Jun 05, 2018 Audit Committee Meeting

[00:00:05]

>> chair rogers compton: A motion to adjourn. Seconded? >> notice of meeting on the agenda in the office of the chancellor for texas government code 5515182. This meeting is being broadcast over the internet by code 551520. >> okay. We'll get started. A lot of you to introduce I guess today.

1. Certification of Notice Posted for the Meeting

>> we'll have the chancellor certified. >> I certify that the minutes for this meeting was posted according to texas government code 551504. >> thank you. >> the director is unavailable today. He's traveling out of the country so -- >> you got to read that. They have a copy. >> I think he just read that. >> did he? >> yeah. >> he did. >> okay. I'm sorry. >> so if we could, the director is out of the country -- >> he doesn't really care, does

2. Presentation of the 3rd Quarter Report from Internal Audit for Quarter Ended May 31, 2018 Committee Action: Review Presenter: Paul Styrvoky

he? >> no, he's having more fun than we are having at the moment so I'm little upset about that. We have director styrvoky who is standing in. >> a little bit of background on you, paul, if you would. >> thank you. Good afternoon trustees. It's an honor to be here. I've been employed by the district for 8 years in the role of I.T. Auditor. Today I'd like to introduce her. She's been with the district for four years. We also have lana griffin who has been with the district for four years as an auditor too. April fuller is a compliance specialist and she's been with the district in our department for three years, five years for the district total and then rob is out of the country today. So it is my honor and privilege to share two things with you today. Our quarterly status report and then our annual plan for next year. We completed four audits. >> you have to speak up. >> I'm sorry. The audit I completed was the information technology general control. We looked at the college locations. In particular we looked for change management procedures, back up procedures and rooms that house critical computers. We did not look at the closets upgraded and the most significant findings in that audit. The second audit that we completed was the student and exchange visitor program, the district has to comply with federal regulations in terms of how we admit and enroll and maintain the eligibility for our students. We looked at 218 students out of a population of nearly 6,000. We looked at active and closed and completed and terminated. We found some minor issues with some documentation files in the course of the audit so there were no issues that require follow up on our part. Our third audit that we looked at was employee travel expenses and this is a regularly scheduled audit that we include every year. We comply with not only district policy and procedures but also irs regulations. We selected 111 reimbursements.
We found some minor issues related to parking receipts and other timeliness but nothing that, again, that require any major follow up. >> how do you get to that 111? >> those are -- we looked at all of the significant administrators within the district, we look at vice presidents and presidents at the colleges and then we also use

[00:05:03]

the judgement for dollar sizes. Then I'd like to welcome trustee jameson. >> sorry for my tardiness. >> my name is paul styrvoky. I'm representing director gardines today. We are in the status report right now. We are talking about the richland collegiate high school. This is an annual audit selected by the board of trustees. We selected 50 students. Richland has made significant improvements over the years so we have no issues in this area. Currently we have the following audits in progress, we have finished basically the field work as it relates to physical inventory. It was somewhat delayed in terms of completing the inventory. Sort of went into the may time frame. At this point there's no major findings in terms of items, typical items we would write off in terms of computers and switches and medical equipment is typical from previous years. So there's working issues. We have just started the upward bond grant for richland college as well as the disaster recovery plan. We have pulled all of the locations for telecommuting and identified approximately 50 individuals who commute. We are in the process of scheduling interviews with the supervisors to discuss how they are being monitored and tracked so the agreements they signed with the district are being satisfied. Any questions on what we've completed or what is in the report? >> a couple questions about the I.T. Stuff. Does the scope of your audit include a review of the security aspects of our operations and also our compliance with the private act? >> yes, it does. In fact, in the plan you'll see we specifically have an audit to address that. We have done that in previous years. >> I would imagine we may change. How does that impact the audit function and do you have full visibility into those changes? >> we do. We regularly get with tim marshon and his staff about our plan and our ongoing monitoring.
>> last comment, no findings -- there's always some suggestions about things that could be done better but all four of these audits there's no findings so we are perfect. >> we are not perfect but we found issues that did not rise to the level of management comment. Certainly as an improvement are minor issues that came up during the audit. We communicated that to the vice presidents and presidents but nothing that was indicated to break down in internal controls. That's what we are looking for. >> nothing major that was just shocking? >> no. >> a question. My form says other, over payments and underpayments to faculty in 2016 and 2017 under faculty miles on incentive. >> I'll defer to rob on that. >> right. That's an audit that has been underway we talked with the board about it sometime ago and I believe that we are going to brief the board about that at one of the board planning sessions coming up on June 25th and 27th with some more information for that. It made its way on the agenda but it wasn't an item for today's audit or not intended to be. >> oh. >> we'll have something for you and we'll be reporting to you on June 25th on that. >> and that was a very detailed analysis where we had looked at all the faculty that were identified for the milestones and we went into the colleague system and looked at paid and not paid. That analysis has already been done. Rob has been given an update. He will lead further discussions on that. >> because of this particular >> yeah. >> a question? Comments?

