the regional municipality of peel audit and risk … · 2015-02-09 · arc-2015-1 -2- february 5,...

THE REGIONAL MUNICIPALITY OF PEEL

AUDIT AND RISK COMMITTEE AGENDA ARC - 1/2015 DATE: February 5, 2015 TIME: 9:00 AM – 11:00 AM LOCATION: Regional Council Chamber, 5th Floor 10 Peel Centre Drive, Suite A

Brampton, Ontario MEMBERS: F. Dale; C. Fonseca; M. Medeiros; K. Ras; R. Starr; A. Thompson 1. ELECTION OF CHAIR AND VICE CHAIR

2.

DECLARATIONS OF CONFLICTS OF INTEREST

3.

APPROVAL OF AGENDA

4.

DELEGATIONS

5.

REPORTS

5.1.

Audit and Risk Committee Orientation (Oral)

Presentation by Michelle Morris, Acting Director, Internal Audit

5.2.

Quality Assessment Results (For information)

Presentation by Lorraine Graham-Watson, Commissioner of Corporate Services, of the 2014 Quality Assessment Award

5.3.

Audit and Risk Committee and Internal Audit Charters

5.4.

2015 Internal Audit Risk Based Work Plan

5.5.

2015 Integrated Risk Management Work Plan

ARC-2015-1 -2- February 5, 2015

5.6.

Audit of the Pilot Project to Outsource Land Acquisition Services

5.7.

Common Risks and Opportunities - Analysis of Internal Audit Reports 2011/2014 (For information)

5.8.

Summary of Global Risks 2014 (For information)

6.

COMMUNICATIONS

7.

IN CAMERA MATTERS

8.

OTHER BUSINESS

9.

NEXT MEETING To be determined

10.

ADJOURNMENT

1

Audit and Risk Committee

Orientation

Presented by: The Internal Audit Division

February 5, 2015

5.1-1

2

Agenda

1. Introduction

2. How Internal Audit is Organized

3. The Three Lines of Defense Model

4. Focus Areas of the Internal Audit

Division

5. Q & A

5.1-2

3

Introduction

• The Internal Audit division was established

at the Region of Peel in 1977

• Currently consists of 1 director, 2

managers, 1 integrated risk management

advisor, 5 senior auditors and 1 internal

audit coordinator

5.1-3

4

Introduction

5.1-4

5

How we are Organized

• Purpose

• Authority

• Responsibility

• Independence

• Objectivity

5.1-5

6

Internal Audit Division

5.1-6

7

The Three Lines of Defense Model

5.1-7

8

Operational Management

The First Line of Defense:

• Own and manage risk

• Understand, identify and develop

strategies to mitigate risks that may impact

service delivery

• Develop controls and monitor performance

5.1-8

9

Risk Management and

Compliance

The Second Line of Defense includes:

• Integrated Risk Management

• Compliance Oversight Functions

• Financial Controllership

5.1-9

10

Internal Audit

The Third Line of Defense:

• Internal Audit provides assurance on risk

management

• Charter establishes independence and

authority of audit function

• Audits conducted in accordance with

Standards

5.1-10

11

Senior Management and


Primary Stakeholders

• 3 lines of defense report to Senior

Management, Internal Audit also reports

directly to Audit and Risk Committee

(ARC)

• Responsible for setting objectives and

governance structures

5.1-11

12

External Audit and Regulators

External Line of Defense

• External parties provide assurance on

specific areas of risk management

• Can have reporting responsibilities to

senior management or the governing body

5.1-12

13

Focus Areas of Internal Audit

• Integrated Risk Management

• Assurance

• Consulting

• Fraud

5.1-13

14

Integrated Risk Management

• Internal Audit leads the IRM program for the

Region on behalf of management

• Annual work plan, approved by ARC, outlines

risk assessment projects and IRM program

support work for the year

• Management and Internal Audit report results of

risk assessments conducted to ARC using a risk

dashboard

5.1-14

15

Assurance

• Annual work plan developed based on

organization risk assessment

• Work plan, approved by ARC, outlines audit

projects for the year

• Projects conducted to evaluate effectiveness of

risk management practices

• Assurance is provided in audit reported to ARC

for each project

5.1-15

16

Consulting/ Advisory Services

• Internal Audit provides consulting services to add

value and provides objective advice

• Consulting assignments are usually special requests

• Client defines the engagement objective and scope

• Results are reported to client

• Internal Audit participates on various advisory

committees

5.1-16

17

Fraud Prevention Program

Fraud Prevention Program includes the following:

• Investigating fraud allegations reported to

Internal Audit

• Providing guidance and expert advice to

management relating to fraud investigations

• Reporting fraud allegations and risks to Audit

and Risk Committee annually

5.1-17

18

Fraud Prevention Program

(cont.) • Draft Fraud Prevention Policy

• Fraud risk assessment

• Training and awareness sessions for fraud

prevention

5.1-18

19

Q & A

5.1-19

REPORT Meeting Date: 2014-02-05


For information

DATE: December 23, 2014

REPORT TITLE: QUALITY ASSESSMENT RESULTS

FROM: Michelle Morris, Acting Director, Internal Audit

OBJECTIVE

To inform the Audit and Risk Committee of the results of the 2014 Quality Assessment of the Internal Audit division. REPORT HIGHLIGHTS

Self-assessment results show that the Internal Audit division is in conformance with the Institute of Internal Auditor’s Standards and Code of Ethics. Independent validation concurred fully with results of the self-assessment. The division received the top rating achievable. The self-assessment process identified process improvement opportunities to strengthen the division’s effectiveness and the value of activities and services provided.

DISCUSSION 1. Background

Internal Audit (IA) conducted a self-assessment of current business practices against the Institute of Internal Auditor’s (IIA) Standards which is referred to as a quality assessment. The objective of the quality assessment (QA) was to assess Internal Audit’s conformity to the IIA’s International Standards for the Professional Practice of Internal Auditing (Standards). The self-assessment process that was followed was developed by the IIA. An independent assessor was hired through the IIA to provide an external validation of our self-assessment. The external validation also included interviewing senior management throughout the Region to obtain feedback on the services that Internal Audit provides. In accordance with the Standards, the Director, Internal Audit must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity, which must include both internal and external assessments. External assessments must be conducted at least every five years by a qualified independent assessor or assessment team from outside the organization. The next external assessment of the Internal Audit division will be conducted in 2019.

5.2-1

December 23, 2014 QUALITY ASSESSMENT RESULTS

- 2 -

2. Results

The overall opinion of the independent external assessor is that the Region of Peel’s Internal Audit division attained the highest rating possible of ‘Generally Conforms’ to the IIA Standards and to the IIA Code of Ethics. Appendix I provides a breakdown of conformance to individual Standards including applicable definitions. Appendix II is the ‘Independent Validation Statement’ provided by the external assessor confirming results of the validation of the self-assessment. The self-assessment process identified process improvement opportunities to strengthen the division’s effectiveness and the value of activities and services provided, which are as follows:

1. IA developed a three year business plan that covered the period 2011–2013. An internal audit business plan aligned with the organization’s strategic direction represents a better practice for the internal audit function. A business plan articulates the function’s mandate: how they can add value to the Region; and, the strategy for fulfilling their mandate. The prior plan provided a good foundation to move forward and enhance existing processes.

The Director, Internal Audit will develop an updated Internal Audit business plan that is

aligned to the Corporate Services business plan and the Region’s Strategic Plan. The plan

will take into consideration the noted topics and will provide staff a clear line of sight of how

the work done by the IA function supports the overall goals and objectives of the Region.

2. The IIA Standards requires that Director, Internal Audit periodically reviews the internal audit charter. The Internal Audit division’s current charter states that the charter is to be reviewed ‘at least annually’. Services and processes provided by Internal Audit have evolved and the internal audit charter needs to be updated to include: integrated risk management; the fraud program; and, consulting activities. In addition consideration should be given to providing Audit Committee with budget vs. actual comparisons for the Audit Work Plan, Integrated Risk Management, and Fraud activities.

