07-20-2022 Audit Ad Hoc Committee Complete Agenda Packet

ORANGE COUNTY SANITATION DISTRICT

SPECIAL NOTICE REGARDING CORONAVIRUS (COVID-19) AND ATTENDANCE AT PUBLIC MEETINGS

Governor Newsom signed Assembly Bill (AB) 361 on September 16, 2021, which, in part, addresses the conduct of public meetings in light of the continued State of Emergency order. Effective October 1, 2021, AB 361 suspends the requirements located in California Government Code, Section 54953, Subdivision (b), Paragraph (3) specifically pertaining to the conduct of public meetings. As such, the Orange County Sanitation District (OC San) Board of Directors has determined that due to the size of OC San’s Board of Directors (25), and the health and safety of the members, the Board of Directors will be participating in meetings of the Board telephonically and via Internet accessibility.

PUBLIC PARTICIPATION

Your participation is always welcome. OC San offers several ways in which to interact during meetings. You will find information as to these opportunities below.

ONLINE MEETING PARTICIPATION

You may join the meeting live via Teams on your computer or similar device or web browser by using the link below:

Click here to join the meeting

We suggest testing joining a Teams meeting on your device prior to the commencement of the meeting. For recommendations, general guidance on using Teams, and instructions on joining a Teams meeting, please click here.

Please mute yourself upon entry to the meeting. Please raise your hand if you wish to speak during the public comment section of the meeting. The Clerk of the Board will call upon you by using the name you joined with.

Meeting attendees are not provided the ability to make a presentation during the meeting. Please contact the Clerk of the Board at least 48 hours prior to the meeting if you wish to present any items. Additionally, camera feeds may be controlled by the meeting moderator to avoid inappropriate content.
HOW TO PARTICIPATE IN THE MEETING BY TELEPHONE

To join the meeting from your phone: Dial (213) 279-1455
When prompted, enter the Phone Conference ID: 326 580 801#

All meeting participants may be muted during the meeting to alleviate background noise. If you are muted, please use *6 to unmute. You may also mute yourself on your device.

Please raise your hand to speak by using *5 during the public comment section of the meeting. The Clerk of the Board will call upon you by using the last 4 digits of your phone number as identification.

NOTE: All attendees will be disconnected from the meeting at the beginning of Closed Session. If you would like to return to the Open Session portion of the meeting, please login or dial-in to the Teams meeting again and wait in the Lobby for admittance.

VIEW THE MEETING ONLINE ONLY

The meeting will be available for online viewing only at: https://ocsd.legistar.com/Calendar.aspx

HOW TO SUBMIT A COMMENT

You may provide verbal comment in real time during the meeting. In order to provide a verbal comment, please raise your hand as described above or alert the Clerk of the Board before or during the public comment period.

You may also submit your comments and questions in writing for consideration in advance of the meeting by using the eComment feature available online at: https://ocsd.legistar.com/Calendar.aspx or sending them to OCSanClerk@ocsan.gov with the subject line “PUBLIC COMMENT ITEM # (insert the item number relevant to your comment)” or “PUBLIC COMMENT NON-AGENDA ITEM”.

You may also submit comments and questions for consideration during the meeting by using the eComment feature available online at: https://ocsd.legistar.com/Calendar.aspx. The eComment feature will be available for the duration of the meeting.

All written public comments will be provided to the legislative body and may be read into the record or compiled as part of the record.
TECHNICAL SUPPORT PRIOR TO AND DURING MEETINGS

For technical assistance before and during the meeting, please call 714-593-7431. For any other questions and/or concerns, please contact the Clerk of the Board’s office at 714-593-7433. Thank you, in advance, for your patience in working with these technologies. We appreciate your interest in OC San!

July 13, 2022

NOTICE OF REGULAR MEETING
AUDIT AD HOC COMMITTEE
ORANGE COUNTY SANITATION DISTRICT
Wednesday, July 20, 2022 – 4:00 P.M.

ACCESSIBILITY FOR THE GENERAL PUBLIC

Your participation is always welcome. Specific information as to how to participate in this meeting is detailed in the Special Notice attached to this agenda. In general, OC San offers several ways in which to interact during meetings: you may join the meeting live via Teams on your computer or similar device or web browser, join the meeting live via telephone, view the meeting online, and/or submit comments for consideration before or during the meeting.

The Regular Meeting of the Audit Ad Hoc Committee of the Orange County Sanitation District will be held at the above location and in the manner indicated on Wednesday, July 20, 2022 at 4:00 p.m.

ORANGE COUNTY SANITATION DISTRICT
10844 Ellis Avenue, Fountain Valley, CA 92708
714.962.2411
www.ocsan.gov

Our Mission: To protect public health and the environment by providing effective wastewater collection, treatment, and recycling.

Serving: Anaheim, Brea, Buena Park, Cypress, Fountain Valley, Fullerton, Garden Grove, Huntington Beach, Irvine, La Habra, La Palma, Los Alamitos, Newport Beach, Orange, Placentia, Santa Ana, Seal Beach, Stanton, Tustin, Villa Park, County of Orange, Costa Mesa Sanitary District, Midway City Sanitary District, Irvine Ranch Water District, Yorba Linda Water District

ROLL CALL
AUDIT AD HOC COMMITTEE

Meeting Date: July 20, 2022
Time: 4:00 p.m.
Adjourn:

COMMITTEE MEMBERS (4)
Glenn Parker, Chair (Brea)
Anthony Kuo, Vice-Chair (Irvine)
Marshall Goodman (La Palma)
Patrick Harper (Fountain Valley)

OTHERS
Brad Hogin, General Counsel

STAFF
Jim Herberg, General Manager
Lorenzo Tyner, Assistant General Manager
Wally Ritchie, Controller
Kelly Lore, Clerk of the Board

ORANGE COUNTY SANITATION DISTRICT
BOARD OF DIRECTORS
Complete Roster
Effective 03/07/2022

| AGENCY/CITIES | ACTIVE DIRECTOR | ALTERNATE DIRECTOR |
|---|---|---|
| Anaheim | Stephen Faessel | Gloria Ma’ae |
| Brea | Glenn Parker | Cecilia Hupp |
| Buena Park | Art Brown | Connor Traut |
| Cypress | Paulo Morales | Anne Hertz-Mallari |
| Fountain Valley | Patrick Harper | Ted Bui |
| Fullerton | Jesus J. Silva | Nick Dunlap |
| Garden Grove | Steve Jones | John O’Neill |
| Huntington Beach | Kim Carr | Dan Kalmick |
| Irvine | Anthony Kuo | Farrah N. Khan |
| La Habra | Rose Espinoza | Steve Simonian |
| La Palma | Marshall Goodman | Nitesh Patel |
| Los Alamitos | Ron Bates | NONE |
| Newport Beach | Brad Avery | Joy Brenner |
| Orange | Kim Nichols | Chip Monaco |
| Placentia | Chad Wanke | Ward Smith |
| Santa Ana | Johnathan Ryan Hernandez | Nelida Mendoza |
| Seal Beach | Sandra Massa-Lavitt | Schelly Sustarsic |
| Stanton | David Shawver | Carol Warren |
| Tustin | Ryan Gallagher | Austin Lumbard |
| Villa Park | Chad Zimmerman | Robert Collacott |
| Sanitary/Water Districts | | |
| Costa Mesa Sanitary District | Bob Ooten | Art Perry |
| Midway City Sanitary District | Andrew Nguyen | Mark Nguyen |
| Irvine Ranch Water District | John Withers | Douglas Reinhart |
| Yorba Linda Water District | Brooke Jones | Ted Lindsey |
| County Areas | | |
| Board of Supervisors | Donald P. Wagner | Doug Chaffee |

