Meeting_Body
REVISED
FINANCE, BUDGET AND AUDIT COMMITTEE
MAY 17, 2023
Subject
SUBJECT: FY24 AUDIT PLAN
Action
ACTION: ADOPT RECOMMENDATION
Heading
RECOMMENDATION
Title
ADOPT the Fiscal Year 2024 (FY24) Proposed Annual Audit Plan (Attachment A).
Issue
ISSUE
Management Audit Services (MAS) is required to complete an annual agency-wide risk assessment and submit an annual audit plan to the Board of Directors for approval.
Background
BACKGROUND
The Board approved Financial Stability Policy requires MAS to develop a risk assessment and an annual audit plan (AAP) each year and present it to the Board. It also requires the Finance, Budget, and Audit Committee to provide input and approve the audit plan.
All priority projects included in the FY23 AAP were either completed or initiated during FY23. Those expected to still be in progress as of June 30, 2023, are included in the FY 24 audit plan as carryovers. In addition, one FY23 discretionary project is expected to be completed by June 30, 2023, and another has been carried over to the FY24 AAP as a priority project. All carryover projects included in the FY23 AAP have either been completed or will be completed by June 30, 2023.
Discussion
DISCUSSION
The FY24 AAP is developed with consideration to the current state of the agency, which is emerging from the impacts of the COVID-19 pandemic. In addition, the AAP was prepared with consideration of the results of the agency-wide risk assessment. The agency-wide risk assessment incorporated research as well as input received from Metro’s senior leadership teams across the agency. MAS leveraged the results of the risk assessment to prepare an AAP that is flexible, relevant, and risk based. The AAP includes audit projects which add value, provide actionable information to support agency risk management efforts, and will lead to the achievement of organizational goals aligned with Metro’s Vision 2028 Strategic Plan.
A. Risk Assessment
MAS staff performed an agency-wide risk assessment between January and March 2023. The agency-wide risk assessment is a structured, systematic process consisting of both research and stakeholder engagement. The agency-wide risk assessment is the primary basis for selecting internal audit projects which will add value and support the agency’s objectives. The recognized risks varied in nature, the likelihood of occurrence, and their potential impact on the agency. The agency-wide risk assessment also identified areas of potential future opportunity related to the agency’s goals and objectives.
To help MAS understand the various risks the agency currently faces and their potential impacts, MAS incorporated the following foundational principles in the development of the FY24 AAP which include:
§ Identification of auditable units
§ Identification of potential risks, including emerging risks
§ Categorization of identified risks
§ Assessment of the likelihood of identified risks
§ Assessment of the impact of identified risks
The following risk categories were considered in the performance of the agency-wide risk assessment:
§ Capital Project
§ Financial
§ Human Capital
§ Information Technology
§ Legal / Regulatory
§ Operational
§ Public Image / Reputational
§ Safety / Security.
B. Enterprise Risk Themes
The agency-wide risk assessment process led to the identification of the core enterprise-risk themes summarized below:
• Staffing: Metro leadership across all departments expressed concern related to Metro’s 20% non-contract vacancy rate, caused by the competitive labor market, and the agency’s inability to recruit and retain the critical workforce needed to fulfill the agency’s mission, goals, and objectives. The staffing shortage presented as a high-level risk. This includes employees working beyond their capacity, skilled labor, and the professional workforce needed to support the delivery of the agency’s capital program. Widespread internal hiring exacerbates staffing vacancies as the issue creates vacancies in other departments and, therefore, additional hiring efforts. Some departments are considering what the proper mix is for the use of consultants, as there is a desire to reduce reliance on external staffing. Other departments indicated that their inability to hire full-time staff has caused a reliance on external staffing to continue to meet goals and priorities. Staff has initiated efforts to resolve the staffing issue, including streamlining the recruitment process and hosting several bus operator hiring events which resulted in hiring approximately 1000 operators. In addition, a study is underway that will identify key pain points across recruiting, the hiring process, and retention driving vacancies.
• Public Safety: Risks identified related to the agency’s ability to deal effectively with the increase in the unhoused and other crisis populations on Metro buses, trains, and throughout stations. Risks were also identified regarding the public perception of safety while riding Metro buses and trains, the safety of Metro employees, and the potential impact these could have on restoring ridership to pre-pandemic levels. Additionally, there is concern regarding the balance between traditional law enforcement and other public service resources to increase safety on the system.
• Financial: The agency’s ability to replace lost revenues when one-time large-scale infusions of federal funds are exhausted presented as a concern. This includes funding that was provided as part of the Coronavirus Aid, Relief, and Economic Security (CARES) Act. The impact of inflation on the cost of utilities, fuel, and spare parts inventories continues to be a significant risk. There is concern regarding the agency’s fiscal outlook in the coming years.
• Capital projects: Risks and opportunities were identified related to alternative project delivery methods such as progressive design build and construction manager\general contractor. In addition, mentoring programs, and training for new project management staff are being pursued to enhance management skills and support succession planning efforts.
• Global/supply chain: There have been challenges, which persist, in the supply chain, including material shortages and delays in delivery. The current rate of inflation may exacerbate the effects of supply chain disruptions and in turn remain an enterprise risk to the agency. These impacts on the supply chain presented as a risk, including the ongoing impacts of global factors such as the conflict in Ukraine. As Metro transitions to a fully electrified fleet, it may increasingly rely on overseas suppliers that may increase supply chain risks.
