07-20-2022 Audit Ad Hoc Committee Complete Agenda Packet
ORANGE COUNTY SANITATION DISTRICT
SPECIAL NOTICE REGARDING CORONAVIRUS (COVID-19) AND ATTENDANCE AT PUBLIC MEETINGS
Governor Newsom signed Assembly Bill (AB) 361 on September 16, 2021, which, in part, addresses the conduct of public meetings in light of the continued State of Emergency order.
Effective October 1, 2021, AB 361 suspends the requirements located in California Government Code, Section 54953, Subdivision (b), Paragraph (3) specifically pertaining to the conduct of public meetings. As such, the Orange County Sanitation District (OC San) Board of Directors has determined that due to the size of OC San’s Board of Directors (25), and the health and safety of the members, the Board of Directors will be participating in meetings of the Board telephonically and via Internet accessibility.
PUBLIC PARTICIPATION
Your participation is always welcome. OC San offers several ways in which to interact during meetings. You will find information as to these opportunities below.
ONLINE MEETING PARTICIPATION
You may join the meeting live via Teams on your computer or similar device or web browser by using the link below:
Click here to join the meeting
We suggest testing joining a Teams meeting on your device prior to the commencement of the meeting. For recommendations, general guidance on using Teams, and instructions on joining a Teams meeting, please click here.
Please mute yourself upon entry to the meeting. Please raise your hand if you wish to speak during the public comment section of the meeting. The Clerk of the Board will call upon you by using the name you joined with. Meeting attendees are not provided the ability to make a presentation during the meeting.
Please contact the Clerk of the Board at least 48 hours prior to the meeting if you wish to present any items. Additionally, camera feeds may be controlled by the meeting moderator to avoid inappropriate content.
HOW TO PARTICIPATE IN THE MEETING BY TELEPHONE
To join the meeting from your phone: Dial (213) 279-1455
When prompted, enter the Phone Conference ID: 326 580 801#
All meeting participants may be muted during the meeting to alleviate background noise. If you are muted, please use *6 to unmute. You may also mute yourself on your device. Please raise your hand to speak by using *5 during the public comment section of the meeting. The Clerk of the Board will call upon you by using the last 4 digits of your phone number as identification.
NOTE: All attendees will be disconnected from the meeting at the beginning of Closed Session. If you would like to return to the Open Session portion of the meeting, please login or dial-in to the Teams meeting again and wait in the Lobby for admittance.
VIEW THE MEETING ONLINE ONLY
The meeting will be available for online viewing only at: https://ocsd.legistar.com/Calendar.aspx
HOW TO SUBMIT A COMMENT
You may provide verbal comment in real time during the meeting. In order to provide a verbal comment, please raise your hand as described above or alert the Clerk of the Board before or during the public comment period. You may also submit your comments and questions in writing for consideration in advance of the meeting by using the eComment feature available online at: https://ocsd.legistar.com/Calendar.aspx or sending them to OCSanClerk@ocsan.gov with the subject line “PUBLIC COMMENT ITEM # (insert the item number relevant to your comment)” or “PUBLIC COMMENT NON-AGENDA ITEM”.
You may also submit comments and questions for consideration during the meeting by using the eComment feature available online at: https://ocsd.legistar.com/Calendar.aspx. The eComment feature will be available for the duration of the meeting. All written public comments will be provided to the legislative body and may be read into the record or compiled as part of the record.
TECHNICAL SUPPORT PRIOR TO AND DURING MEETINGS
For technical assistance before and during the meeting, please call 714-593-7431. For any other questions and/or concerns, please contact the Clerk of the Board’s office at 714-593-7433. Thank you, in advance, for your patience in working with these technologies. We appreciate your interest in OC San!
July 13, 2022
NOTICE OF REGULAR MEETING
AUDIT AD HOC COMMITTEE
ORANGE COUNTY SANITATION DISTRICT
Wednesday, July 20, 2022 – 4:00 P.M.
ACCESSIBILITY FOR THE GENERAL PUBLIC
Your participation is always welcome. Specific information as to how to
participate in this meeting is detailed in the Special Notice attached to
this agenda. In general, OC San offers several ways in which to interact
during meetings: you may join the meeting live via Teams on your
computer or similar device or web browser, join the meeting live via
telephone, view the meeting online, and/or submit comments for
consideration before or during the meeting.
The Regular Meeting of the Audit Ad Hoc Committee of the Orange County
Sanitation District will be held at the above location and in the manner
indicated on Wednesday, July 20, 2022 at 4:00 p.m.
10844 Ellis Avenue
Fountain Valley, CA 92708
714.962.2411
ORANGE COUNTY SANITATION DISTRICT www.ocsan.gov
Our Mission: To protect public health and the environment by
providing effective wastewater collection, treatment, and recycling.
Serving:
Anaheim
Brea
Buena Park
Cypress
Fountain Valley
Fullerton
Garden Grove
Huntington Beach
Irvine
La Habra
La Palma
Los Alamitos
Newport Beach
Orange
Placentia
Santa Ana
Seal Beach
Stanton
Tustin
Villa Park
County of Orange
Costa Mesa Sanitary District
Midway City Sanitary District
Irvine Ranch Water District
Yorba Linda Water District
ROLL CALL
AUDIT AD HOC COMMITTEE
Meeting Date: July 20, 2022
Time: 4:00 p.m.
Adjourn:
COMMITTEE MEMBERS (4)
Glenn Parker, Chair (Brea)
Anthony Kuo, Vice-Chair (Irvine)
Marshall Goodman (La Palma)
Patrick Harper (Fountain Valley)
OTHERS
Brad Hogin, General Counsel
STAFF
Jim Herberg, General Manager
Lorenzo Tyner, Assistant General Manager
Wally Ritchie, Controller
Kelly Lore, Clerk of the Board
ORANGE COUNTY SANITATION DISTRICT
BOARD OF DIRECTORS Complete Roster
Effective 03/07/2022

| AGENCY/CITIES | ACTIVE DIRECTOR | ALTERNATE DIRECTOR |
|---|---|---|
| Anaheim | Stephen Faessel | Gloria Ma’ae |
| Brea | Glenn Parker | Cecilia Hupp |
| Buena Park | Art Brown | Connor Traut |
| Cypress | Paulo Morales | Anne Hertz-Mallari |
| Fountain Valley | Patrick Harper | Ted Bui |
| Fullerton | Jesus J. Silva | Nick Dunlap |
| Garden Grove | Steve Jones | John O’Neill |
| Huntington Beach | Kim Carr | Dan Kalmick |
| Irvine | Anthony Kuo | Farrah N. Khan |
| La Habra | Rose Espinoza | Steve Simonian |
| La Palma | Marshall Goodman | Nitesh Patel |
| Los Alamitos | Ron Bates | NONE |
| Newport Beach | Brad Avery | Joy Brenner |
| Orange | Kim Nichols | Chip Monaco |
| Placentia | Chad Wanke | Ward Smith |
| Santa Ana | Johnathan Ryan Hernandez | Nelida Mendoza |
| Seal Beach | Sandra Massa-Lavitt | Schelly Sustarsic |
| Stanton | David Shawver | Carol Warren |
| Tustin | Ryan Gallagher | Austin Lumbard |
| Villa Park | Chad Zimmerman | Robert Collacott |
| **Sanitary/Water Districts** | | |
| Costa Mesa Sanitary District | Bob Ooten | Art Perry |
| Midway City Sanitary District | Andrew Nguyen | Mark Nguyen |
| Irvine Ranch Water District | John Withers | Douglas Reinhart |
| Yorba Linda Water District | Brooke Jones | Ted Lindsey |
| **County Areas** | | |
| Board of Supervisors | Donald P. Wagner | Doug Chaffee |
AUDIT AD HOC COMMITTEE
Regular Meeting Agenda
Wednesday, July 20, 2022 - 4:00 PM
Board Room
Administration Building
10844 Ellis Avenue
Fountain Valley, CA 92708
(714) 593-7433
ACCOMMODATIONS FOR THE DISABLED: If you require any special disability related accommodations, please
contact the Orange County Sanitation District (OC San) Clerk of the Board’s office at (714) 593-7433 at least 72
hours prior to the scheduled meeting. Requests must specify the nature of the disability and the type of
accommodation requested.
AGENDA POSTING: In accordance with the requirements of California Government Code Section 54954.2, this
agenda has been posted outside the main gate of the OC San's Administration Building located at 10844 Ellis
Avenue, Fountain Valley, California, and on the OC San’s website at www.ocsan.gov not less than 72 hours
prior to the meeting date and time above. All public records relating to each agenda item, including any public
records distributed less than 72 hours prior to the meeting to all, or a majority of the Board of Directors, are
available for public inspection in the office of the Clerk of the Board.
AGENDA DESCRIPTION: The agenda provides a brief general description of each item of business to be
considered or discussed. The recommended action does not indicate what action will be taken. The Board of
Directors may take any action which is deemed appropriate.
MEETING AUDIO: An audio recording of this meeting is available within 24 hours after adjournment of the
meeting at https://ocsd.legistar.com/Calendar.aspx or by contacting the Clerk of the Board at (714) 593-7433.
NOTICE TO DIRECTORS: To place items on the agenda for a Committee or Board Meeting, the item must be
submitted in writing to the Clerk of the Board: Kelly A. Lore, MMC, (714) 593-7433 / klore@ocsan.gov at least 14
days before the meeting.
FOR ANY QUESTIONS ON THE AGENDA, BOARD MEMBERS MAY CONTACT STAFF AT:
General Manager: Jim Herberg, jherberg@ocsan.gov / (714) 593-7300
Asst. General Manager: Lorenzo Tyner, ltyner@ocsan.gov / (714) 593-7550
Asst. General Manager: Rob Thompson, rthompson@ocsan.gov / (714) 593-7310
Director of Human Resources: Celia Chandler, cchandler@ocsan.gov / (714) 593-7202
Director of Engineering: Kathy Millea, kmillea@ocsan.gov / (714) 593-7365
Director of Environmental Services: Lan Wiborg, lwiborg@ocsan.gov / (714) 593-7450
Director of Operations & Maintenance: Riaz Moinuddin, rmoinuddin@ocsan.gov / (714) 593-7269
CALL TO ORDER & PLEDGE OF ALLEGIANCE
Chair Glenn Parker
ROLL CALL:
PUBLIC COMMENTS:
Your participation is always welcome. Specific information as to how to participate in a meeting is detailed in the
Special Notice attached to this agenda. In general, OC San offers several ways in which to interact during
meetings: you may join the meeting live via Teams on your computer or similar device or web browser, join the
meeting live via telephone, view the meeting online, and/or submit comments for consideration before or during
the meeting.
You may provide verbal comment in real time during the meeting. In order to provide a verbal comment, please
raise your hand (directions provided in the Special Notice attached to this agenda) or alert the Clerk of the Board
before or during the public comment period.
You may submit your comments and questions in writing for consideration in advance of the meeting by using the
eComment feature available online at: https://ocsd.legistar.com/Calendar.aspx or sending them to
OCSanClerk@ocsan.gov with the subject line “PUBLIC COMMENT ITEM # (insert the item number relevant to
your comment)” or “PUBLIC COMMENT NON-AGENDA ITEM”.
You may also submit comments and questions for consideration during the meeting by using the eComment
feature available online at: https://ocsd.legistar.com/Calendar.aspx. The eComment feature will be available for
the duration of the meeting.
All written public comments will be provided to the legislative body and may be read into the record or compiled as
part of the record.
INFORMATION ITEMS:
1. 2022-2403 INTERNAL AUDIT UPDATE: RISK ASSESSMENT
RECOMMENDATION:
Information Item.
Originator: Lorenzo Tyner
Attachments:
Agenda Report
OC San - Risk Assessment Report - Final
Presentation - Risk Assessment Update
OTHER BUSINESS AND COMMUNICATIONS OR SUPPLEMENTAL AGENDA ITEMS, IF
ANY:
ADJOURNMENT:
Adjourn the Audit Ad Hoc Committee meeting.
AUDIT AD HOC COMMITTEE
Agenda Report
Administration Building
10844 Ellis Avenue
Fountain Valley, CA 92708
(714) 593-7433
File #: 2022-2403
Agenda Date: 7/20/2022
Agenda Item No: 1.
FROM: James D. Herberg, General Manager
Originator: Lorenzo Tyner, Assistant General Manager
SUBJECT:
INTERNAL AUDIT UPDATE: RISK ASSESSMENT
GENERAL MANAGER'S RECOMMENDATION
RECOMMENDATION:
Information Item.
BACKGROUND
Orange County Sanitation District (OC San) selected the audit firm of Eide Bailly LLP to provide
audits of various OC San programs and processes as selected by the Audit Ad Hoc Committee.
Most recently, the Audit Ad Hoc Committee selected an organization wide risk assessment. The
auditors will provide an update of those efforts. Additionally, staff and the auditors will present
potential topics for future audit selection.
RELEVANT STANDARDS
· Conduct audits to determine if OC San operations are being conducted in an economical and
efficient manner
· Conduct audits to establish whether specific government programs are effective in meeting
their stated goals and objectives
· Conduct audits to determine if OC San is following policies and procedures in conducting
operations
PRIOR COMMITTEE/BOARD ACTIONS
N/A
ATTACHMENT
The following attachment(s) may be viewed on-line at the OC San website (www.ocsan.gov) with the complete agenda
package:
· Internal Audit Report
· Presentation
Orange County Sanitation District, printed on 7/13/2022
Enterprise Risk Assessment
July 2022
ORANGE COUNTY SANITATION
DISTRICT
Submitted By:
Eide Bailly LLP
Doug Sluyk, CIA, CISA
Manager, Risk Advisory Services
Audrey Donovan, CIA, CGAP, CRMA
Senior Manager, Risk Advisory Services
Roger Alfaro, CPA, CITP
Partner
eidebailly.com
OC SAN – ENTERPRISE RISK ASSESSMENT
TABLE OF CONTENTS
RISK ASSESSMENT
RISK ASSESSMENT – HEAT MAP
RISKS IDENTIFIED
APPENDIX A – INTERNAL AUDIT TOPICS
RISK ASSESSMENT
Eide Bailly uses guidance provided by the International Professional Practices Framework (IPPF) published
by the Institute of Internal Auditors. Standards of the IPPF address planning and indicate that Internal Audit
plans should be risk‐based plans which determine the priorities of the internal audit activity, consistent
with the organization’s goals. The internal audit activity’s plan of engagements must be based on a
documented risk assessment. These risk assessments should be performed annually, in
conjunction with preparing audit plans. The input of senior management and the Audit Committee must be
considered in this process.
This report describes how Internal Audit analyzed Orange County Sanitation District’s (OC San or District)
risk environment and prioritized audit areas. The contents of this report are based on the following:
· Risk, control and governance largely determine the ability for OC San to achieve its objectives.
· Management is responsible for assessing risk by analyzing conditions that can impair OC San’s
ability to achieve its objectives.
· OC San management is responsible for managing risk by implementing internal controls and
providing reasonable assurance that they are operating as intended.
What is an Enterprise Risk Assessment?
Risk assessment is a systematic process for utilizing professional judgments to evaluate probable adverse
conditions and/or events and their potential effects on the District. The process starts with identifying risks
associated with business objectives linked through all levels of the District, whether at the entity or process
level.
· Entity level is the cornerstone for effective control. These objectives provide guidance on what the
entity wants to achieve and should be consistent with budget, strategy, and business plans.
· Process level objectives should align with entity level objectives but differ in that they relate directly to goal
setting with specific targets and deadlines. They provide guidance for management focus.
The first approach is for Internal Audit to assess risks to programs and departments in a silo approach; this
is designed to identify audits of a single department, program, or process. Another approach is to assess
risk across the entire organization to identify the risks to achieving overall objectives. An organizational
view of risk gauges which risks are directly aligned to achieving strategic objectives.
Risk Assessment Methodology
The risk assessment is the first step in determining which areas of the District have high risk factors that
should be considered for further internal audit review. Eide Bailly developed a risk assessment approach
specifically tailored for the departments, people and processes of the District. We began by conducting the
planning and scoping phase to facilitate the direction of the risk assessment, developing the risk types and
developing the measures and risk scores.
Planning & Scoping Phase:
We began by understanding the District’s operations and performing the following risk assessment
activities:
· Performed interviews and discussions with Board, Senior Management and District personnel;
· Reviewed information provided by the District, such as organizational charts and regulatory
reporting;
· Reviewed external financial auditor’s results;
· Assessed current and historical financial performance;
· Reviewed Strategic Plan and goals;
· Reviewed Committee Minutes including: Administrative, Operations, Steering, Legislative and
Public Affairs, and Audit Ad Hoc;
· Eide Bailly’s Internal Audit team’s general knowledge and observations of the District; and
· Consideration of past internal audits performed along with remediation status of risk(s) identified.
Risk Categories:
We identified and defined the applicable risks and created a risk framework. Risks identified are related
to an event or condition that can negatively affect the ability of the District to achieve its objectives.
Risks are generally thought to be associated with taking actions; however, risks can also occur when no
action is taken in the form of missed opportunities. This risk assessment incorporated the top ten (10)
risks applicable to OC San:
1. Strategic risks: are the risks that would result in failing to achieve business objectives.
2. Governance/Stakeholder risk: relates to board and management performance regarding ethics,
community stewardship, and organizational reputation. It is directly related to the behavior of the
executives who are project sponsors and stakeholders. Risks derived from the attitude and actions
of executive management related to accountability, transparency and continuous improvement.
This measure presumes that risk is decreased based on effective internal controls, management
oversight and audit frequency, both internal and external audits. This risk is easier to mitigate and
manage with proper stakeholder engagement.
3. Financial risk: includes budgetary, revenue, and expense risk. Budget risk is the potential for the
estimates or assumptions built into a budget to turn out to be inaccurate. All budgets are based on
future looking forecasts that typically involve a degree of uncertainty. This uncertainty is factored
in as a risk. Revenue risk is associated with the financial reporting being inaccurate, incomplete, or
untimely due to a variety of factors including the pace of change, the amount of uncertainty, the
presence of a large error, or the pressure on management to meet certain expectations. Expense
risk is the financial risk arising out of unexpected or unanticipated increases in operating expenses.
4. Regulatory risk: are associated with a variety of federal, state, local laws and regulations. Failure to
follow prescribed directives may result in substantial fines, restrictions, loss of business, and/or
legal action.
5. Business/Operational risk: is the possibility of business operations failing due to inefficiencies or
breakdown in internal process, policies, people and systems.
6. Information Technology risk: is a subset of operational risk that is a risk to information technology,
data or applications that negatively impact business operations. Additionally, technology risk is any
potential for technology failures to disrupt business operations such as information security, cyber
security incidents or service outages.
7. Safety risk: assesses risk in terms of keeping employees and citizens safe from hazards in the
workplace. The measure takes into consideration that protecting the safety and health of citizens
and employees is the highest priority and most significant responsibility of OC San. Losses arising
from acts related to employment, health or safety laws or agreements, payment of personal injury
claims, or from diversity / discrimination events.
8. Resource‐Related risk: is the set of unexpected events that have a negative effect on operations
due to lack of resources. Resources include time, skills, money, tools and people.
9. Supplier risks: some of these risks include a) reputational risk – due to a service or supply
interruption, a supplier safety or quality failure, or a supplier’s business practices; b) resilience risk
– a supplier failure results in an interruption to customer service; c) regulatory risk – non‐
compliance with the regulatory requirements associated with sourcing or outsourcing; d)
commercial risk – the risk of financial loss or cost overruns from poorly managed sourcing
arrangements, supplier failures or inaccurate billing from sourcing or outsourcing arrangements.
10. Reputational risks: potential negative public relations impacts caused by the level of visibility
and/or public interest in conjunction with financial or operational performance exposure resulting
in the District's reputation being impaired or damaged. Reputation risk includes the risk that the
District may be subject to lawsuit, poor management of an operational crisis, specific reputation
issue or District not meeting stakeholder expectations.
Risk Factors / Impact:
These factors refer to relevant and meaningful information that significantly, moderately or negligibly
affect how the risk is managed, prioritized relative to other risks, monitored and reported. These
include results of prior assessments (internal audit engagements), size and significance of department
operations, major changes to operations, significant compliance requirements, dollar exposure, volume
of transactions, susceptibility to fraud, and internal control systems.
Below are the impact factors assessed:
i.1 Size of Audit Unit: Size and complexity of the department, including number of personnel, critical
and complex processes.
i.2 Compliance with Regulations: Extent of department regulatory compliance requirements; federal,
state, local.
i.3 Reputation: Extent of reputational damage which may result based upon the role, size, and nature
of the department.
i.4 Business Operations: Extent which the department's operations may result in continuous
operations.
i.5 Financial: Extent which financial impact may result from department, includes materiality, and
volume of transactions.
Risk Scores:
To determine the relative significance of each risk we measure the risk as a combination of the
likelihood or probability of it occurring and the impact if it does occur. Risk scores are summarized by
assigning numbers to both likelihood and impact and multiplying these numbers based on weighted
factors. The high number is assigned to the high likelihoods / impacts, and the low number to the low
likelihoods / impacts. However, judgment is involved in evaluating whether a risk’s likelihood and
impact are low, medium, or high. Judgment along with the numerical ranking system balance the
finality and certainty that exists in the scoring model.
· Likelihood: represents the possibility that a given event will occur. Likelihood can be expressed
using qualitative terms (frequent, likely, possible, unlikely, rare), as a percent probability, or as
a frequency.
· Impact: refers to the extent to which a risk event might affect the organization. We define
impact using a combination of impact considerations, given that certain risks may impact the
organization financially while other risks may have a greater impact to reputation or health and
safety.
For likelihood, each of the 10 risk types was assigned a risk ranking score between 0 – 25 to arrive at
an “overall likelihood score”. Likelihood scoring is defined in the table below.
| Risk Ranking Score | Level of Risk | Level of Severity | Risk Defined |
|---|---|---|---|
| 0 ‐ 8 | Low | Acceptable | Minimal financial reporting or operational risk, requires low level of resources, routine control and accounting issues. |
| 9 ‐ 16 | Medium | Serious | Poses a moderate financial reporting or operational risk, will involve less resources, involves fewer complex controls and accounting issues. |
| 17 ‐ 25 | High | Critical | Poses a significant financial reporting or operational risk, will most likely require ongoing sustained resources, includes accounting issues or balances that include significant estimates or judgements. |
Additionally, the “impact factors” were assigned a score of: 1 – low, 2 – medium, 3 – high.
The likelihood and impact scores are multiplied together for a total overall risk score. The total scores
were sorted in descending order from highest – most risky, to lowest – least risky and divided into four
(4) categories:
· High Risk: scores greater than 1,000
· Moderate to High Risk: scores of 700 to 999
· Low to Moderate Risk: scores of 500 to 699
· Low Risk: scores less than 499
See Risk Assessment – Heat Map on subsequent page for listing of numerical ranking of departments
based on the likelihood of the 10 risk types and impact of the five (5) risk factors for overall
likelihood/impact score.
See Risks Identified, starting on page 8 of the report for risks defined by standard business
processes/cycles. This break out by business process defines the risks within each functional area or
department. Processes with a high risk are prioritized within the audit plan, followed by medium risk
processes. See Appendix B for Internal Audit Topics.
A high‐risk score does not mean that a department is ineffectively managed, that sufficient controls are
not in place, or that the function is not performing properly. A high‐risk score simply means that a
negative event in that area would be particularly damaging or more likely to occur in the absence of
effective controls.
OC San’s Audit Ad‐Hoc Committee, senior management, and leadership are the responsible
authority to prioritize which risks get the most attention and resources. Those charged with
governance know their entity best and how best to manage the risks identified.
RISK ASSESSMENT – HEAT MAP
Columns R.01 to R.10 are the Risk Categories; columns i.1 to i.5 are the Risk Factors / Impacts.

| # | Department | R.01 ‐ Strategic | R.02 ‐ Governance | R.03 ‐ Financial | R.04 ‐ Regulatory | R.05 ‐ Operational | R.06 ‐ Info Tech | R.07 ‐ Safety | R.08 ‐ Resource | R.09 ‐ Supplier | R.10 ‐ Reputational | Overall Likelihood Score | i.1 ‐ Department Size | i.2 ‐ Compliance | i.3 ‐ Reputation | i.4 ‐ Business Ops | i.5 ‐ Financial | Overall Likelihood Score | Overall Likelihood / Impact Score |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Environmental Services Administration | 10 | 3 | 3 | 20 | 15 | 3 | 20 | 25 | 7 | 20 | 126 | 3 | 3 | 3 | 3 | 2 | 14 | 1,764 |
| 2 | Collection Facilities, Operations & Maintenance (Plant #1 & #2) | 5 | 3 | 3 | 25 | 15 | 3 | 20 | 3 | 3 | 20 | 100 | 2 | 3 | 3 | 3 | 2 | 13 | 1,300 |
| 3 | Information Technology | 10 | 3 | 3 | 3 | 14 | 20 | 5 | 15 | 15 | 20 | 108 | 1 | 2 | 3 | 3 | 2 | 11 | 1,188 |
| 4 | Engineering Administration | 10 | 3 | 3 | 10 | 15 | 3 | 20 | 25 | 3 | 3 | 95 | 2 | 2 | 2 | 3 | 2 | 11 | 1,045 |
| 5 | Risk Management, Safety, Security | 5 | 3 | 3 | 10 | 10 | 3 | 20 | 10 | 3 | 20 | 87 | 2 | 2 | 3 | 3 | 2 | 12 | 1,044 |
| 6 | O&M Administration | 10 | 3 | 3 | 25 | 10 | 3 | 5 | 25 | 3 | 3 | 90 | 2 | 3 | 2 | 2 | 2 | 11 | 990 |
| 7 | Construction Management | 5 | 3 | 15 | 20 | 15 | 3 | 20 | 3 | 3 | 3 | 90 | 2 | 2 | 2 | 3 | 2 | 11 | 990 |
| 8 | Financial Management | 5 | 25 | 15 | 3 | 3 | 3 | 5 | 3 | 15 | 20 | 97 | 2 | 1 | 2 | 2 | 3 | 10 | 970 |
| 9 | Human Resources | 10 | 20 | 3 | 3 | 3 | 3 | 20 | 20 | 3 | 20 | 105 | 2 | 2 | 2 | 2 | 1 | 9 | 945 |
| 10 | Resource Protection | 5 | 3 | 3 | 20 | 3 | 3 | 5 | 3 | 15 | 3 | 63 | 3 | 3 | 3 | 3 | 2 | 14 | 882 |
| 11 | Laboratory, Monitoring & Compliance | 5 | 3 | 3 | 20 | 3 | 3 | 5 | 3 | 15 | 3 | 63 | 3 | 3 | 3 | 3 | 2 | 14 | 882 |
| 12 | Fleet Services | 5 | 3 | 3 | 25 | 15 | 3 | 20 | 3 | 3 | 3 | 83 | 2 | 2 | 2 | 2 | 2 | 10 | 830 |
| 13 | Project Management | 5 | 3 | 15 | 20 | 3 | 3 | 5 | 3 | 15 | 3 | 75 | 2 | 2 | 2 | 3 | 2 | 11 | 825 |
| 14 | Design | 5 | 3 | 3 | 20 | 3 | 3 | 5 | 3 | 15 | 3 | 63 | 2 | 2 | 2 | 3 | 2 | 11 | 693 |
| 15 | Public Affairs | 10 | 20 | 3 | 3 | 3 | 3 | 20 | 5 | 3 | 20 | 90 | 1 | 1 | 3 | 1 | 1 | 7 | 630 |
| 16 | Contracts, Purchasing & Materials Management | 5 | 3 | 15 | 3 | 15 | 3 | 5 | 3 | 15 | 3 | 70 | 1 | 1 | 1 | 3 | 2 | 8 | 560 |
| 17 | Consolidated Services | 5 | 3 | 3 | 3 | 3 | 3 | 5 | 3 | 3 | 3 | 34 | 2 | 3 | 3 | 3 | 3 | 14 | 476 |
| 18 | Administrative Services | 5 | 20 | 3 | 3 | 3 | 3 | 5 | 3 | 3 | 3 | 51 | 2 | 2 | 2 | 1 | 1 | 8 | 408 |
| 19 | Board Services | 10 | 20 | 3 | 10 | 3 | 3 | 5 | 3 | 3 | 3 | 63 | 1 | 1 | 2 | 1 | 1 | 6 | 378 |
| 20 | Planning | 5 | 3 | 3 | 3 | 3 | 3 | 5 | 3 | 3 | 3 | 34 | 2 | 2 | 2 | 3 | 2 | 11 | 374 |
| | Total Risk Category | 135 | 150 | 108 | 249 | 157 | 77 | 220 | 164 | 148 | 179 | | 39 | 42 | 47 | 50 | 38 | | |
RISKS IDENTIFIED
Risk Assessment Results:
From the risk assessment Heat Map the 10 “risk categories” are listed below in order of highest to lowest
risk along with the detailed risks supporting the individual department and overall “likelihood” score. For
example, from the Heat Map the “risk category” with the highest risk is “Regulatory”, as shown below in #1.
For each risk category there is a corresponding “risk description”, “risk factors” identified from the risk
assessment process and results, and the “departments” identified.
Processes with a high risk are prioritized within the audit plan. See Appendix B for Internal Audit Topics.
Risk Category – Regulatory (R.04): are associated with a variety of federal, state, local laws and regulations.
Failure to follow prescribed directives may result in substantial fines, restrictions, loss of business, and/or legal
action.
1. Regulatory Compliance
· Identification and adherence to emerging regulations; Polyfluoroalkyl Substances (PFAS)
· Regulatory Compliance Air
· Lab Accreditation
· Critical Asset Replacement – Lab Building, Marine Vessel
· Source Control
Risk Description:
· Regulatory Compliance includes factors such as, significant
compliance requirements, major changes to operations, and
extent of procedures.
· Increased scrutiny and oversight by the EPA to address PFAS
chemicals and contamination clean up.
· Increased risk around regulatory reporting requirements to
ensure complete, accurate and timely notifications of
violations (water, solid and air).
· OC San has two (2) aged assets which are critical to adhere
to regulatory requirements, a Laboratory Building and
Marine Vessel.
· Entities within District discharge chemicals and
contaminates which enter OC San’s treatment facilities.
Departments (high/medium likelihood):
· Environmental Services Administration
· Collection Facilities, Operations & Maintenance (Plant #1 & #2)
· Engineering Administration
· Risk Management, Safety, Security
· O&M Administration
· Construction Management
· Resource Protection
· Laboratory, Monitoring & Compliance
· Fleet Services
· Project Management
· Design
· Board Services
Risk Category – Safety (R.07): risk in terms of keeping employees and citizens safe from hazards in the workplace.
Losses arising from acts inconsistent with employment, health or safety laws or agreements, from payment of
personal injury claims, or from diversity/discrimination events.
2. Safety & Security
· Safety Protocols
· Physical Security Protocols
Risk Description:
· High‐risk area due to human injury or death in the event of
a control failure.
· Although OC San has effective safety and security controls
in place, monitoring through internal practices and
regulatory reviews, a safety or security control failure could
result in a significant and devastating outcome to
employees and critical assets.
Departments (high/medium likelihood):
· Environmental Services Administration
· Collection Facilities, Operations & Maintenance (Plant #1 & #2)
· Engineering Administration
· Risk Management, Safety, Security
· Construction Management
· Fleet Services
· Public Affairs
Risk Category – Reputational (R.10): potential negative public relations impacts caused by the level of visibility
and/or public interest in conjunction with financial or operational performance exposure resulting in the District's
reputation being impaired or damaged.
3. Reputational
Integrity of regulatory reporting
Legislation and societal changes
OC San is at risk of changes in political environment and
public sentiments including regulations related to
purchasing from domestic versus international suppliers.
OC San is at risk of negative reputational impact if there is
inaccuracy or lack of transparency related to reporting of
results, violations and external communications.
Environmental Services
Administration
Collection Facilities, Operations &
Maintenance (Plant #1 & #2)
Information Technology
Risk Management, Safety, Security
Financial Management
Human Resources
Public Affairs
Risk Category – Resource Related (R.08): is the set of unexpected events that have a negative effect on operations
due to lack of resources. Resources include time, skills, money, tools and people.
4. Human Resources
Resource Plan Optimization
Succession Management
Recruitment
Collective Bargaining Agreements in negotiation (6)
OC San personnel are critical to perform District operations
and have specialized and institutional knowledge.
Annually retirements impact business operations. (March
2022, 40 retirees, turnover of 6%).
State of employment across all industries, workforce
shortage may result in recruitment challenges.
Collective Bargaining agreements (negotiations in progress
at time of assessment).
Environmental Services
Administration
Information Technology
Engineering Administration
Risk Management, Safety, Security
Human Resources
Risk Category – Business / Operational (R.05): is the possibility of business operations failing due to inefficiencies
or breakdown in internal process, policies, people and systems.
5. Inflation and supply chain issues, including limited
availability of chemicals and supplies, create a risk to
business operations, budgeting, and expense management
processes.
Environmental Services
Administration
Collection Facilities, Operations &
Maintenance (Plant #1 & #2)
Information Technology
Engineering Administration
Risk Management, Safety, Security
O&M Administration
Fleet Services
Contracts, Purchasing & Materials
Management
Risk Category – Governance/Stakeholder (R.02): relates to board and management performance regarding ethics,
community stewardship, and organizational reputation.
6. Governance
Proper tools, structure, training
Anonymous reporting
Reputational risks may arise from adverse communications
regarding the transparency, structure of board
assignments, training and governance structure.
The risk of a reportable event going undetected resulting
in operational risk or reputational damage may occur if
effective anonymous reporting tools for fraud, waste and
abuse are not available to all employees and affiliated
parties.
Financial Management
Human Resources
Public Affairs
Administrative Services
Board Services
Risk Category – Supplier (R.09): risks include:
a) reputational risk – due to a service or supply interruption, a supplier safety or quality failure, or a supplier's
business practice.
b) resilience risk – a supplier failure results in an interruption to customer service.
c) regulatory risk – non‐compliance with the regulatory requirements associated with sourcing or outsourcing.
d) commercial risk – the risk of financial loss or cost overruns from poorly managed sourcing arrangements,
supplier failures or inaccurate billing from sourcing or outsourcing arrangements.
7. Business / operational, reputational and financial risks may arise
from supply chain shortages including the limited availability of
chemicals, maintenance & operational supplies, and information
technology components.
Information Technology
Financial Management
Resource Protection
Laboratory, Monitoring &
Compliance
Project Management
Design
Risk Category – Strategic (R.01): are the risks that would result in failing to achieve business objectives.
8. Internal and external events that can deter or prevent the
organization from accomplishing set business objectives.
The potential impact of strategic decisions, or of a
defective or inappropriate strategy that results in a lack of
responsiveness to industry changes or risks related to
future plans, e.g. entering new markets or expanding
existing services.
Environmental Services
Administration
Information Technology
Engineering Administration
Risk Management, Safety, Security
O&M Administration
Human Resources
Public Affairs
Board Services
Risk Category – Financial (R.03): includes budgetary, revenue, and expense risk.
Budget risk is the potential for the estimates or assumptions built into a budget to turn out to be inaccurate. All
budgets are based on future looking forecasts that typically involve a degree of uncertainty. This uncertainty is
factored in as a risk.
Revenue risk is associated with the financial reporting being inaccurate, incomplete, or untimely due to a variety of
factors including the pace of change, the amount of uncertainty, the presence of a large error, or the pressure on
management to meet certain expectations.
Expense risk is the financial risk arising out of unexpected or unanticipated increases in operating expenses.
9.a. Capital Improvements
Transactions
Internal Labor
Capital Improvements are significant expenditures for OC
San. OC San has $11B in assets and 220 active Capital
Improvement projects.
Valid and accurate internal labor capitalization costs are
critical inputs to financial and managerial reports.
Construction Management
Financial Management
Project Management
Contracts, Purchasing & Materials
Management
9.b. Expense & Budget Management
Continuous Improvement
Expense management (insurance, overtime)
Fictitious vendor review
Risks arise if continuous improvements through process
assessments and evaluations of control effectiveness do
not occur.
Expense management process reviews ensure appropriate
controls, policies and procedures, and processes to
manage expenses.
Analytics and assessments may detect fraud and identify
preventative controls.
9.c. Revenue Management
Annexations Parcel Verification
CFCC Program
Risk of revenue erosion may result if processes do not
ensure completeness and accuracy of annexations and
CFCC program with partnering cities.
Risk Category – Information Technology (R.06): is a subset of operational risk that is a risk to information
technology, data or applications that negatively impact business operations. Additionally, technology risk is any
potential for technology failures to disrupt business operations such as information security, cyber security incidents
or service outages.
10. Information Technology General Controls
Access & Vulnerability
Change Management
Life Cycle
Penetration Testing
Information Technology (IT) risks have been reduced
based on recent audits and associated results, however
risks remain due to current environment across all
industries.
Information Technology
APPENDIX A – INTERNAL AUDIT TOPICS
1 During our assessment, it was noted that Homeland Security was scheduled to perform a penetration test. Our
audit would include a review of the results.
2 OC San Internal Audit Plan – rotation item, Year 5 (2024)
2022 Proposed Audits / Department
1. Regulatory Compliance
Environmental Services Administration, Collection Facilities Operations and Maintenance (Plant #1 & #2),
Laboratory, Monitoring & Compliance, and Resource Protection – evaluate processes and procedures to
ensure internal controls over regulatory compliance is complete, accurate and timely to meet regulatory
requirements. Additionally, to evaluate the source control (pretreatment program) processes and procedures
to review and inspect chemical disposal practices and associated discharge. Lastly, to assess the process for
identifying emerging regulations to ensure Regulatory Compliance.
2. Information Technology General Controls
Information Technology Department – evaluate the design and operating effectiveness of IT General
Controls (ITGC), to ensure the integrity of the data and processes that the systems support. Additionally,
perform an assessment of the maturity model of IT controls and evaluate areas including: Access &
Vulnerability, Change Management and System Development Life Cycle (SDLC).1
3. Safety & Security Protocols
Risk Management & Safety Departments – evaluate safety and security protocols, monitoring exceptions,
incident reporting, remediation of findings and internal and public reporting protocols throughout OC San,
including Environmental Services, Collection Facilities, Operations & Maintenance (Plant #1 & #2), Human
Resources, Fleet Services and Public Affairs.
4. Supply Chain Management
Engineering Administration, O&M Administration, and Construction Management – evaluate supply chain
controls for Engineering Administration, Operations & Maintenance and Construction management practices
and activities to mitigate inflation and supply chain issues including limited availability of chemicals and
supplies. Perform an assessment of the budgeting, and expense management processes related to these
departments' procurement of materials and supplies.
5. Capital Improvements (CIP) Administration: Construction
Construction Management and Financial Management – review internal controls and procedures over bid
and solicitation process for construction projects2 to ensure controls over conflict of interest, selection panel
approval, and solicitation are performed in accordance with state and local laws. Lastly, to evaluate internal
labor capitalization for completeness and accuracy.
3 OC San Internal Audit Plan – rotation item, Year 4 (2023)
4 OC San Internal Audit Plan – rotation item, Year 3 (2022)
6. Procurement Card Program Management
Contracts, Purchasing & Materials Management – evaluate the Purchasing Card (ProCard) processes and
controls over ProCard issuance, purchasing guidelines, and individual and department purchase compliance.
7. Expense Management – Overtime
O&M Administration – assess OC San’s Public Works administration and use of overtime and identify areas
of risk and opportunities for potential savings.
8. Revenue Management
Financial Management – to ensure controls are designed and operating effectively to minimize revenue
erosion through ensuring accuracy and completeness of Annexation and Capital Facilities Capacity Charge
(CFCC) program3. Additionally, to assess processes and controls including identification of annexations and
partnering city CFCC remittance.
9. Accounts Payable Vendor Review
Financial Management and Contracts, Purchasing & Materials Management – evaluate processes and
controls to ensure validity and accuracy of vendor records. Evaluate the design and operating effectiveness of
vendor approval processes, including analytics to identify fictitious or duplicate vendors4 and payments.
10. Employee Recruiting Process
Human Resources – to assess the efficiency and effectiveness of recruitment functions at OC San. Review and
evaluate the processes and controls associated with HR recruiting strategy, workforce planning, talent
readiness and succession planning. Additionally, benchmark against best‐in‐class agencies for hiring practices
including collective bargaining negotiations, on boarding, probationary, and vetting.
11. Independent Contractor
Human Resources – to evaluate the “employment” status of independent contractors to ensure they are
legally “not an employee” in accordance with State of California labor laws.
12. Fleet Services
Fleet Services Division – obtain an understanding of the business processes and procedures of the District’s
fleet operations in order to identify and assess the internal controls and processes to ensure Fleet Services is
operating efficiently and effectively.
7/13/2022
ORANGE COUNTY SANITATION DISTRICT
Audit Ad Hoc Committee Briefing July 20, 2022
ENTERPRISE RISK ASSESSMENT
Approach
Risk Ranking
Heat Map
Identified Audits
5-Year Internal Audit Plan –previous vs proposed
Questions
RISK ASSESSMENT APPROACH
•Research & Data Gathered (Organization Charts, Minutes, Regulatory Reports)
•Interviewed Governance & Key Stakeholders (GM’s, Directors, Management, Steering Committee)
•Assessed functional operations, internal processes & controls
•Identified Risk Types
•Ranked Risks – Likelihood & Impact
•Developed Risk Heat Map
•Prepared Audit Plan
RISK RANKING
High
• Poses a significant financial reporting risk.
• Will most likely require ongoing sustained resources.
• Complex accounting issues or balances that include significant estimates or judgement.
Medium
• Poses a moderate financial reporting risk.
• Will involve less resources.
• Involves less complex controls and accounting issues.
Low
• Minimal financial reporting risk.
• Require low level of resources.
• Routine control and accounting issues.
Major Systems Changes to Operations
Significant Changes in Customer Needs and Expectations
Significant Key Personnel Turnover or Growth
Special Management Interest
Susceptibility to Misuse, Misappropriation, or Fraud
Significant Compliance Requirements
Dollar Exposure
Volume of Transactions
Competence of Management and Staff
System of Internal Controls
Results of Last Audit
High Level of Decentralization
Likelihood Impact
RISK ASSESSMENT HEAT MAP
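Risk Categories: R.01 – Strategic; R.02 – Governance; R.03 – Financial; R.04 – Regulatory; R.05 – Operational; R.06 – Info Tech; R.07 – Safety; R.08 – Resource; R.09 – Supplier; R.10 – Reputational
Risk Factors / Impacts: i.1 – Department Size; i.2 – Compliance; i.3 – Reputation; i.4 – Business Ops; i.5 – Financial

| # | Department | R.01 | R.02 | R.03 | R.04 | R.05 | R.06 | R.07 | R.08 | R.09 | R.10 | Overall Likelihood Score | i.1 | i.2 | i.3 | i.4 | i.5 | Overall Impact Score | Overall Likelihood / Impact Score |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Environmental Services Administration | 10 | 3 | 3 | 20 | 15 | 3 | 20 | 25 | 7 | 20 | 126 | 3 | 3 | 3 | 3 | 2 | 14 | 1,764 |
| 2 | Collection Facilities, Operations & Maintenance (Plant #1 & #2) | 5 | 3 | 3 | 25 | 15 | 3 | 20 | 3 | 3 | 20 | 100 | 2 | 3 | 3 | 3 | 2 | 13 | 1,300 |
| 3 | Information Technology | 10 | 3 | 3 | 3 | 14 | 20 | 5 | 15 | 15 | 20 | 108 | 1 | 2 | 3 | 3 | 2 | 11 | 1,188 |
| 4 | Engineering Administration | 10 | 3 | 3 | 10 | 15 | 3 | 20 | 25 | 3 | 3 | 95 | 2 | 2 | 2 | 3 | 2 | 11 | 1,045 |
| 5 | Risk Management, Safety, Security | 5 | 3 | 3 | 10 | 10 | 3 | 20 | 10 | 3 | 20 | 87 | 2 | 2 | 3 | 3 | 2 | 12 | 1,044 |
| 6 | O&M Administration | 10 | 3 | 3 | 25 | 10 | 3 | 5 | 25 | 3 | 3 | 90 | 2 | 3 | 2 | 2 | 2 | 11 | 990 |
| 7 | Construction Management | 5 | 3 | 15 | 20 | 15 | 3 | 20 | 3 | 3 | 3 | 90 | 2 | 2 | 2 | 3 | 2 | 11 | 990 |
| 8 | Financial Management | 5 | 25 | 15 | 3 | 3 | 3 | 5 | 3 | 15 | 20 | 97 | 2 | 1 | 2 | 2 | 3 | 10 | 970 |
| 9 | Human Resources | 10 | 20 | 3 | 3 | 3 | 3 | 20 | 20 | 3 | 20 | 105 | 2 | 2 | 2 | 2 | 1 | 9 | 945 |
| 10 | Resource Protection | 5 | 3 | 3 | 20 | 3 | 3 | 5 | 3 | 15 | 3 | 63 | 3 | 3 | 3 | 3 | 2 | 14 | 882 |
| 11 | Laboratory, Monitoring & Compliance | 5 | 3 | 3 | 20 | 3 | 3 | 5 | 3 | 15 | 3 | 63 | 3 | 3 | 3 | 3 | 2 | 14 | 882 |
| 12 | Fleet Services | 5 | 3 | 3 | 25 | 15 | 3 | 20 | 3 | 3 | 3 | 83 | 2 | 2 | 2 | 2 | 2 | 10 | 830 |
| 13 | Project Management | 5 | 3 | 15 | 20 | 3 | 3 | 5 | 3 | 15 | 3 | 75 | 2 | 2 | 2 | 3 | 2 | 11 | 825 |
| 14 | Design | 5 | 3 | 3 | 20 | 3 | 3 | 5 | 3 | 15 | 3 | 63 | 2 | 2 | 2 | 3 | 2 | 11 | 693 |
| 15 | Public Affairs | 10 | 20 | 3 | 3 | 3 | 3 | 20 | 5 | 3 | 20 | 90 | 1 | 1 | 3 | 1 | 1 | 7 | 630 |
| 16 | Contracts, Purchasing & Materials Management | 5 | 3 | 15 | 3 | 15 | 3 | 5 | 3 | 15 | 3 | 70 | 1 | 1 | 1 | 3 | 2 | 8 | 560 |
| 17 | Consolidated Services | 5 | 3 | 3 | 3 | 3 | 3 | 5 | 3 | 3 | 3 | 34 | 2 | 3 | 3 | 3 | 3 | 14 | 476 |
| 18 | Administrative Services | 5 | 20 | 3 | 3 | 3 | 3 | 5 | 3 | 3 | 3 | 51 | 2 | 2 | 2 | 1 | 1 | 8 | 408 |
| 19 | Board Services | 10 | 20 | 3 | 10 | 3 | 3 | 5 | 3 | 3 | 3 | 63 | 1 | 1 | 2 | 1 | 1 | 6 | 378 |
| 20 | Planning | 5 | 3 | 3 | 3 | 3 | 3 | 5 | 3 | 3 | 3 | 34 | 2 | 2 | 2 | 3 | 2 | 11 | 374 |
| | Total Risk Category | 135 | 150 | 108 | 249 | 157 | 77 | 220 | 164 | 148 | 179 | | 39 | 42 | 47 | 50 | 38 | | |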
IDENTIFIED AUDITS
High Risk Audits
1)Regulatory Compliance
evaluate processes and procedures to ensure internal controls over regulatory compliance is
complete, accurate and timely to meet regulatory requirements. Additionally, to evaluate the
source control (pretreatment program) processes and procedures to review and inspect chemical disposal practices and associated discharge. Lastly, to assess the process for identifying
emerging regulations to ensure Regulatory Compliance.
2)Information Technology General Controls
evaluate the design and operating effectiveness of IT General Controls (ITGC), to ensure the
integrity of the data and processes that the systems support. Additionally, perform an assessment of the maturity model of IT controls and evaluate areas including; Access & Vulnerability, Change
Management and System Development Life Cycle (SDLC).
3) Safety & Security Protocols
evaluate safety and security protocols, monitoring exceptions, incident reporting, remediation of
findings and internal and public reporting protocols throughout OC San, including Environmental
Services, Collection Facilities, Operations & Maintenance (Plant #1 & #2), Human Resources,
Fleet Services and Public Affairs.
4) Supply Chain Management
evaluate supply chain controls for Engineering Administration, Operations & Maintenance and
Construction management practices and activities to mitigate inflation and supply chain issues
including limited availability of chemicals and supplies. Perform an assessment of the budgeting and expense management processes related to these departments' procurement of materials
and supplies.
Medium Risk Audits
5)Capital Improvements (CIP) Administration (rotation item)
review controls and procedures over bid and solicitation process for construction projects, conflict of
interest, selection panel approval, and solicitation are performed in accordance with state and local
laws. Evaluate internal labor capitalization for completeness and accuracy.
6) Procurement Card Program Management (audit in process)
evaluate the Purchasing Card (ProCard) processes and controls over ProCard issuance, purchasing
guidelines, and individual and department purchase compliance.
7)Expense Management – Overtime
assess Public Works administration and use of overtime and identify areas of risk and opportunities
for potential savings.
8)Revenue Management (rotation item)
ensure controls are designed and operating effectively to minimize revenue erosion through ensuring
accuracy and completeness of Annexation and Capital Facilities Capacity Charge (CFCC) program.
Assess processes and controls including identification of annexations and partnering city CFCC remittance.
9)Accounts Payable Vendor Review (rotation item)
evaluate processes and controls to ensure validity and accuracy of vendor records. Evaluate the
design and operating effectiveness of vendor approval processes, including analytics to identify fictitious or duplicate vendors and payments
10)Employee Recruiting Process
assess the efficiency and effectiveness of recruitment functions at OC San. Review and evaluate the
processes and controls associated with HR recruiting strategy, workforce planning, talent readiness
and succession planning. Benchmark against best-in-class agencies for hiring practices including
collective bargaining negotiations, on boarding, probationary, and vetting.
11)Independent Contractor
evaluate the “employment” status of independent contractors to ensure they are legally “not an
employee” in accordance with State of California labor laws.
12)Fleet Services
assess the internal controls and processes to ensure Fleet Services is operating efficiently & effectively.
5 – YEAR INTERNAL AUDIT PLAN
AD HOC AUDIT SCHEDULE

PREVIOUSLY PRESENTED
A) Risk Assessment ‐ At the Beginning of Each Engagement
Rotation Items
1) Review of Sole Source Contracts
2) Cyber Security (Twice)*
3) Review of Risk of Fictitious Vendors/Employees*
4) Capital Facilities Capacity Charges ‐ Cities Review*
5) Capital Improvement Program (CIP) ‐ Contracts, Policies, Procedures*
Year 1
A) Risk Assessment
B) Open ‐ Based on Risk Assessment and Committee Input.
Year 2
A) Review of Sole Source Contracts ‐ Rotation Item
B) Cyber Security ‐ Rotation Item
C) Open ‐ Based on the Risk Assessment and Committee Input
Year 3
A) Review of Risk of Fictitious Vendors / Employees ‐ Rotation Item*
B) Open ‐ Based on the Risk Assessment and Committee Input
Year 4
A) Capital Facilities Capacity Charge ‐ Review of Cities ‐ Rotation Item*
B) Cyber Security ‐ Rotation Item*
Year 5
A) Capital Improvement Program (CIP) ‐ Contracts, Policies, Procedures, etc. ‐ Rotation Item*
B) Open ‐ Based on the Risk Assessment and Committee Input

PROPOSED
A) Risk Assessment ‐ At the Beginning of Each Engagement
Rotation Items
1) Cyber Security
2) Accounts Payable Vendor Review (including Fictitious Vendors / Employees)
3) Revenue Management (Capital Facilities Capacity Charges ‐ Cities Review)
4) Capital Improvement Program (CIP) ‐ Administration
Year 1
A) Risk Assessment (completed)
B) Procurement Card Program Management #6 (in process)
C) Expense Management ‐ Overtime #7
Year 2
A) Regulatory Compliance #1
B) Information Technology General Controls #2 or Cyber Security (Rotation Item)
C) Revenue Management ‐ (Capital Facilities Capacity Charge & Annexation) #8 (Rotation Item)
Year 3
A) Safety & Security Protocols #3
B) Supply Chain Management #4
C) Accounts Payable Vendor Review (including Fictitious Vendors / Employees) #9 (Rotation item)
Year 4
A) Capital Improvements (CIP) Administration #5 (Rotation Item)
B) Employee Recruiting Process #10
C) Independent Contractor #11
Year 5
A) Cyber Security (Rotation Item) or Information Technology General Controls #2
B) Fleet Services #12
C) Revenue Management ‐ (Capital Facilities Capacity Charge & Annexation) #8 (Rotation Item)

*Included on Proposed Audit Plan. Audits in blue were "Previously Presented" & included on "Proposed" Audit Plan.
This presentation is presented with the understanding that the information contained does not constitute legal, accounting or other professional advice. It is not intended to be responsive to any individual situation or concerns,
as the contents of this presentation are intended for general information purposes only. Viewers are urged not to act upon the information contained in this presentation without first consulting competent legal, accounting or other professional advice regarding implications of a particular factual situation. Questions and additional information can be submitted to your Eide Bailly representative, or to the presenter of this session.
QUESTIONS?