State of Hawaiiboe.hawaii.gov/Meetings/Notices/Meeting Material Library/AC_Agend… · Assessment and Audit Plan (the “Re-Assessment”) for the State of Hawaii, Department of Education

State of HawaiiDepartment of Education

Updated Risk Assessment and Internal Audit PlanJuly 1, 2019 – June 30, 2022

Subject to approval by the Board of Education at theMay 2, 2019 Audit Committee Meeting

This report is prepared solely for the internal use of the Board of Education and management of the State of Hawaii,

Department of Education.

This audit has been performed in accordance with the International Standards for the Professional Practice of Internal Auditing

Table of Contents

Executive Summary 3

Proposed Updated Internal Audit Plan 10

Appendices 30

Page

EXECUTIVE SUMMARY

3

Executive Summary – Introduction

This report presents the results of the Internal Audit Office’s (“IA”) efforts to perform an update of the Risk Assessment and Audit Plan (the “Re-Assessment”) for the State of Hawaii, Department of Education. The proposed Internal Audit Plan (“Audit Plan”) covers the three fiscal years between July 1, 2019 and June 30, 2022. The previous updated risk assessment and internal audit plan was presented in May 2018. The re-development and execution of this Audit Plan is important in meeting the mission of the Internal Audit Office – “to provide independent and objective assurance and consulting services designed to add value and improve the Department of Education’s (“DOE”) operations.”

Professional standards developed by the Institute of Internal Auditors (“IIA”) require that the Audit Plan be developed based on an assessment of risk. The Re-Assessment is a subjective process used to identify and evaluate various risks, internal and external, that could impact the achievement of the DOE’s goals and strategies. As the Audit Plan continuously evolves due to new circumstances or events which occur throughout the year, a re-assessment of the Audit Plan must be performed.

Internal Auditing is a valuable resource to an organization’s executive management, governing bodies (audit committees), and other stakeholders in helping them achieve their business and operational goals and objectives, as well as strengthening internal controls and governance. All risk assessments identify a group of high risks, as risk is constantly evolving; however, knowing the areas to audit and where to commit resources is key to the success of IA.

The Audit Plan was developed based on the results of the Re-Assessment, which included general high level interviews with members of management and the Board of Education (“BOE”), our knowledge of the DOE’s business risks, an evaluation of the results from projects completed during the past year, the current education system and regulatory environment, and an evaluation of the current internal control environment at the time of our analysis. IA assessed risk factors during the risk evaluation phase of the Re-Assessment and Audit Plan development process. A brief discussion of the Re-Assessment and Audit Plan development process is provided in Appendix A - Risk Assessment Re-Evaluation Process – Overview section of this report.

4

Executive Summary – Proposed Activity Hours

As a result of the Re-Assessment, 53 auditable areas for the DOE were deemed high risk. While these “high” risk areas would justify a significant Internal Audit effort, current resources available to address these risks are limited. Therefore, IA is proposing 3 assurance projects in fiscal year (“FY”) 2020, 3 assurance projects in FY 2021, and 3 assurance projects in FY 2022, which are also presented in detail on the following pages. The table below summarizes the hours of the proposed Audit Plan for the previous year (FY 2019) and the next three years (FY 2020 - FY 2022). As risks to the DOE change over time and as additional resources become available, management and the Audit Committee are encouraged to re-evaluate the Audit Plan periodically.

FY 2019 FY 2019 FY 2020 FY 2021 FY 2022

Proposed 2 Actual/Est. 3 Proposed 4 Proposed 5 Proposed 5

Assurance 5,470 5,255 4,260 4,800 4,800

IA Consulting & Monitoring 2,480 1,428 1,700 1,500 1,500

Fiscal Reviews & Other 3,600 3,708 3,600 3,600 3,600

Outside Consulting (SME) 0 40 6 100 100 100

Total 11,550 10,391 7 9,660 10,000 10,000

5

Proposed Internal Audit Activity Hours1

1 Activity hours do not include holiday, vacation, sick, and training hours.2 Hours based on a 12 month period and 7 staff members.3 Hours based on a 9 month period of actual hours and 1 quarter estimated as FY19 has not yet ended.4 Hours based on a 12 month period and 5.75 staff members5 Hours based on a 12 month period and 6 staff members

6 Outside consulting hours were low due to the rescheduling of IT projects requiring outside subject matter experts (SME) as a result of funding shortfall.7 Total activity hours were low due to unforeseen staff departure, sick leaves, and vacation leaves taken in FY 2019.

Executive Summary – Proposed Assurance Projects

6

ASSURANCE PROJECTS - FY 2020Project Timing Description Office

1 Q1 2020 Grant and Award Management Audit ODS2 Q2 2020 Data Integrity Review - Student Enrollment Follow-Up Audit (Apr 2013 Report) OITS3 Q4 2020 HawaiiPay System Post-Implementation Audit / Payroll Follow-Up Audit (Apr 2014 Report) OFS


4 Q1 2021 Use Of Facilities Audit OSFSS5 Q2 2021 Student Assessment Administrative Follow-Up Audit - Phase I (Mar 2015 Report) OSIP6 Q4 2021 Operational Audit of the Civil Rights Compliance Branch OTM


7 Q1 2022 Repair and Maintenance Audit OSFSS8 Q2 2022 Workers' Compensation Follow-Up Audit (Apr 2015 Report) OTM9 Q4 2022 Operational Audit of the Student Support Section OSSS / SCHOOLS

Executive Summary – Proposed Assurance Projects (Continued)

7

ASSURANCE PROJECT WATCHLIST (FUTURE PROJECTS & FOLLOW-UPS)Project Timing Description Office

10 N/A Decision Making Process Audit OTM11 N/A Professional Development (Travel) Audit OFS/SCHOOLS12 N/A Purchasing and Inventory Audit of the Facilities Maintenance Branch OSFSS13 N/A Operational Audit of the Hawaiian Education Program ODS14 N/A Student Transportation Services Implementation Follow-Up Audit (External Consulting Report) OSFSS15 N/A School Health Management Audit OSSS16 N/A Federal Survey - Impact Aid Audit OITS17 N/A Emergency Management Audit OSFSS / SCHOOLS18 N/A Summer School Audit - Official and Unofficial OCID19 N/A eTrition School Lunch System Post-Implementation Audit OSFSS / SCHOOLS20 N/A Operational Audit of the Budget Process OFS21 N/A Free and Reduced Lunch Eligibility Audit OSFSS22 PENDING Time & Attendance System Post-Implementation Audit / Leave Accounting Follow-Up Audit

#2 (Jan 2014 Report)OFS / SCHOOLS

23 N/A Fixed Assets Management Follow-Up Audit (Apr 2015 Report) OFS / SCHOOLS24 N/A Procurement & Contracting Process Follow-Up Audit #2 (Oct 2015 Report) OFS / SCHOOLS25 N/A Operational Follow-Up Audit of the Special Education Program (Jan 2016 Report) OSSS / SCHOOLS26 N/A Casual Hire Personnel Recruitment, Hiring & Payroll Processes Follow-Up Audit #2 (Jan

2017 Report)OTM / SCHOOLS

27 N/A School Food Services Follow-Up Audit #2 (Oct 2017 Report) OSFSS / SCHOOLS28 N/A Equipment and Fleet Maintenance Follow-Up Audit #2 (Jan 2018 Report) OSFSS29 N/A Ethics Follow-Up Audit (Feb 2018 Report) OTM30 N/A Construction Process and Internal Controls Follow-Up Audit #2 (June 2018 Report) OSFSS

Executive Summary – Changes to the Audit Plan

As a result of the re-evaluation process: Two (2) new projects were added

Project Timing Auditable Area Description

Purchasing and Inventory Audit of the Facilities Maintenance Branch Watchlist

OSFSSFacilities Maintenance -

Purchasing Services

Evaluate Facilities Maintenance Branch's (FMB) compliance with internal purchasing policies and procedures. Review the adequacy of current inventory management policies and procedures as they relate to tracking, monitoring, recording and disposing of inventory within FMB. Test the design of internal controls over purchasing and inventory in FMB and provide efficiency and effectiveness recommendations.

Summer School Audit - Official and Unofficial WatchlistOCID

Learning and Technology

Review, evaluate, and test the design, implementation, oversight, training, monitoring, and reporting of summer school programs in the Department, which includes both official and unofficial summer school programs. Review the Department's compliance with applicable laws and regulations. Provide recommendations based on leading practices to improve the efficiency and effectiveness of the Department's summer school programs.