3. Presentation of the Audit Plan for Year 2018-19 from Internal Audit Committee Action: Review & Approve Presenter: Paul Styrvoky

>> all right. Moving onto the audit plan review. You have our audit plan for next fiscal year. This plan was prepared using prior years of risk assessment where we sent out a very

[00:10:01]

detailed spreadsheet. This year we followed up with a narrative questionnaire to the locations. We built in reoccurring audits and then we factored in areas. So I'll take a moment just to look through there. If you have any questions. >> you might just tell the committee and the board members that are present how you developed the plan, what you look at in terms of in addition to doing the risk assessment, how many hours are available and explain. >> I'll back up. We typically have a capability to do between 20 and 22 audits a year. Typically allow 30 a day per audit. By doing that we also have time to do special projects during the year, management requested audits, special investigations. We look at areas particularly for compliance with district policy and procedures. So that's why, for example, the reoccurring audits for cash counts, physical assets and employee travel expenses and so forth are there. We did add some ones that we've done in the past this year where we had problems. I call your attention to audit number 12, the day teaching audit. There has been some controls changed in that area so we thought it would be prudent to follow up there. As well, one of the areas that we looked at many, many years ago were the tax sheltered annuities contributions in terms of compliance, making sure the district is not allowing employees to overly contribute to those investments as well as our district investments policies and procedures. In addition to our ongoing grant monitoring, we typically include two to three grants in our audit plan per year where we do a traditional audit and those would be items 21 and 22 on the plan. >> board policy requires the audit committee to recommend the board full approval for an audit for the coming fiscal year. So this proposed audit plan is found to be acceptable by the committee today. We'll be on the -- it's on the full agenda for the 4:00 meeting on the consent agenda for approval.
So it would be -- it would be appropriate to the plan. You can ask any questions of paul with respect to that and then we will come out of here with a recommendation for the full board. >> number 7? Is that for a given one location or is that for more than one location? >> that would be for all district issued gasoline credit cards. >> and that's what kind of percentage? >> yes, that would be 100%. Yeah, we would look at credit cards. Number one we look at the physical control of those cards because there's an inventory of who should have those and two we look at the utilization of those cards. For example in the past there was an issue with some that were not valid. We do a double analysis. Who has the cards, how they are used. >> there was a $17,000 oopsie. >> there were some significant problems. >> were there any other areas of audit that are not included in this year's -- >> not that I'm aware of. >> audit is part of minimizing risk, right, and could you recap a little bit about how we approach risk management from an enterprise point of view, what you see is the top three or four areas of risk exposure and whether we are aligning our internal audit to address those areas? >> well, we are endeavoring to do so. The approach that we've taken in internal audit this year has been to take more of a risk management or risk assessment approach. This year I would defer to paul on the risk management but I think that we do direct the personnel in that area to ensure that we address those areas that are of the keenest interest in terms of assessing and evaluating risk. In terms of putting those out, I don't know what the surveys showed or the collaborations showed in terms of this. Paul, can you help me there in terms of the areas that we