AUDIT AD HOC COMMITTEE
Regular Meeting Agenda
Wednesday, July 20, 2022 - 4:00 PM
Board Room, Administration Building
10844 Ellis Avenue, Fountain Valley, CA 92708
(714) 593-7433

ACCOMMODATIONS FOR THE DISABLED: If you require any special disability related accommodations, please contact the Orange County Sanitation District (OC San) Clerk of the Board’s office at (714) 593-7433 at least 72 hours prior to the scheduled meeting.
Requests must specify the nature of the disability and the type of accommodation requested.

AGENDA POSTING: In accordance with the requirements of California Government Code Section 54954.2, this agenda has been posted outside the main gate of the OC San's Administration Building located at 10844 Ellis Avenue, Fountain Valley, California, and on the OC San’s website at www.ocsan.gov not less than 72 hours prior to the meeting date and time above. All public records relating to each agenda item, including any public records distributed less than 72 hours prior to the meeting to all, or a majority of the Board of Directors, are available for public inspection in the office of the Clerk of the Board.

AGENDA DESCRIPTION: The agenda provides a brief general description of each item of business to be considered or discussed. The recommended action does not indicate what action will be taken. The Board of Directors may take any action which is deemed appropriate.

MEETING AUDIO: An audio recording of this meeting is available within 24 hours after adjournment of the meeting at https://ocsd.legistar.com/Calendar.aspx or by contacting the Clerk of the Board at (714) 593-7433.

NOTICE TO DIRECTORS: To place items on the agenda for a Committee or Board Meeting, the item must be submitted in writing to the Clerk of the Board: Kelly A. Lore, MMC, (714) 593-7433 / klore@ocsan.gov at least 14 days before the meeting.

FOR ANY QUESTIONS ON THE AGENDA, BOARD MEMBERS MAY CONTACT STAFF AT:
General Manager: Jim Herberg, jherberg@ocsan.gov / (714) 593-7300
Asst. General Manager: Lorenzo Tyner, ltyner@ocsan.gov / (714) 593-7550
Asst. General Manager: Rob Thompson, rthompson@ocsan.gov / (714) 593-7310
Director of Human Resources: Celia Chandler, cchandler@ocsan.gov / (714) 593-7202
Director of Engineering: Kathy Millea, kmillea@ocsan.gov / (714) 593-7365
Director of Environmental Services: Lan Wiborg, lwiborg@ocsan.gov / (714) 593-7450
Director of Operations & Maintenance: Riaz Moinuddin, rmoinuddin@ocsan.gov / (714) 593-7269

CALL TO ORDER & PLEDGE OF ALLEGIANCE
Chair Glenn Parker

ROLL CALL:

PUBLIC COMMENTS:

Your participation is always welcome. Specific information as to how to participate in a meeting is detailed in the Special Notice attached to this agenda. In general, OC San offers several ways in which to interact during meetings: you may join the meeting live via Teams on your computer or similar device or web browser, join the meeting live via telephone, view the meeting online, and/or submit comments for consideration before or during the meeting.

You may provide verbal comment in real time during the meeting. In order to provide a verbal comment, please raise your hand (directions provided in the Special Notice attached to this agenda) or alert the Clerk of the Board before or during the public comment period.

You may submit your comments and questions in writing for consideration in advance of the meeting by using the eComment feature available online at: https://ocsd.legistar.com/Calendar.aspx or sending them to OCSanClerk@ocsan.gov with the subject line “PUBLIC COMMENT ITEM # (insert the item number relevant to your comment)” or “PUBLIC COMMENT NON-AGENDA ITEM”.

You may also submit comments and questions for consideration during the meeting by using the eComment feature available online at: https://ocsd.legistar.com/Calendar.aspx. The eComment feature will be available for the duration of the meeting.
All written public comments will be provided to the legislative body and may be read into the record or compiled as part of the record.

INFORMATION ITEMS:

1. 2022-2403 INTERNAL AUDIT UPDATE: RISK ASSESSMENT
RECOMMENDATION: Information Item.
Originator: Lorenzo Tyner
Attachments: Agenda Report; OC San - Risk Assessment Report - Final; Presentation - Risk Assessment Update

OTHER BUSINESS AND COMMUNICATIONS OR SUPPLEMENTAL AGENDA ITEMS, IF ANY:

ADJOURNMENT: Adjourn the Audit Ad Hoc Committee meeting.

AUDIT AD HOC COMMITTEE
Agenda Report

File #: 2022-2403
Agenda Date: 7/20/2022
Agenda Item No: 1.

FROM: James D. Herberg, General Manager
Originator: Lorenzo Tyner, Assistant General Manager

SUBJECT: INTERNAL AUDIT UPDATE: RISK ASSESSMENT

GENERAL MANAGER'S RECOMMENDATION

RECOMMENDATION: Information Item.