New Projects

8

Executive Summary – Changes to Auditable Areas

As a result of the re-evaluation process, the following changes detailed below were noted to the prior year’s auditable areas.

9

Auditable Areas Office Changes

Alternative Learning Center OSSS Addition to the Office of Student Support Services

School Food Services - Farm to School OSFSS Addition to the School Food Services Branch in the Office of School Facilities and Support Services

Hawaiian Education Programs ODS Program moved to ODS from OS

Monitoring, Accountability & Compliance ODS Program moved to ODS from OS

Communications Services OSIP Program moved to OSIP from OS

Community Engagement OSIP Program moved to OSIP from OS

School Transformation OSIP Program moved to OSIP from ODS

Civil Rights Investigations & Compliance OTM Program moved to OTM from OS

Medicaid OSSS Formerly known as "Healthcare Contracts and Reimbursement Program"

Auxiliary Services - School Repair and Maintenance OSFSS Formerly known as "School Playgrounds & Projects" and "School Support Section"

Educator Quality Section OTM Formerly known as "Highly Qualified Teacher Section"

Data Governance and Analysis Branch OSIP Increased from "Medium" to "High" Risk

Auxiliary Services - School Repair and Maintenance OSFSS Increased from "Medium" to "High" Risk

Learning and Technology OCID Increased from "Medium" to "High" Risk

Assessment and Accountability Branch OSIP Decreased from "High" to "Medium" Risk

Budget Execution, Management & Monitoring OFS Decreased from "High" to "Medium" Risk

Reporting, Analysis & Reconciliation OFS Decreased from "High" to "Medium" Risk

Budget Preparation OFS Decreased from "High" to "Medium" Risk

New Auditable Areas

Office/Name Changes to Auditable Areas

Changes to Risk Rating

PROPOSED UPDATED INTERNAL AUDIT PLAN

10

Internal Audit Plan Period: July 1, 2019 through June 30, 2020 – FY 2020

Internal Audit Plan

The following represents the detailed Internal Audit Plan for the first fiscal year.

11

Project Auditable Area(s) Risk(s) Timing Est. Hrs.ASSURANCE

Grant and Award Management AuditReview the adequacy of current grant/award management policies and processes as they relate to the spending, reporting, program implementation, and monitoring of grants/awards received by the DOE. This audit will also include an assessment of controls over how requirements of the funding source are met and that federal and state dollars are spent in accordance with applicable laws and regulations. Consideration will be given to recommendations provided by external auditor's OMB Uniform Guidance (fka OMB Circular A-133 Single Audit).

Q1 FY 2020 600

PRIMARY FOCUS: Operational/Compliance

Data Integrity Review - Student Enrollment Follow-Up AuditFollow-up to Internal Audit’s Data Integrity Review - Student Enrollment to assess the implementation of Management’s Plans as described in the Final Report (FY 2013).

500

PRIMARY FOCUS: Operational/Financial

HawaiiPay System Post-Implementation Audit / Payroll Follow-Up AuditEvaluate the HawaiiPay System implementation, confirm business processes, ensure systems are aligned with business and project goals, identify continuous process improvement opportunities, and validate operational effectiveness of key internal controls. Follow-up to Internal Audit’s Payroll Review to assess the implementation of Management’s Plans as described in the Final Report (FY 2014).

OFSPayroll

Compliance RiskEfficiency RiskCycle Time Risk

Change Readiness Risk

Q4 FY 2020 650


Q2 FY 2020

ODSMonitoring,

Accountability & Compliance

Compliance RiskResource Allocation RiskRegulatory Reporting Risk

Opportunity Cost Risk

OITSSystems DevelopmentSoftware Development

Life Cycle, Project Strategy & Planning,Data Validation, IT

Security & Data Protection

Integrity RiskAccess Risk

Alignment Risk

Internal Audit Plan: FY 2020 (continued)

Internal Audit Plan (Continued)

12


School Based AuditsConduct Student Activity Fund Audits (Non-Appropriated) and School Monitoring Reviews (Appropriated) to ensure collected funds are deposited properly, expenditures are approved and appropriate, transactions are supported by proper documentation, and DOE policies and procedures are followed for the 256 schools in the statewide DOE school district. School based audits for Student Activity Fund Audits are performed for the following areas: Account Analysis, Bank Reconciliation, Petty Cash, Non-Appropriated Cash Receipts, Non-Appropriated Cash Disbursements, Adjustments, Compensating Internal Controls, Donations, Fundraising, Investments, Clubs/Sport Teams, utilizing Questionnaires, Annual Checklists, and PY's Corrective Action Implementation. School based reviews for School Monitoring Reviews are performed for the following areas: Appropriated Cash Receipts, Appropriated Cash Disbursements, Inventory, School Bus, School Lunch, Casual Hire/Payroll, Payroll Leaves, P-Cards, Use of Facilities, and utilizing Questionnaires.

Various Throughout 2,510

TOTAL PROPOSED ASSURANCE HOURS: FY 2020 4,260

Compliance RiskOpportunity Cost Risk

Internal Audit Plan: FY 2020 (continued)Project Auditable Area(s) Risk(s) Timing Est. Hrs.

IA CONSULTING, MONITORING, FISCAL REVIEWS & OTHER

Monitoring Based on Management Action PlansFollow-up on management action plans to the observations noted in the completed audits.

Various Alignment RiskEfficiency Risk

Throughout 200

Data Mining & Baseline Monitoring ProjectsPerform continuous monitoring projects utilizing data mining software to identify internal control weaknesses in business function areas. Continue Annual Checklist Monitoring, and other. Perform Continuous Auditing Reviews for Casual Employment, Overtime Expenditures, Inventory, and Outstanding Deposits.


Internal Control & Operational Efficiency ConsultationProvide consulting services to the Department for internal control planning and operational improvement initiatives.


Various 300

IT Internal Audit Risk AssessmentCo-source with an IT subject matter expert to perform an IT Internal Audit risk assessment to identify, quantify and prioritize the key risks affecting the current operating environment, as well as planned strategic initiatives and potential future operating environments. The risk assessment process is intended to allow Internal Audit to focus on existing and emerging risks for which management and/or mitigation are critical to the DOE’s success.

Alignment RiskEfficiency RiskSecurity Risk

Technological Innovation Risk

Q1 FY 2020 200

PRIMARY FOCUS: Operational/Information Technology

TOTAL PROPOSED IA CONSULTING & MONITORING HOURS: FY 2020 1,700

Accounting Information RiskCompliance Risk

Opportunity Cost RiskResource Allocation Risk

OITS


13



14

Project Auditable Area(s) Risk(s) Timing Est. Hrs.IA CONSULTING, MONITORING, FISCAL REVIEWS & OTHER

Fiscal Reviews Conduct fiscal reviews of allegations concerning DOE fund or asset misappropriation, and other areas where requested.

Various Various Risks Throughout 800

Fraud & Ethics Hotline - Confidential Reporting MechanismAdminister a confidential reporting mechanism to report suspected fraudulent activities and violations of federal and state laws, rules, regulations, and departmental policies, procedures, regulations, rules, and guidance, as well as violations of the DOE's Ethics and Code of Conduct.

OS Organizational Culture RiskLeadership Risk

Throughout 800

Function Administration FY 2020Reporting and Communication Throughout 400 External, State, Attorney General, Legislative & Consultant Audit/Review/Investigation Coordination Throughout 600 Other Administration including budget preparation, meetings and other Throughout 600 Risk Assessment and Internal Audit Plan for FY 2021 (Update) Q3 FY 2020 400

TOTAL PROPOSED FISCAL REVIEWS & OTHER HOURS: FY 2020 3,600

TOTAL OUTSIDE CONSULTING (SME) HOURS: FY 2020 100

TOTAL PROPOSED HOURS: FY 2020 9,660

Internal Audit Plan Period: July 1, 2020 through June 30, 2021 – FY 2021Project Auditable Area(s) Risk(s) Timing Est. Hrs.

ASSURANCE

Use of Facilities AuditReview, evaluate, and test the design of the "use of facilities" processes within the Department. Review the Department's compliance with policies and procedures for use of facilities. Determine if the "use of facilities" is financially feasible, manageable in terms of risk, and is fair and equitable. Provide recommendations based on leading practices to improve the efficiency and effectiveness of the processes.

OSFSSAuxiliary Services - CIP

Fiscal Section

Q1 FY 2021 600

PRIMARY FOCUS: Compliance/Financial

Student Assessment Administrative Follow-Up Audit - Phase IFollow-up to Internal Audit’s Student Assessment Administration Phase I Review to assess the implementation of Management’s Plans as described in the Final Report (FY 2015).

