 

Attachment A - FY25 Proposed Audit Plan

 

Prepared by: Kimberly L. Houston, Deputy Chief Auditor, (213) 922-4720
Alfred Rodas, Senior Director, Audit, (213) 922-4553

Reviewed by: Sharon Gookin, Deputy Chief Executive Officer, (213) 418-3101