BACKGROUND

Orange County Sanitation District (OC San) selected the audit firm of Eide Bailly LLP to provide audits of various OC San programs and processes as selected by the Audit Ad Hoc Committee. Most recently, the Audit Ad Hoc Committee selected an organization wide risk assessment. The auditors will provide an update of those efforts. Additionally, staff and the auditors will present potential topics for future audit selection.
RELEVANT STANDARDS

· Conduct audits to determine if OC San operations are being conducted in an economical and efficient manner
· Conduct audits to establish whether specific government programs are effective in meeting their stated goals and objectives
· Conduct audits to determine if OC San is following policies and procedures in conducting operations

PRIOR COMMITTEE/BOARD ACTIONS

N/A

ATTACHMENT

The following attachment(s) may be viewed on-line at the OC San website (www.ocsan.gov) with the complete agenda package:

· Internal Audit Report
· Presentation

Orange County Sanitation District Printed on 7/13/2022

Enterprise Risk Assessment
July 2022
ORANGE COUNTY SANITATION DISTRICT

Submitted By: Eide Bailly LLP
Doug Sluyk, CIA, CISA, Manager, Risk Advisory Services
Audrey Donovan, CIA, CGAP, CRMA, Senior Manager, Risk Advisory Services
Roger Alfaro, CPA, CITP, Partner
eidebailly.com

OC SAN – ENTERPRISE RISK ASSESSMENT

TABLE OF CONTENTS
RISK ASSESSMENT
RISK ASSESSMENT – HEAT MAP
RISKS IDENTIFIED
APPENDIX A – INTERNAL AUDIT TOPICS

RISK ASSESSMENT

Eide Bailly uses guidance provided by the International Professional Practices Framework (IPPF) published by the Institute of Internal Auditors. Standards of the IPPF address planning and indicate that Internal Audit plans should be risk-based plans which determine the priorities of the internal audit activity, consistent with the organization’s goals. The internal audit activity’s plan of engagements must be based on a documented risk assessment. These risk assessments should be performed annually in conjunction with preparing audit plans.
The input of senior management and the Audit Committee must be considered in this process.

This report describes how Internal Audit analyzed Orange County Sanitation District’s (OC San or District) risk environment and prioritized audit areas. The contents of this report are based on the following:

· Risk, control and governance largely determine the ability for OC San to achieve its objectives.
· Management is responsible for assessing risk by analyzing conditions that can impair OC San’s ability to achieve its objectives.
· OC San management is responsible for managing risk by implementing internal controls and providing reasonable assurance that they are operating as intended.

What is an Enterprise Risk Assessment?

Risk assessment is a systematic process for utilizing professional judgments to evaluate probable adverse conditions and/or events and their potential effects on the district. The process starts with identifying risks associated with business objectives linked through all levels of the district, whether at entity or process level.

· Entity level is the cornerstone for effective control. These objectives provide guidance on what the entity wants to achieve and should be consistent with budget, strategy, and business plans.
· Process level should align with entity level objectives but differ in that they relate directly to goal setting with specific targets and deadlines. It provides guidance for management focus.

The first approach is for Internal Audit to assess risks to programs and departments in a silo approach; this is designed to identify audits of a single department, program, or process. Another approach is to assess risk across the entire organization to identify the risks to achieving overall objectives. An organizational view of risk gauges which risks are directly aligned to achieving strategic objectives.
Risk Assessment Methodology

The risk assessment is the first step in determining which areas of the District have high risk factors that should be considered for further internal audit review. Eide Bailly developed a risk assessment approach specifically tailored for the departments, people and processes of the District. We began by conducting the planning and scoping phase to facilitate the direction of the risk assessment, developing the risk types and developing the measures and risk scores.

Planning & Scoping Phase:

We began by understanding the District’s operations and performing the following risk assessment activities:

· Performed interviews and discussions with Board, Senior Management and District personnel;
· Reviewed information provided by the District, such as organizational charts and regulatory reporting;
· Reviewed external financial auditor’s results;
· Assessed current and historical financial performance;
· Reviewed Strategic Plan and goals;
· Reviewed Committee Minutes including: Administrative, Operations, Steering, Legislative and Public Affairs, and Audit Ad Hoc;
· Eide Bailly’s Internal Audit team’s general knowledge and observations of the District; and
· Consideration of past internal audits performed along with remediation status of risk(s) identified.

Risk Categories:

We identified and defined the applicable risks and created a risk framework. Risks identified are related to an event or condition that can negatively affect the ability of the District to achieve its objectives. Risks are generally thought to be associated with taking actions; however, risks can also occur when no action is taken, in the form of missed opportunities. This risk assessment incorporated the top ten (10) risks applicable to OC San:

1. Strategic risks: are the risks that would result in failing to achieve business objectives.

2. Governance/Stakeholder risk: relates to board and management performance regarding ethics, community stewardship, and organizational reputation. It is directly related to the behavior of the executives who are project sponsors and stakeholders. Risks derived from the attitude and actions of executive management related to accountability, transparency and continuous improvement. This measure presumes that risk is decreased based on effective internal controls, management oversight and audit frequency, both internal and external audits. This risk is easier to mitigate and manage with proper stakeholder engagement.

3. Financial risk: includes budgetary, revenue, and expense risk. Budget risk is the potential for the estimates or assumptions built into a budget to turn out to be inaccurate. All budgets are based on future looking forecasts that typically involve a degree of uncertainty. This uncertainty is factored in as a risk. Revenue risk is associated with the financial reporting being inaccurate, incomplete, or untimely due to a variety of factors including the pace of change, the amount of uncertainty, the presence of a large error, or the pressure on management to meet certain expectations. Expense risk is the financial risk arising out of unexpected or unanticipated increases in operating expenses.

4. Regulatory risk: is associated with a variety of federal, state, and local laws and regulations. Failure to follow prescribed directives may result in substantial fines, restrictions, loss of business, and/or legal action.

5. Business/Operational risk: is the possibility of business operations failing due to inefficiencies or breakdown in internal process, policies, people and systems.

6. Information Technology risk: is a subset of operational risk that is a risk to information technology, data or applications that negatively impact business operations. Additionally, technology risk is any potential for technology failures to disrupt business operations such as information security, cyber security incidents or service outages.

7. Safety risk: assesses risk in terms of keeping employees and citizens safe from hazards in the workplace. The measure takes into consideration that protecting the safety and health of citizens and employees is the highest priority and most significant responsibility of OC San. Losses arising from acts related to employment, health or safety laws or agreements, payment of personal injury claims, or from diversity / discrimination events.

8. Resource-Related risk: is the set of unexpected events that have a negative effect on operations due to lack of resources. Resources include time, skills, money, tools and people.

9. Supplier risks: some of these risks include a) reputational risk – due to a service or supply interruption, a supplier safety or quality failure, or a supplier’s business practices; b) resilience risk – a supplier failure results in an interruption to customer service; c) regulatory risk – non-compliance with the regulatory requirements associated with sourcing or outsourcing; d) commercial risk – the risk of financial loss or cost overruns for poorly managed sourcing arrangements, supplier failures or inaccurate billing from sourcing or outsourcing arrangements.

10. Reputational risks: potential negative public relations impacts caused by the level of visibility and/or public interest in conjunction with financial or operational performance exposure resulting in the District's reputation being impaired or damaged. Reputation risk includes the risk that the District may be subject to lawsuit, poor management of an operational crisis, specific reputation issue or District not meeting stakeholder expectations.
Risk Factors / Impact:

These factors refer to relevant and meaningful information that significantly, moderately or negligibly affects how the risk is managed, prioritized relative to other risks, monitored and reported. These include results of prior assessments (internal audit engagements), size and significance of department operations, major changes to operations, significant compliance requirements, dollar exposure, volume of transactions, susceptibility to fraud, and internal control systems.