500


Operational Audit of the Civil Rights Compliance Branch Review, evaluate, and test the design, operating effectiveness and oversight of the process and internal controls over investigations performed by the Civil Rights Compliance Branch. Review the Department's compliance with applicable laws and regulations. Provide recommendations based on leading practices to improve the efficiency and effectiveness of the processes.

OTMCivil Rights

Investigations & Compliance

Efficiency RiskCompliance Risk

Communications RiskAlignment Risk

Authority/Limit Risk

Q4 FY 2021 600


OSIPAssessment and

Accountability Branch

Q2 FY 2021

Compliance RiskEfficiency Risk

Authority/Limit RiskPlanning Risk


Integrity RiskSecurity Risk

Compliance RiskAccess Risk

Alignment Risk


The following represents the detailed Internal Audit Plan for the second fiscal year.

15








16



17




Throughout 200





Various 300










Throughout 800






18

Internal Audit Plan Period: July 1, 2021 through June 30, 2022 – FY 2022Project Auditable Area(s) Risk(s) Timing Est. Hrs.

ASSURANCE

Repair and Maintenance AuditAssess the efficiency and effectiveness of key business processes and controls over the Department's regular preventive maintenance and repairs to DOE school buildings and facilities. Ensure policies, practices, and controls are adequate to plan and manage facility activities including the appropriate management of departmental spending. Include a review of the R&M funding between Neighbor Island schools (DAGS) and Oahu schools (FMB) to assess if there are inequities. Where applicable, this audit will follow-up on the results of previous report findings and studies.

Budget and Planning RiskEfficiency Risk

Performance Gap RiskHealth & Safety Risk

Cycle Time Risk

Q1 FY 2022 600


Workers' Compensation Follow-Up AuditFollow-up to Internal Audit’s Workers' Compensation Review to assess the implementation of Management’s Plans as described in the Final Report (FY 2015).

500


Operational Audit of the Student Support SectionEvaluate the design, implementation, oversight, training, monitoring, and reporting of student support programs throughout the Student Support Section, including but not limited to School Based Behavioral Health and Title III. Review the Department's adherence to ESSA and compliance with applicable laws and regulations. Determine if procedures and standards of practice are effectively shared among all of the program managers.

OSSSStudent Support

SchoolsStudent Instruction

Efficiency RiskLeadership Risk

Performance Gap RiskCompliance Risk

Knowledge Capital Risk

600


OTMWorkers' Compensation

& Employee Benefits


Human Resources RiskIntegrity Risk

OSFSSFacilities Maintenance - Repair & Maintenance

Operations,Facilities Maintenance -

Purchasing Services

Q4 FY 2022

Q2 FY 2022


The following represents the detailed Internal Audit Plan for the third fiscal year.

19



20








21




Throughout 200





Various 300










Throughout 800






22

Internal Audit Plan: Assurance Project Watchlist


The following represents the detailed Assurance Project Watchlist for future scheduling.

23

Project Auditable Area(s) Risk(s) TimingASSURANCE

Decision Making Process AuditReview and evaluate the design of the business process and internal controls over decision making and disciplinary action for employee misconduct. Provide recommendations for improvement to enhance effectiveness and efficiency.

OTMLabor Relations Section

Communications RiskEfficiency Risk

Human Resources RiskPerformance Gap Risk

Watchlist


Professional Development (Travel) AuditReview and evaluate the Department's professional development practices to ensure that it has adequate guidance and controls to maintain compliance with applicable travel policies and procedures. Test the professional development travel approval process within the Department, as it relates to due diligence, management oversight, and reasonableness. Provide recommendations based on leading practices to improve the efficiency and effectiveness of the Department's professional development travel guidance.

OFSVendor Payments

SchoolsTraining & Development

Compliance RiskEfficiency RiskCycle Time Risk

Opportunity Cost RiskEmployee Fraud Risk

Unauthorized Use Risk

Watchlist


Purchasing and Inventory Audit of the Facilities Maintenance BranchEvaluate Facilities Maintenance Branch's (FMB) compliance with internal purchasing policies and procedures. Review the adequacy of current inventory management policies and procedures as they relate to tracking, monitoring, recording and disposing of inventory within FMB. Test the design of internal controls over purchasing and inventory in FMB and provide efficiency and effectiveness recommendations.

OSFSSFacilities Maintenance -

Purchasing Services

Authority/Limit RiskChange Readiness Risk

Efficiency RiskPerformance Gap Risk

Watchlist


Internal Audit Plan: Assurance Project Watchlist (continued)


24


Operational Audit of the Hawaiian Education ProgramEvaluate the design, oversight, training and monitoring of Hawaiian Education programs. Determine if (1) objective of the Hawaiian Education Program are aligned with the program's strategic plan and are measurable, (2) adequate guidance with goals and objectives of the program are established with measurable outcomes, and (3) operations are effective, efficient and in compliance with laws and regulations (where applicable). Determine whether the recommendations provided by the State Auditor's 2008 report were implemented properly.

ODSHawaiian Education

Programs



Watchlist


Student Transportation Services Implementation Follow-Up Audit (External Consulting Report)Review the following areas to determine whether management has properly implemented recommendations provided by the Office of the Auditor's Management Audit of the Department of Education's School Bus Transportation Services (FY13): (1) the design of procedures and controls are executed properly, (2) internal control procedures are adequate for monitoring contract compliance in all areas of operations and administration, (3) assess the effectiveness and determine the results of performance measures and goals established for contractors providing student transportation services. Specific recommendations include: proper planning for school bus services statewide, proper administering of school bus service contracts, development of a manual, development and implementation of policies and procedures, and proper procurement of transportation services.

OSFSSStudent Transportation

Services

Budget & PlanningEfficiency Risk

Compliance RiskAlignment Risk

Watchlist


School Health Management Audit Evaluate the Department's compliance with polices, procedures, and applicable laws and regulations for school health. Determine the Department's adherence to respective MOUs, MOAs, and federal funds compliance. Test the design of the Department's internal controls over the school health process and provide efficiency and effectiveness recommendations.

OSSSSchool Health

Compliance RiskPrivacy RiskAccess Risk

Health & Safety Risk

Watchlist




25


Federal Survey - Impact Aid Audit Evaluate the Department's compliance with applicable policies and procedures for collection and reporting processes of the "Federal Survey." Review, evaluate, and test the design of the entire "Federal Survey" process within the Department. Provide recommendations to improve the processes, which includes increasing the participation of our military families to ensure the Department takes full advantage of federal funding.

OITSFederal Survey - Impact

Aid

Compliance RiskAlignment Risk

Regulatory Reporting RiskBusiness Portfolio Risk

Watchlist


Emergency Management Audit Review and evaluate the design of DOE's Emergency Management Plan, ensure that the plan is in compliance with State and Federal guidelines. Review and evaluate the guidance and training materials provided to the field and test that schools are in compliance with these procedures. PRIMARY FOCUS: Operational/Compliance

OSFSSSafety, Security &

Emergency Preparedness Program

SchoolsSafety, Security &

Emergency Preparedness Program

Catastrophic Loss RiskBusiness Interruption Risk

Security RiskInfrastructure Risk

Health and Safety Risk

Watchlist

Summer School Audit - Official and UnofficialReview, evaluate, and test the design, implementation, oversight, training, monitoring, and reporting of summer school programs in the Department, which includes both official and unofficial summer school programs. Review the Department's compliance with applicable laws and regulations. Provide recommendations based on leading practices to improve the efficiency and effectiveness of the Department's summer school programs.

Change Readiness RiskEfficiency Risk

Compliance RiskCommunications Risk

Alignment Risk

Watchlist


OCIDLearning and Technology



26


eTrition School Lunch System Post-Implementation AuditEvaluate the effectiveness of the eTrition School Lunch System application to ensure that the intended objectives of implementing the system were met. Confirm business processes, ensure systems are aligned with business and project goals, identify continuous process improvement opportunities, and validate operational effectiveness of key internal controls. Evaluate the design of procedures and controls over input, processing, and output to ensure: (1) information captured is complete and accurate and (2) information generated is accurate, reliable, and timely.

Integrity RiskAccess RiskSecurity Risk

Cycle Time Risk

Watchlist

PRIMARY FOCUS: Information Technology

Operational Audit of the Budget Process

Review, evaluate, and test the design of the governance, risk management and control processes over budget planning, preparation, implementation and monitoring. Review the Department's compliance with applicable laws and regulations. Ensure management and the Board are provided with sufficient information to properly monitor the budget. Provide recommendations based on leading practices to improve the efficiency and effectiveness of the processes.