The Director, Internal Audit will develop a process to ensure that the IA Charter is reviewed at least annually or when significant changes are made; and further that sections will be added covering IA’s involvement in IRM; the fraud program; as well as consulting activities. Progress updates will be reported to Audit Committee.

3. The Internal Audit division has a defined Quality Assurance Improvement Process (QAIP) in

place. Opportunities exist to strengthen current monitoring practices; one of which includes conducting the assessment against the appropriate tools from the QAIP manual and reporting the results to Audit Committee on an annual basis.

The Director, Internal Audit will assess the QAIP tools and implement the use of those tools that are appropriate for the function and will ensure that an annual reporting process is adopted.

4. The Region of Peel has a process in place to review the corporate Code of Conduct with

internal audit staff on an annual basis. All employees of the IA division are Certified Internal Auditors; which from a Standards perspective requires acknowledgement of and compliance with the IIA Code of Ethics and its four guiding principles. Periodically reviewing the

5.2-2

December 23, 2014 QUALITY ASSESSMENT RESULTS

- 3 -

profession’s code of conduct with staff will ensure that internal auditors apply and uphold the principles. The Director, Internal Audit will establish a process to periodically review the IIA’s Code of Ethics in conjunction with staff’s annual review of the Region’s Code of Conduct. The internal audit manual will be updated to reflect this process change.

5. The IIA Standards require that internal auditors base conclusions and engagement results on appropriate analyses and evaluations including the use of analytical procedures and data analytics where applicable. The opportunity was identified for IA staff to expand their knowledge in the use of data analytics and related software.

The Director, Internal Audit will establish a process to strengthen staff knowledge and proficiency in the use of analytical procedures and to further assess needs on an on-going basis.

CONCLUSION

Through the self-assessment and independent external validation process, the Region of Peel’s Internal Audit division has demonstrated a quality standard that recognizes conformity to modern internal audit practices. The division received the top overall rating of ‘Generally Conforms’. Identified opportunities for improvement will strengthen the division’s effectiveness and enhance its value. The next external assessment of the Internal Audit division will be conducted in 2019.

Michelle Morris Acting Director, Internal Audit Approved for Submission:

D. Szwarc, Chief Administrative Officer APPENDICES

1. Appendix I - Standards of Conformance Evaluation Summary 2. Appendix II - Independent Validation Statement For further information regarding this report, please contact Michelle Morris at ext. 4247 or [email protected] Authored By: Joan Appleton, CPA, CGA, CIA, CMRA and Sean Lee, CPA, CGA, CIA, CISA, CGAP, CRMA, PMP

5.2-3

APPENDIX I Quality Assessment Results

ATTACHMENT A STANDARDS CONFORMANCE

EVALUATION SUMMARY

REGION OF PEEL INTERNAL AUDIT DIVISION

(“ ” Evaluator’s Decision)

GC PC DNC

OVERALL EVALUATION

ATTRIBUTE STANDARDS

1000 Purpose, Authority, and Responsibility

1010 Recognition of the Definition of Internal Auditing, the Code of

1100 Independence and Objectivity

1110 Organizational Independence

1111 Direct Interaction with the Board

1120 Individual Objectivity

1130 Impairment to Independence or Objectivity

1200 Proficiency and Due Professional Care

1210 Proficiency

1220 Due Professional Care

1230 Continuing Professional Development

1300 Quality Assurance and Improvement Program

1310 Requirements of the Quality Assurance and Improvement

1311 Internal Assessments

1312 External Assessments

1320 Reporting on the Quality Assurance and Improvement

1321 Use of “Conforms with the International Standards for the Professional Practice of Internal Auditing”

1322 Disclosure of Nonconformance

PERFORMANCE STANDARDS

2000 Managing the Internal Audit Activity

2010 Planning

2020 Communication and Approval

5.2-4

11063

Rectangle



GC PC DNC

2030 Resource Management

2040 Policies and Procedures

2050 Coordination

2060 Reporting to Senior Management and the Board

2070 External Service Provider and Organizational Responsibility

2100 Nature of Work

2110 Governance

2120 Risk Management

2130 Control

2200 Engagement Planning

2201 Planning Considerations

2210 Engagement Objectives

2220 Engagement Scope

2230 Engagement Resource Allocation

2240 Engagement Work Program

2300 Performing the Engagement

2310 Identifying Information

2320 Analysis and Evaluation

2330 Documenting Information

2340 Engagement Supervision

2400 Communicating Results

2410 Criteria for Communicating

2420 Quality of Communications

2421 Errors and Omissions

2430 Use of “Conducted in conformance with the International Standards for the Professional Practice of Internal Auditing”

2431 Engagement Disclosure of Nonconformance

2440 Disseminating Results

5.2-5

11063

Rectangle



GC PC DNC

2450 Overall Opinions

2500 Monitoring Progress

2600 Management’s Acceptance of Risks

IIA Code of Ethics

Definitions GC – “Generally Conforms” means the assessor has concluded that the relevant structures, policies, and procedures of the activity, as well as the processes by which they are applied, comply with the requirements of the individual Standard or element of the Code of Ethics in all material respects. For the sections and major categories, this means that there is general conformity to a majority of the individual Standards or elements of the Code of Ethics, and at least partial conformity to the others, within the section/category. There may be significant opportunities for improvement, but these should not represent situations where the activity has not implemented the Standards or the Code of Ethics, has not applied them effectively, or has not achieved their stated objectives. As indicated above, general conformance does not require complete/perfect conformance, the ideal situation, “successful practice,” etc. PC – “Partially Conforms” means the evaluator has concluded that the activity is making good-faith efforts to comply with the requirements of the individual Standard or element of the Code of Ethics, section, or major category, but falls short of achieving some major objectives. These will usually represent significant opportunities for improvement in effectively applying the Standards or Code of Ethics and/or achieving their objectives. Some deficiencies may be beyond the control of the activity and may result in recommendations to senior management or the board of the organization. DNC – “Does Not Conform” means the evaluator has concluded that the activity is not aware of, is not making good-faith efforts to comply with, or is failing to achieve many/all of the objectives of the individual Standard or element of the Code of Ethics, section, or major category. These deficiencies will usually have a significant negative impact on the activity’s effectiveness and its potential to add value to the organization. These may also represent significant opportunities for improvement, including actions by senior management or the board.

5.2-6

11063

Rectangle

APPENDIX II - 1 -

November 11, 2014 Quality Assessment Review Results

The Institute of Internal Auditors (The IIA) was engaged to conduct an independent validation of Region’s of Peel’s (ROP) quality self-assessment. The primary objective of the validation was to verify the assertions made in the ROP self-assessment report, concerning adequate fulfillment of the organization’s basic expectations of the internal audit department and its conformity to International Standards for the Professional Practice of Internal Auditing (Standards). Other matters that might have been covered in a full independent assessment, such as an in-depth analysis of leading practices, governance, consulting services, and use of advanced technology, were excluded from the scope of this independent validation by agreement with the chief audit executive (CAE). Qualifications/Scope

In acting as Validator, I am fully independent of ROP and have the necessary knowledge and skills to undertake this engagement. The scope of the on-site validation, conducted during the period November 23-25, 2009 consisted primarily of a review and testing of the procedures and results of the self-assessment. In addition, interviews were conducted with the members of the ROP Audit Subcommittee and executive/operating management team – and the ROP internal audit staff. Overall Assessment/ Validation Results

I concur fully with the conclusions in the ROP quality self-assessment report and the ratings in the ROP Standards Conformance Evaluations Summary. Implementation of all the recommendations contained in the self-assessment report will improve the effectiveness and enhance the value of the IA activity and ensure its full conformity to the Standards. Additional Observations

The ROP IA group is developing plans to improve the efficiency, effectiveness and value of their activities and services. The following observations recap our thoughts on several key opportunities. They reinforce the opportunities already identified by IA and highlight leading practices used by other progressive IA groups. These are for your consideration and discussion – no response is required.

Risk Assessment and Audit Plans

Many leading IA groups are now using a “process or program” based audit universe (versus “auditable activities”) to provide them with a better risk assessment perspective. It has also become a common practice to budget for management requests/advisory service projects to enable IA to improve their coverage of emerging risk issues/opportunities.