[00:15:01]

identified as highest risk from the enterprise? >> what we heard from the locations were things such as public safety and security, back up, many, many others. Then obviously the chapters, what was being dealt with, such as student banking payments when they are registers and so point. >> trustee ritter, to your point, the greatest areas of risk for an enterprise such as the district is the cyber attack, the security and privacy of the information that we maintain on our students and those students, faculty and staff as well. We are under, as we discussed previously, daily attack from those that would be bent on trying to access our system. So I think -- paul from the I.T. Perspective I think that that's one that's in our review of procedures and how we go about protecting the information being maintained. I would say from the general one of the key areas of risk we face as an enterprise. That's not unique in the district certainly, that's institution of the higher education in a whole has seen that over the past few years, being an area of primary exposure for risk and one we had to address and continue to address. >> I'm glad you brought that up. If you look at item number 20 in the plan, we specifically having worked with our cyber security function over the last year or so have identified that as a high risk area and we are building coverage into that area, risk coverage analysis. Of expertise. >> glad you're on that. >> other questions, comments? Okay. >> I think it would be helpful to get a sense from the committee about the plan, recommendations to the board. >> do we have a motion? >> so moved. >> second? A second? All in favor? >> >> can I make a suggestion? >> perhaps. >> I think it would be helpful to the board or the committee to hear a presentation on enterprise risk as a predicate to an internal audit plan. >> I agree 100%.
We've been trying to move -- as we move into this next item I'll talk about the areas where we are trying to enhance the approach that we take to the development of the annual audit plan, the resources we depend upon. The risk management approach is one that certainly does practice and one that we should be adhering to and involving other stakeholders. As paul indicated with the internal audit, it started with a risk assessment process last year, improved upon that -- I say improved upon but expanded that approach with a survey process in development and one that we think we can continue to make improvements on to make sure that we are bringing to the board and to the audit committee and the board as a whole the best, most effective plan we could have for internal audit operations for the next fiscal year. With that we are looking at bringing exactly that kind of a program or presentation to the board so that they are aware of their obligations in respect to looking at risk management. It does touch everything that you do as board members and that the district does operationally as well. >> I know you said that's an area of your expertise. Do we have the staff to keep up with the rapidly changing cyber security issues that occur on a daily basis, the hourly basis? >> I do. I would defer -- marshall. >> based on the previous amount of activity that this entailed, we have put to john and a number of staff changes that we believe that has to be had to that staff. We are also asking and it will probably come through the board a number of tools that we need in place to allow our staff to do this work. A lot of pattern matching. Right now we are doing that manually. It takes time to get through some of the activities. One went out through the last three or four internal audits plus our monitoring, our staff

[00:20:04]

is more and more engaged in doing. That increases >> I think, tim, it's fair to say that we are certainly seeing an increase in the number of people trying to access our systems more than in prior years. >> we've taken a multiphased approach to this in the district. We did what the board -- we have cyber insurance a couple of budgets ago. We continue to maintain that. That's identified for us that we need to have these enhanced resources in house as well. I've been involved in those discussions as well. We do look at this as an area of primary importance because of the level here. It makes us a target of opportunity. >> just a note, the key risk continues to be the people over technology who leave their passwords or other things around. That puts us at the greatest risk. >> we continue to work on those as well. I will be coming with proposals for the district in terms of factors on things that we can do to put in place to make ourselves even more secure. >> getting back to risk assessment, we used to get a periodic report, the board did, in terms of risk assessment, area they inquired about and staff that ordered grants what did they know and what did they not know and then it would get reported to us and how it was addressed. I don't know, maybe starting that again because it was very informative and it made sure in terms of it coming -- in terms of training or whatever. >> I believe, trustee, you're referring to something we did before called the self-assessment. That's something -- >> I can't remember the term. >> I'm recalling my history with the group and I think that's a good idea that we should take another look at it. >> I'm not sure why we quit giving that but it just helped us really be informed on that. I don't know when it quit. >> that makes sense. >> thank you.

