
TO: Operations, Finance and Administration Committee

FROM: Scott Zaczkowski, Director - Internal Audit (612-467-0526)

SUBJECT: MAC Internal Audit Department Proposed 2022 Annual Audit Plan

DATE: October 27, 2021

FOR ACTION

Summary

Attached for your review is the 2022 MAC Internal Audit Department Annual Audit Plan.

Action Requested

Recommend to the full Commission approval of the 2022 MAC Internal Audit Department Annual Audit Plan.

Background

In accordance with the MAC Internal Audit Charter and the Standards for the Professional Practice of Internal Auditing, the MAC Internal Audit Department is directed to develop an annual audit plan and present it to the Commission for approval. The plan is developed based on an annual risk assessment of current organization financial risk levels.

OF&A 11/01/2021 Business Item 3.1.


MAC INTERNAL AUDIT DEPARTMENT 2022 Annual Audit Plan

The mission of the MAC Internal Audit Department is to provide reasonable assurance that the organization has an effective internal control structure in place and to furnish Commissioners and Management Staff with independent analysis, appraisals, recommendations, and relevant comments regarding the Commission’s compliance with financial and internal control policies and procedures. In addition, the Internal Audit Department performs analysis and testing of the financial performance of the Commission’s revenue and expense contracts and other activities to provide assurance of adequate compliance with key finance related contract provisions.

Department Structure, Independence and Responsibilities:

The Internal Audit Department’s structure as well as its role and responsibilities were formalized by the Commission in the Internal Audit Charter. The department reports functionally to the Operations, Finance and Administration Committee of the Commission and reports administratively to the Executive Director/CEO. This reporting structure allows the Internal Audit Function to operate with sufficient independence from senior management to provide objective analysis and conclusions. Internal Audit staff has full and unrestricted access to all MAC properties, information and personnel. Audit selection and planning is accomplished by department staff under the direction of the Commission. Audit results are reported directly to the Commission and to senior management.

Department roles and responsibilities are laid out in the Internal Audit Charter that was approved by the Commission in 2007 and revised in 2013, 2018 and 2019. The audit charter addresses the issues of auditor professionalism through adherence to the internal audit professional standards, assigns department responsibilities, requires the reporting of significant audit issues to the Commission and requires that the Commission approve the Annual Audit Plan.

Audit Professional Standards:

The MAC Internal Audit Department follows the Standards for the Professional Practice of Internal Auditing as prescribed by the Institute of Internal Auditors. The audit standards provide guidance to professional auditors in the areas of independence, objectivity, proficiency, due professional care, continuing professional development, quality assurance, engagement planning, management and supervision, and communication of audit results. MAC Internal Audit is required to perform annual self-assessments of the compliance of its work with applicable professional standards with periodic independent validation of those assessments required at five-year intervals. Representatives of the Institute of Internal Auditors complete an Internal Audit Quality Assessment of the MAC Internal Audit Department every five years and a report of results is provided to the Commission. The last assessment conducted in December 2018 showed that the MAC Internal Audit Department was in compliance with the Standards for the Professional Practice of Internal Auditing.


Internal Audit Staffing Resources:

The Internal Audit Department is staffed with a Director, an Information Systems Audit Coordinator and two Senior Internal Auditors. Current staff is well qualified and has extensive audit experience both with MAC and with other governmental and private entities. One staff member is a Certified Public Accountant, one is a Certified Information Systems Auditor, three are Certified Fraud Examiners, one is a Certified Internal Auditor and one holds a Certification in Risk Management Assurance (CRMA).

Auditor Training:

MAC has annually invested in the training of audit staff and in developing and maintaining staff professional certifications. Training is focused in the areas of technology, fraud detection, audit methodology and professional ethics. Auditors attend regular training sessions to gain new knowledge that can be applied to the implementation of the annual audit plan. Regular training is also accomplished so that staff can maintain professional certifications by meeting applicable training requirements.

Internal Audit Planning Process:

With limited resources and staffing, the Internal Audit Department assigns auditors and develops audit testing based on the assessed risk of errors, non-compliance or misstatement in each business area. The business areas within MAC vary greatly in the levels of financial risk that they present to the organization. The following factors are considered and were used in the development of the risk assessment which is used as a guide in determining the levels and types of audit procedures that will be used.