ATTACHMENT B

INDEPENDENT VALIDATION STATEMENT

5.2-7

11063

Rectangle

11063

Rectangle

5.2-8

11063

Rectangle

11063

Rectangle


Audit Committee

DATE: January 7, 2015

REPORT TITLE: AUDIT AND RISK COMMITTEE AND INTERNAL AUDIT CHARTERS


RECOMMENDATION

That the Audit Committee be renamed the Audit and Risk Committee; And further, that the proposed Audit and Risk Committee and Internal Audit Charters described in the report of the Acting Director, Internal Audit titled, “Audit and Risk Committee and Internal Audit Charters” be approved. REPORT HIGHLIGHTS

The Charters outline the role and responsibilities of the Audit and Risk Committee and the Internal Audit function. Both Charters have been updated to: describe Internal Audit’s role in facilitating the Integrated Risk Management process on

behalf of management recognize Internal Audit’s formalized involvement in fraud investigations and reporting outline the Committee’s involvement in fraud disclosure to the external auditor reflect the new name of the Audit and Risk Committee DISCUSSION 1. Background

Audit and Risk Committee and Internal Audit Charters are an important component of organizational governance. The Audit and Risk Committee Charter defines the Committee’s roles, responsibilities, authority and administrative requirements. The Internal Audit Charter establishes Internal Audit’s position in the Region and defines overall purpose, authority and responsibility. The Charters are regularly reviewed to ensure they reflect current organizational practices, professional standards and industry better practices. The Audit and Risk Committee Charter and the Internal Audit Charter were last revised in October 2011.

5.3-1

January 7, 2015 AUDIT AND RISK COMMITTEE AND INTERNAL AUDIT CHARTERS

- 2 -

2. Changes and Comments

Audit and Risk Committee Charter The Audit and Risk Committee Charter (Appendix I) is designed to provide guidance to Regional Council members on how the Committee will assist the Council carrying out of their governance, accountability and controllership responsibilities. This is done by receiving information about and advising on whether risks are being appropriately addressed through strong governance, a risk management framework, and an effective internal audit function. The Roles and Responsibilities section was updated to include the Audit and Risk Committee’s role in reviewing information on fraud allegations and fraud risk and responding to questions from the external auditor about fraud. Changes to the Audit and Risk Committee Charter were made throughout the document to update for the new name of the Committee and update references to the committee now called the Enterprise Programs and Services Committee. Internal Audit Charter The Internal Audit Charter (Appendix II) describes the purpose, authorities and responsibilities of the internal audit activity and the scope and nature of the services it provides. The Charter establishes what the Director, Internal Audit is accountable to provide to the Audit and Risk Committee in terms of reporting. It also outlines what services Internal Audit is responsible to provide to the organization, grouped into four categories: Assurance Other Audit Services Integrated Risk Management Administration To support meeting these accountabilities and responsibilities, the Internal Audit Charter also provides the approved authorities the Director and staff of Internal Audit have and the scope of coverage their work applies to. In addition, the Charter outlines the requirements the internal audit activity must follow to comply with professional standards and implement a quality assurance and improvement program. The Internal Audit Charter was updated to describe Internal Audit’s role in facilitating the Integrated Risk Management process on behalf of management and role in conducting and reporting risk assessments. Further revisions were made to recognize Internal Audit’s increased involvement in fraud investigations and reporting. Changes to the Internal Audit Charter were made throughout the document to update for the new name of the Committee.

5.3-2

January 7, 2015 AUDIT AND RISK COMMITTEE AND INTERNAL AUDIT CHARTERS

- 3 -

CONCLUSION

The Audit and Risk Committee and Internal Audit Charters represent better practice and support good public sector governance. These documents reflect the important oversight and assurance roles and responsibilities of both the Audit and Risk Committee and Internal Audit activity.

Michelle Morris, Acting Director, Internal Audit Approved for Submission:


Appendix I - Audit and Risk Committee Charter Appendix II - Internal Audit Charter For further information regarding this report, please contact Michelle Morris, extension 4247. Authored By: Jennifer Weinman, CPA CA, CIA, CRMA and Joan Appleton CPA CGA, CIA, CRMA

5.3-3

Audit and Risk Committee Charter

Revised February, 2015

1. OBJECTIVE The objective of the Audit and Risk Committee is to assist Regional Council and associated Boards and Agencies in the discharge of their governance, accountability and controllership responsibilities by advising that risks are being appropriately addressed through strong governance, a risk/control and compliance framework, appropriate stewardship and an effective internal audit activity. This includes reviewing and advising on: • The integrity, quality and transparency of the Region’s financial, management and

operational information.

• The effectiveness of the financial and management reporting processes.

• The effectiveness of risk management and control processes and practices.

• The performance of the internal audit activity and assessing the effectiveness of the external audit function.

• Ethical business conduct and compliance with the Region of Peel’s Employee Code of

Conduct.

2. AUTHORITY

The Audit and Risk Committee receives its authority to exercise its responsibilities under resolution from Regional Council. The Audit and Risk Committee acts as a forum for communication among Regional Council, senior management and the external/internal auditors. The Audit and Risk Committee within the scope of its roles and responsibilities is authorized to: • Authorize investigations into any matters it deems necessary.

• Obtain any information it needs from internal/external audit and management.

• Request the attendance of any employee or external party at Audit and Risk Committee

meetings.

• Discuss any matters with the Director, Internal Audit.

5.3-4Appendix I Audit and Risk Committee and Internal Audit Charter

3. ROLES AND RESPONSIBILITIES

The responsibilities of the Audit and Risk Committee may be revised by Regional Council resolution. In each of its specific areas of responsibility, the Audit and Risk Committee, through Internal Audit or other means, has a responsibility to receive and evaluate information related to areas of risk or vulnerability within the Region of Peel and the agreed upon management actions to effect change in these areas. Risk Management and Control Framework Based on information provided by Internal Audit and other Regional business functions: • Review if management has a risk management framework and the associated

procedures for effective identification and management of the Region’s financial, operational, strategic, reputation and compliance risks.

• Review the impact of the risk management framework on the control environment. • Review and evaluate policies and processes to manage significant risks or exposures

and steps taken to monitor risks.

• Review and approve the Corporate Risk Profile.

• Review if management’s approach to maintaining an effective control framework, including external parties such as contractors and advisors, is sound and effective.

• Review that funds transferred to the Regional financed external organizations and

agencies are accounted for and used in a manner consistent with Regional goals and objectives [Internal Audit does not have the authority to audit these external organizations unless approved by the applicable governing board. Internal Audit does have responsibility to provide assurance that such funds are consistently managed to the standards of care prescribed by the Region].

• Review processes to determine if the organization has in place relevant policies and

practices and whether these are periodically reviewed and updated and that they are complied with.

• Review information and reports that assess key themes and issues affecting risk and

control from a Regional perspective.

• Review that management has taken steps to embed a culture which is committed to ethical and legal behaviour including compliance with laws, legislation and regulation.

• Review administration of and compliance with the Region’s Employee Code of Conduct

including the processes for educating and communicating the Code to Regional personnel.


• Review follow-up procedures on management action plans. Review explanations for

those not yet implemented.

Internal Audit Activities

• Approve the risk based internal audit plan recommended by the Director of Internal Audit.

• Approve the integrated risk management plan recommended by the Director of Internal

Audit.

• Receive audit or engagement reports identifying the key issues and the actions taken to address the issues.

• Review the status of management action plans.

• Review and approve the Internal Audit Charter and discuss if the appropriate authority,

access and reporting arrangements are in place.

• Review audit plan status.

• Review results of the annual client satisfaction survey.

• Review results of the annual fraud survey on fraud risk and fraud allegations.

• In conjunction with the Director, Internal Audit, review Internal Audit’s compliance with the Standards for the Professional Practice of Internal Auditing, including adequate quality assurance practices, appropriate staffing and effective operational management.

• Review the adequacy of resources to allow Internal Audit to carry out its responsibilities,

including completion of the annual and longer term audit plans.