Below are the impact factors assessed:

i.1 Size of Audit Unit: Size and complexity of the department, including number of personnel, critical and complex processes.
i.2 Compliance with Regulations: Extent of department regulatory compliance requirements; federal, state, local.
i.3 Reputation: Extent of reputational damage which may result based upon the role, size, and nature of the department.
i.4 Business Operations: Extent to which the department's operations may result in continuous operations.
i.5 Financial: Extent to which financial impact may result from department, includes materiality, and volume of transactions.

Risk Scores:

To determine the relative significance of each risk we measure the risk as a combination of the likelihood or probability of it occurring and the impact if it does occur. Risk scores are summarized by assigning numbers to both likelihood and impact and multiplying these numbers based on weighted factors. The high number is assigned to the high likelihoods / impacts, and the low number to the low likelihoods / impacts. However, judgment is involved in evaluating whether a risk’s likelihood and impact are low, medium, or high. Judgment along with the numerical ranking system balance the finality and certainty that exists in the scoring model.

· Likelihood: represents the possibility that a given event will occur. Likelihood can be expressed using qualitative terms (frequent, likely, possible, unlikely, rare), as a percent probability, or as a frequency.
· Impact: refers to the extent to which a risk event might affect the organization. We define impact using a combination of impact considerations, given that certain risks may impact the organization financially while other risks may have a greater impact to reputation or health and safety.

For likelihood, each of the 10 risk types was assigned a risk ranking score between 0 – 25 to arrive at an “overall likelihood score”. Likelihood scoring is defined in the table below.

| Risk Ranking Score | Level of Risk | Level of Severity | Risk Defined |
|---|---|---|---|
| 0 - 8 | Low | Acceptable | Minimal financial reporting or operational risk, requires low level of resources, routine control and accounting issues. |
| 9 - 16 | Medium | Serious | Poses a moderate financial reporting or operational risk, will involve less resources, involves fewer complex controls and accounting issues. |
| 17 - 25 | High | Critical | Poses a significant financial reporting or operational risk, will most likely require ongoing sustained resources, includes accounting issues or balances that include significant estimates or judgements. |

Additionally, the “impact factors” were assigned a score of: 1 – low, 2 – medium, 3 – high.

The likelihood and impact scores are multiplied together for a total overall risk score.
The total scores were sorted in descending order from highest – most risky, to lowest – least risky and divided into four (4) categories:

· High Risk: scores greater than 1,000
· Moderate to High Risk: scores of 700 to 999
· Low to Moderate Risk: scores of 500 to 699
· Low Risk: scores less than 499

See Risk Assessment – Heat Map on subsequent page for listing of numerical ranking of departments based on the likelihood of the 10 risk types and impact of the five (5) risk factors for overall likelihood/impact score.

See Risks Identified, starting on page 8 of the report for risks defined by standard business processes/cycles. This break out by business process defines the risks within each functional area or department. Processes with a high risk are prioritized within the audit plan, followed by medium risk processes. See Appendix B for Internal Audit Topics.

A high-risk score does not mean that a department is ineffectively managed, that sufficient controls are not in place, or that the function is not performing properly. A high-risk score simply means that a negative event in that area would be particularly damaging or more likely to occur in the absence of effective controls.

OC San’s Audit Ad Hoc Committee, senior management, and leadership are the responsible authority to prioritize which risks get the most attention and resources. Those charged with governance know their entity best and how best to manage the risks identified.

RISK ASSESSMENT – HEAT MAP

Risk Categories (R.01 to R.10) and Risk Factors / Impacts (i.1 to i.5)

| # | Department | R.01 - Strategic | R.02 - Governance | R.03 - Financial | R.04 - Regulatory | R.05 - Operational | R.06 - Info Tech | R.07 - Safety | R.08 - Resource | R.09 - Supplier | R.10 - Reputational | Overall Likelihood Score | i.1 - Department Size | i.2 - Compliance | i.3 - Reputation | i.4 - Business Ops | i.5 - Financial | Overall Likelihood Score | Overall Likelihood / Impact Score |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Environmental Services Administration | 10 | 3 | 3 | 20 | 15 | 3 | 20 | 25 | 7 | 20 | 126 | 3 | 3 | 3 | 3 | 2 | 14 | 1,764 |
| 2 | Collection Facilities, Operations & Maintenance (Plant #1 & #2) | 5 | 3 | 3 | 25 | 15 | 3 | 20 | 3 | 3 | 20 | 100 | 2 | 3 | 3 | 3 | 2 | 13 | 1,300 |
| 3 | Information Technology | 10 | 3 | 3 | 3 | 14 | 20 | 5 | 15 | 15 | 20 | 108 | 1 | 2 | 3 | 3 | 2 | 11 | 1,188 |
| 4 | Engineering Administration | 10 | 3 | 3 | 10 | 15 | 3 | 20 | 25 | 3 | 3 | 95 | 2 | 2 | 2 | 3 | 2 | 11 | 1,045 |
| 5 | Risk Management, Safety, Security | 5 | 3 | 3 | 10 | 10 | 3 | 20 | 10 | 3 | 20 | 87 | 2 | 2 | 3 | 3 | 2 | 12 | 1,044 |
| 6 | O&M Administration | 10 | 3 | 3 | 25 | 10 | 3 | 5 | 25 | 3 | 3 | 90 | 2 | 3 | 2 | 2 | 2 | 11 | 990 |
| 7 | Construction Management | 5 | 3 | 15 | 20 | 15 | 3 | 20 | 3 | 3 | 3 | 90 | 2 | 2 | 2 | 3 | 2 | 11 | 990 |
| 8 | Financial Management | 5 | 25 | 15 | 3 | 3 | 3 | 5 | 3 | 15 | 20 | 97 | 2 | 1 | 2 | 2 | 3 | 10 | 970 |
| 9 | Human Resources | 10 | 20 | 3 | 3 | 3 | 3 | 20 | 20 | 3 | 20 | 105 | 2 | 2 | 2 | 2 | 1 | 9 | 945 |
| 10 | Resource Protection | 5 | 3 | 3 | 20 | 3 | 3 | 5 | 3 | 15 | 3 | 63 | 3 | 3 | 3 | 3 | 2 | 14 | 882 |
| 11 | Laboratory, Monitoring & Compliance | 5 | 3 | 3 | 20 | 3 | 3 | 5 | 3 | 15 | 3 | 63 | 3 | 3 | 3 | 3 | 2 | 14 | 882 |
| 12 | Fleet Services | 5 | 3 | 3 | 25 | 15 | 3 | 20 | 3 | 3 | 3 | 83 | 2 | 2 | 2 | 2 | 2 | 10 | 830 |
| 13 | Project Management | 5 | 3 | 15 | 20 | 3 | 3 | 5 | 3 | 15 | 3 | 75 | 2 | 2 | 2 | 3 | 2 | 11 | 825 |
| 14 | Design | 5 | 3 | 3 | 20 | 3 | 3 | 5 | 3 | 15 | 3 | 63 | 2 | 2 | 2 | 3 | 2 | 11 | 693 |
| 15 | Public Affairs | 10 | 20 | 3 | 3 | 3 | 3 | 20 | 5 | 3 | 20 | 90 | 1 | 1 | 3 | 1 | 1 | 7 | 630 |
| 16 | Contracts, Purchasing & Materials Management | 5 | 3 | 15 | 3 | 15 | 3 | 5 | 3 | 15 | 3 | 70 | 1 | 1 | 1 | 3 | 2 | 8 | 560 |
| 17 | Consolidated Services | 5 | 3 | 3 | 3 | 3 | 3 | 5 | 3 | 3 | 3 | 34 | 2 | 3 | 3 | 3 | 3 | 14 | 476 |
| 18 | Administrative Services | 5 | 20 | 3 | 3 | 3 | 3 | 5 | 3 | 3 | 3 | 51 | 2 | 2 | 2 | 1 | 1 | 8 | 408 |
| 19 | Board Services | 10 | 20 | 3 | 10 | 3 | 3 | 5 | 3 | 3 | 3 | 63 | 1 | 1 | 2 | 1 | 1 | 6 | 378 |
| 20 | Planning | 5 | 3 | 3 | 3 | 3 | 3 | 5 | 3 | 3 | 3 | 34 | 2 | 2 | 2 | 3 | 2 | 11 | 374 |
| | Total Risk Category | 135 | 150 | 108 | 249 | 157 | 77 | 220 | 164 | 148 | 179 | | 39 | 42 | 47 | 50 | 38 | | |

