File #: 2022-0508
Type: Plan
Status: Passed
File created: 7/26/2022
In control: Board of Directors - Regular Board Meeting
On agenda: 8/25/2022
Final action: 8/25/2022
Title: ADOPT the Fiscal Year 2023 (FY23) Proposed Annual Audit Plan (AAP).
Sponsors: Finance, Budget and Audit Committee
Indexes: Audit, Budgeting, Capital Project, Construction, Contractors, Contracts, Evaluation and assessment, Financial Audit, Funding plan, Governance, Information technology, Metro Vision 2028 Plan, Plan, Project, Research, Safety, Security, Strategic planning
Attachments: 1. Attachment A - FY23 AAP, 2. Presentation
Related files: 2022-0653


FINANCE, BUDGET AND AUDIT COMMITTEE

AUGUST 17, 2022

 


SUBJECT: FY23 AUDIT PLAN

 


ACTION: ADOPT RECOMMENDATION

 


RECOMMENDATION

 


ADOPT the Fiscal Year 2023 (FY23) Proposed Annual Audit Plan (AAP).

 


ISSUE

 

Management Audit Services (MAS) is required to complete an annual agency-wide risk assessment and submit an annual audit plan to the Board of Directors for approval. 

 


BACKGROUND

 

The Board-approved Financial Stability Policy requires MAS to develop a risk assessment and an annual audit plan (AAP) each year and present it to the Board. It also requires the Finance, Budget, and Audit Committee to provide input and approve the audit plan.

 


DISCUSSION

 

The FY23 AAP has been developed with consideration of the current state of the agency, which is still recovering from the impacts of the COVID-19 pandemic. In addition, the AAP was prepared with consideration of the results of the agency-wide risk assessment. The agency-wide risk assessment incorporated research and input received from Metro’s senior leadership teams across the agency. MAS leveraged the results of the risk assessment to prepare an AAP that is flexible, relevant, and risk-based. The AAP includes audit projects that add value, provide actionable information to support agency risk management efforts, and contribute to the achievement of organizational goals aligned with Metro’s Vision 2028 Strategic Plan.

 

A. Risk Assessment

 

MAS staff performed an agency-wide risk assessment between March 2022 and July 2022.  The agency-wide risk assessment was a structured, systematic process consisting of both research and stakeholder engagement.  The agency-wide risk assessment is the primary basis for selecting internal audit projects which will add value and support the agency’s objectives.  The recognized risks varied in nature, the likelihood of occurrence, and their potential impact on the agency. The agency-wide risk assessment also identified areas of potential future opportunity related to the agency goals and objectives.

 

To help MAS understand the various risks the agency currently faces and their potential impacts, MAS incorporated the following foundational principles in the development of the FY23 AAP:

 

• Identification of auditable units
• Identification of potential risks
• Categorization of identified risks
• Assessment of the likelihood of identified risks qualitatively and quantitatively
• Assessment of the impact of identified risks qualitatively and quantitatively

 

The following risk categories were considered in the performance of the agency-wide risk assessment:

 

• Capital Project
• Financial
• Human Capital
• Information Technology
• Legal / Regulatory
• Operational
• Public Image / Reputational
• Safety / Security

 

B. Enterprise Risk Themes

 

The agency-wide risk assessment process led to the identification of the core enterprise-risk themes summarized below:

 

• Staffing: Metro leadership across all departments expressed concern related to the competitive labor market and the agency’s ability to recruit and retain the critical workforce needed to fulfill the agency’s mission, goals, and objectives. The staffing risks presented as a high-level risk, particularly in regard to recruitment of bus operators, skilled labor, and the professional workforce needed to support the delivery of the agency’s capital program.

 

• Political/external: Risks were identified related to the agency’s ability to deal effectively with the increase of the unhoused and other crisis populations on Metro buses, trains, and throughout stations. Risks were also identified regarding the public perception of safety while riding Metro buses and trains, and the potential impact this could have on restoring ridership to pre-pandemic levels.

 

• Financial: The agency’s ability to replace lost revenues when one-time large-scale infusions of federal funds are exhausted presented as a concern. This includes funding that was provided as part of the Coronavirus Aid, Relief, and Economic Security (CARES) Act. The impact of inflation on the cost of utilities, fuel, and spare parts inventories was also identified as a risk in the agency-wide risk assessment. In addition, uncertainty about the definitive amount of funding that will be made available to the agency from the November 2021 Infrastructure Investment and Jobs Act creates potential exposure.

 

• Resources for capital projects: As projects move from the planning phase to the construction phase, risks were identified related to the reliance that Program Management has on consultant resources. Risks and opportunities were identified related to alternative project delivery methods such as progressive design-build and construction manager/general contractor.

 

• Global/supply chain: The impacts of the pandemic led to disruptions in the supply chain, such as key material shortages and delays in delivery. The current rate of inflation may exacerbate the effects of supply chain disruptions and in turn remain an enterprise risk to the agency. These continued impacts to the supply chain presented as a risk, including the ongoing impacts of global factors such as the conflict in Ukraine.