• Ensure clear and independent communication and reporting lines exist between the Director, Internal Audit and the Audit and Risk Committee.

External Audit Activities • Recommend for Council approval the appointment of the external auditor for the Region

of Peel and Peel Housing Corporation for a five year term.

• Recommend for Council approval the terms of engagement and fees of the audit external auditor.

• Recommend for Council approval the scope and approach of the annual external audit

plan.


• Review the independence and qualifications of the external auditor.

• Review matters brought forward that in the external auditor’s professional judgment may have a bearing on independence.

• Review the annual management letters by the external auditors and make

recommendations to Regional Council and Peel Housing Corporation Board where necessary.

• Consider the external auditor’s judgments about the quality and appropriateness of the

Region’s accounting principles as applied in the Region of Peel and Peel Housing Corporation financial reporting.

• Respond to the external auditor’s questions related to the Committee’s view of fraud

risk, fraud allegations and the Committee’s role in the Region’s fraud program.

• Monitor the coordination of the internal and external audit functions.

Financial and Management Reporting and Financial Statements

• Provide assurance to Regional Council and Peel Housing Corporation Board that information reported by management at the Region of Peel and Peel Housing Corporation reasonably portrays the financial condition, results of operations, plans and long-term commitments of those organizations.

• Review Region of Peel and Peel Housing Corporation financial statements and

recommend approval by Regional Council and the Peel Housing Corporation Board (for example Annual Financial Statements).

• Review management reports which may accompany published financial statements.

• Review with external auditors and management the results of the audit and, if

necessary, any qualification to the audit opinion.


4. AUDIT AND RISK COMMITTEE TERMS OF REFERENCE

Reporting Function

The Audit and Risk Committee will serve in an advisory capacity by making recommendations to Regional Council and Peel Housing Corporation Board. The Audit and Risk Committee will be required to report after each meeting to a subsequent meeting of the Enterprise Programs and Services Section of Regional Council and the Peel Housing Corporation Board, as required.

Membership

The Audit and Risk Committee shall be comprised of five members; the Regional Chair (ex-officio), the Chair and Vice-Chair of the Enterprise Programs and Services Section of Regional Council and includes at least one member from each area municipality.

Term of Appointment

The Term of Appointment of Audit and Risk Committee members will be for a period of 24 months, which coincides with the term of appointment for the Chair and Vice Chair of the Enterprise Programs and Services Section of Regional Council. Regional Council will ensure each area municipality are represented by appointing an additional member(s) not represented by the Chair and Vice-Chair of the Enterprise Programs and Services Section of Regional Council. Election of Chair and Vice-Chair

The Audit and Risk Committee will elect from its members a Chair and Vice-Chair, and

this election will be held at the Audit and Risk Committee’s first meeting of a new term. There are two 24 month terms during the 48 month municipal election term, therefore the election of Chair and Vice-Chair will be held twice. Quorum

Quorum shall compromise a majority of the Audit and Risk Committee members.

Interim Changes Should a member of the of Committee resign before the Term of Appointment expires, a replacement will be appointed by Regional Council to serve the remaining time of the Term of Appointment.

Meetings


The Audit and Risk Committee will be required to meet at least three times each year,

and at other times as needed, or at the call of the Audit and Risk Committee Chair. The Audit and Risk Committee meetings will be open meetings, and all reports and

minutes will be available to the public. For the consideration of confidential matters, the Audit and Risk Committee has the authority under Resolution 2000-426 to go In Camera.

Audit and Risk Committee Resources

Audit and Risk Committee resources will be provided by the Commissioner of Corporate Services, the Regional Clerk, the Director of Internal Audit and the external auditors. A designate of the Regional Clerk will serve as the secretary to the Audit and Risk Committee and provide administrative support.

Review of Audit and Risk Committee Charter

The Charter will be reviewed every year. Suggested changes will be reported to the Audit and Risk Committee for their consideration and Regional Council approval.


5.3-10Appendix II Audit and Risk Committee and Internal Audit Charter


Audit Committee


REPORT TITLE: 2015 INTERNAL AUDIT RISK BASED WORK PLAN


RECOMMENDATION That the 2015 work plan as outlined in the report of the Acting Director, Internal Audit, dated December 17, 2014, titled “2015 Internal Audit Risk Based Work Plan” be approved.

REPORT HIGHLIGHTS

Projects for 2015 have been identified using corporate wide risk assessment information gathered during interviews of all Commissioners and Directors. Consideration was given to aligning projects with the Strategic Plan. The 2015 Work Plan will continue to be dynamic and flexible based on emerging risks and issues identified throughout the year.


The Internal Audit Division has a professional responsibility to develop audit work plans that reflect the changes and risks within the Region. As a result, some projects originally scheduled for 2014 have been deferred and are now included in the 2015 Work Plan. The 2015 Internal Audit Risk Based Work Plan (Appendix I) was developed based on the 2014 corporate wide risk assessment information on emerging risks and issues that were gathered during interviews with the Commissioners and Directors in the fall of 2014. The rationale for each audit project is included in Appendix I. Appendix I includes two tables. Table 1 provides details of the new projects that are planned to commence during 2015. Table 2 lists the projects from the 2014 Risk Based Work Plan that are continuing in 2015. In addition, the audit planning process will continue to be dynamic and flexible. Changes to the 2015 Work Plan may be required throughout the year to reflect emerging risks and issues as they unfold. Internal Audit will keep Audit Committee and EMT updated on any required changes to the 2015 Work Plan.

5.4-1

January 7, 2015 2015 INTERNAL AUDIT RISK BASED WORK PLAN

- 2 -

2. 2015 Work Plan Highlights and Comments

Where possible the 2015 Work Plan has been aligned with Strategic Plan. This ensures Internal Audit can conduct audits in a manner that is aligned with the way the Region provides programs and services for its constituents. In addition to conducting projects throughout the organization, the 2015 Work Plan sets aside time to respond to management requests for control advice, to provide integrated risk management services, to have involvement in committees and project governance committees and to conduct investigations as needed. Based on the projects included in the 2015 Internal Audit Risk Based Work Plan, Internal Audit will be able to independently and objectively carry out the work identified.

CONCLUSION

Internal Audit provides more value when audit observations and control advice focus on the right controls to manage the right or significant risks. To add value, Internal Audit has developed its 2015 Work Plan to reflect emerging risks and issues that are aligned with Strategic Plan themes and the way the Region provides programs and services. Completion of the Work Plan provides senior management and Audit Committee with reasonable assurance and comfort that sound management practices are in place and functioning as intended.



Appendix I – 2015 Work Plan Projects For further information regarding this report, please contact Jennifer Weinman. Authored By: Jennifer Weinman CPA CA, CIA, CRMA and Barb Morris CPA CMA, CIA, CFE

5.4-2

Table 1 - 2015 Work Plan Projects

Strategic Plan

Theme (Program)

Project

Rationale and Risks

Community Health

(Public Health)

Dental Programs

Rationale: The Region offers one-time dental services for eligible children and seniors who need treatment. Children are screened at school or at a Peel Dental Screening Clinic. The program plays an important role in maintaining and improving the health of Peel’s communities. This program, that involves reimbursement of fees to third parties, will be assessed to ensure management has controls in place to manage the risks of dealing with third party payment requests. Risk: Without effective and efficient processes, systems and applications, there is a risk that the dental program’s goals and objectives may not be achieved thus not maintaining or improving the health of Peel’s communities.

Community Health

(Public Health) Public Health Clinics

Rationale: Public Health Clinics offer a variety of services from a number of divisions, such as Healthy Sexuality Clinics; Breast Feeding, Dental and Immunization. The Clinics provide services to protect the public from reportable and sexually-transmitted diseases; and provides immunization through clinics and vaccine distribution to physicians. The work is highly regulated by Provincial legislation / standards. Risk: Inefficient / ineffective systems, processes and practices in operating the clinics may negatively impact the ability to provide services and programs as intended.

Social Development

(Community Development and Support)

Community Grants Funding

Rationale: Community Grants Funding administers applications for $6 million in funding. The area is also responsible for developing and maintaining the funding program guidelines. Risk: Ineffective application and decision process may result in unmet community needs and funds not being utilized as intended.