RISKS IDENTIFIED

Risk Assessment Results:

From the risk assessment Heat Map the 10 “risk categories” are listed below in order of highest to lowest risk along with
the detailed risks supporting the individual department and overall “likelihood” score. For  example, from the Heat Map the “risk category” with the highest risk is “Regulatory”, as shown below in #1.  For each risk category there is a corresponding “risk description”, “risk factors” identified from the risk  assessment process and results, and the “departments” identified.     Processes with a high risk are prioritized within the audit plan. See Appendix B for Internal Audit Topics.     # Risk Description Departments  (high/medium likelihood)  Risk Category – Regulatory (R.04):  are associated with a variety of federal, state, local laws and regulations.  Failure to follow prescribed directives may result in substantial fines, restrictions, loss of business, and/or legal  ti 1. Regulatory Compliance    Identification and adherence to emerging regulations;  Polyfluoroalkyl Substances (PFAS)   Regulatory Compliance Air   Lab Accreditation   Critical Asset Replacement – Lab Building, Marine Vessel   Source Control   Regulatory Compliance includes factors such as, significant  compliance requirements, major changes to operations, and  extent of procedures.   Increased scrutiny and oversight by the EPA to address PFAS  chemicals and contamination clean up.   Increased risk around regulatory reporting requirements to  ensure complete, accurate and timely notifications of  violations (water, solid and air).    OC San has two (2) aged assets which are critical to adhere  to regulatory requirements, a Laboratory Building and  Marine Vessel.    Entities within District discharge chemicals and  contaminates which enter OC San’s treatment facilities.                      
 Environmental Services  Administration   Collection Facilities, Operations &  Maintenance (Plant #1 & #2)   Engineering administration   Risk Management, Safety, Security   O&M Administration   Construction Management   Resource Protection   Laboratory, Monitoring &  Compliance   Fleet Services   Project Management   Design   Board Services  OC SAN – ENTERPRISE RISK ASSESSMENT   9 | eidebailly.com    Risk Category – Safety (R.07):  risk in terms of keeping employees and citizens safe from hazards in the workplace.  Losses arising from acts inconsistent with employment, health or safety laws or agreements, from payment of  personal injury claims, or from diversity/discrimination events.  2. Safety & Security   Safety Protocols   Physical Security Protocols   High‐risk area due to human injury or death in the event of  a control failure.     Although OC San has effective safety and security controls  in place, monitoring through internal practices and  regulatory reviews, a safety or security control failure could  result in a significant and devastating outcome to  employees and critical assets.   Environmental Services  Administration   Collection Facilities, Operations &  Maintenance (Plant #1 & #2)   Engineering Administration   Risk Management, Safety, Security   Construction Management   Fleet Services   Public Affairs  Risk Category – Reputational (R.10): potential negative public relations impacts caused by the level of visibility  and/or public interest in conjunction with financial or operational performance exposure resulting the District's  reputation being impaired or damaged.  3. Reputational    Integrity of regulatory reporting   Legislation and societal changes   OC San is at risk of changes in political environment and  public sentiments including regulations related to  purchasing from domestic versus international suppliers.   
• OC San is at risk of negative reputational impact if there is inaccuracy or lack of transparency related to reporting of results, violations and external communications.

Departments:
• Environmental Services Administration
• Collection Facilities, Operations & Maintenance (Plant #1 & #2)
• Information Technology
• Risk Management, Safety, Security
• Financial Management
• Human Resources
• Public Affairs

Risk Category – Resource Related (R.08): is the set of unexpected events that have a negative effect on operations due to lack of resources. Resources include time, skills, money, tools and people.

4. Human Resources
• Resource Plan Optimization
• Succession Management
• Recruitment
• Collective Bargaining Agreements in negotiation (6)

Risk factors:
• OC San personnel are critical to perform District operations and have specialized and institutional knowledge.
• Annually, retirements impact business operations (March 2022, 40 retirees, turnover of 6%).
• State of employment across all industries, workforce shortage may result in recruitment challenges.
• Collective Bargaining agreements (negotiations in progress at time of assessment).

Departments:
• Environmental Services Administration
• Information Technology
• Engineering Administration
• Risk Management, Safety, Security
• Human Resources

Risk Category – Business / Operational (R.05): is the possibility of business operations failing due to inefficiencies or breakdown in internal process, policies, people and systems.

5. Inflation and supply chain issues including limited availability of chemicals and supplies creates a risk to business operations, budgeting, and expense management processes.
Departments:
• Environmental Services Administration
• Collection Facilities, Operations & Maintenance (Plant #1 & #2)
• Information Technology
• Engineering Administration
• Risk Management, Safety, Security
• O&M Administration
• Fleet Services
• Contracts, Purchasing & Materials Management

Risk Category – Governance/Stakeholder (R.02): relates to board and management performance regarding ethics, community stewardship, and organizational reputation.