• Cyber Risks: There is continued concern about the increased incidents of cyber attacks against not only private sector entities but public sector entities as well. Stakeholders want increased assurance that the Agency’s ability to prevent, detect, and respond to cyber incidents is comprehensive and based on the latest tools, techniques, and methods.
There are also unique risks that do not fit clearly into one of the outlined major risk categories, as well as unique risks that may have not been identified and/or presented during the agency-wide risk assessment. MAS will continue to assess emerging risks throughout FY24 and, if necessary, adjust the AAP.
C. Audit Plan
The FY24 AAP is based primarily on the results of the agency-wide risk assessment. The most prominent risks from the risk assessment and the projects associated with those risks are presented in the heat map below:
|
A. |
Continuity of Operations Plan - Bus Operations |
J. |
Grant Funding Management |
|
B. |
Personnel Hiring |
K. |
Major Construction Contractor Prequal |
|
C. |
Westside Purple Line Extension 1 |
L. |
Information Technology Governance |
|
D. |
Spare Parts Inventory |
M. |
State of Good Repair Assessment |
|
E. |
Third Party Risk Management |
N. |
Subrecipient Reporting |
|
F. |
Capital Project Inflation Risk |
O. |
Physical Security Monitoring Equipment |
|
G. |
Succession Planning |
P. |
Supply Chain Ethics Monitoring |
|
H. |
Operations KPIs |
Q. |
Planning Phase Activities Project Management |
|
I. |
Division 20 Portal Widening Project |
|
|
The total score assigned to a risk is based on the risk7score, which is a consideration of the assigned likelihood and potential impact. The risk score may place the risk in a low, moderately low, moderate, moderately high, or a high-risk range. Higher risk scores occur when the risk identified is high in likelihood and potential impact. These risks were therefore identified as areas that would benefit from independent audit engagement.
Of note, risk scores were not the only guide used by MAS to select audit projects for the FY24 AAP. Additional factors were considered as part of the agency-wide risks assessment such as:
• Perceived strength of management controls
• Prior audits or reviews
• Subject matter expertise/capacity required by MAS to perform an audit or review
• Complexity of the risk area
• Input from senior leadership
Accordingly, the AAP includes audit projects to address areas of moderate risk that are expected to add value, mitigate potential future risks, and will lead to the advancement of enterprise opportunities.
The FY24 AAP includes 17 14 audit projects in three categories: priority, and discretionary carryover.
• Priority: Audit projects that will be given primary focus and initiated during the first part of FY24.
• Discretionary: Audit projects in areas with lower-level risk scores that MAS will perform based on the status of priority and carryover projects throughout the course of the annual audit plan year.
• Carryover: Audit projects that were initiated in FY23 and will be completed in FY24.
A summary of the FY24 priority, carryover, and discretionary audits is provided in Attachment A.
The FY24 AAP also includes the required Contract and Financial Compliance Audits throughout the year. These audits include contract pre-award and incurred cost audits as requested by Vendor/Contract Management, incurred cost audits of various grant projects, and external financial and compliance audits of Metro and sub-recipients.
Professional audit standards and leading practices indicate that the agency is best served if the audit plan is a dynamic plan that can be modified based on changing business conditions, the discovery of new information, or areas being elevated to priority status based upon the needs of the Board of Directors, Chief Executive Officer, and/or senior leadership.
Determination_Of_Safety_Impact
DETERMINATION OF SAFETY IMPACT
Approval of this item will not impact the safety of Metro patrons or employees.
Financial_Impact
FINANCIAL IMPACT
There are no financial impacts associated with the approval of the FY24 AAP.
Equity_Platform
EQUITY PLATFORM
In applying an equity lens to the FY24 AAP, MAS will inquire of departments when conducting the audits if any applicable and required Metro equity assessments were completed.
Implementation_of_Strategic_Plan_Goals
IMPLEMENTATION OF STRATEGIC PLAN GOALS
Approval of this item supports Metro Vision 2028 Goal #5: Provide responsive, accountable, and trustworthy governance within the Metro organization. The projects included in the Audit Plan directly or indirectly support various goals outlined in Metro’s Vision 2028 Strategic Plan.
Alternatives_Considered
ALTERNATIVES CONSIDERED
An alternative is not to approve the Annual Audit Plan. This is not recommended since the Annual Audit Plan is a management tool to systematically assign resources for the delivery of an agency-wide audit plan in accordance with the Financial Stability Policy. Additionally, the development of an annual internal audit plan is consistent with the MAS’ Charter and with Generally Accepted Government Auditing Standards.
Next_Steps
NEXT STEPS
Upon Board approval, MAS will develop the FY24 AAP schedule and deliver quarterly status reports to the Board of Directors.
Attachments
ATTACHMENTS
Attachment A - FY24 Proposed Audit Plan
Prepared_by
Prepared by: Lauren Choi, Deputy Executive Officer, Administration (Interim), (213) 922-3926
Alfred Rodas, Sr. Director, Audit, (213) 922-4553
Reviewed_by
Reviewed by: Sharon Gookin, Deputy Chief Executive Officer, (213) 418-3101
