internal audit self-assessment with independent validation
TRANSCRIPT
Internal Audit Self-Assessment
with Independent Validation
INTERNAL AUDIT REPORT
Audit Control Number: 17-04 June 21, 2017
Issued: August 16, 2017
LOUISIANA DEPARTMENT OF EDUCATION BUREAU OF INTERNAL AUDIT
Baton Rouge, LA
NOTICE Under provisions of state law, this report is a public document. A copy of this report has been submitted to the Superintendent of Education, members of the Board of Elementary and Secondary Education, and other officials as appropriate or required by law. A copy of this report has been made available for public inspection in the Bureau of Internal Audit at the Louisiana State Department of Education.
Louisiana Department of Education Bureau of Internal Audit
1201 N. Third Street Claiborne Building, Suite 5-160
P.O. Box 94094 Baton Rouge, Louisiana 70804-9094
Director of Internal Audit Dudley J. Garidel, Jr. CPA
Auditor-In-Charge Beryle J. Patin CPA
Professional Intern Connor J. Krone
August 16, 2017 Board of Elementary and Secondary Education John White, Superintendent of Education Louisiana Department of Education
The Bureau of Internal Audit [BIA] has completed the Quality Assessment Review [QAR] Self-Assessment with Independent Validation of the Louisiana Department of Education [LDE] BIA. The results are contained in the attached report.
Respectfully submitted,
Dudley J. Garidel, Jr. CPA Director of Internal Audit
DJGJr:BP Enclosures Distribution: Board of Elementary and Secondary Education (11) John White, Superintendent of Education Bridget Devlin, LDE Chief of Staff Beth Scioneaux, Deputy Superintendent of Management and Finance Shan Davis, BESE Executive Director Marsha Guedry CPA, Internal Audit Administrator, Division of Administration Yvette Beamon CPA Divison of Administration Internal Audit Louisiana Legislative Auditor
TABLE OF CONTENTS
EXECUTIVE SUMMARY ..................................................................................... 1 BACKGROUND……………………………………………………….…………. 2 PROJECT SCOPE & OBJECTIVES .................................................................... 2 PROJECT RESULTS ............................................................................................. 3 OBSERVATIONS & RECOMMENDATIONS………………………………... 3 EVALUATION SUMMARY: QUALITY ASSESSMENT………Attachment A RATING DEFINITIONS…………………………………………...Attachment B INDEPENDENT VALIDATION STATEMENT & RESPONSE Attachment C
Audit Control Number: 17-01 June 21, 2017 Page 1
EXECUTIVE SUMMARY As required by the Institute of Internal Auditors’ (IIA) International Standards for the Professional Practice of Internal Auditing (Standards), the Louisiana Department of Education (LDE) Bureau of Internal Audit (BIA) conducted a self-assessment of its internal audit activity for the period July 1, 2006 through June 30, 2016. The mission and scope of the BIA is to:
• Conduct objective and independent audits with the LDE;
• Determine whether the LDE programs have operated in compliance with applicable state and federal laws and regulations;
• Provide a risk driven internal audit function for the LDE programs; and
• Examine and evaluate the:
quality of program and managerial performance in carrying out assigned responsibilities to achieve LDE stated goals and objectives;
adequacy and effectiveness of the Department's internal control structure [LDE management is responsible for creating and maintaining the LDE internal control structure, whereas the BIA evaluates internal control structure and recommends necessary improvements];
reliability and integrity of information;
security of the state’s assets; and
compliance with applicable laws and regulations.
The objectives of the self-assessment were to:
• Assess the internal audit activity of BIA to determine conformance with the Standards,
• Evaluate internal audit activity to its effectiveness in carrying out the bureau's mission as set forth in its charter, and
• Identify opportunities to enhance management and work processes within the BIA as well as add value to LDE operations.
The results of this self-assessment indicate the BIA 'Generally Conforms' to the Institute of Internal Auditors' Standards and Code of Ethics, although a more in-depth discussion and explanation is contained in the pages which follow.