6. Governance
• Proper tools, structure, training
• Anonymous reporting

Risk factors:
• Reputational risks may arise from adverse communications regarding the transparency, structure of board assignments, training and governance structure.
• The risk of a reportable event going undetected resulting in operational risk or reputational damage may occur if effective anonymous reporting tools for fraud, waste and abuse are not available to all employees and affiliated parties.

Departments:
• Financial Management
• Human Resources
• Public Affairs
• Administrative Services
• Board Services

Risk Category – Supplier (R.09): risks include:
a) reputational risk – due to a service or supply interruption, a supplier safety or quality failure, or a supplier's business practice.
b) resilience risk – a supplier failure results in an interruption to customer service.
c) regulatory risk – non-compliance with the regulatory requirements associated with sourcing or outsourcing.
d) commercial risk – the risk of financial loss or cost overruns for poorly managed sourcing arrangements, supplier failures or inaccurate billing from sourcing or outsourcing arrangements.

7. Business / operational, reputational and financial risks may arise from supply chain shortages including the limited availability of chemicals, maintenance & operational supplies, and information technology components.
Departments:
• Information Technology
• Financial Management
• Resource Protection
• Laboratory, Monitoring & Compliance
• Project Management
• Design

Risk Category – Strategic (R.01): are the risks that would result in failing to achieve business objectives.

8.
• Internal and external events that can deter or prevent the organization from accomplishing set business objectives.
• The potential impact of strategic decisions, or of a defective or inappropriate strategy that results in lack of responsiveness to industry changes or risks related to future plans, e.g. entering new markets or expanding existing services.

Departments:
• Environmental Services Administration
• Information Technology
• Engineering Administration
• Risk Management, Safety, Security
• O&M Administration
• Human Resources
• Public Affairs
• Board Services

Risk Category – Financial (R.03): includes budgetary, revenue, and expense risk.
Budget risk is the potential for the estimates or assumptions built into a budget to turn out to be inaccurate. All budgets are based on future looking forecasts that typically involve a degree of uncertainty. This uncertainty is factored in as a risk.
Revenue risk is associated with the financial reporting being inaccurate, incomplete, or untimely due to a variety of factors including the pace of change, the amount of uncertainty, the presence of a large error, or the pressure on management to meet certain expectations.
Expense risk is the financial risk arising out of unexpected or unanticipated increases in operating expenses.

9.a. Capital Improvements
• Transactions
• Internal Labor

Risk factors:
• Capital Improvements are significant expenditures for OC San. OC San has $11B in assets and 220 active Capital Improvement projects.
• Valid and accurate internal labor capitalization costs are critical inputs to financial and managerial reports.
Departments:
• Construction Management
• Financial Management
• Project Management
• Contracts, Purchasing & Materials Management

9.b. Expense & Budget Management
• Continuous Improvement
• Expense management (insurance, overtime)
• Fictitious vendor review

Risk factors:
• Risks arise if continuous improvements through process assessments and evaluations of control effectiveness do not occur.
• Expense management process reviews ensure appropriate controls, policies and procedures, and processes to manage expenses.
• Analytics and assessments may detect fraud and identify preventative controls.

9.c. Revenue Management
• Annexations Parcel Verification
• CFCC Program

Risk factors:
• Risk of revenue erosion may result if processes do not ensure completeness and accuracy of annexations and CFCC program with partnering cities.

Risk Category – Information Technology (R.06): is a subset of operational risk that is a risk to information technology, data or applications that negatively impact business operations. Additionally, technology risk is any potential for technology failures to disrupt business operations such as information security, cyber security incidents or service outages.

10. Information Technology General Controls
• Access & Vulnerability
• Change Management
• Life Cycle
• Penetration Testing

Risk factors:
• Information Technology (IT) risks have been reduced based on recent audits and associated results, however risks remain due to current environment across all industries.

Departments:
• Information Technology

APPENDIX A – INTERNAL AUDIT TOPICS

2022 Proposed Audits / Department

1. Regulatory Compliance
Environmental Services Administration, Collection Facilities Operations and Maintenance (Plant #1 & #2), Laboratory, Monitoring & Compliance, and Resource Protection – evaluate processes and procedures to ensure internal controls over regulatory compliance is complete, accurate and timely to meet regulatory requirements. Additionally, to evaluate the source control (pretreatment program) processes and procedures to review and inspect chemical disposal practices and associated discharge. Lastly, to assess the process for identifying emerging regulations to ensure Regulatory Compliance.

2. Information Technology General Controls
Information Technology Department – evaluate the design and operating effectiveness of IT General Controls (ITGC), to ensure the integrity of the data and processes that the systems support. Additionally, perform an assessment of the maturity model of IT controls and evaluate areas including: Access & Vulnerability, Change Management and System Development Life Cycle (SDLC).[1]

3. Safety & Security Protocols
Risk Management & Safety Departments – evaluate safety and security protocols, monitoring exceptions, incident reporting, remediation of findings and internal and public reporting protocols throughout OC San, including Environmental Services, Collection Facilities, Operations & Maintenance (Plant #1 & #2), Human Resources, Fleet Services and Public Affairs.

4. Supply Chain Management
Engineering Administration, O&M Administration, and Construction Management – evaluate supply chain controls for Engineering Administration, Operations & Maintenance and Construction management practices and activities to mitigate inflation and supply chain issues including limited availability of chemicals and supplies. Perform an assessment of the budgeting and expense management processes related to these departments' procurement of materials and supplies.

5. Capital Improvements (CIP) Administration: Construction
Construction Management and Financial Management – review internal controls and procedures over bid and solicitation process for construction projects[2] to ensure controls over conflict of interest, selection panel approval, and solicitation are performed in accordance with state and local laws. Lastly, to evaluate internal labor capitalization for completeness and accuracy.

6. Procurement Card Program Management
Contracts, Purchasing & Materials Management – evaluate the Purchasing Card (ProCard) processes and controls over ProCard issuance, purchasing guidelines, and individual and department purchase compliance.

7. Expense Management – Overtime
O&M Administration – assess OC San’s Public Works administration and use of overtime and identify areas of risk and opportunities for potential savings.

8. Revenue Management
Financial Management – to ensure controls are designed and operating effectively to minimize revenue erosion through ensuring accuracy and completeness of Annexation and Capital Facilities Capacity Charge (CFCC) program[3]. Additionally, to assess processes and controls including identification of annexations and partnering city CFCC remittance.

9. Accounts Payable Vendor Review
Financial Management and Contracts, Purchasing & Materials Management – evaluate processes and controls to ensure validity and accuracy of vendor records. Evaluate the design and operating effectiveness of vendor approval processes, including analytics to identify fictitious or duplicate vendors[4] and payments.

