Value Added Auditing. Edwin Young, Office of the City Auditor, City and County of Honolulu. October 24, 2012.
Traditional Auditing • Performed after a program, project, or system is established • Audit relies on historical data • Audit results are based on existing operations • Recommendations require changes to existing program • Recommendations may require rework
What is front end auditing? • Audits programs, projects, or systems before they exist • Historical data may not exist • Requires creative and innovative auditing • Forward auditing involves prospective analysis based on assumptions and events that may occur (GAO)
Audit Criteria • Does the audit: • add value to management efforts • provide external perspective to program • identify issues and deficiencies not identified by management
Audit Criteria • Does the audit: • re-affirm management decisions and actions • provide management some assurance on the work underway • focus management on controls and other improvements needed • improve the program, project, or system
Audit Criteria • Auditor must preserve independence and objectivity • Front end auditor • has conflict of interest • cannot audit the program, project, or system after it is operational • potential conflicts of interest must be disclosed • may not be able to claim audit was performed in accordance with GAGAS
4 Case Studies • Front-end, value added audits: • Implementation of SAP Enterprise Resource Planning (ERP) System • City Takeover of County Airport • Review of Proposed City Environmental Services Center • City On-Line Camping Permit System • City Ambulance Operations
Implementation of SAP Enterprise Resource Planning (ERP) System
BACKGROUND • City of Palo Alto Revenues: $440.5 million • City expenditures: $460.8 million • Staffing: 1,017 FTEs
BACKGROUND • Accounts Payable Checks: 13,000 • Utility Bills: 370,000 • Utility Charges: $220.8 million • Utilities include: electric, gas, water, wastewater collection, fiber optic, refuse, storm drain, and wastewater treatment
BACKGROUND • July 2002: city selected and began implementing SAP Enterprise Resource Planning (ERP) system • SAP ERP supports city core business functions (accounting, finance, purchasing, human resources, and utilities) • SAP ERP installation cost: $15 million • Annual operations and maintenance: $3 million
AUDIT OBJECTIVES • Monitor the SAP ERP implementation • Determine if internal controls for the new SAP ERP system are adequate. • Determine if SAP ERP implementation follows best practices
AUDIT RESULTS • Phase 1: auditor identified need for improved internal controls, access controls, audit trails, and authorization tables monitoring • Phase 2: auditor reported satisfactory project preparation, blueprint and design
AUDIT RESULTS • Phase 3: Auditor reported problems: • Transaction and integration testing shows deficiencies • Problems found during testing not resolved • User inputs ignored
AUDIT RESULTS • Project managers plan to activate system (go on-line) by target date regardless of deficiencies • Managers plan to fix problems after system is activated • Concerns with system security • Lack of contingency planning for the transition from the existing system to the new system
AUDIT RESULTS • Phase 3: Auditor advises not to activate system • Auditor advice ignored by SAP ERP steering committee, program management office, and top level managers • Per auditor suggestion, City hired outside consultant to evaluate and test the new SAP ERP system • Outside consultant confirmed auditor findings
AUDIT RESULTS • Outside consultant recommended the city should: • Follow best practices • Use audit logs, firewalls, encrypt cardholder data, use unique system administrator names, control the system change process • Implement periodic vulnerability scans, ensure timely updates, implement NIST standards, comply with PCI-DSS requirements, and improve system security
HOW THE AUDIT WAS DONE • SAP contract and scope of work reviewed • SAP management reports and vendor progress reports reviewed • Project plans reviewed • Contract administration files monitored
HOW THE AUDIT WAS DONE • Auditor attended project meetings • Auditor participated in project testing • Auditor monitored project team and users' activities • Auditor maintained open and daily communications with project team and users
HOW THE AUDIT WAS DONE • Auditor identified best practices for system development • Auditor compared system development with best practices • Auditor became familiar with system development practices
CITY OUTCOME • Phase 1 activated with few problems • Phase 2 project design was satisfactory • Phase 3: system activated despite auditor warnings.