Audit Control Number: 17-01 June 21, 2017 Page 2
BACKGROUND The State Superintendent of Education defines the BIA role and responsibilities as part of the oversight function. The BIA is located in the Office of the Superintendent. The State Superintendent of Education, or designee, supervises the Director of Internal Audit. The Director of Internal Audit has dual-reporting responsibility to the BESE and the Superintendent of Education. In addition, the Director of Internal Audit has functional responsibility for all external audit programs within the department. The mission and scope of the BIA is to:
• Conduct objective and independent audits with the LDE;
• Determine whether the LDE programs have operated in compliance with applicable state and federal laws and regulations;
• Provide a risk driven internal audit function for the LDE programs; and
• Examine and evaluate the:
quality of program and managerial performance in carrying out assigned responsibilities to achieve LDE stated goals and objectives;
adequacy and effectiveness of the Department's internal control structure [LDE management is responsible for creating and maintaining the LDE internal control structure, whereas the BIA evaluates internal control structure and recommending necessary improvements];
reliability and integrity of information; and security of the state’s assets.
The BIA is comprised of two full-time audit positions and one part-time professional intern audit position. The Director of Internal Audit (Director) is responsible for overall supervision of the BIA and its staff, but also individually conducts such projects as are necessary from time to time. The Auditor-In-Charge (AIC) is responsible to conduct audit projects, both individually and with the assistance of the professional intern. When working with the Professional Intern as a team, the AIC is responsible for supervising the Professional Intern during the course of the project. The Professional Intern (Intern) is responsible for maintaining the BIA databases related to school districts and pass-through federal funding. In addition, the Intern will conduct or assist in such audit projects as may be assigned by the Director of Internal Audit.
PROJECT SCOPE AND OBJECTIVES The objectives of the self-assessment were to:
• Assess the internal audit activity of BIA to determine conformance with the Standards,
Audit Control Number: 17-01 June 21, 2017 Page 3
• Evaluate internal audit activity for effectiveness in carrying out the bureau's mission as set forth in its charter, and
• Identify opportunities to enhance management and work processes within the BIA as well as add value to LDE operations.
As part of the preparation for the self-assessment background information and documents using Appendix A0 from the IIA Quality Assessment Manual, Copyright 2013, as a guide, were collected. As part of the evaluation, the annual risk assessment, audit plan, and other documents prepared by the BIA were reviewed. In addition, a sample of audit engagements was selected and audit documentation from the selected engagements during the review period was reviewed to determine conformance with the standards.
PROJECT RESULTS The results of this self-assessment indicate the BIA 'Generally Conforms' to the Institute of Internal Auditors' Standards and Code of Ethics, although a more in-depth discussion and explanation is contained in the pages which follow. See Attachment A for a detailed list of conformance with individual Standards. For the series 1300 Standards regarding a Quality Assurance and Improvement Program (QAIP) there are some areas rated as partially conforms and one area noted as does not conform. While there are quality assurance measures in place, the QAIP program has recently been formalized and additional measures have been put in place to meet the intent of the Standards. Following this self-assessment the BIA will implement procedures to conduct the evaluation summary annually to ensure that Standards are being followed. In addition, the annual evaluation will help to determine areas to be strengthened within BIA the activity. Further discussion regarding areas for improvement is contained in the 'OBSERVATIONS & RECOMMENDATIONS' section below. Comments and recommendations presented in this report are intended to build upon and enhance the existing foundation already in place within the BIA.
OBSERVATIONS & RECOMMENDATIONS Although the BIA 'Generally Conforms' with the Standards, the procedures performed indicate several areas exist which have significant opportunities for improvement, as discussed below. ATTRIBUTE STANDARDS: 1000 - 1322 STANDARD 1000 - PURPOSE, AUTHORITY, AND RESPONSIBILITY The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Definition of Internal Auditing, the Code of Ethics, and the Standards. The chief audit executive must periodically review the internal audit charter and present it to senior management and the board for approval.