10. Employee Recruiting Process
Human Resources – to assess the efficiency and effectiveness of recruitment functions at OC San. Review and evaluate the processes and controls associated with HR recruiting strategy, workforce planning, talent readiness and succession planning. Additionally, benchmark against best-in-class agencies for hiring practices including collective bargaining negotiations, on boarding, probationary, and vetting.

11. Independent Contractor
Human Resources – to evaluate the “employment” status of independent contractors to ensure they are legally “not an employee” in accordance with State of California labor laws.

12. Fleet Services
Fleet Services Division – obtain an understanding of the business processes and procedures of the District’s fleet operations in order to identify and assess the internal controls and processes to ensure Fleet Services is operating efficiently and effectively.

[1] During our assessment, it was noted that Homeland Security was scheduled to perform a penetration test. Our audit would include a review of the results.
[2] OC San Internal Audit Plan – rotation item, Year 5 (2024)
[3] OC San Internal Audit Plan – rotation item, Year 4 (2023)
[4] OC San Internal Audit Plan – rotation item, Year 3 (2022)

7/13/2022

ORANGE COUNTY SANITATION DISTRICT
Audit Ad Hoc Committee Briefing
July 20, 2022

ENTERPRISE RISK ASSESSMENT
Approach
Risk Ranking
Heat Map
Identified Audits
5-Year Internal Audit Plan – previous vs proposed
Questions

Eide Bailly, CPAs & BUSINESS ADVISORS
RISK ASSESSMENT APPROACH
• Research & Data Gathered (Organization Charts, Minutes, Regulatory Reports)
• Interviewed Governance & Key Stakeholders (GM’s, Directors, Management, Steering Committee)
• Assessed functional operations, internal processes & controls
• Identified Risk Types
• Ranked Risks – Likelihood & Impact
• Developed Risk Heat Map
• Prepared Audit Plan

RISK RANKING

High
• Poses a significant financial reporting risk.
• Will most likely require ongoing sustained resources.
• Complex accounting issues or balances that include significant estimates or judgement.

Medium
• Poses a moderate financial reporting risk.
• Will involve less resources.
• Involves less complex controls and accounting issues.

Low
• Minimal financial reporting risk.
• Require low level of resources.
• Routine control and accounting issues.

Major Systems Changes to Operations
Significant Changes in Customer Needs and Expectations
Significant Key Personnel Turnover or Growth
Special Management Interest
Susceptibility to Misuse, Misappropriation, or Fraud
Significant Compliance Requirements
Dollar Exposure
Volume of Transactions
Competence of Management and Staff
System of Internal Controls
Results of Last Audit
High Level of Decentralization
Likelihood
Impact

RISK ASSESSMENT HEAT MAP

Columns R.01 through R.10 are Risk Categories; columns i.1 through i.5 are Risk Factors / Impacts.

# | Department | R.01 - Strategic | R.02 - Governance | R.03 - Financial | R.04 - Regulatory | R.05 - Operational | R.06 - Info Tech | R.07 - Safety | R.08 - Resource | R.09 - Supplier | R.10 - Reputational | Overall Likelihood Score | i.1 - Department Size | i.2 - Compliance | i.3 - Reputation | i.4 - Business Ops | i.5 - Financial | Overall Impact Score | Overall Likelihood / Impact Score
1 | Environmental Services Administration | 10 | 3 | 3 | 20 | 15 | 3 | 20 | 25 | 7 | 20 | 126 | 3 | 3 | 3 | 3 | 2 | 14 | 1,764
2 | Collection Facilities, Operations & Maintenance (Plant #1 & #2) | 5 | 3 | 3 | 25 | 15 | 3 | 20 | 3 | 3 | 20 | 100 | 2 | 3 | 3 | 3 | 2 | 13 | 1,300
3 | Information Technology | 10 | 3 | 3 | 3 | 14 | 20 | 5 | 15 | 15 | 20 | 108 | 1 | 2 | 3 | 3 | 2 | 11 | 1,188
4 | Engineering Administration | 10 | 3 | 3 | 10 | 15 | 3 | 20 | 25 | 3 | 3 | 95 | 2 | 2 | 2 | 3 | 2 | 11 | 1,045
5 | Risk Management, Safety, Security | 5 | 3 | 3 | 10 | 10 | 3 | 20 | 10 | 3 | 20 | 87 | 2 | 2 | 3 | 3 | 2 | 12 | 1,044
6 | O&M Administration | 10 | 3 | 3 | 25 | 10 | 3 | 5 | 25 | 3 | 3 | 90 | 2 | 3 | 2 | 2 | 2 | 11 | 990
7 | Construction Management | 5 | 3 | 15 | 20 | 15 | 3 | 20 | 3 | 3 | 3 | 90 | 2 | 2 | 2 | 3 | 2 | 11 | 990
8 | Financial Management | 5 | 25 | 15 | 3 | 3 | 3 | 5 | 3 | 15 | 20 | 97 | 2 | 1 | 2 | 2 | 3 | 10 | 970
9 | Human Resources | 10 | 20 | 3 | 3 | 3 | 3 | 20 | 20 | 3 | 20 | 105 | 2 | 2 | 2 | 2 | 1 | 9 | 945
10 | Resource Protection | 5 | 3 | 3 | 20 | 3 | 3 | 5 | 3 | 15 | 3 | 63 | 3 | 3 | 3 | 3 | 2 | 14 | 882
11 | Laboratory, Monitoring & Compliance | 5 | 3 | 3 | 20 | 3 | 3 | 5 | 3 | 15 | 3 | 63 | 3 | 3 | 3 | 3 | 2 | 14 | 882
12 | Fleet Services | 5 | 3 | 3 | 25 | 15 | 3 | 20 | 3 | 3 | 3 | 83 | 2 | 2 | 2 | 2 | 2 | 10 | 830
13 | Project Management | 5 | 3 | 15 | 20 | 3 | 3 | 5 | 3 | 15 | 3 | 75 | 2 | 2 | 2 | 3 | 2 | 11 | 825
14 | Design | 5 | 3 | 3 | 20 | 3 | 3 | 5 | 3 | 15 | 3 | 63 | 2 | 2 | 2 | 3 | 2 | 11 | 693
15 | Public Affairs | 10 | 20 | 3 | 3 | 3 | 3 | 20 | 5 | 3 | 20 | 90 | 1 | 1 | 3 | 1 | 1 | 7 | 630
16 | Contracts, Purchasing & Materials Management | 5 | 3 | 15 | 3 | 15 | 3 | 5 | 3 | 15 | 3 | 70 | 1 | 1 | 1 | 3 | 2 | 8 | 560
17 | Consolidated Services | 5 | 3 | 3 | 3 | 3 | 3 | 5 | 3 | 3 | 3 | 34 | 2 | 3 | 3 | 3 | 3 | 14 | 476
18 | Administrative Services | 5 | 20 | 3 | 3 | 3 | 3 | 5 | 3 | 3 | 3 | 51 | 2 | 2 | 2 | 1 | 1 | 8 | 408
19 | Board Services | 10 | 20 | 3 | 10 | 3 | 3 | 5 | 3 | 3 | 3 | 63 | 1 | 1 | 2 | 1 | 1 | 6 | 378
20 | Planning | 5 | 3 | 3 | 3 | 3 | 3 | 5 | 3 | 3 | 3 | 34 | 2 | 2 | 2 | 3 | 2 | 11 | 374
 | Total Risk Category | 135 | 150 | 108 | 249 | 157 | 77 | 220 | 164 | 148 | 179 | | 39 | 42 | 47 | 50 | 38 | |