4. Discussion Regarding Process for Search of New Director of Internal Audit Presenter: Rob Wendland

>> item 4. >> that's a nice segue into it. Thank you, paul for being here for rafael. He is traveling today. He has announced his retirement effective August 31st. So we in looking at the departure of rafael and his fine service to the district over that period of time, it's time for us to dive into an analysis into the internal audit operations, what our capacities are, what we are doing and benchmarking those against best practices and where internal audit should be if it's not there and where it needs to be in the future. We are looking for a successor for rafael. To assist us we engaged graham thornton who has an outside auditor for the district for the last several years and they have a special area of practice that assists entities with best practices for internal audits. They have been engaged for the last several weeks, engaging with paul and others in audit and other key stakeholders in business and some of the board members have been contacted, I appreciate your involvement with that. They are going to do an assessment. They have not completed their work but they are going to do an assessment to identify not only what our present capacities are and the strengths that we have in internal audit but where we need to be for an enterprise of this size. If you will, to the graham thornton folks, there was no third rail they had to avoid in terms of taking an assessment and looking at us. That's with all the fine folks we have. If there's doing things, either a reporting structure, organizational structure, anything of that nature, this is the time for us to take a look at that as we look to identifying a successor for rafael and where we need to be staffing, the competent approach we take. Again, I'll be in over my head quickly when I start talking about these things, but there are operational internal control type audits like paul has been describing that we do on a regular basis very effectively but we don't really do performance audits in the district.
We haven't historically done audits to say is this program performing like it's supposed to be performing. That might require some competencies or capacities that we don't presently have or that

[00:25:02]

we haven't tapped thus far. We want to look at all of that as we move into the role of succeeding somebody who has been here 30 years and done fine service for the district but then actually pulling out internal audit abilities to best serve the district in the most effective way. That's a long way of saying they are engaged, they intend to come out with an assessment report here very shortly. I didn't expect it and I don't want it today. That will then provide a framework for us developing a search for some best -- or the most operation that has not been involved here before. They won't be doing the search for us but they'll assist us in developing the criteria for the search, the competencies we want to identify in the next director of internal audit. As you can imagine, there's technological changes. There's areas that we can look at in terms of practice that we can leverage and make ourselves even more effective. Indeed they will tell us if we have the number of staff that we need in that area or if we need more staff or different kind of staff. We thought this was a good time in internal audit to take a look at it. That's what we tasked graham thornton to do to assist us. So they have been working very diligently. I fully expect a report in short order and then I will update the board and the committee as we go forward. One of the things, in my mind with the folks at graham thornton, they said what kind of training do you have for your board members and your audit committee members in particular about their obligations as audit committee members and/or board members in terms of development with respect to some of these areas, assessment risk, intern prize -- internal risk. I said we have not done that for our board or committee members. They said you should be. They are going to identify resources to assist the board in identifying their role for internal audit, risk management and others in endeavors they do for the district.
I think they are going to come back with some very sound recommendations. I'm confident. I know that paul is working. The graham thornton people actually called him out in a meeting with me and said that he's been an incredible resource to them, getting them historical documents. So paul should be commended for that as well. >> thank you. It's best for our students to be successful. >> footnote, as part of our responsibilities as a board, we get that information from graham thornton to educate, I would appreciate that. >> I will show them that. I think that will harmonize in what you are doing in terms of the board's self-evaluation process. Every resource we can bring to the board making the board more effective. We will certainly do that. Similarly for all of us in the district, internal audit and all the other departments, anything that we can do to make that operation more effective and more benefit as paul said it's ultimately for those that we serve that we be as efficient and capable as possible in all

5. Review of Chancellor’s Travel Report Committee Action: No Action Required

these areas. >> item 5. Approval of -- >> there's no action required on that. I think you probably have that. >> on the first item what does rc stand for? >> it's a coalition of about 20 -- excuse me, urban colleges. I actually don't know what the r stands for either. >> okay. >> you might have to change your name soon. >> I believe that that covers everything that we intended to cover with the audit committee today. >> any questions or comments? >> thank you very much. >> thank you. >> anything else?

* This transcript was compiled from uncorrected Closed Captioning.