Audit Control Number: 17-01 June 21, 2017 Page 4
Standard 1010 Internal Audit Charter and Definition of Internal Auditing Requirement: The Internal Audit Charter must recognize of the Definition of Internal Auditing, the Code of Ethics, and the Standards. Opportunity for Improvement: The BIA does have a Statement of Responsibilities (Charter) which was adopted in 2006 to comply with Standards in effect at the time. Subsequently, however, the BIA has not updated the Charter to comply with current standards. Recommendation: In order to comply with current Standards the BIA must update the current Charter to meet all requirements of the Standards. Director of Internal Audit (Director) Response: After completing this Self-Assessment the BIA will update the Charter to comply with current Standards. The updated Charter will be presented to the Superintendent of Education and BESE for approval and signature. STANDARD 1300 - QUALITY ASSURANCE AND IMPROVEMENT PROGRAM Requirement: The chief audit executive must develop and maintain a quality assurance and improvement program (QAIP) which covers all aspects of the internal audit activity. Opportunity for Improvement: The BIA policies and procedures manual (PPM), adopted in 2006, includes a QAIP. This section of the PPM, however, has not been updated to include all current developments related to such a program, including the requirement to communicate the results of the QAIP to senior management and the governing board. Recommendation: The BIA update should update its PPM to contain a QAIP which complies with all requirements of the current Standards related to a QAIP. Director's Response: After completing this Self-Assessment the BIA will update its PPM to contain a QAIP which will conform to and comply with all requirements of the current Standards related to a QAIP. Standard 1320 Reporting on the Quality Assurance and Improvement Program (QAIP) Requirement: The chief audit executive must communicate the results of the QAIP to senior management and the board. Opportunity for Improvement: The BIA Director has not formally communicated the results of self-assessment procedures conducted as part of the QAIP to senior management on an annual basis. Recommendation: The BIA Director should communicate the results of the QAIP procedures to senior management and the BESE annually. Director's Response: The BIA Director meets weekly with the LDE Chief of Staff and reports the scope and status of BIA projects but has not formally communicated results to the BESE. The Director will begin formally communicating the results of QAIP procedures to BESE in accordance with the Standards.
Audit Control Number: 17-01 June 21, 2017 Page 5
PERFORMANCE STANDARDS: 2000 - 2600 STANDARD 2000 - MANAGING THE INTERNAL AUDIT ACTIVITY The chief audit executive must effectively manage the internal audit activity to ensure it adds value to the organization. Standard 2010 - Planning Requirement: The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process. Opportunity for Improvement: The BIA did not consider the input of senior management and BESE in annual risk assessment process. Recommendation: The BIA should consider the input of senior management and BESE in the annual risk assessment process. Director's Response: The BIA did consult with the LDE Chief of Staff during the annual risk assessment process but not with BESE. Future annual risk assessments will consider input from BESE as part of the process. Standard 2060 - Reporting to Senior Management and the Board Requirement: The chief audit executive must report periodically to senior management and the board on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan. Reporting must also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management and the board. Opportunity for Improvement: Although the BIA does issue quarterly reports to BESE, the reports do not address significant risk exposures and control issues. Recommendation: The BIA should include significant risk exposure and control issues in the quarterly reports to BESE. Director's Response: The BIA does discuss such issues with the LDE Chief of Staff but will begin researching the best ways to include such issues in the quarterly reports to BESE. STANDARD 2300 - PERFORMING THE ENGAGEMENT Internal auditors must identify, analyze, evaluate, and document sufficient information to achieve the engagement's objectives. Standard 2310 - Identifying Information Requirement: Internal auditors must identify sufficient, reliable, and useful information to achieve the engagement's objectives.