CITY OUTCOME • Significant problems occurred: • Inaccurate monthly utility bills for many customers • Hundreds of customer complaints to city and City Council • Customer service overwhelmed • Long waits on the telephone
CITY OUTCOME • Utility staff had to manually review 30,000 utility bills each month • Staff overtime increased • City suffered bad press and criticism from press, media, city council, city residents, and many others • City credibility affected
CITY OUTCOME • Inaccurate billings affected accuracy of city ledgers and finance reports (general ledger, accounts receivable, etc.) • Accounting staff had to manually correct inaccuracies and spend overtime checking and resolving the inaccurate data • Additional staff hired to detect, correct, and resolve inaccurate billings and accounting data
CITY OUTCOME • System solutions required retroactive changes to system in 17 critical areas • System errors took months to correct • Post operations corrections were very, very costly
FOLLOW-UP AUDIT RESULTS • DIFFERENT AUDITOR PERFORMED FOLLOW-UP AUDIT ON SAP ERP SYSTEM • SAP SECURITY DEFECTS FOUND • SAP ERP system not secured • Security controls almost non-existent • Generic, default password not disabled • User access not restricted
FOLLOW-UP AUDIT RESULTS • Auditor could access sensitive and confidential data • Auditor could change data for payroll, pay, employee promotions, employee status, and much more • NIST and PCI-DSS requirements violated • City vulnerable to significant losses and liabilities if data breached
Case Study: City Takeover of County Airport (map of Santa Clara County airports: San Martin Airport (South County), Reid-Hillview Airport, Palo Alto Airport)
BACKGROUND • City of Palo Alto leased land to Santa Clara County for a general aviation airport
BACKGROUND • Lease Terms: • Over 100 acres • 50 years for total payment of $25 • Lease expires in April 2017 • County built airport • County to be reimbursed for capital costs • Airport revenue used to repay County for airport expenditures
BACKGROUND • County operates 3 general aviation airports • County costs (county salaries, administrative costs and operating expenses) are prorated to each airport
BACKGROUND • County business plan reports: • Airport deficits will continue, • Recommends drastically increasing airplane tie-down fees, and • Advises to limit capital investments to the airport
AUDIT OBJECTIVES City Auditor asked to: • Review airport financial statements, • Evaluate County allocation of expenses and overhead, and • Determine financial viability of airport • I.e., should the city take over operations of the County airport?
HOW THE AUDIT WAS DONE • Compiled history of profits, losses, and outstanding advances • Reviewed financial statements and County accounting data • Analyzed County method for assigning costs and overhead to the 3 County airports
HOW THE AUDIT WAS DONE • Compared operating revenues, expenses and income for all County airports • Analyzed depreciation schedules • Performed detailed review of County accounting records
HOW THE AUDIT WAS DONE • Reviewed the airport and airport business lessee leases • Reviewed County-City joint agreements (for maintaining airport levees, etc.) • Created a spreadsheet model and recalculated the direct and pooled charges assigned to each airport
HOW THE AUDIT WAS DONE • Reviewed the airport master plan and the County business plan for each airport • Examined previous consultant reports • Compared proposed rate increase with rates for other airports • Visited each County airport and its operations
HOW THE AUDIT WAS DONE • Interviewed County and airport staff and executives • Interviewed members of the airport commission, land use commission, and joint airport committee
AUDIT RESULTS • Palo Alto airport was profitable. • Airport generated more than $400,000 in net income since the airport was constructed • Profits were used to repay the County for its capital startup costs • Principal balance for original $1 million investment was down to $680,000
AUDIT RESULTS • Airport carried over 30% of the pooled airport costs for all 3 County airports • County pooled and overhead costs were over 40% of the airport operating expenses • Operating income and profits for the other 2 County airports would be significantly reduced or become losses without PA airport
AUDIT RESULTS • County expenses for realigning the airport road were incorrectly charged to the airport • County expenses for repairing the airport levees were improperly charged to the airport • Airport was charged for federal and state funded capital improvements
AUDIT RESULTS • County overcharged airport for some expenses • Airport depreciation calculations were questionable • Airport cash flow was positive
AUDIT RESULTS • The County outstanding balance was not accurate • The County balance as stated would be fully paid by the end of the lease (without the 30% increase in fees) • No formal City-County loan agreement existed • I.e. the airport was technically not required to repay the County investment
AUDIT RESULTS • The proposed aircraft tie-down fees would be higher than nearby airports and could threaten the viability of the airport • Opportunities existed for increasing airport revenues once the County subleases to airport business owners expired
CITY OUTCOME • County proposed fee hikes were reduced • City agreed to a moderate increase in the aircraft tie-down fee (provided the fees were competitive with nearby airports)
CITY OUTCOME The City Council • Encouraged the County to continue operating the airport • Encouraged the County to maintain and improve the airport • Started negotiations to take over the airport
Case Study: Review of Proposed City Environmental Services Center (ESC)
BACKGROUND • City of Palo Alto public works department proposed 19-acre ESC • Project would offer multiple services at landfill site • City Council appropriated $3.6 million for project
BACKGROUND • Project changed from 1998 to 2004 • City staff updated alternatives in 2004 • City staff claimed new ESC center would save $1 million per year