Social Development

(Affordable/Assisted Housing)

Preventing Homelessness in Peel Program

Rationale: Preventing Homeless In Peel Program provides the following assistance: landlord and tenant mediation, first and last month’s rent, funds for rental, mortgage and utility arrears and moving expenses. Families and Individuals who are residents of Peel can qualify to access these funds, some of which may also be Regional employees. Risk: There is a risk of perceived conflict of interest (objectivity) if Regional staff responsible for the oversight of the Preventing Homelessness in Peel Program also issue payments to Regional employees.

Social Development

(Ontario Works)

New Ontario Works System

Rationale: In November 2014, the Province of Ontario implemented a new computer system for the Ontario Works program. The system is new for all staff members and there may be process and control changes that need to be made. Risk: There is a risk that the business processes and controls may not have been revised to align with the new system requirements.

5.4-3Appendix I Internal Audit Risk Based Work Plan

Strategic Plan

Theme (Program)

Project

Rationale and Risks

Transportation

(TransHelp) TransHelp Operations

Rationale: TransHelp has revised a number of their processes for receiving/processing client payments and client trips as a result of a recent information privacy breach. The demand for TransHelp services has increased since the last Internal Audit in 2011 and is anticipated to increase year over year. TransHelp handles confidential client information that needs to be protected against the risk of a privacy breach or fraud. Risk: Areas that process payments or store confidential client information need to have effective controls to protect both employees and clients. Assessing the effectiveness and efficiency of controls will provide assurance that TransHelp is mitigating the risks associated with processing payments and working with vulnerable people.

Service Excellence

(Asset and Energy Management)

Fleet Audit Phase II

Rationale: Fleet Service’s purchases and services all Regional vehicles. Phase I audit reviewed Fleet Services inventory practices. Phase II will look at strategic objectives, the criteria for new vehicle purchases and compliance with legislation. Risk: Without an alignment between strategy and operations, there is a risk that the Regional resources may not be used effectively.

Service Excellence

(Asset and Energy Management)

New Purchasing By-Law RFP Review

Rationale: To be conducted as a result of a request from the Audit Committee to review purchasing objectives and compliance with new RFP authorization thresholds. Risk: Changes in authority levels delegated from Council to staff increase the risk that procurement transactions may not follow Regional processes.

Service Excellence

(Human Resources Management)

Hiring Practices

Rationale: As an equal opportunity employer, the Region follows applicable legislation and has developed and implemented a number of policies and procedures to ensure employees are hired in a fair and consistent manner. Risk: Employees may not be hired in a fair and consistent manner.

Service Excellence

(Corporate Governance and Leadership)

Advisory Services

Rationale: Risks and issues emerge and evolve throughout the year. Internal Audit sets aside time to handle special projects, assignments and advisory work. The objective is to be more proactive to client needs. In addition, Internal Audit may be asked to sit on Committees as a way to provide proactive advice.

Service Excellence


Fraud Program and Investigations

Rationale: The Region of Peel is committed to protecting its revenue, property, proprietary information and other assets. The Region will not tolerate any misuse or misappropriation of those assets. It is the Region’s intent to fully investigate any suspected acts of “fraud” as it is defined in the Fraud Prevention Policy. The Director, Internal Audit has the lead responsibility for management of the fraud program as defined in the policy.

Service Excellence


Follow-up on Internal Audit Reports

Rationale: To follow-up on outstanding audit observations and management action plans.


Table 2 - 2014 Audit Projects Continuing into 2015

Strategic Plan Theme

(Program)

Project

Rationale and Risks

Environmental

(Wastewater) Environmental Control Contract Review

Rationale: Lab testing was recently contracted out to a third party and the Region’s Environmental Control Laboratory closed. Risk: Without effective contract management practices in place, there is a risk that the third party vendor may breach contract terms and put the public and Region at risk.

Service Excellence

(Financial Management)

Treasury Services Rationale: Treasury Services oversees all facets of the Region's banking/investment functions. This includes cash, investment and debt management as well as managing banking relationships. The section follows applicable legislation. Policies and procedures related to cash management; debt management; and investment management have also been developed and implemented. Risk: There are risks associated with Regional assets that need to be effectively managed, monitored and reported on in order to ensure the Region’s assets are safeguarded.

Service Excellence

(Financial Management)

Overtime/Standby Phase II

Rationale: At times overtime work may be required in emergency situations or in other instances that require staff to work more than their standard daily / weekly hours of work. This overtime work is governed by Regional policies, procedures, collective agreements and applicable legislation. Risk: There are risks associated with the use of human and financial resources as well as complying with policies, procedures, collective agreements and applicable legislation that need to be efficiently and effectively managed.





REPORT TITLE: 2015 INTEGRATED RISK MANAGEMENT WORK PLAN


RECOMMENDATION

That the 2015 Integrated Risk Management Work Plan, as outlined in the report of the Acting Director, Internal Audit, titled “2015 Integrated Risk Management Work Plan” be approved.

REPORT HIGHLIGHTS

Projects for the 2015 Integrated Risk Management (IRM) Work Plan have been identified using corporate wide risk assessment information and takes into consideration current resources for IRM activities. The Work Plan is consistent with our approach to IRM taking both a strategic and operational view; however, the main focus for 2015 will be on embedding risk management principles within the development and execution of the Region’s Strategic Plan and Term of Council Priorities (ToCP). The Work Plan is divided into three segments which include strategic and operational projects and IRM program advancement activities. The Work Plan, similar to the Internal Audit Work Plan, is flexible and takes into consideration emerging risks and special requests.


Integrated Risk Management (IRM) was initially launched in late 2011. IRM is described as a process and framework for monitoring and assessing risk across various lines of business. IRM brings a systematic approach to managing and monitoring risk and can be used in the planning, budgeting and decision making processes. Risk is defined as the effect of uncertainty on the ability to meet organizational objectives. Risk is measured in terms of consequences (impact) and likelihood (probability) and can range from unlikely with no impact to highly likely with severe consequences. The objective of risk management is not to eliminate all risk but to manage its adverse effects while realizing potential opportunities in pursuit of organizational objectives.

5.5-1

January 7, 2015 2015 INTEGRATED RISK MANAGEMENT WORK PLAN

- 2 -

Significant steps have been taken to advance IRM within the Region of Peel (“Region”) and embed risk concepts into our planning, budgeting and decision making processes. The IRM infrastructure including the risk management framework and policy, risk categories, tools, and education modules have been developed and approved. A number of operational pilots were conducted in various program areas to identify, assess and plan for risks that may impact objectives. The pilots also enabled us to evaluate the effectiveness of the framework and its processes and make improvements where necessary or required. During 2014, our efforts were concentrated on working individually with ToCP owners and staff to help ensure a comprehensive assessment of risks and mitigation strategy of the ToCP’s. The risk lens was also used as an input to help inform a procurement decision, Paramedic budgeting and risk decisions and the development of a risk framework to manage the risks associated with building affordable housing using alternative business and partnership models. The IRM Work Plan for 2015 is developed based on corporate wide information and will focus on the development and execution of the Strategic Plan and Term of Council Priorities given that a new strategic planning cycle will commence with the new Term of Council.

2. 2015 Integrated Risk Management Work Plan and Comments

The Work Plan is divided into three segments which include strategic and operational projects and IRM program advancement activities. Each body of work is described below: Strategic Projects Strategic Projects consist of any risk management work committed to advancing the development and execution of the Region’s Strategic Plan and Term of Council Priorities.

Project Rationale

Strategic Plan Renewal 2015 to 2018 The changing environment in which the Region operates exposes it to internal and external risks. It is important that risk management is integrated in strategy development and execution to identify, assess and mitigate strategic and emerging risks.

Term of Council Priorities The risk lens can be used to help prioritize ToCP’s, once selected, risks to implementation should be identified, assessed and managed.

Integrated Planning Framework (IPF) Process Planning

The IPF Program is developing processes and tools to enable a systematic approach to planning and execution, budgeting and measurement. As this initiative will involve significant changes to existing processes and the development of new processes, it is important that the risks associated with these changes are effectively identified and managed.