1. Inherent Risks – Different types of transactions vary significantly in the level of inherent risk associated with those transactions. For example, revenue that is obtained through the collection of fixed rental amounts or revenues that are calculated by MAC using Commission approved rates to recover certain costs (i.e. Airline Rates and Charges) would present a much lower risk of misstatement or error to MAC than rent obtained as a percentage of variable revenue collected by tenants or revenue obtained through variable collections made by staff or external parties such as parking revenues. The level, complexity and frequency of audit testing varies significantly based on the assessment of risks that are inherent in each type of transaction.

2. Control Testing – A review of existing controls and related processes is significant in determining what level of audit testing is needed to reduce risks of errors or misstatements to an acceptable level. Controls over cash collections or disbursements can take many forms and vary greatly in their overall effectiveness. Determining the effectiveness of controls and the residual risk that remains after the controls are applied is key to developing effective and well-focused audit procedures. Key considerations include determining whether controls are preventive or detective.


Preventive controls are set up to prevent errors and fraud from occurring. These can take the form of controls built into accounting systems that simply will not allow certain entries to the system or greatly restrict which staff can make certain entries and adjustments. Examining system access to determine whether it is restricted to the lowest reasonable level and reviewing transactions that are produced in business areas impacted by the controls is key to determining the effectiveness of controls and the levels of further audit testing that are needed.

Detective controls do not restrict actions but rather provide a way for management to effectively monitor the actions of staff and identify inaccurate or inappropriate transactions. Detective controls can be very effective if used properly but are reliant on the diligence of managers in reviewing information and making judgments about the appropriateness of staff activities and then acting on those judgments.

In general, preventive controls are much more effective than detective controls. When preventive controls are in place, the auditor’s responsibility is to periodically review the preventive controls to ensure that they have not been altered in a way that would weaken them. When a financial process is reliant on detective controls, it becomes the auditor’s responsibility to review the effectiveness of those controls at appropriate intervals to ensure that supervisory staff is performing the steps needed to retain the effectiveness of the controls.

3. Past History – MAC auditors have a wealth of experience in working with various MAC business areas and use that knowledge in determining which areas to test and how to properly design those tests. In addition, many of the types of risks that MAC faces are not unique to MAC but exist in other organizations including other airports across North America and around the world. MAC auditors often receive information and input through training opportunities, professional conferences and through peers in other organizations. Knowledge and experience derived from many sources has been used to develop and refine MAC audit procedures.

4. Materiality – Assessing the dollar amounts of resources related to a particular business area and the impact to MAC if those resources were compromised is an important consideration.

5. Reputation – While dollar amounts and related materiality are important, MAC Auditors must also consider the potential impact of loss or misstatement regardless of the dollars involved. As a public entity, it is critical to MAC to be viewed by the public as a reliable and ethical custodian of important public assets. Situations involving fraud or misstatement related to public funds or other assets, regardless of the dollar amount involved, can have a very detrimental impact on MAC’s reputation. MAC auditors often examine activities and transactions that have elevated risk levels even if the dollar amounts involved are relatively small.


6. External Audit Coverage – MAC is required to hire independent auditors to perform an annual financial statement audit along with Single Audit procedures related to federal programs. In addition, MAC falls under the jurisdiction of the Minnesota Office of the Legislative Auditor. In developing and implementing our internal audit procedures, it is important to gain an understanding of and consider the work of these independent auditors. The independent auditors’ objectives in performing their audits vary significantly from Internal Audit’s objectives, but in some areas our objectives could overlap. It is important to consider and coordinate our work with the external auditors to avoid duplication of efforts and to provide maximum value to MAC. These external audit professionals are a valuable resource for Internal Audit in refining our audit scope.

Internal Audit Approach:

Starting in 2013, the Commission authorized the MAC Internal Audit Department to implement a continuous audit approach to develop a more comprehensive and efficient internal audit activity. Continuous auditing is a departure from conventional audit activities that had been used in the past in that it involves frequent audit analysis and testing over a wide range of financial activities. Testing is accomplished at regular frequent intervals in each area within the selected audit scope. Technology plays a key role in continuous audit activities by helping to automate the identification of exceptions or anomalies, analyze patterns within the digits of key numeric fields, review trends, and test controls, among other activities.

The following are key elements in the continuous audit approach:

1. Understanding the Audit Universe

Every organization has a unique set of risks and controls which must be thoroughly understood in order to perform effective internal audit procedures. MAC’s key risks and controls are outlined in the MAC Risk Assessment. Audit resources need to be focused primarily in areas that present elevated risks of financial errors or misstatement.

2. Data Access

The continuous audit approach became possible with the availability of large volumes of financial data generated by various business systems and with the use of sophisticated analytical software that is capable of analyzing large volumes of data. MAC auditors can directly link to various MAC business systems and download all relevant transactions in each business area. In addition to MAC generated data, auditors obtain reports and data files for testing from a wide range of MAC business partners.

