CC 07-20-2021 Item No. 26 Risk Assessment and Internal Audit Program - Staff Presentation
City of Cupertino
Risk Assessment and Internal Audit Plan
Council Meeting
July 20, 2021
Overview
I. Introduction
II. Internal Audit Program Components
III. Risk Assessment Process
IV. Risk Assessment Results
V. Potential Internal Audit Projects
VI. Recommended FY 21-22 Internal Audit Plan
7/19/2021
I. Introduction
• The City retained Moss Adams LLP to serve as the designated Internal Auditor
and conduct projects focusing on:
◦ Risks
◦ Internal controls
◦ Compliance
◦ Performance
◦ Best practices
• Work is being completed under appropriate industry standards
II. Internal Audit Program Components
Annual Plan: Internal Audit Plan
Internal Audit Components: Risks, Internal Controls, Compliance, Performance
City Functions: Accounting and financial reporting, asset management, capital programs,
compliance, economics and funding, fraud, governance, human resources, internal
controls, maintenance and operations, management, operations and service
delivery, organization and staffing, processes and procedures, procurement, public
safety, risk management, and technology
III. Risk Assessment Process
PLANNING
We began planning our assessment by requesting a standard set of documents from the City,
including (but not limited to) prior risk assessments, audits, public website documents, and
financial reports. We used these documents to identify the first round of individuals to interview
and additional document needs based on business process/functional areas.
FACT-FINDING
Fact-finding encompassed analyzing received documents, interviewing employees and City
Council members, and soliciting additional employee feedback via an online survey. During this
phase, we gathered information in order to gain a clear understanding of the City and the way it
operates to achieve its goals and purpose.
ANALYSIS
With the information collected and compiled, we performed a risk assessment that included a
comprehensive review and analysis of the various categories of risks. This analysis included
assessing current risk conditions and trajectory, the level of preparedness efforts to mitigate risks,
and the probability and potential impact a negative event may have on the City’s ability to achieve
its mission, vision, and strategic goals.
REPORTING
During this phase, we developed a draft report to engage in review and discussion with senior
leadership. Based on feedback, we finalized the report for delivery to the City Manager and
presentation to the Audit Committee.
III. Risk Assessment Process
RISK LEVEL: Level of uncertainty that could impair functions and processes, in the absence of any actions taken to alter either the risk’s likelihood or impact.
LIKELIHOOD: Qualitative assessment of the probability of a negative event occurring, given the current risk conditions.
IMPACT: Level of potential impact of a negative event on strategy, people, operations, systems, and resources.
PREPAREDNESS: Level of preparedness through activities and resources to manage risks and minimize and limit potential losses.
TRAJECTORY: Trajectory of the risk level, given the current risk conditions.
RISK MITIGATION: Potential strategies for reducing risk.
RESIDUAL RISK: Possible remaining exposure after known risks have been mitigated through specific actions.
IV. Risk Assessment Results
RISK CATEGORY | RISK ASSESSMENT | EMPLOYEE SURVEY RESULTS
Procurement and Contracting | High | Low-to-Moderate
Governance | Moderate-to-High | Moderate
External Environment | Moderate-to-High | Moderate
Human Capital and Resources | Moderate-to-High | Moderate
Information Technology | Moderate-to-High | Low-to-Moderate
Planning and Strategy | Moderate-to-High | Moderate
Policies and Procedures | Moderate-to-High | Moderate
Capital Improvement Program | Moderate | Low-to-Moderate
Compliance and Financial Reporting | Moderate | Low-to-Moderate
Ethics and Fraud, Waste, Abuse | Moderate | Low-to-Moderate
Internal Controls | Moderate | Low-to-Moderate
Operations and Service Delivery | Moderate | Moderate
Organization and Staffing | Moderate | Moderate
Risk Programs | Moderate | Moderate
Accounting and Finance | Low-to-Moderate | Low-to-Moderate
Asset Management | Low-to-Moderate | Low-to-Moderate
Management and Leadership | Low-to-Moderate | Moderate
Public Safety and Security | Low-to-Moderate | Low-to-Moderate
Reputation and Public Perception | Low-to-Moderate | Low-to-Moderate
V. Potential Internal Audit Projects
• Procurement Operational Review
• Governance Policies Revisions
• Fraud, Waste, and Abuse (FWA) Program Development
• Policy Inventory and Plan
• Senior Center Operational Review
• Vendor Management Internal Controls Review
• Third-Party Contract Audit
• Capital Program Effectiveness Study
• Grants Management Process Review
• AR and Revenue Internal Controls Review
• Employee Performance Management Review
VI. Recommended FY 21-22 Internal Audit Plan
1. Procurement Operational Review (high risk): Assess the City’s
procurement function, including structure, policies and procedures,
processes, tools, oversight, and training.
2. Policy Inventory and Plan (moderate to high risk): Perform an inventory of
financial policies, compare to best practices, and establish a prioritized
plan to develop/update priority policies.
3. Capital Program Effectiveness Study (moderate to high risk): Assess
processes, interdepartmental collaboration, and throughput for capital
planning and execution, including contract management and reporting.
4. Fraud, Waste, and Abuse (FWA) Program Development (moderate risk):
Develop a FWA program, including program design, hotline
implementation, ongoing hotline administration, and training.
VI. Recommended FY 21-22 Internal Audit Plan
# | Project | Budget
1 | Procurement Operational Review | $50,000
2 | Policy Inventory and Plan | $35,000
3 | Capital Program Effectiveness Study | $35,000
4 | FWA Program** | $25,000
  | Ongoing Program Management | $5,000
  | FY 20-21 Budget* | $50,000
  | FY 21-22 Budget | $100,000
Timeline columns (quarters): 7-9/21, 10-12/21, 1-3/22, 4-6/22
* FY 20-21 Total Budget $100,000, $50,000 remaining to carry forward after Enterprise Risk Assessment ($50,000)
** Ongoing annual costs to administer an Ethics hotline include approximately $2,000 for a hotline and $16,000 to
review, disseminate, and track reports received through the hotline.
The material appearing in this presentation is for informational purposes only
and should not be construed as advice of any kind, including, without limitation,
legal, accounting, or investment advice. This information is not intended to
create, and receipt does not constitute, a legal relationship, including, but not
limited to, an accountant-client relationship. Although this information may have
been prepared by professionals, it should not be used as a substitute for
professional services. If legal, accounting, investment, or other professional
advice is required, the services of a professional should be sought.
Assurance, tax, and consulting offered through Moss Adams LLP. Wealth
management offered through Moss Adams Wealth Advisors LLC. Investment
banking offered through Moss Adams Capital LLC.