5.5-2


- 3 -

Project Rationale

Corporate Risk Profile Provide Audit Committee and senior management with key risks facing the organization, their impacts, and plans in place to manage these risks.

Development of Risk Appetite and Risk Tolerances levels

Determining the acceptable levels of risk that the Region is willing to take or not in pursuit of its strategic and operational decisions and will include both qualitative and quantitative measures.

Operations Projects Operational projects include risk assessments conducted at the program, service, project or process level. Projects were selected based on interviews with Commissioners and Directors and also takes into consideration available resources for IRM.

Project Rationale

Privacy (carry over 2014) Assess the risks associated with privacy, Municipal Freedom of Information and Protection of Privacy Act (MFIPPA), Personal Health Information Protection Act (PHIPA) and mitigation plans in place to deal with these risks.

Climate Change Working with the Conservation Authorities, development of a risk methodology that meets the needs of the Conservation Authority while providing Regional Council that risks associated with the Climate Change Strategy are identified, assessed, and effectively managed.

Real Property Transformation To identify and assess the risks associated with the Real Property Transformation initiative.

IRM Program Advancement Bodies of work in this category include program enhancements and updates, roll out of the IRM policy, training and education and risk advisory services. Training and education will continue to be offered by Internal Audit on a request basis.

5.5-3


- 4 -

CONCLUSION

The IRM Work Plan is flexible and takes into consideration emerging risks and issues that may arise throughout the year. The IRM Work Plan is consistent with our approach of taking both a strategic and operational view; however, the main focus for 2015 will be on embedding risk management principles within the development and execution of the Region’s Strategic Plan and Term of Council Priorities (ToCP) as a new strategic planning cycle will commence with the new Term of Council.


D. Szwarc, Chief Administrative Officer For further information regarding this report, please contact Michelle Morris, extension 4247. Authored By: Michelle Morris, CPA, CGA, FCCA, CIA, CRMA

5.5-4




REPORT TITLE: AUDIT OF THE PILOT PROJECT TO OUTSOURCE LAND

ACQUISITION SERVICES


RECOMMENDATION

That the report titled “Audit of the Pilot Project to Outsource Land Acquisition Services”, in conjunction with the report of the Commissioner, Corporate Services, titled “Budget 2015 Proposal in Support of Land Acquisition Capacity for Public Works Capital Projects” be considered as part of the 2015 Regional Budget.

REPORT HIGHLIGHTS The audit found that the processes followed by Legal Services and Public Works to assess

the pilot project to outsource land acquisition services were both objective and reasonable. All of the financial factors, assumptions and data used in the ‘outsourcing’ assessment and in the comparison of ‘in-house’ costs for similar projects were valid, complete and accurate and supported the overall financial conclusions reached during the assessment and comparison by Legal Services and Public Works. We also noted that land acquisition costs for a sample of independently selected projects for comparison by Internal Audit were in the same range as the costs of the projects selected for comparison by Legal Services and Public Works. There are no remedial actions required by management as a result of this audit.


Internal Audit conducted an audit of the pilot project to outsource land acquisition services. The audit was conducted as a result of a request from executive management. In 2010, a pilot ‘outsourcing’ project to assist with the backlog of acquiring land needed to complete Public Works capital projects was introduced. This pilot ‘outsourcing’ approach was applied to two linear projects involving multiple property owners. Two vendors were selected using a competitive procurement process with the vendors being fully accountable to provide, coordinate and manage all professional services required to acquire the land needed. The vendors were required to follow the same processes followed by Regional staff when acquiring land and to be accountable for the outcomes. The vendors were also responsible

5.6-1

January 26, 2015 AUDIT OF THE PILOT PROJECT TO OUTSOURCE LAND ACQUISITION SERVICES

- 2 -

for the acquisition of all properties within the designated timelines and budget of the pilot ‘outsourcing’ project. This included, but was not limited to, appraisal, negotiation, legal and expropriation services. The pilot ‘outsourcing’ project concluded in late 2013. An evaluation and assessment of the pilot ‘outsourcing’ project and approach was subsequently conducted in 2014 by Legal Services and Public Works.

2. Audit Objectives and Scope

The audit focused on providing assurance that the process followed by Legal Services and Public Works to assess the pilot project to outsource land acquisition services was reasonable. More specifically, the audit focused on: Validating the findings from the pilot project assessment that supports the budget

request for additional resources, and Comparing internal land acquisition costs, for a sample of similar sized capital projects, to the outsourced land acquisition costs in order to determine the most cost effective method to acquire land.

The scope of the audit specifically excluded providing assurance on qualitative factors or assurance about the quality of internal land acquisition services versus external land acquisition services. This audit was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing.

3. Observations

The audit found that the processes followed by Legal Services and Public Works to assess the pilot ‘outsourcing’ project were reasonable and objective. All of the financial factors, assumptions and data used in the pilot ‘outsourcing’ project assessment and in the comparison of ‘in-house’ costs for similar projects were valid, complete and accurate and supported the overall financial conclusions reached during the assessment and comparison by Legal Services and Public Works. Internal Audit also reviewed an independent sample of similar sized projects that were not selected as part of the assessment and comparison by Legal Services and Public Works. It was noted that the costs associated with these independently selected projects by Internal Audit were in the same range as the costs of the projects selected for comparison by Legal Services and Public Works. No deviations or unusual items were noted during the audit of the pilot ‘outsourcing’ project.

5.6-2

January 26, 2015 AUDIT OF THE PILOT PROJECT TO OUTSOURCE LAND ACQUISITION SERVICES

- 3 -

CONCLUSION

The audit found that the processes followed by Legal Services and Public Works to assess the pilot ‘outsourcing’ project were both objective and reasonable. All of the relevant internal and external financial data was taken into consideration by Legal Services and Public Works as part of the overall assessment and comparison to ‘in-house’ costs. There are no remedial actions required by management as a result of this audit.


D. Szwarc, Chief Administrative Officer For further information regarding this report, please contact Michelle Morris, extension 4247. Authored By: Michelle Morris, CPA, CGA, FCCA, CIA, CRMA and Frank Medeiros, CIA, CRMA

c. Legislative Services

5.6-3


Audit Committee

For Information


REPORT TITLE: COMMON RISKS AND OPPORTUNITIES - ANALYSIS OF INTERNAL

AUDIT REPORTS 2011/2014


OBJECTIVE

To provide the Audit and Risk Committee with an assessment of the common risks and opportunities from Internal Audit reports issued from 2011 to 2014.

REPORT HIGHLIGHTS

The top four risks and opportunities from the report analysis include: o Opportunities to leverage technology and reduce manual processes to manage

business information needs. o Development or update of program strategy objectives and performance

measures to reflect the changing business environment. o Strengthening process controls including updating and implementing

management techniques. o Strengthening policies and procedures including the elimination of policies no

longer relevant and implementing policies that will support updated processes and practices. In 2014, Management launched six Enabling Strategies, two of which may address the

risks and opportunities identified in this report, specifically, Excellence in Integrated Strategy Development and Execution and Excellence in Using Information Assets and Technology to Improve Services. Observations raised in the individual audits are addressed by management on a program by program basis.


In 2011, The Director, Internal Audit issued a report titled “Common Themes and Issues, Analysis of Internal Audit Reports 2007/2010”. The report captured audit results from the years 2007 to 2010 to identify systemic issues. The top three themes identified through this analysis were similar to the four common risks and opportunities presented in this report. This report captures all audits presented to Audit Committee from the period of 2011 to 2014. As a result, 22 audit reports with a total of 153 observations were analyzed. Each

5.7-1

January 22, 2015 COMMON RISKS AND OPPORTUNITIES - ANALYSIS OF INTERNAL AUDIT REPORTS 2011/2014

- 2 -

observation was classified under a risk theme. This report speaks to the four common risks and opportunities that were tabulated to be the most common. A review of the risks and opportunities identified in the audits from 2011 to 2014 found that two common risk themes identified in 2011 have continued: those dealing with policies and procedures, and technology. The third theme reported in 2011 – absence of/or ineffective risk management controls, was not one of the top four risks and opportunities identified. The current assessment found two other common risk themes to be more prevalent: those related to strategic planning, and effective business processes not adopted or followed.