OFSBudget Preparation,Budget Execution,

Management & Monitoring



Authority/Limit RiskBudget and Planning Risk

Watchlist


Free and Reduced Lunch Eligibility AuditReview the controls in place to ensure that the free and reduced lunch data is accurate, complete, and consistent. Test and validate the data quality for a sample of yearly reports and that DOE processes are in line with requirements set forth by USDOE.

OSFSSSchool Food Services -

USDA Compliance

Integrity RiskAccess Risk

Performance Gap RiskCompliance Risk

Watchlist



Fiscal ManagementSchools

IT Coordination



27


Time & Attendance System Post-Implementation Audit / Leave Accounting Follow-Up Audit #2Evaluate the Time & Attendance System implementation, confirm business processes, ensure systems are aligned with business and project goals, identify continuous process improvement opportunities, and validate operational effectiveness of key internal controls. Follow-up to Internal Audit’s Leave Accounting Follow-Up Review to assess the implementation of Management’s Plans as described in the Final Report (FY 2014).

OFSLeave Accounting

SchoolsLeave Accounting

Capital Availability RiskCompliance RiskCycle Time RiskEfficiency Risk

Change Readiness RiskTechnological Innovation Risk

Pending System Update


Fixed Assets Management Follow-Up AuditFollow-up to Internal Audit’s Fixed Assets Management Review to assess the implementation of Management’s Plans as described in the Final Report (FY 2015).

Watchlist

PRIMARY FOCUS: Financial

Procurement & Contracting Process Follow-Up Audit #2Follow-up to Internal Audit’s Procurement & Contracting Processes Follow-Up Review to assess the implementation of Management’s Plans as described in the Final Report (FY 2016). PRIMARY FOCUS: Compliance/Financial

WatchlistOFSProcurement &

Contracting,Vendor Payments

SchoolsProcurement & Fiscal


Performance Gap RiskChange Readiness Risk

Scalability Risk

OFSFixed Assets &

InventorySchoolsInventory

Authority/Limit RiskEfficiency Risk

Performance Gap Risk



28


Operational Follow-Up Audit of the Special Education ProgramFollow-up to Internal Audit’s Operational Review of the Special Education Program to assess the implementation of Management’s Plans as described in the Final Report (FY 2016). PRIMARY FOCUS: Operational

Watchlist

Casual Hire Personnel Recruitment, Hiring & Payroll Processes Follow-Up Audit #2 WatchlistFollow-up to Internal Audit’s Casual Hire Personnel Recruitment, Hiring & Payroll Processes Follow-Up Review to assess the implementation of Management’s Plans as described in the Final Report (FY 2017).

PRIMARY FOCUS: Operational

School Food Services Follow-Up Audit #2Follow-up to Internal Audit’s School Food Services Follow-Up Review to assess the implementation of Management’s Plans as described in the Final Report (FY 2018).

Watchlist



Fiscal ManagementSchoolsCafeteria

Authority/Limit RiskEfficiency Risk

Performance Gap Risk

OTMRecruitment &

Employment SectionSchools

Casual Hire & Casual Substitute

Organizational Culture RiskHuman Resources RiskPerformance Gap RiskKnowledge Capital Risk

Alignment Risk

OSSSStudent Support,

Special Needs, Special EducationSchools

Special Education, EL & 504

Efficiency RiskLeadership Risk

Authority/Limit RiskKnowledge Capital Risk

Alignment Risk



29


Equipment and Fleet Maintenance Follow-Up Audit #2Follow-up to Internal Audit’s Equipment and Fleet Maintenance Follow-Up Review to assess the implementation of Management’s Plans as described in the Final Report (FY 2018).

OSFSSFacilities Maintenance - Repair & Maintenance

Operations

Budget & Planning RiskEfficiency Risk

Performance Gap RiskAlignment Risk


Watchlist


Ethics Follow-Up AuditFollow-up to Internal Audit's Ethics Review to assess the implementation of Management's Plans as described in the Final Report (FY 2018). PRIMARY FOCUS: Operational/Compliance

OTM Organizational Culture RiskLeadership RiskCompliance Risk

Watchlist

Construction Process and Internal Controls Follow-Up Audit #2Follow-up to Internal Audit's Construction Process and Internal Controls Follow-Up Review to assess the implementation of Management's Plans as described in the Final Report (FY 2018). PRIMARY FOCUS: Operational/Compliance

OSFSSFacilities Development -

Planning, Facilities Development - Project Management, Facilities

Development - Construction Management

Performance Gap RiskBudget & Planning Risk

Efficiency RiskScalability Risk

Knowledge Capital RiskAlignment Risk

Capital Availability RiskOpportunity Cost Risk

Watchlist

APPENDICES

30

Appendix A – Risk Assessment Re-Evaluation ProcessAppendix B – Relevant Risk Definitions: Quadrant IAppendix C – Relevant Risk Definitions: Other Quadrants

Appendix A – Risk Assessment Re-Evaluation Process

The purpose of this report is to present the results of IA’s efforts to perform an update of the Risk Assessment to assist with the development of an updated Audit Plan for the DOE. The Re-Assessment re-evaluates the identification and analysis (typically in terms of impact and likelihood) of relevant risks to the achievement of DOE’s goals, strategies, and objectives, forming the basis for determining how those risks should be managed.

This Re-Assessment and resulting Audit Plan has been developed to ensure that the DOE has sufficient and continuous internal audit coverage of those areas judged as having a relatively higher risk profile or that otherwise require internal audit attention for management or regulatory reasons. For purposes of this Re-Assessment, the term “internal audit” will refer collectively to traditional internal audits of financial and operational areas along with compliance and information technology-related reviews.

As previously mentioned, the Re-Assessment and Audit Plan was developed based on interviews with management; members of the BOE; review of the current industry environment; an evaluation of completed projects during the past year; knowledge of the DOE’s business risks; and a high-level evaluation of the current internal control environment at the time of our review. IA ranked risks based on several risk factors identified during the Risk Evaluation, which included an evaluation of the various auditable areas and their impact on the DOE’s goals and objectives. A summary of changes to the auditable areas from the previously approved Risk Assessment is presented on pages 40 - 43.

This Re-Assessment does not include an IT Risk Assessment as there has been significant changes within the IT group, personnel, project initiatives, etc. However, IA plans to co-source using an IT subject matter expert to perform an IT Internal Audit Risk Assessment during FY 2020 to revise previously identified projects to address the new risks identified. A description of the IT Internal Audit Risk Assessment is presented on page 13.

A Re-Assessment is performed annually to ensure continual monitoring of changing risk factors, financial and operational changes, and management turnover. 31

Appendix A – Risk Assessment Re-Evaluation Process –Overview

AUDITUNIVERSE

RISKIDENTIFICATION

RISK EVALUATION & RISK MAPPING

AUDIT PLANDEVELOPMENT

Risk Management

StrategicStaffing/P

eopleBusiness Process Technology Fraud

Inherent Risk Score

Management & Controls

Residual Risk Score

Final Risk

RatingMarketing/New Product Development L M M H H 110 N 110 MediumPlanning & Budgeting H H H H H 150 E 80 LowRisk Management M M M M M 100 E 30 LowPurchasing H H H H H 150 P 115 MediumMANAGEMENT

Inherent Risk Factors

Understand changes to the DOE’s Audit Universe

Update Key Risks, Concerns & Issues

Analyzed changes in education industry & current internal & external environmentsIdentified new and emerging risks relevant to DOEInterviewed Senior Management and Board of Education to update understanding of the DOE’s key risks

Prioritize Key Risks, Concerns & Issues Identified

Re-assessed inherent and residual risk factors to develop composite risk scoreRe-ranked each auditable area by risk scoreSelect high-risk/high-importance auditable areas

Create Responsive Internal Audit Plan

Re-focused the Audit Plan on the key control processesDeveloped a balanced Internal Audit project plan comprised of financial, operational and compliance audits, and where applicable special projectsEnsured audit coverage of significant risk areas

Our re-evaluation process begins with the results of prior year’s updated Risk Assessment. Risks are re-evaluated given changes to the DOE’s external and internal environments as well as the results of audits conducted in the FY 2018 & 2019 Audit Plan. The following is a summary of our re-evaluation process:

By developing an understanding of the key risks and issues at the DOE, IA developed a focused plan, which will coordinate management, internal audit & external Subject Matter Expert (SME) resources to ensure maximum risk coverage.