3. Understand Compliance Criteria

Review key compliance criteria including policies, procedures, contracts and laws. Determine Commission and management directives and expectations. Determine what types of substantive testing will best serve to identify compliance issues.


4. Analytical Procedures

Review the population of transactions and gain an overall understanding of the elements that make up account balances. Run tests to summarize, stratify and classify data in various ways to determine the reasonableness of account balances in the current period against similar balances in prior periods or other relevant information. Break down and summarize transaction groups into their basic elements and assess the reasonableness of subgroup balances in relation to established norms. Develop historical data and analysis for comparison with future periods.

5. Substantive Testing

Account and Report Balance Reconciliation – Summarize, organize, and compare data from various sources to relevant account balances, reports, payments and disbursements to test for accuracy.

Account Adjustments – Review adjustments to account balances for reasonableness, documentary support and management approval.

Sample testing – Develop the means through data analytics or other methods to identify outlying transactions for further testing. Ensure that samples represent all material transaction types. Review test results with relevant management and staff to better understand the reasons for outlier transactions.

Trend analysis – Review data trends and compare to historical data and other established criteria.

Exception testing – Identify unusual or high-risk transactions for separate testing and analysis.

Benford analysis – Use analysis of transaction dollar amounts to identify sample groups of transactions that fall outside of normal numeric distributions. Review representative samples of outliers to identify reasons behind variances.

6. Audit Documentation

Audit testing results and evidence must be fully documented by each auditor. For this purpose, audit results are organized and stored electronically. Audit documents are reviewed by audit supervisors for accuracy and proper documentation.

7. Audit Reporting

When audit testing is completed, fully documented, reviewed and approved, an audit report is drafted for review by management and affected staff. A final report is submitted to the Commission for their review and approval.

8. Audit Issues Follow-up

The continuous audit process is repeated on a quarterly cycle. Much of the audit testing is completed on a monthly basis. Auditors consider past audit issues and concerns in developing audit testing in succeeding periods. Audit issues are reexamined and changes in processes that were made in response to past issues are reviewed.


Audit Testing Areas

TRANSACTION TYPE: RECEIPTS

CONTINUOUS AUDIT CATEGORY

Food and Beverage

Retail

Accounts Receivable

Public Parking

Ground Transportation (Taxis, Shuttles, Employee Parking)

Auto Rental (On-Airport and Peer-to-Peer Car Sharing)

Ground Transportation (TNCs - Uber/Lyft)

AUDIT TESTING PROCEDURES

Analytical review by account and revenue source

Sample compliance testing

Benford analysis of dollar amounts

Analyze trends and compare to prior periods

Reconcile collections to revenue recorded on the parking system

Reconcile parking system revenue to primary accounting system

Test exception and reduction transactions

Compare rates charged to authorized rates

Test accuracy of charges to customers

Test parking system sales reports for accuracy

Test parking sales adjustments for accuracy and authorization

Reconcile collections to revenue recorded on the MAVIS system

Reconcile MAVIS system revenue to primary accounting system

Review no charge employee parking for compliance

Review system access rights

Validate that monthly payments reconcile to trip activity occurring within airport geo-fence

Validate that the monthly billing report (MBR) reconciles to the TNC wire payment

Validate that the TNC payments are uploaded into the MAC's accounting system accurately

Validate that all TNC transactions occur within the defined airport geo-fence boundary

Observe billable activity by recording license plate numbers and trace to data feed and MBR

Reconcile detailed transaction data to summarized revenue reports

Review transaction data for reasonableness and compare to prior periods

Inspect sales categories and transaction totals from each location for reasonableness

Review facilities charges reported and paid and compare to raw sales data

Review space rent and other payments required under each lease

Review sales reductions and adjustments

Peer-to-Peer: Compare monthly reports received from Turo with data files for completeness

Summarize and review sales data obtained from each operator

Reconcile summarized data to monthly operator sales reports

Reconcile subtenant sales reports to primary tenant sales reports and data

Review sales totals by date and location and compare to prior periods

Review rent calculations for compliance with lease terms

Review space rent, utilities and consortium fees for lease compliance

Summarize and review sales data obtained from each operator

Reconcile summarized data to monthly operator sales reports

Reconcile subtenant sales reports to primary tenant sales reports and data

Review sales totals by date and location and compare to prior periods

Review rent calculations for compliance with lease terms

Review space rent, utilities and consortium fees for lease compliance


Audit Testing Areas (continued)