 

• Unknown: There are also unique risks that do not fit clearly into one of the outlined major risk categories, as well as unique risks that may not have been identified and/or presented during the agency-wide risk assessment, hence defined as “unknown” risks.

 

 

 

C. Audit Plan

 

The FY23 AAP is based primarily on the results of the agency-wide risk assessment. The most prominent risks from the risk assessment and the projects associated with those risks are presented in the heat map below:

A. Continuity of Operations Plan - Bus Operations
B. Metro Center Street Project
C. Westside Purple Line Extension 1
D. Spare Parts Inventory
E. Information Security Risk - Contractors
F. Construction Inflation Risk
G. Business Interruption Fund
H. Operations and Maint. of CNG Div.
I. Division 20 Portal Widening Project
J. Monitoring of Environmental Contracts
K. Contract price structures for professional services
L. Information Technology Governance
M. Continuity of Operations Plan - Rail
N. Micro Transit
O. Operations Central Instruction & Development Training
P. Central Maintenance Shops Manufacturing Process
Q. Cybersecurity Follow-Up
R. Real Estate Management System

 

The total score assigned to a risk is based on the risk score, which is a consideration of the assigned likelihood and potential impact. The risk score may place the risk in a low, moderately low, moderate, moderately high, or high-risk range. Higher risk scores occur when the risk identified is high in likelihood and potential impact. These risks were therefore identified as areas that would benefit from independent audit engagement.

 

Of note, risk scores were not the only guide used by MAS to select audit projects for the FY23 AAP. Additional factors were considered as part of the agency-wide risk assessment, such as:

 

• Perceived strength of management controls
• Prior audits or reviews
• Subject matter expertise/capacity required by MAS to perform an audit or review
• Complexity of the risk area
• Input from senior leadership

 

Accordingly, the AAP includes audit projects to address areas of moderate risk which are expected to add value, mitigate potential future risks, and lead to the advancement of enterprise opportunities.

 

The FY23 AAP includes 18 audit projects in three categories: priority, carryover, and discretionary.

• Priority: Audit projects that will be given primary focus and initiated during the first part of FY23. The priority projects address high-level risk areas.
• Carryover: Audit projects that were initiated in FY22 which will be completed in FY23.
• Discretionary: Audit projects in areas with relatively lower-level risk scores. These are projects that MAS will perform based on the status of priority and carryover projects throughout the course of the annual audit plan year.

 

A summary of the FY23 priority, carryover, and discretionary audits is provided as Attachment A.

 

The FY23 AAP also includes the required Contract and Financial Compliance Audits throughout the year.  These audits include contract pre-award and incurred cost audits as requested by Vendor/Contract Management, incurred cost audits of various grant projects, and external financial and compliance audits of Metro and subrecipients.

 

Professional audit standards and leading practices indicate that the agency is best served if the audit plan is a dynamic plan that can be modified based upon changing business conditions, the discovery of new information, or areas being elevated to priority status based upon the needs of the Board of Directors, Chief Executive Officer, and/or senior leadership. 

 

 

 


DETERMINATION OF SAFETY IMPACT

 

Approval of this item will not impact the safety of Metro patrons or employees.

 


FINANCIAL IMPACT

 

Funding for the annual audit plan has been included within Management Audit’s FY23 budget and corresponding cost center.

 


EQUITY PLATFORM

 

In applying an equity lens to the FY23 AAP, MAS included a program area for audit in the FY23 AAP where MAS will assess whether the department overseeing the selected program completed a Rapid Equity Assessment or Equity Planning and Evaluation Tool. The inclusion of this project is consistent with goals articulated in the FY23 Comprehensive Agency Performance Evaluation for MAS.

 


IMPLEMENTATION OF STRATEGIC PLAN GOALS

 

Approval of this item supports Metro Vision 2028 Goal #5:  Provide responsive, accountable, and trustworthy governance within the Metro organization.  The projects included in the Audit Plan directly or indirectly support various goals outlined in Metro’s Vision 2028 Strategic Plan.

 


ALTERNATIVES CONSIDERED

 

An alternative is not to approve the Annual Audit Plan. This is not recommended since the Annual Audit Plan is a management tool to systematically assign resources for the delivery of an agency-wide audit plan in accordance with the Financial Stability Policy. Additionally, the development of an annual internal audit plan is consistent with the MAS Charter and with Generally Accepted Government Auditing Standards.

 


NEXT STEPS

Upon Board approval, MAS will develop the Annual Audit Plan schedule and deliver quarterly status reports to the Board of Directors.

 


ATTACHMENTS

 

Attachment A - FY23 Proposed Audit Plan

 


Prepared by:
Shalonda Baldwin, Executive Officer, Administration, (213) 418-3265
Lauren Choi, Sr. Director, Audit, (213) 922-3926
Alfred Rodas, Sr. Director, Audit, (213) 922-4553

                                                               

                                                                                                                              


Reviewed by: Sharon Gookin, Deputy Chief Executive Officer, (213) 418-3101