1/18/2019

Audit Committee Item 6 | January 11, 2019 1

FY 2019 Internal Audit Program Semi-Annual Update

Audit Committee Item 6 | January 11, 2019

Overview

• The SANDAG Internal Audit Program performs avariety of audit services to assist managementwith the evaluation and improvement of theeffectiveness of its risk management, control,and governance processes

• The Internal Audit Staff consists of a PrincipalManagement Internal Auditor and a part-time SeniorManagement Internal Auditor

2

1/18/2019

Audit Committee Item 6 | January 11, 2019 2

Key Considerations

3

• During the first six months of FY 2019, the internal auditors completed two performance audits, one follow-up to a prior audit, and currently are working on nine assignments

• The completed audits identified areas for operational improvements

• The completed follow up shows that management has made progress with corrective actions

Completed Assignments

4

South Bay Expressway Toll Violations Report: August 17, 2018

Purpose

Assess and validate whether SBX complies with the applicable California toll evasion violation vehicle codes; and if internal procedures are adequate to process violations in a fair and consistent manner.

Overall Results

The audit revealed that SBX generally complies with the applicable California vehicle codes and has adequate internal procedures in place to handle toll violation processing; however, we also noted areas for improvements.

Findings

• SBX experienced lost revenue from its inability to process all trip transactions because of several operational factors.

• A significant number of out-of-state vehicles were not pursued as violators.

• SBX experienced a significant delay in its collection process resulting in missed opportunities for tax intercept refunds for delinquent violators.

1/18/2019

Audit Committee Item 6 | January 11, 2019 3

Completed Assignments

5

South Bay Expressway Toll Violations Report: August 17, 2018

Recommendations

• Consider performing a comprehensive review of its overall program;

• Review its FTB Tax Intercept participation to determine whether current and past practices complied with applicable requirements; and

• Work with the Contracts team to issue a contract with a vendor to obtain out-of-state registration information.

Management’s Response

SBX agreed with our recommendations and has already implemented actions to address some of the noted issues. SBX plans to take additional actions to further strengthen its business practices.

Completed Assignments

6

As-Built Plans Report: September 17, 2018

Purpose

The audit assessed whether Mobility Management and Project Implementation Department was complying with applicable policies and procedures.

Overall Results

The audit revealed that staff and consultants did not consistently follow the applicable as-built procedures.

Findings

• Untimely completion of final as-built plans;

• Lack of complete documentation;

• Inconsistent storage of hard and electronic copies; and

• No evidence that staff reviewed as-built plans to determine whether any portion of the plans should be classified as Sensitive Security Information (SSI).

1/18/2019

Audit Committee Item 6 | January 11, 2019 4

Completed Assignments

7

As-Built Plans Report: September 17, 2018

Recommendations

• Take steps to ensure its staff understand and fully comply with the as-built procedures included in the Manual;

• Review and revise the Manual accordingly; and

• Develop a process for staff to review and document SSI as it relates to as-built plans.

Management’s Response

MMPI agreed with our recommendations and has already implemented action to address one of the noted issues. MMPI plans to take additional actions to address the remaining issues.

Completed Assignments

8

Information Technology Security Controls Follow upAudit Report: March 23, 2018 Follow-up: November 15, 2018

Purpose

Follow up of actions taken by the SANDAG Operations and Administration Departments to address the recommendations contained in the performance audit

Audit Results

The audit revealed that SANDAG has many elements of an adequate IT security environment, but also lacks vital components that should be included in an effective agency-wide IT security program.

Findings

• SANDAG lacks a comprehensive risk assessment program;

• Necessary business continuity plans are not in place;

• SANDAG has been slow to finalize important deliverables from a recent agency-wide privacy assessment; and

• The integration of SANDAG’s IT governance structure can be better coordinated.

1/18/2019

Audit Committee Item 6 | January 11, 2019 5

Completed Assignments

9

Information Technology Security Controls Follow upAudit Report: March 23, 2018 Follow-up: November 15, 2018

Recommendations• Implement a comprehensive IT security risk assessment program;• Develop necessary business continuity processes that include business

continuity plans for critical IT systems; • Take necessary steps to address the 16 action items; and • Consider a centralized IT security governance structure.

Management’s Response

Operations agreed with our recommendations and has already implemented actions to address some of the noted issues. Involvement of SANDAG Executive Management will be needed for the successful implementation of additional corrective actions.

Follow-up Results

Overall, we concluded SANDAG has made progress with implementing many of its corrective actions and should be able to implement the remaining actions by June 30, 2019.

Work in Progress

10

Performance Audits

NCTD Bombardier Flagging Payments

Job Order Contracting (JOC)

Procurement Card/Travel Reimbursement

MuniServices

Cash Liquidity

Collection of Receivables

Follow Up

Small Business Program and Labor Compliance

Non-Audit Service

External Peer Review (California Department of Education)

Mid-Coast Project Review of DBE Payment Compliance

Audit Committee Item 7 | January 11, 2019 1

An action plan committed to listening to stakeholders, learning from experience, and leading continual improvement

Final Report

Audit Committee Item 7 | January 11, 2019

2

An action plan committed to listening to stakeholders, learning from experience, and leading continual improvement

Audit Committee Item 7 | January 11, 2019 2

3

Implementation timeline

4

Develop and implement practices to ensure the management, accuracy, and reliability of SANDAG data

Highlights

• Data accuracy

• Process transparency

• Department reorganization

Data governance

Audit Committee Item 7 | January 11, 2019 3

5

Regional forecasting practices

Implement tools and practices to improve the accuracy, reliability, dissemination, and transparency of SANDAG forecasts

Highlights

• Develop simplified forecasting tools

• Use ranges to express inherent uncertainty

• Involve outside experts in development and review

6

Improve communication of funding capacity, revenue projections, and project cost estimates

Highlights

• Cost estimating and Regional Plan cost and revenue presentations

• Program and project status

• Plan of Finance for Major Corridors andTransit Operations Funding Plan

Cost and revenue plans

Audit Committee Item 7 | January 11, 2019 4

7

Enhance operational oversight and review by establishing a Board-level audit program

Highlights

• Board Policy No. 039: Audit Policy AdvisoryCommittee and Audit Activities

• Initial meetings of the Audit Committee

• Recruitment of the Independent Performance Auditor

Independent performance audits

8

Prepare policies, procedures, and training for SANDAG employees regarding the creation, maintenance, and retention of public records

Highlights

• Policies revised, developed, and implemented

• All employees trained annually on public records management

Records management

Audit Committee Item 7 | January 11, 2019 5

9

Enhance internal and external informationsharing by ensuring SANDAG communications are straightforward, easy to understand, and reach a variety of audiences

Highlights

• Updated Board Policy No. 025: Public Participation Plan Policy

• Updated ethics training content

• Making information simpler and more accessible

Transparency initiatives

10

Proactively inform member agencies, stakeholders, and the public to increase awareness of SANDAG programs and projects

Highlights

• Report to Legislature on public transit

• Emphasis on outreach with/to local jurisdictions

• Providing more information to Board members/jurisdictions

Stakeholder communication

Audit Committee Item 7 | January 11, 2019 6

11

Conduct an independent review ofdepartment structure and staffingresources necessary for success

Highlights

• Management consultant to start work in spring 2019

Organization structure

12

Next steps

• Complete implementation of final action items

• Continue to incorporate improvements and effective practices into SANDAG operations

Audit Committee Item 7 | January 11, 2019 7

An action plan committed to listening to stakeholders, learning from experience, and leading continual improvement

Final Report

Audit Committee Item 7 | January 11, 2019