Audit Control Number: 17-01 June 21, 2017 Page 6
Opportunity for Improvement: BIA audit planning should ensure all necessary information is identified and sufficient procedures are included to obtain the information in order to achieve the engagement objectives. Recommendation: BIA engagement planning must be more detailed to ensure all necessary information for the engagement is identified Director's Response: The BIA understands and recognizes the important of the planning process. The BIA will develop an enhanced planning process to ensure engagements include all necessary information. Standard 2320 - Analysis and Evaluation Requirement: Internal auditors must base conclusions and engagement results on appropriate analyses and evaluations. Opportunity for Improvement: Appropriate analyses and evaluations will result from a more thorough planning process at the beginning of an engagement. Recommendation: The BIA should develop an enhanced planning process in order to ensure appropriate analyses and evaluations for engagements. Director's Response: The BIA understands and recognizes the important of the planning process. The BIA will develop an enhanced planning process to ensure engagements include all necessary information. Standard 2330 - Documenting Information Requirement: Internal auditors must document relevant information to support the conclusions and engagement results. Opportunity for Improvement: During the review of BIA documents for selected engagements, instances were noted in which relevant supporting information was not sufficiently documented to support the conclusions and engagement results. It is the responsibility of the BIA to ensure sufficient documentation exists for all engagements. Recommendation: The BIA must ensure all engagements are sufficiently documented to support conclusions and results. Director's Response: The BIA agrees there were instances of insufficiently documented information in some engagements. The BIA will ensure all future engagements are properly and sufficiently documented to support conclusions and results. The recommendations, if any, in this report represent, in our judgment, those most likely to bring about beneficial improvements to the operations of the BIA. The varying nature of such recommendations, implementation costs, and potential impact on operations, however, should be considered in reaching decisions on necessary courses of action, if necessary.
Audit Control Number: 17-01 June 21, 2017 Page 7
This assessment was conducted in accordance with The Standards for the Professional Practice of Internal Auditing and the Code of Ethics issued by the Institute of Internal Auditors. By provisions of state law, this report is a public document and has been distributed to appropriate public officials. ________________________________ Dudley J. Garidel, Jr. CPA Director of Internal Audit
Attachment A
Louisiana Department of Education - Bureau of Internal Audit
Evaluation Summary: Quality Assessment
Attachment A
Evaluation Summary: Quality Assessment
(GC = Generally Conforms, PC = Partially Conforms, DNC = Does Not Conform)
Quality Assessment Evaluation Summary—Overall Evaluation GC PC DNC
OVERALL EVALUATION X
Quality Assessment Evaluation Summary—Major/Supporting
Standards GC PC DNC
1000 Purpose, Authority, and Responsibility X
1010 Recognition of the Definition of Internal Auditing, the Code of Ethics, and the Standards in the Internal Audit Charter
X
1100 Independence and Objectivity X
1110 Organizational Independence X
1111 Direct Interaction with the Board X
1120 Individual Objectivity X
1130 Impairment to Independence or Objectivity X
1200 Proficiency and Due Professional Care X
1210 Proficiency X
Quality Assessment Evaluation Summary—Major/Supporting Standards GC PC DNC
1220 Due Professional Care X
1230 Continuing Professional Development X
1300 Quality Assurance and Improvement Program X
1310 Requirements of the Quality Assurance and Improvement Program X
1311 Internal Assessments X
1312 External Assessments X
1320 Reporting on the Quality Assurance and Improvement Program X
1321 Use of “Conforms with the International Standards for the Professional Practice of Internal Auditing”
X
1322 Disclosure of Nonconformance X
2000 Managing the Internal Audit Activity X
2010 Planning X
2020 Communication and Approval X
2030 Resource Management X
2040 Policies and Procedures X
2050 Coordination X
2060 Reporting to Senior Management and the Board X
2070 External Service Provider and Organizational Responsibility for Internal Auditing N/A. BIA does not use outside external sources
2100 Nature of Work X
2110 Governance X
Quality Assessment Evaluation Summary—Major/Supporting Standards GC PC DNC
2120 Risk Management X
2130 Control X
2200 Engagement Planning X
2201 Planning Considerations X
2210 Engagement Objectives X
2220 Engagement Scope X
2230 Engagement Resource Allocation X
2240 Engagement Work Program X
2300 Performing the Engagement X
2310 Identifying Information X
2320 Analysis and Evaluation X
2330 Documenting Information X
2340 Engagement Supervision X
2400 Communicating Results X
2410 Criteria for Communicating X
2420 Quality of Communications X
2421 Errors and Omissions X
2430 Use of “Conducted in Conformance with the International Standards for the Professional Practice of Internal Auditing”
X
2431 Engagement Disclosure of Nonconformance X
2440 Disseminating Results X
Quality Assessment Evaluation Summary—Major/Supporting Standards GC PC DNC
2450 Overall Opinions X
2500 Monitoring Progress X
2600 Communicating the Acceptance of Risks X
The IIA’s Code of Ethics X
Attachment B
Louisiana Department of Education - Bureau of Internal Audit
Rating Definitions
Attachment B Rating Definitions Rating definitions were presented in Appendix E of the Institute of Internal Auditor’s Quality Assessment Manual. These rating definitions were used during the self-assessment evaluation as documented in Attachment A and are described below. “Generally Conforms” - the assessor has concluded the following:
• For individual standards, that the internal audit activity conforms to the requirements of the standard (e.g., 1000, 1010, 2000, 2010, etc.) or elements of the Code of Ethics (both Principles and Rules of Conduct) in all material respects.