32

Identified new and/or changes to the DOE’s auditable areasValidated that the population is current and well defined, appropriate, current and complete

Environmental Services UnitStudent Transportation Services

School Food Services - Farm to School

Hawaiian Education ProgramsMonitoring, Accountability & Compliance

Change & Patch Management (Applications, Databases, & Infrastructure)

Medicaid

Problem Management (IT Help Desk)

Data ValidationFederal Survey - Impact Aid

Student Support

Project Governance

School Health

IT Managers and Tech Coordinators

Special Education

Security Configuration Management

Alternative Learning Center

Special NeedsApplications/Database Management

Systems Development

Disaster RecoveryInfrastructure Construction

Infrastructure MaintenanceOffice of Hawaii Child Nutrition ProgramsData Retention/Backup

Office of Student Support Services Identity & Access Management

Budget Execution, Management & MonitoringBudget Preparation

Procurement & Contracting

Career Readiness Leave AccountingVendor Payments Project Strategy & Planning

Threat & Vulnerability ManagementLearning SupportPayroll IT Security & Data ProtectionStandards Support

Fixed Assets & Inventory

Complex Areas/SchoolsOffice of Curriculum and Instructional Design Office of Fiscal Services Office of Information Technology

Services

ExtracurricularLearning and Technology Software Development Life Cycle (SDLC)Reporting, Analysis & Reconciliation

Cash Management

School Food Services - Technical Support

Management Support Services Section

School Food Services - USDA Compliance

Facilities Maintenance - Vehicle Inventory

Certificated and Classified Pros

Safety, Security & Emergency Preparedness Program

Educator Quality Section

School Food Services - Fiscal Management

Teacher Induction Center

Facilities Maintenance - Repair & Maintenance Engineering

Negotiations Section

Facilities Maintenance - Repair & Maintenance OperationsPerformance Management SectionComplex Areas/Schools

Facilities Development - Planning

Classification & Compensation Section

Facilities Development - Project Management

Professional Development & Educational Research Institute

Facilities Maintenance - Purchasing Services

Training & Development SectionOffice of the Deputy Superintendent

Facilities Development - Business Services Section

Recruitment & Employment SectionAssessment and Accountability Branch

Auxiliary Services - Reprographics Section

Civil Rights Investigations & Compliance

Policy, Innovation, Planning and Evaluation Branch

Department of Education Audit Universe

Office of the Superintendent Office of School Facilities & Support Services Office of Talent Management Office of Strategy, Innovation, and Performance

Internal Audits & Fiscal Reviews Auxiliary Services - CIP Fiscal Section

Investigations Section

Data Governance and Analysis Branch

Community Engagement

Facilities Development - Construction Management

Educator Effectiveness System Section

Auxiliary Services - School Repair and Maintenance

Labor Relations Section

School TransformationWorkers' Compensation & Employee Benefits

Communications Services

Auxiliary Services - Project ControlRecords & Transactions Section

Appendix A – Risk Assessment Re-Evaluation Process –Audit Universe

For the update to the Audit Universe, IA identified new and/or changes to the key auditable areas. In addition, IA validated that the population of auditable areas were well defined, appropriate, current, and complete. This validation was accomplished based primarily on interviews with key management personnel. The Audit Universe for the DOE State Office is detailed below and the Complex Areas/Schools auditable areas are detailed on the following page.

33

Recruitment & Employment Section

Assessment and Accountability Branch














School Transformation

Workers' Compensation & Employee Benefits Section



Complex Areas/Schools
















Teacher Induction CenterFacilities Maintenance - Repair & Maintenance Engineering


Facilities Maintenance - Repair & Maintenance OperationsPerformance Management Section


Services


Cash Management




Office of Hawaii Child Nutrition ProgramsData Retention/Backup




Applications/Database ManagementSystems Development


Infrastructure Maintenance





Medicaid



Student Support

Project Governance

School Health


Special Education



Special Needs

See next slide.

New or changes from the previously approved RiskAssessment (see pages 40 - 43):- New Auditable Area /

Change to Auditable Area

Note: The Audit Universe is based on the anticipation of changes to offices due to the Department’s reorganization.

Appendix A – Risk Assessment Re-Evaluation Process –Audit Universe (Continued)

The Complex Areas/Schools auditable areas are detailed below:

Recruitment & Employment Section

Assessment and Accountability Branch














School Transformation

Workers' Compensation & Employee Benefits Section



















Teacher Induction CenterFacilities Maintenance - Repair & Maintenance Engineering


Facilities Maintenance - Repair & Maintenance OperationsPerformance Management Section


Services


Cash Management




Office of Hawaii Child Nutrition ProgramsData Retention/Backup




Applications/Database ManagementSystems Development


Infrastructure Maintenance





Medicaid



Student Support

Project Governance

School Health


Special Education



Special Needs

34

See next slide.

Risk ManagementTraining & Development

CafeteriaRegistrar

Groundskeeping, Custodial ServicesIT Coordination

School Health AssistantsAfter School Programs

Budget Academic & Financial Planning & Compliance ACFIN

InventoryStudent Instruction

Athletics

Special Education, EL & 504Homeless Concerns, Migrant Students

School Level External CommunicationsProcurement & Fiscal


Casual Hire & Casual SubstituteLeave Accounting

Safety, Security & Emergency Preparedness ProgramSchool Inspections

Appendix A – Risk Assessment Re-Evaluation Process –Risk Identification

Current Events

Interviews

Relevant Documents

Understanding of Current Events – Based upon discussions and review of relevant documents, the following are a few of the major current events:

Conducted Interviews – IA interviewed 29 members of senior management and 1 member from the Board of Education.

Reviewed Relevant Documents – IA reviewed a variety of significant reports and documents that were prepared by management or issued by regulators or consultants including, but not limited to: External Financial Audits, State & Federal Audits, Strategic Plans, Reorganization Documents, Project Plans, External Studies and Management Letters.

After finalizing the Audit Universe, IA confirmed and identified relevant risks to the DOE during the Risk Identification phase and performed the following steps:

Obtained an understanding of current events impacting the DOE.Interviewed members of senior management and the Board of Education.Reviewed relevant reports and documents.

35

New State Payroll System New School Lunch System Planned Reorganizations

Updated Strategic Plan Every Student Succeeds Act Leadership Changes

Appendix A – Risk Assessment Re-Evaluation Process –Risk Identification (Continued)

A component of the Risk Identification phase was an identification of relevant risks utilizing an Enterprise-wide Risk Model representing the universe of possible risks. The following is the listing of risks classified into three major areas of environment risks, process risks and information for decision-making risks. Certain risks within the Risk Model were not applicable, and others were modified to better fit the DOE as deemed necessary. A description of all relevant risks are defined in more detail in Appendix B and C.

36


Another component of the Risk Identification process (illustrated below) involved assessing relevant risks for significance and likelihood of an occurrence to negatively impact the critical organizational areas of the DOE. The highly significant and likely risks (Quadrant I) were identified and are listed on page 38.

Relevant RisksIdentified

Risk 1Risk 2Risk 3Risk 4Risk 5Risk 6Risk 7Risk 8Risk 9Risk 10Risk 11Risk 12Risk 13Risk 14Risk 15

Relevant RisksIdentified

Risk 1Risk 2Risk 3Risk 4Risk 5Risk 6Risk 7Risk 8Risk 9Risk 10Risk 11Risk 12Risk 13Risk 14Risk 15

Achievement of Vision, Strategy and

Objectives

Reliability of Financial &

Regulatory Reporting

Process Efficiency and Effectiveness

Compliance

CriticalOrganizational Areas

Significance

Likelihood

EvaluationCriteria

37

LikelihoodLow High

Sign

ifica

nce

Low

Hig

h

IIIV III

I


LikelihoodLow High

Sign

ifica

nce

Low

Hig

h

IIIV III

IAccounting Information RiskAuthority/Limit RiskBudget and Planning RiskCapital Availability RiskChange Readiness RiskCommunications RiskCompliance RiskCycle Time RiskEfficiency RiskHuman Resources RiskInfrastructure RiskIntegrity RiskKnowledge Capital Risk

Leadership RiskOpportunity Cost RiskOrganizational Culture RiskPerformance Gap RiskPrivacy RiskResource Allocation RiskScalability RiskSecurity RiskTechnological Innovation Risk

As previously noted, IA identified and ranked risks relevant to the DOE. The following represents the high risks (Quadrant I) identified for the DOE. Quadrant I risks are defined in detail in Appendix B. All other relevant risks in the three remaining Quadrants (II, III, and IV) are defined in Appendix C.