IDENTIFIED AUDITS

High Risk Audits

1) Regulatory Compliance: evaluate processes and procedures to ensure internal controls over regulatory compliance is complete, accurate and timely to meet regulatory requirements. Additionally, to evaluate the source control (pretreatment program) processes and procedures to review and inspect chemical disposal practices and associated discharge. Lastly, to assess the process for identifying emerging regulations to ensure Regulatory Compliance.
2) Information Technology General Controls: evaluate the design and operating effectiveness of IT General Controls (ITGC), to ensure the integrity of the data and processes that the systems support. Additionally, perform an assessment of the maturity model of IT controls and evaluate areas including: Access & Vulnerability, Change Management and System Development Life Cycle (SDLC).

3) Safety & Security Protocols: evaluate safety and security protocols, monitoring exceptions, incident reporting, remediation of findings and internal and public reporting protocols throughout OC San, including Environmental Services, Collection Facilities, Operations & Maintenance (Plant #1 & #2), Human Resources, Fleet Services and Public Affairs.

4) Supply Chain Management: evaluate supply chain controls for Engineering Administration, Operations & Maintenance and Construction management practices and activities to mitigate inflation and supply chain issues including limited availability of chemicals and supplies. Perform an assessment of the budgeting and expense management processes related to these departments' procurement of materials and supplies.

Medium Risk Audits

5) Capital Improvements (CIP) Administration (rotation item): review controls and procedures over bid and solicitation process for construction projects, conflict of interest, selection panel approval, and solicitation are performed in accordance with state and local laws. Evaluate internal labor capitalization for completeness and accuracy.

6) Procurement Card Program Management (audit in process): evaluate the Purchasing Card (ProCard) processes and controls over ProCard issuance, purchasing guidelines, and individual and department purchase compliance.

7) Expense Management – Overtime: assess Public Works administration and use of overtime and identify areas of risk and opportunities for potential savings.
8) Revenue Management (rotation item): ensure controls are designed and operating effectively to minimize revenue erosion through ensuring accuracy and completeness of Annexation and Capital Facilities Capacity Charge (CFCC) program. Assess processes and controls including identification of annexations and partnering city CFCC remittance.

9) Accounts Payable Vendor Review (rotation item): evaluate processes and controls to ensure validity and accuracy of vendor records. Evaluate the design and operating effectiveness of vendor approval processes, including analytics to identify fictitious or duplicate vendors and payments.

10) Employee Recruiting Process: assess the efficiency and effectiveness of recruitment functions at OC San. Review and evaluate the processes and controls associated with HR recruiting strategy, workforce planning, talent readiness and succession planning. Benchmark against best-in-class agencies for hiring practices including collective bargaining negotiations, on boarding, probationary, and vetting.

11) Independent Contractor: evaluate the “employment” status of independent contractors to ensure they are legally “not an employee” in accordance with State of California labor laws.

12) Fleet Services: assess the internal controls and processes to ensure Fleet Services is operating efficiently & effectively.
5-YEAR INTERNAL AUDIT PLAN

PREVIOUSLY PRESENTED
A) Risk Assessment - At the Beginning of Each Engagement
Rotation Items
1) Review of Sole Source Contracts
2) Cyber Security (Twice)*
3) Review of Risk of Fictitious Vendors/Employees*
4) Capital Facilities Capacity Charges - Cities Review*
5) Capital Improvement Program (CIP) - Contracts, Policies, Procedures*

PROPOSED AD HOC AUDIT SCHEDULE
A) Risk Assessment - At the Beginning of Each Engagement
Rotation Items
1) Cyber Security
2) Accounts Payable Vendor Review (including Fictitious Vendors / Employees)
3) Revenue Management (Capital Facilities Capacity Charges - Cities Review)
4) Capital Improvement Program (CIP) - Administration

Year 1
Previously presented:
A) Risk Assessment
B) Open - Based on Risk Assessment and Committee Input.
Proposed:
A) Risk Assessment (completed)
B) Procurement Card Program Management #6 (in process)
C) Expense Management - Overtime #7

Year 2
Previously presented:
A) Review of Sole Source Contracts - Rotation Item
B) Cyber Security - Rotation Item
C) Open - Based on the Risk Assessment and Committee Input
Proposed:
A) Regulatory Compliance #1
B) Information Technology General Controls #2 or Cyber Security (Rotation Item)
C) Revenue Management - (Capital Facilities Capacity Charge & Annexation) #8 (Rotation Item)

Year 3
Previously presented:
A) Review of Risk of Fictitious Vendors / Employees - Rotation Item*
B) Open - Based on the Risk Assessment and Committee Input
Proposed:
A) Safety & Security Protocols #3
B) Supply Chain Management #4
C) Accounts Payable Vendor Review (including Fictitious Vendors / Employees) #9 (Rotation item)

Year 4
Previously presented:
A) Capital Facilities Capacity Charge - Review of Cities - Rotation Item*
B) Cyber Security - Rotation Item*
Proposed:
A) Capital Improvements (CIP) Administration #5 (Rotation Item)
B) Employee Recruiting Process #10
C) Independent Contractor #11

Year 5
Previously presented:
A) Capital Improvement Program (CIP) - Contracts, Policies, Procedures, etc. - Rotation Item*
B) Open - Based on the Risk Assessment and Committee Input
Proposed:
A) Cyber Security (Rotation Item) or Information Technology General Controls #2
B) Fleet Services #12
C) Revenue Management - (Capital Facilities Capacity Charge & Annexation) #8 (Rotation Item)

*Included on Proposed Audit Plan.
Audits in blue were "Previously Presented" & included on "Proposed" Audit Plan.

This presentation is presented with the understanding that the information contained does not constitute legal, accounting or other professional advice. It is not intended to be responsive to any individual situation or concerns, as the contents of this presentation are intended for general information purposes only. Viewers are urged not to act upon the information contained in this presentation without first consulting competent legal, accounting or other professional advice regarding implications of a particular factual situation. Questions and additional information can be submitted to your Eide Bailly representative, or to the presenter of this session.

QUESTIONS?