• For the sections (Attribute and Performance) and major categories (e.g., 1000, 1100, 2000, 2100, etc.), the internal audit activity achieves general conformity to a majority of the individual standards and/or elements of the Code of Ethics, and at least partial conformity to others, within the section/category.
• For the internal audit activity overall, there may be opportunities for improvement, but these should not represent situations where the internal audit activity has not implemented the Standards or the Code of Ethics, has not applied them effectively, or has not achieved their stated objectives.
“Partially Conforms” - the assessor has concluded the following:
• For individual standards, the internal audit activity is making good faith efforts to conform to the requirements of the standard (e.g., 1000, 1010, 2000, 2010, etc.) or element of the Code of Ethics (both Principles and Rules of Conduct) but falls short of achieving some major objectives.
• For the sections (Attribute and Performance) and major categories (e.g., 1000, 1100, 2000, 2100, etc.), the internal audit activity partially achieves conformance with a majority of the individual standards within the section/category and/or elements of the Code of Ethics.
• For the internal audit activity overall, there will be significant opportunities for improvement in effectively applying the Standards or Code of Ethics and/or achieving their objectives. Some deficiencies may be beyond the control of the internal audit activity and may result in recommendations to senior management or the board of the organization.
“Does Not Conform” - the assessor has concluded the following:
• For individual standards, the internal audit activity is not aware of, is not making good faith efforts to conform to, or is failing to achieve many/all of the objectives of the standard (e.g., 1000, 1010, 2000, 2010, etc.) and/or elements of the Code of Ethics (both Principles and Rules of Conduct).
• For the sections (Attribute and Performance) and major categories (e.g., 1000, 1100, 2000, 2100, etc.), the internal audit activity does not achieve conformance with a majority of the individual standards within the section/category and/or elements of the Code of Ethics.
• For the internal audit activity overall, there will be deficiencies that will usually have a significant negative impact on the internal audit activity’s effectiveness and its potential to add value to the organization. These may also represent significant opportunities for improvement, including actions by senior management or the board.
Attachment C
Louisiana Department of Education - Bureau of Internal Audit
Independent Validation Statement
and Response
June 30, 2017 Marsha V. Guedry, CPA Internal Audit Administrator Louisiana Division of Administration PO Box 94095 Baton Rouge, LA 70804-9095 SUBJ: Independent Validation Statement - Louisiana Department of Education [LDE] Quality Assessment Review Dear Ms. Guedry: First let me extend my sincere appreciation to you and your staff who participated in the Independent Validation of our Quality Assessment Review - Self Assessment for the period ended June 30, 2016. It was an interesting learning experience for us all. Regarding the four additional observations denoted LDE-QAR-1 through 4 in your Independent Validation Statement I will go right to the heart of these matters. The Louisiana Department of Education - Bureau of Internal Audit concurs with these four observations. We will immediately begin adopting and implementing necessary procedures to address these issues. While the small size of our staff and current work obligations precludes me from giving an estimated date of completion, you may rest assured we will do everything possible to implement corrective measures as quickly as possible. I will notify you periodically as to our progress. Sincerely, Dudley J. Garidel, Jr. CPA Director of Internal Audit C: Bridget Devlin, LDE Chief of Staff