TRANSACTION TYPE: DISBURSEMENTS

CONTINUOUS AUDIT CATEGORY

Accounts Payable

Purchasing Card Payments

Employee Payroll

Employee Benefits

Procurement

AUDIT TESTING PROCEDURES

Analytical review by account and payee

Sample compliance testing

Benford analysis of dollar amounts

Analyze trends and compare to prior periods

Map vendor locations to analyze payment trends

Reconcile bank records with expenditures recorded on MAC's accounting system

Perform analysis to detect inappropriate purchases

Review transactions that exceed normal purchase limits

Test for split purchases that would violate purchasing policy

Summarize and review purchases by merchant, category, business unit and cardholder

Review travel and business expense purchases for compliance with policies

Map vendor locations to analyze payment trends

Investigate unusual purchases and trends

Review payroll transactions by employee and business unit

Review payroll transactions by pay type

Review payments to ensure that they were made to authorized employees

Review payroll transactions for compliance with Human Resources policies.

Review payroll transactions for compliance with Organized Labor agreements.

Review payrate adjustments for proper authorization and compliance

Review paid leave transactions for compliance with HR Policies and Labor Agreements.

Review Workforce Director payroll subsystem.

Investigate differences and unusual trends

Reconcile active employee lists to benefit provider enrollment reports

Reconcile employee payroll withholding to Commission authorized rates

Reconcile benefit eligible retiree listings to retiree benefit enrollments

Reconcile retiree benefit payments to authorized rates and investigate differences

Review employee benefit enrollments for compliance with HR Policies.

Review employee benefit enrollments for compliance with Organized Labor Agreements.

Analyze purchase requisitions for compliance with policies

Review professional service authorizations and related payments

Review capital project authorizations and related payments

Summarize purchase totals by business unit and account and compare to prior periods

Review blanket purchase orders and compare to purchasing card transactions

Investigate differences and unusual trends


Audit Testing Areas (continued)

TRANSACTION TYPE: GENERAL ACCOUNTING

CONTINUOUS AUDIT CATEGORY

Journal Entries

Information Systems

Operating Bank Account

Investments

AUDIT TESTING PROCEDURES

Review adjustments for proper documentation, approval and reasonableness

Review adjustments by user for reasonableness

Investigate unusual transactions and trends

Review employee access to business systems. This includes providing feedback to supervisors and managers when changes to access are being considered.

Identify system access that does not match job duties. Review entries to various components of the main finance application by User ID to ensure users are only generating transactions relevant to their job duties.

Review access changes for proper documentation, approval and testing

Review employee terminations for appropriate and timely removal of system access

Review system changes for proper documentation, approval and testing. Ensure changes comply with policies and procedures.

Review monthly bank reconciliations of bank records to account balances

Review reconciling items for reasonableness

Ensure that reconciling items are cleared in a timely manner

Investigate differences and unusual trends

Review monthly investment reconciliations performed by the MAC Finance Dept.

Verify that sufficient collateral is pledged for MAC Investments

Review compliance with MAC Investment Policy


Special Audit Projects and New Audit Areas

Special Projects Currently Underway:

Inventory and Minor Assets (fieldwork stage – planned completion: February 2022) 

APD Property Room (fieldwork stage – planned completion: February 2022) 

Badging Systems Review (fieldwork stage – planned completion: May 2022) 

Silver Ramp Parking Expansion Project (follow‐up stage) 

Environmental Controls System Review (follow‐up stage)  

 

Consulting Engagements Currently Underway:  

Concessions Point of Sale Data Platform Implementation (Commercial Management & Airline Affairs) 

Parking Yield Management System Implementation (Landside) 

JMS Parking System Implementation (Landside) 

MAC Data Governance Implementation (Information Technology) 

For 2022, there are several business areas that will be considered for additional audit procedures:

Concessions Point of Sale (continuous audit development) 

Turo Pilot Project (continuous audit development) 

Construction Audit (specific project to be determined, co‐sourced) 

MAC Information Technology Policy Exception Review 

Replacement of Workforce Director payroll scheduling subsystem (consulting)   

The following projects may be considered in the future:  

Leasing at Reliever Airports 

Fixed Assets 

CitiWorks System Review 

MAC Business Continuity / Disaster Recovery 

Hotel Related Concessions (review controls related to revenue streams) 

Airport Concessions Disadvantaged Business Entity (ACDBE) Program Review 

Airport Development Disadvantaged Business Entity (DBE) Program Review 