2. Overview and Purpose

Individual audit reports are useful in advising management on risks and control issues that may affect the successful operation of a program, process or function. Typically, action plans help mitigate future risk through the implementation of control improvements. Individual audit reports do not always address broader risk and control themes due to their focused nature. Similar issues may arise over a series of reports that could point to a more systemic or reoccurring set of issues indicating that a more holistic perspective of risk and control is needed. The purpose of this analysis is to help identify the reoccurring themes. This analysis can help management become more aware of organizational risk themes and management practices that may need to be implemented to address the issues.

3. Analysis

An effective measure of determining a reoccurring theme is the frequency where a risk or opportunity is identified. Overall, individual issues appearing in audit reports may not necessarily be serious with the action plans providing the mechanism to manage future risk. However, issues collectively identified over a number of reports can point to more systemic problems. Themes identified are more valuable when they can identify a trend thus providing knowledge to correct systemic or emerging risk areas. Observations raised are addressed by management on a program by program basis. Management has selected six Term of Council Enabling Priorities (ToCEP) for the organization. The number of planned initiatives and competing priorities in the organization signaled a need for a more focused approach to define and drive the critical enabling priorities needed at this time to achieve organizational excellence. These priorities focus the organization on doing the right things at the right time to advance desired community outcomes.

5.7-2


- 3 -

For the period analyzed, the top four risks and opportunities are: Opportunities to leverage technology and reduce manual processes to manage

business information needs.

Leveraging automation and the use of technology was the principle driver of this theme. Audit reports indicated that either there were too many manual processes or there were multiple automated systems supporting the same processes. Information was being reentered into multiple systems which increases the likelihood of errors and promotes operational inefficiencies. Over the long run, ineffective processes can contribute to more errors affecting reporting reliability and increased inefficiencies.

Development or update of program strategy objectives and performance measures.

The common theme found either a need to revise program strategy due to changing conditions or an absence of program strategy objectives and/or performance measures. Organizational change, such as program realignments, staff changes or new initiatives, is most likely the primary reason for this risk. Organizational change can upset the alignment of processes to program strategy.

Strengthening process controls including updating and implementing management techniques.

A gap exists in process controls; the controls were outdated or absent, being the principle driver of this risk. Audit reports indicated controls in processes were absent or weak. Some programs experienced their first audit which prompted a review of processes through a risk and control lens. This resulted in the identification of a number of opportunities for improvement. Creating effective business processes starts with customer needs analysis, appropriate stakeholder input, risk identification and control implementation.

Strengthening policies and procedures.

This common opportunity involved either out of date policies or the absence of guidelines or procedures. Organization change is most likely the underlying reason for this theme. Policies become increasingly obsolete as the organization changes and often policies are not updated to reflect these changes. In addition, some policies and procedures are “implicit”; they have become imbedded in organizational culture and are passed down from staff to staff. The absence of policies and procedures or the absence of guidelines can increase the risk of organizational sustainability from a continuity perspective. In addition, outdated policies and procedures can contribute to inefficiency and affect organizational innovation. Well documented and understood key policies support effective organizational governance.

Two of the Enabling Strategies may address the common risk and opportunities: Excellence in Integrated Strategy Development & Execution and, Excellence in Using Information Assets & Technology to Improve Service.

5.7-3


- 4 -

Excellence in Integrated Strategy Development and Execution is intended to deliver client-focused services through stronger capabilities in development and execution of strategies at the corporate, departmental and divisional levels. Properly aligning resources and competency in project management with leaders who set and communicate clear direction and effectively manage change may have positive consequences for the common themes pertaining to strategy and governance. Excellence in Using Information Assets and Technology to Improve Service is intended to deliver client focused service. The goal is for these digital services to be straight forward and convenient and provide accurate and timely management information. As more and more processes include some aspect of digital technology, this term of council enabling priority may impact the processes and technological common themes. Both of these key initiatives are in progress.

CONCLUSION

Overall, individual issues appearing in audit reports may not necessarily be significant by themselves. However, issues collectively identified over a number of reports can point to opportunities to enhance controls across the organization. Risks and opportunities identified are more valuable when they can identify a trend thus provide knowledge to address emerging risks. Management is aware of these themes and has a number of initiatives that will help mitigate all or parts of the four common risks and opportunities identified. Internal Audit will continue to identify risk and opportunities to determine if there are any significant changes as the organization moves through its transformational initiatives.


D. Szwarc, Chief Administrative Officer For further information regarding this report, please contact Michelle Morris, extension 4247. Authored By: Jennifer Weinman, CPA CA, CIA, CRMA and Barb Morris, CPA CMA, CIA, CFE

5.7-4


Audit Committee

For Information


REPORT TITLE: SUMMARY OF GLOBAL RISKS 2014


OBJECTIVE

To provide Audit Committee with a summary from the information adapted from the “Global Risks 2014, Ninth Edition”, World Economic Forum, Switzerland, 2014 report. REPORT HIGHLIGHTS

The Global Risks 2014 report is produced by the World Economic Forum on an annual basis with the 2014 version being the Ninth edition. The report captures 31 global risks with leaders from business, government, academia and non-governmental and international organizations ranking risks in order of likelihood and impact. The report provides management at the Region of Peel and the Audit Committee with information to proactively assess the likelihood and impact that global risks may have on the Region’s strategic objectives.


The World Economic Forum is an independent international organization committed to improving the state of the world by engaging business, political, academic and other leaders of society to shape global, regional and industry agendas. The World Economic Forum is a not-for-profit foundation incorporated in 1971 and is located in Geneva, Switzerland. Since 2006, the World Economic Forum has been producing the Global Risk report with the 2014 report representing the ninth edition. This latest edition has identified 31 global risks. The report defines global risk as an occurrence that causes significant negative impact for several countries and industries over a time frame of up to 10 years. The objective of the Global Risk 2014 report is stated as follows: “The world faces risks that can be addressed only by long-term thinking and collaboration among business, governments and civil society. The Global Risks 2014 report aims to support this process by: Exploring the nature of systemic risks

5.8-1

January 22, 2015 SUMMARY OF GLOBAL RISKS 2014

- 2 -

Mapping the 31 global risks according to the level of concern they arouse, their likelihood and potential impact, as well as the strength of the interconnections between them Looking in-depth at the ways in which three constellations of global risk – centred on youth, cyberspace and geopolitics – could interplay and have systemic impact”.

2. Overview and Purpose

The objective of this summarized version of the Global Risks 2014 report is to provide management at the Region of Peel and the Audit Committee with information to proactively assess the likelihood and impact that global risks may have on the Region’s strategic objectives, Term of Council Priorities both current and future, Term of Council Enabling Strategies and implications to the programs and services we offer and to help determine if mitigation strategies in place address those risks that can significantly impact the Region’s success. The intent is not to manage all risks but to gain an understanding of the external environment from a global risk perspective that can influence our strategic direction.

3. Approach

The World Economic Forum conducted the Global Risk Perception Survey of leaders from business, government, academia and non-governmental and international organizations between October and November 2013. In order to capture the voice of the youth, the survey also included the World Economic Forum’s community of Global shapers with the under 30’s accounting for approximately one-quarter of the respondents. This report summarizes the top 10 global risks of highest concern for 2014 and specifically focuses on three risks as determined by the respondents that were not captured as part of the 31 global risks. It is important to note that although the risks are ranked sequentially most risks are interconnected, for example, fiscal crises in key economies would be tightly connected to structurally high unemployment or underemployment, and should be considered holistically.

4. Analysis

The following ten Global Risks were ranked as highest concern by respondents for 2014.