38

Quadrant I Risks

Appendix A – Risk Assessment Re-Evaluation Process –Risk Evaluation

After calculating and updating the risk score for each auditable area, IA ranked them into high (red), medium (yellow) or low (green) risk areas. The Audit Universe for the DOE State Office has been color coded below to reflect the ranking of risks.

Applications/Database Management

Alternative Learning CenterChange & Patch Management (Applications,

Databases, & Infrastructure)Medicaid Problem Management (IT Help Desk)

Student Support Project GovernanceSchool Health IT Managers and Tech Coordinators

Special Education Security Configuration ManagementSpecial Needs Threat & Vulnerability Management

Budget Preparation Data Retention/Backup

Office of Student Support Services Cash Management Data ValidationFederal Survey - Impact Aid

Budget Execution, Management & Monitoring Project Strategy & PlanningReporting, Analysis & Reconciliation Systems Development

Learning Support Payroll Infrastructure MaintenanceOffice of Hawaii Child Nutrition Programs IT Security & Data Protection

Career Readiness Leave Accounting Disaster RecoveryStandards Support Fixed Assets & Inventory Infrastructure Construction


Extracurricular Procurement & Contracting Identity & Access ManagementLearning and Technology Vendor Payments Software Development Life Cycle (SDLC)

Facilities Development - Business Services Section Management Support Services SectionFacilities Maintenance - Repair & Maintenance Engineering


Office of Curriculum and Instructional Design Office of Fiscal Services Office of Information Technology

Services

Facilities Maintenance - Vehicle InventoryCertificated and Classified ProsEnvironmental Services Unit

Educator Quality SectionSchool Food Services - Technical Support Teacher Induction Center


Monitoring, Accountability & Compliance

School Food Services - Fiscal Management Records & Transactions SectionHawaiian Education Programs

School Food Services - USDA Compliance Performance Management Section

Complex Areas/Schools* Safety, Security & Emergency Preparedness Program Classification & Compensation Section

Auxiliary Services - Project ControlProfessional Development & Educational Research

InstituteAuxiliary Services - School Repair and Maintenance Training & Development Section

Office of the Deputy Superintendent

Facilities Maintenance - Purchasing ServicesNegotiations Section Community Engagement

Student Transportation Services Educator Effectiveness System Section

Facilities Development - Project Management Labor Relations Section School Transformation

Facilities Maintenance - Repair & Maintenance Operations

Workers' Compensation & Employee Benefits Section Communications Services

Facilities Development - Construction Management Recruitment & Employment Section Assessment and Accountability Branch

Facilities Development - Planning Civil Rights Investigations & CompliancePolicy, Innovation, Planning and Evaluation

Branch



Internal Audits & Fiscal Reviews Auxiliary Services - CIP Fiscal Section Investigations Section Data Governance and Analysis Branch

See page 43

39

* Refer to respective charts

Note: The Risk Evaluation is based on the anticipation of changes to offices due to the Department’s reorganization.

Appendix A – Risk Assessment Re-Evaluation Process –Risk Evaluation (Continued)

The following tables represent the risk ratings by office for the DOE – 53 auditable areas are considered high risk; 43 areas at the DOE State Office and 10 at the Complex Areas/Schools (page 43). We have also indicated risk ratings that have changed since the previous Risk Assessment,

indicating increase in risk rating and indicating a decrease in risk rating.

40

Office Auditable Areas 2018 Final Risk Rating 2019 Final Risk RatingODS Monitoring, Accountability & Compliance (Reorg from OS) High HighODS Hawaiian Education Programs (Reorg from OS) High HighOSIP Data Governance and Analysis Branch Medium HighOFS Procurement & Contracting High HighOFS Vendor Payments High HighOFS Leave Accounting High HighOFS Fixed Assets & Inventory High HighOFS Payroll High HighOTM Investigations Section High HighOTM Recruitment & Employment Section High HighOTM Civil Rights Investigations & Compliance (Reorg from OS) High HighOTM Labor Relations Section High HighOTM Workers' Compensation & Employee Benefits Section High High

OSFSS Auxiliary Services - CIP Fiscal Section High HighOSFSS Facilities Development - Construction Management High HighOSFSS Facilities Development - Planning High HighOSFSS Facilities Development - Project Management High HighOSFSS Facilities Maintenance - Purchasing Services High HighOSFSS Facilities Maintenance - Repair & Maintenance Operations High HighOSFSS Student Transportation Services High HighOSFSS Safety, Security & Emergency Preparedness Program High HighOSFSS Auxiliary Services - Project Control High HighOSFSS Auxiliary Services - School Repair and Maintenance (formerly known as Auxiliary Services -

School Support Section and Auxiliary Services - School Playgrounds & Projects) Medium High

OSFSS School Food Services - Fiscal Management High HighOCID Extracurricular High HighOCID Learning and Technology Medium HighOSSS Special Education High HighOSSS Special Needs High HighOSSS Student Support High HighOSSS School Health High HighOITS Identity & Access Management High HighOITS Software Development Life Cycle (SDLC) High HighOITS Disaster Recovery High HighOITS Infrastructure Construction High HighOITS Infrastructure Maintenance High HighOITS IT Security & Data Protection High HighOITS Project Strategy & Planning High HighOITS Systems Development High HighOITS Data Retention/Backup High HighOITS Data Validation High HighOITS Federal Survey - Impact Aid High HighOITS Security Configuration Management High HighOITS Threat & Vulnerability Management High High

ychen

Rectangle


The following table represents the remaining risk ratings for the DOE State Office. 23 auditable areas are considered medium risk.

41

Office Auditable Areas 2018 Final Risk Rating 2019 Final Risk RatingOSIP Assessment and Accountability Branch High MediumOSIP Policy, Innovation, Planning and Evaluation Branch Medium MediumOSIP School Transformation (Reorg from ODS) Medium MediumOFS Office of Hawaii Child Nutrition Programs Medium MediumOFS Budget Execution, Management & Monitoring High MediumOFS Reporting, Analysis & Reconciliation High MediumOFS Budget Preparation High MediumOTM Negotiations Section Medium MediumOTM Educator Effectiveness System Section Medium MediumOTM Classification & Compensation Section Medium MediumOTM Professional Development & Educational Research Institute Medium MediumOTM Training & Development Section Medium Medium

OSFSS School Food Services - USDA Compliance Medium MediumOSFSS Environmental Services Unit Medium MediumOSFSS Facilities Maintenance - Vehicle Inventory Medium MediumOSFSS School Food Services - Technical Support Medium MediumOCID Career Readiness Medium MediumOCID Standards Support Medium MediumOCID Learning Support Medium MediumOITS Project Governance Medium MediumOITS IT Managers and Tech Coordinators Medium MediumOITS Change & Patch Management (Applications, Databases, & Infrastructure) Medium MediumOITS Problem Management (IT Help Desk) Medium Medium


The following table represents the remaining risk ratings for the DOE State Office. 17 auditable areas are considered low risk.

42

Office Auditable Areas 2018 Final Risk Rating 2019 Final Risk RatingOS Internal Audits & Fiscal Reviews Low Low

OSIP Communications Services (Reorg from OS) Low LowOSIP Community Engagement (Reorg from OS) Low LowOFS Cash Management Low LowOTM Records & Transactions Section Low LowOTM Performance Management Section Low LowOTM Certificated and Classified Pros Low LowOTM Educator Quality Section (formerly known as Highly Qualified Teacher Section) Low LowOTM Teacher Induction Center Low LowOTM Management Support Services Section Low Low

OSFSS Facilities Development - Business Services Section Low LowOSFSS Facilities Maintenance - Repair & Maintenance Engineering Low LowOSFSS School Food Services - Farm to School (new) N/A LowOSFSS Auxiliary Services - Reprographics Section Low LowOSSS Alternative Learning Center (new) N/A LowOSSS Medicaid (formerly known as Healthcare Contracts and Reimbursement Program) Low LowOITS Applications/Database Management Low Low


The scoring and risk ranking methodology used for DOE State Office was also applied to Complex Areas/Schools to determine a final risk score and rating for each auditable area.

The following table represents the final risk rankings for the auditable areas at the Complex Areas/Schools.