1. Fiscal crises in key economies 2. Structurally high unemployment/underemployment 3. Water crises 4. Severe income disparity 5. Failure of climate change mitigation and adaptation 6. Greater incidences of extreme weather events (e.g. floods, storms, fires) 7. Global governance failure 8. Food crises 9. Failure of a major financial mechanism/ institution 10. Profound political and social instability

The three risks in focus were derived by asking respondents the following two questions: Which risk of major concern is missing from the list of 31 risks? And which additional issues could potentially emerge as a risk of major global concern in the future? The following three risks in focus include:

5.8-2


- 3 -

1. Instabilities in an increasingly multipolar world. Changing demographics, growing middle classes, fiscal restraints will place increasing demands on domestic governments.

2. Generation lost? The next generation, those coming of age in the 2010s will face high unemployment and unstable job situations thereby limit their abilities to meet their full economic potential.

3. Digital disintegration. With an increase reliance on internet use for commercial practices, the threat remains for cyber-attacks. The internet would cease to be a trusted medium for communication and commerce.

Economic, societal and environmental risks dominate the list of global risks that respondents were most concerned about. Fiscal crises emerged as the top issue and continues to persist. This may be as a result of the lasting impact of the 2007 – 2008 financial crises which has left advanced economies with high levels of public debt and deficits. The report breaks down risks into five broad global categories and is in-line with the Regional risk categories. Internal Audit has contrasted the risk categories from the World Economic Forum against the Regional risk categories for ease of reading.

Risks

World Economic Forum Region of Peel Economic Risk

Fiscal and liquidity crisis, failure of a major financial mechanism or institution, oil-price shocks, chronic unemployment and failure of physical infrastructure on which economic activity depends

Economic Risk

Risk and opportunities affecting the Region’s ability to meet its financial commitments, including changing government funding strategies, internal budget pressures and the performance of multi-level government economies

Environmental Risk

Include both natural disasters, such as earthquakes and geomagnetic storms, and man-made risks such as collapsing ecosystems, freshwater shortages, nuclear accidents and failure to mitigate or adapt to climate change

Environmental Risk

Risk and opportunities relating to the Region’s environmental policies and plans including energy efficiency, pollution, recycling, landfill requirements, climate change and emissions

Geopolitical Risk

Covers the areas of politics, diplomacy, conflict, crime and global governance. These risks range from terrorism, disputes over resources and war to governance being undermined by corruption, organized crime and illicit trade

Political Risk

Risks and opportunities associated with the political environment including changing federal and/or provincial governments. In addition, the risks of not delivering on federal or provincial government policy or to meet local administration’s political commitments

Societal Risk

Captures risks related to social stability, such as severe income disparities, food crisis and

Social Risk

Risk and opportunities associated with the effects of changing demographics including

5.8-3


- 4 -

Risks

World Economic Forum Region of Peel

dysfunctional cities, and public health, such as pandemics, antibiotic-resistant bacteria and the rising burden of chronic disease

population growth rates, changes in immigration policies, aging population rates and local cultural issues

Technological Risk

Covers major risks related to the growing centrality of information and communication technologies to individuals, businesses and governments. These include cyber-attacks, infrastructure disruptions and data loss

Technology/ Information Management Risk

Risk and opportunities associated with the capacity of the Region to deal with technological change. The ability to use technology to address changing demands. Includes the consequences of not using technology to help achieve objectives, the risks associated with security and privacy and inability to effectively collect and use information

Detailed information of each risk is attached as Appendix I - Risks of Highest Concern. CONCLUSION

The World Economic Forum produces the Global Risks 2014 report based on the perceptions of world leaders and youth respondents. The information contained in the report can help to inform management and the Audit Committee on the potential likelihood and impact that global risks may have on the Region’s strategic objectives, Term of Council Priorities both current and future, Term of Council Enabling priorities and implications to the programs and services we offer. The information contained in this report should be treated as advisory. It is not intended to conclude on the effectiveness of mitigation strategies in place at the Region of Peel.



1. Summary of Global Risks - Risks of Highest Concern For further information regarding this report, please contact Michelle Morris at extension 4247 or via email at [email protected]. Authored By: Michelle Morris, CPA, CGA, FCCA, CIA, CRMA from information adapted from “Global Risks 2014, Ninth Edition”, World Economic Forum, Switzerland, 2014 report.

5.8-4

APPENDIX I Summary of Global Risks 2014

2

Top Ten Risks

Risk Risk Type Description

1. Fiscal crises in key

economies

Economic This risk was identified as the highest

concern for 2014. Contributing factors to

this risk include the continued high levels

of public debt and deficit levels countries

continue to carry. Fiscal crises can

severely affect the stability of the global

economy.

2. Structurally high

unemployment/

underemployment

Economic Structurally high unemployment and

underemployment appears second

highest concern. People both in

advanced and emerging economies are

struggling to find jobs. Youth and

minorities are especially vulnerable.

Youth unemployment rates in some

countries are around 50 per cent (Greece,

Spain and South Africa).

3. Water crises Environmental Water crises were identified as the

highest ranking environmental risk. There

is a growing awareness of the global

water crisis as a result of

mismanagement and increased

competition for already scare water

resources from economic activity and

population growth. This risk is

interconnected with greater incidences of

extreme weather events.

4. Sever income disparity Societal This societal risk is closely associated

with structurally high unemployment and

underemployment. This risk raises

concerns about the Great recession and

the squeezing effect on the middle class

in developed nations contrasted with

reduced income levels in emerging and

developing countries.

5.8-5


3

Top Ten Risks


5. Failure of climate

change mitigation and

adaptation

Environmental Uncertain and changing weather patterns

have resulted in this environmental risk

being ranked at fifth on the list. This risk

is interconnected with greater incidences

of extreme weather events.

6. Greater incidences of

extreme weather events

(e.g. floods, storms,

fires)

Environmental Extreme weather events such as floods,

droughts, earthquakes, heavy rainfalls,

forest fires have resulted in this risk being

ranked as sixth. Though classified as an

environmental risk, the effects of this risk

include damage to private and public

property and the food supply.

Additionally, emerging and developing

nations may have limited capacity to deal

with costs associated with the cleanup of

extreme weather events.

7. Global governance

failure

Geopolitical Though not ranked as the top risk, global

governance failure is viewed by

respondents as the risk most connected

to all the other risks.

8. Food crises Societal Food crises ranked eighth in the list and

are tightly interconnected with water

crises, extreme weather events, and

climate change. Additionally as

populations continue to grow, this risk in

terms of likelihood and impact will

continue to escalate.

9. Failure of a major

financial mechanism/

institution

Economic Failure of a financial mechanism and

institution, fiscal crises and liquidity crises

are strongly interconnected with further

connections to unemployment,

underemployment, income disparity and

political and social instability. An example

of this was evidenced by the failure of a

financial institution resulting in liquidly

5.8-6


4

Top Ten Risks


crises affecting multiple national

economies. High levels of unemployment

resulted, widened income disparity, social

and political tensions such as the ‘occupy

movement’.

10. Profound political and

social instability

Societal This societal risk made the top ten and

includes risks associated with the

breakdown of social structures, decline of

trust in public institutions, and lack of

leadership resulting in social unrest,

conflict and extremism. This risk is

interconnected to global governance

failure, structurally high unemployment

and underemployment, fiscal crises in key

economies and severe income disparity.

Three Risks in Focus


1. Instabilities in an

increasing multipolar

world

Societal Changing demographics, growing middle

classes, ageing population and fiscal

constraints will place increasing domestic

demands on governments thereby

increasing requirements for internal

reform and shaping international

relationships.

2. Generation lost? Economic The generation coming of age in 2010s

face high unemployment and precarious

job situations thus limiting their ability to

build a future and raises the risk of social

unrest. In developed nations, students

are graduating with high debt levels and

education that mismatch current

employment demands. This points to a

5.8-7


5

Three Risks in Focus


need to adapt and integrate professional

and academic education.

3. Digital disintegration Technological The underlying dynamic of the online

environment is that it is easier to attack

than defend. The world may only be one

disruptive technology away from attackers

gaining an advantage meaning the

internet would cease to be a trusted

medium for communication and

commerce.

5.8-8

the regional municipality of peel audit and risk … · 2015-02-09 · arc-2015-1 -2- february 5,...

Documents