43

2018 Final Risk

Rating

2019 Final Risk

RatingSpecial Education, EL & 504 High HighCasual Hire & Casual Substitute High HighIT Coordination High HighProcurement & Fiscal High HighLeave Accounting High HighAthletics High HighCafeteria High HighInventory High HighSafety, Security & Emergency Preparedness Program High HighTraining & Development High HighStudent Instruction Medium MediumSchool Health Assistants Medium MediumHomeless Concerns, Migrant Students Medium MediumBudget Academic & Financial Planning & Compliance ACFIN Medium MediumSchool Inspections Medium MediumRegistrar Low LowAfter School Programs Low LowGroundskeeping, Custodial Services Low LowSchool Level External Communications Low LowRisk Management Low Low

Auditable Areas

Appendix A – Risk Assessment Re-Evaluation Process –Audit Plan Development

The updated Audit Plan is focused primarily on evaluating and testing key control processes mitigating the “High” Risk Ranked Auditable Areas and highly significant and likely risks impacting the DOE. The Audit Plan includes the following types of projects:

Assurance Projects: Established processes are in place and will be evaluated for design and operating effectiveness. In executing the projects, IA’s methodology will require the performance of a project level risk assessment, during which time significant and other additional relevant risks are evaluated and more detailed controls are identified to be considered for inclusion in the project scope.

Consulting & Monitoring Projects: The nature and scope of such projects are agreed upon with the section/branch and are intended to add value and improve operations from a risk perspective. Examples include consultation, recommendation(s), facilitation and training. This also includes Data Mining & Baseline Monitoring Projects. Consulting and monitoring projects shall not, in any circumstance, impair IA’s independence.

44

Appendix A – Risk Assessment Re-Evaluation Process –Audit Plan Development (Continued)

IA has completed 24 scheduled assurance projects since 2012, and there are four assurance projects currently in progress. Through the annual risk assessment process, IA has identified another 30 assurance projects that focus on addressing the high risks and specific concerns raised within the DOE. Nine assurance projects are scheduled for completion over the next three years, and the remaining 21 assurance projects are documented on a project watchlist so that they can be scheduled in the future. In addition, IA has identified five assurance, consulting & monitoring projects that should be performed continuously. The descriptions for the identified assurance projects and the identified assurance, consulting & monitoring projects are included in this Internal Audit Plan.

45

Student Transportation Services Implementation Follow-Up AuditSchool Health Management AuditFederal Survey – Impact Aid AuditEmergency Management AuditSummer School Audit – Official and UnofficialeTrition School Lunch System Post-Implementation AuditOperational Audit of the Budget ProcessFree and Reduced Lunch Eligibility AuditTime & Attendance System Post-Implementation

Audit / Leave Accounting Follow-Up Audit #2Fixed Assets Management Follow-Up AuditProcurement & Contracting Process Follow-Up Audit #2Operational Follow-Up Audit of the Special Education ProgramCasual Hire Personnel Recruitment, Hiring & Payroll Processes

Follow-Up Audit #2 School Food Services Follow-Up Audit #2Equipment and Fleet Maintenance Follow-Up Audit #2Ethics Follow-Up AuditConstruction Process and Internal Controls Follow-Up Audit #2School Based Audits (Continuous)Data Mining & Baseline Monitoring Projects (Continuous)Internal Control & Operational Efficiency Consulting

Projects (Continuous)Fiscal Reviews (Continuous)Fraud & Ethics Hotline (Continuous)

Procurement & Contracting Process Review (FY 2012)Casual Hire Personnel Recruitment, Hiring & Payroll

Processes Review (FY 2012)School Food Services Review (FY 2013)Data Integrity Review – Student Enrollment (FY 2013)eHR Post-Implementation Review (FY 2013)Student Information Privacy Review (FY 2014)Leave Accounting Follow-Up Review (FY 2014)Payroll Review (FY 2014)Equipment and Fleet Maintenance Review (FY 2014)Data Access Controls Review (FY 2015)Student Assessment Administrative Review –

Phase I (FY 2015)Workers’ Compensation Review (FY 2015)Fixed Assets Management Review (FY 2015)Procurement & Contracting Process Follow-Up

Review (FY 2016)Operational Review of the Special Education

Program (FY 2016)Hiring Practices Review (FY 2016)Vendor / Contract Management Review (FY 2017)Student Assessment Admin. Review Phase II (FY 2017)Casual Hire and Payroll Processes Follow-Up

Review (FY 2017)

Note: Parenthesis () note FYE of assurance projects completed. ** Scheduled for completion over the next three years (FY 2020 – FY 2022)

Investigation Process Review (In Progress)School Food Services Follow-Up Review (FY 2018)Equipment and Fleet Maintenance Follow-Up Review (FY 2018)Ethics Review (FY 2018)Capital Construction Oversight and Management

Implementation Follow-Up (External Report) (FY 2018)SIS Post-Implementation Review / Data Integrity Follow-Up

Review – Student Enrollment (FY 2019)Leave Without Pay Audit (In progress)Operational Audit of the Extracurricular Section (In progress)Data Access Controls Follow-Up Audit (In progress)Grant & Award Management Audit**Data Integrity Review – Student Enrollment Follow-Up Audit**HawaiiPay System Post-Implementation Audit / Payroll

Follow-Up Audit**Use of Facilities Audit**Student Assessment Administrative Follow-Up Audit– Phase I**Operational Audit of the Civil Rights Compliance Branch**Repair and Maintenance Audit**Workers’ Compensation Follow-Up Audit**Operational Audit of the Student Support Section**Decision Making Process AuditProfessional Development (Travel) AuditPurchasing and Inventory Audit of the Facilities Maintenance BranchOperational Audit of the Hawaiian Education Program

Appendix B – Relevant Risk DefinitionsQuadrant I Likelihood

Low High

Sign

ifica

nce

Low

Hig

h

IIIV III

I

46

Risk DefinitionAccounting Information Risk Financial accounting information used to manage business and operational processes is not properly integrated with

nonfinancial information focused on stakeholder satisfaction, measuring quality, reducing cycle time and increasing efficiency. The result is a myopic, short-term fixation on manipulating the outputs of processes to achieve financial targets, rather than fulfilling stakeholder expectations by controlling and improving processes.

Authority/Limit Risk The risk that people either make decisions or take actions that are not within their explicit responsibility or control or fail to take responsibility for those things for which they are accountable. Failure to establish or enforce limits on personnel actions may cause employees to commit unauthorized, illegal or unethical acts or assume unauthorized or unacceptable business risks.

Budget & Planning Risk Budgets and business plans are not realistic, based on appropriate assumptions, based on cost drivers and performance measures, accepted by management, or used as a monitoring tool.

Capital Availability Risk The Department does not have efficient access to the capital it needs to fuel its growth, operate programs, execute its strategies, and generate future returns.

Change Readiness Risk The people within the Department are unable to implement process and improvements quickly enough to keep pace with changes in the marketplace.

Communications Risk Communication channels (top-down and bottom-up or cross-functional) within the Department are ineffective and result in messages that are inconsistent with authorized responsibilities or established measures.

Compliance Risk As a result of a flaw in design or operation or due to human error, oversight or indifference, the Department's processes do not meet established requirements or do not comply with prescribed procedures and policies. Compliance risk can also result in failure to conform with laws and regulations at the federal, state and local level that apply to a business process.

Cycle Time Risk Elapsed time between the start and completion of a business process (or activity within a process) is too long because of redundant, unnecessary and irrelevant steps.

Efficiency Risk The process is inefficient in satisfying valid user and stakeholder requirements, resulting in redundancies and higher costs.

Human Resources Risk The personnel responsible for managing and controlling the Department or a particular business process do not possess the requisite knowledge, skills and experience needed to ensure that critical business and operational objectives are achieved and significant risks are reduced to an acceptable level.

Infrastructure Risk The risk that the Department does not have an effective information technology infrastructure (e.g., hardware, networks, software, people and processes) to effectively support the current and future needs of the organization in an efficient, cost-effective and well-controlled fashion.

Appendix B – Relevant Risk DefinitionsQuadrant I (continued) Likelihood

Low High

Sign

ifica

nce

Low

Hig

h

IIIV III

I

47

Risk DefinitionIntegrity Risk This risk encompasses all of the risk associated with the authorization, completeness, and accuracy of transactions as they

are entered into, processed by, summarized by and reported on by the various application systems deployed by the Department.

Knowledge Capital Risk Processes for capturing and institutionalizing learning across the Department are either nonexistent or ineffective, resulting in slow response time, high costs, repeated mistakes, slow competence development, constraints on growth and unmotivated employees.

Leadership Risk The risk that the people responsible for the important business and operational processes do not or cannot provide the leadership, vision, and support necessary to help employees be effective and successful in their jobs.

Opportunity Cost Risk The use of funds in a manner that leads to the loss of economic value, including time value losses, transaction costs due to inappropriate or inefficient management of cash flows and other causes of loss of value.

Organizational Culture Risk The Department’s culture does not encourage management to realistically portray the potential outcomes of transactions, investments and projects and understand and portray the full picture for decision makers. The Department experiences dysfunctional behavior because management is either risk averse or incented to take risks beyond the Department’s risk appetite.

Performance Gap Risk A process does not perform at a high level because the practices designed into the process are inferior.

Privacy Risk Privacy encompasses the rights and obligations of individuals and organizations with respect to the collection, use, retention, disclosure, and disposal of personal information.

Resource Allocation Risk The Department's resource allocation process does not establish and sustain competitive advantage or maximize returns and/or benefits for relevant stakeholders.

Scalability Risk The inability to operate differently and more efficiently at larger volumes or amortize costs over greater volume, resulting in diseconomies of scale that threaten the Department’s ability to execute on their strategies and be competitive.

Security Risk The risk that a possible threat will use a vulnerability within an information system to cause disruption to the Department's assets, operations and/or objectives.

Technological Innovation Risk The Department is not leveraging advancements in technology in its business and operational model to achieve or sustain competitive advantage or is exposed to the actions of competitors or substitutes that do leverage technology to attain superior quality, cost and/or time performance in their services and processes.

Appendix C – Relevant Risk DefinitionsQuadrant II Likelihood

Low High

Sign

ifica

nce

Low

Hig

h

IIIV III

I

48

Risk DefinitionAccess Risk Access risk includes the risk that access to information (data or programs) or systems will be inappropriately granted or

refused. It encompasses the risks of improper segregation of duties, risks associated with the integrity of data and databases and risks associated with information confidentiality.

Alignment Risk The objectives and performance measures of the Department's business processes are not aligned with its overall objectives and strategies. The objectives and measures do not focus people on the right things and lead to conflicting, uncoordinated activities.

Availability Risk The risk that information will not be available when needed. This includes risks such as loss of communications (e.g., cut cables, telephone system outage, satellite loss), loss of basic processing capability (e.g., fire, flood, electrical outage) and operational difficulties (e.g., disk drive breakdown, operator errors).

Board Effectiveness Risk The board does not constructively engage management and provide anticipatory, proactive and interactive oversight of the Department’s activities and affairs, with integrity, vision, common sense and unquestioned independence.

Business Interruption Risk The Department's capability to continue critical operations and processes may be highly dependent on availability of certain raw materials, information technologies, skilled labor and other resources.

Catastrophic Loss Risk The inability to sustain operations, provide essential products and services, or recover operating costs as a result of a major disaster.

Customer Wants Risk The Department is not aware that customer needs and wants change. Such needs and wants may apply to desired quality, willingness to pay and/or speed of execution.

Environmental Risk Environmental risks expose organizations to potentially enormous liabilities. The exposure is twofold -- (1) liability to third parties for bodily injury or property damage caused by the pollution, and (2) liability to governments or third parties for the cost of removing pollutants plus severe punitive damages.

Financial Reporting Evaluation Risk

Financial reports issued to lenders, the public or other stakeholders include material misstatements or omit material facts, making them misleading.

Health & Safety Risk These risks expose the Department to potentially significant workers' compensation liabilities, financial loss, and negative publicity. The Department could potentially find themselves criminally liable for failure to provide a safe working environment for their employees.

Outsourcing Risk Outside service providers do not act within their defined limits of authority and do not perform in a manner consistent with the values, strategies and objectives of the Department.

Planning Risk The Department's business and operational strategies are not driven by creative and intuitive input or based on current assumptions about the external environment resulting in strategies that are out-of-date and unfocused.

Regulatory Reporting Risk Reports of operating and financial information required by regulatory agencies are incomplete, inaccurate, or untimely, exposing the Department to fines, penalties and sanctions.

Succession Planning Risk Leadership talent within the Department is not sufficiently developed to provide for orderly succession in the future.

Appendix C – Relevant Risk DefinitionsQuadrant III Likelihood

Low High

Sign

ifica

nce

Low

Hig

h

IIIV III

I

49

Risk DefinitionBusiness Portfolio Risk The risk that the Department will not maximize business performance by effectively prioritizing its programs and services, or

balancing its programs and/or services in a strategic context.

Contract Commitment Risk The Department does not have information that effectively tracks contractual commitments outstanding at a point in time, so that the financial implications of decisions to enter into incremental commitments can be appropriately considered by decision makers.

Customer Satisfaction Risk The Department's processes do not consistently meet or exceed customer expectations due to a lack of focus on the customer.

Employee Fraud & Third Party Fraud Risk

Fraudulent activities perpetrated by employees, customers, suppliers, agents, brokers or third-party administrators against the Department for personal gain expose the Department to financial loss.

Environmental Scan Risk The failure to monitor and stay in touch with a rapidly changing environment resulting in obsolete business and operational strategies.

Ethical Behavior Risk The Department, through its actions or inaction, demonstrates that it is not committed to ethical and responsible business behavior.

Internal Control Evaluation Risk Failure to accumulate sufficient relevant and reliable information to assess the design and operating effectiveness of internal control over financial reporting, resulting in inaccurate assertions by management in internal control reports.

Investment Valuation/Evaluation Risk

Management does not have sufficient financial information to make informed short-term and long-term investment decisions and link the risks accepted to the capital at risk. Management and key decision-makers are unable to reliably measure the value of a specific business, program or any of its significant segments in a strategic context.

Regulatory Risk Changes in regulations and actions by national or local regulators can result in increased competitive pressures and significantly affect the Department's ability to efficiently run its business and operations.

Unauthorized Use Risk The Department's employees (or others) use its physical and financial assets for unauthorized or unethical purposes.

Appendix C – Relevant Risk DefinitionsQuadrant IV Likelihood

Low High

Sign

ifica

nce

Low

Hig

h

IIIV III

I

50

Risk DefinitionBusiness Model Risk The Department has an obsolete business model and doesn't recognize it and/or lacks the information needed to make an up-

to-date assessment of its current model and build a compelling business case for modifying that model on a timely basis.

Cash Flow Risk Actual losses incurred as a result of the inability to fund the operational or financial obligations of the Department.

Illegal Acts Risk Management and employees individually or in collusion commit illegal acts, placing the Department, its directors and officers at risk to the consequences of their actions.

Image & Branding Risk The risk that the Department may lose customers (where applicable), key employees or its ability to compete, due to perceptions that it does not deal fairly with customers, suppliers and stakeholders, or know how to manage its business and operations.

Legal Risk The risk that the Department's transactions, contractual agreements and specific strategies and activities are not enforceable under applicable law.

Management Fraud Risk Management issues misleading financial statements with intent to deceive the public and the external auditor or engages in bribes, kickbacks, influence payments and other schemes for the benefit of the Department.

Measurement (Operations) Risk Process performance measures do not provide a reliable portrayal of operating performance and do not accurately reflect reality. The measures do not provide relevant information for decision making because they are not informative, understandable, believable, actionable, or indicators of change.

Measurement (Strategy) Risk Occurs when overall Departmental performance measures focus primarily on near-term financial results or are not consistent with and do not support business and operational strategies.

Appendix C – Relevant Risk DefinitionsQuadrant IV (continued) Likelihood

Low High

Sign

ifica

nce

Low

Hig

h

IIIV III

I

51

Risk DefinitionOrganization Structure Risk The Department's structure does not support change or the Department's business and operational strategies.

Partnering Risk Inefficient or ineffective alliance, joint venture, affiliate and other external relationships affect the Department’s capability to compete. These uncertainties arise due to choosing the wrong partner, poor execution, receiving more value than is given (ultimately resulting in loss of a partner) and failing to capitalize on partnering opportunities.

Performance Incentives Risk Unrealistic, subjective or unclear performance measures may cause management, supervisors and employees to act in a manner that is inconsistent with the Department's business and operating objectives, strategies, ethical standards and prudent business practice.

Product/Service Failure Risk The Department's operations create risk of customers receiving faulty or nonperforming products or services.

Sensitivity Risk Sensitivity risk results when management commits the Department's resources and expected cash flows from future operations to such an extent that it reduces the Department's tolerance for (or ability to withstand) changes in environmental forces that are totally beyond its control.

Stakeholder Relations Risk A decline in stakeholder confidence may impair the Department's ability to efficiently raise and/or obtain the necessary resources to run its operations. The Department will not have the same efficient access as competitors to the capital it needs to fuel its growth, execute its strategies, and generate future returns, where applicable.