The Corporation of the City of Windsor Detailed 2014-2016 Internal Audit Plan June 2014

The Corporation of the City of Windsor

Detailed 2014-2016 Internal Audit Plan

June 2014

PricewaterhouseCoopers LLP

To Windsor City Council

Our Services were performed and this Report was developed in accordance with our engagement letter dated April 18, 2013 and are subject to the terms and conditions included therein.

Our Services were performed in accordance with IIA Professional Practices Framework (“IIAPPF”). Accordingly, we are providing no opinion, attestation or other form of assurance with respect to our work and we did not verify or audit any information provided to us.

Our work was limited to the specific procedures and analysis described herein and was based only on the information made available through May 1, 2014. Accordingly, changes in circumstances after this date could affect the findings outlined in this Report.

This information has been prepared solely for the use and benefit of, and pursuant to a client relationship exclusively with the Corporation of the City of Windsor (“City”). PwC disclaims any contractual or other responsibility to others based on its use and, accordingly, this information may not be relied upon by anyone other than the City.

Windsor, Ontario

May 12, 2014

Table of Contents

Detailed Plan

1. Introduction

2. Key Updates to the Plan

3. Auditable Entities

4. Key Risk Themes

5. Risk Ratings

6. Risk Culture – Employee Survey

7. 2014-2016 Internal Audit Plan

Appendices

8. Appendix A: Methodology and Approach

9. Appendix B: Risk Definitions

10. Appendix C: Risk Profile

PwC

City of Windsor Internal Audit Plan

Introduction

This Internal Audit Plan has been updated to incorporate the following auditable entities:

• Committee of Adjustment;

• Ottawa Street Business Improvement Area; and

• Pillette Village Business Improvement Area.

In addition, 8 internal audit projects, including 4 ABC projects, are confirmed. The prior year’s risk assessment was validated with management during a risk validation and draft plan presentation held with the CLT, or designates.

This plan represents the proposed project coverage for the next 3 years for the annual cycle of June 1 through to May 30. The next slide provides an overview of the annual timeline proposed.

2014-15 timeline overview

[Figure: monthly timeline running from May 2014 through June 2015. Milestones shown: approval of rolling 3 year plan for 2014/15; Q1 report to ECC; Q2 report to ECC *; Q3 report to ECC; Q4 report to ECC; approval of rolling 3 year plan for 2015/16. Legend: planning, development and approval of 3 year plan; proposed timing of internal audit work; review and adjustment of 2014/15 audit plan; proposed City Council touch points.]

Proposed City Council touch points. We commit to meeting with the City Council at least 4 times a year, but will arrange additional meetings if necessary for plan approvals, delivery of reports, and other key milestones. Quarterly reports will include observations to date, status of management actions, and internal audit performance dashboard.

* The Second Quarter Report to ECC is expected to be presented in January 2015 since there is no ECC meeting in the month of December.

Key Updates to the Plan

This Internal Audit Plan has been updated in consideration for the following:

1. No new risks have been identified since the last revised Internal Audit plan approved on February 24, 2014. Accordingly, sections of this Internal Audit plan which have not changed since February 2014 include Sections 4, 5, 6 and 9.

2. 4 City processes and 4 ABCs confirmed and included in the 2014/15 audit plan.

3. 4 new City projects identified and planned for year three of the Internal Audit Plan.

4. Updated approximate general calculation of coverage of our annual and 3 year plan efforts. These coverage estimates and market comparable have been included in the plan. IA effort coverage analysis has been updated to reflect the coverage of the entity as a result of the projects to be executed in the next year and next 3 years.

5. Handi-Transit is removed from the listing of auditable entities.

Auditable Entities

City of Windsor – Council and Strategic Planning

City of Windsor – Economic Development & Public Safety

City of Windsor – Social Development, Health, Recreation & Culture

City of Windsor – Environmental Protection & Transportation

City of Windsor – Public Engagement & Human Services

City of Windsor – Finance & Technology

Windsor Canada Utilities Ltd.

Enwin Utilities Ltd

Enwin Energy Ltd

Windsor Utilities Commission

Your Quick Gateway

Windsor Detroit Tunnel Corp.

Windsor Police Service

Windsor Public Library

Committee of Adjustment

Windsor Essex County Health Unit

Tourism Windsor Essex Pelee Island

Windsor Essex Community Housing Corporation

Huron Lodge Committee of Management

Essex Windsor Solid Waste Authority

Windsor Licensing Commission

Downtown Windsor Business Improvement Association

Erie Business Improvement Association

Ford City Business Improvement Association

Olde Riverside Business Improvement Association

Olde Sandwich Towne Business Improvement Association

Walkerville Business Improvement Association

Wyandotte Towne Centre Business Improvement Association

Windsor Essex County Economic Development Corp

Transit Windsor

Roseland Golf & Curling Club Ltd.

Pillette Village Business Improvement Association

Ottawa Street Business Improvement Association

Essex Region Conservation Authority

Legend: Included in scope of current IA plan; Non-participating ABCs

Key Risk Themes

Risk Themes

The following risk universe groups risks identified during our risk assessment based on risk type, as follows: External, Internal and Change related risks. The impact and likelihood of these risks were assessed by management using the risk ratings in section 5 during a survey and subsequent workshop. Definitions for each risk are included in Appendix B.

External Risks

• Political
• Economic factors
• Socio-Cultural
• Legislative
• Pandemic/Hazards
• Terrorism
• Funding
• Public relations/expectations
• Technology
• Public safety
• Vandalism

Internal Risks

• Strategic: Governance; Planning & resource allocation; Public relations; Public policy; Reputation; Third party performance; Infrastructure; Environmental; Conflicting Priorities; Transparency
• Operational: Service delivery; Material resources; Information for decision making; Security & privacy; Technology cost; Technology enablement; Technology experience; Asset protection; Value creation/enhancement; Departmental coordination; Operational oversight
• Organizational: Structure/culture; Accountability; Scalability; Human resources; Succession planning/capacity; Labour relations
• Financial: Capital structure; Treasury/liquidity; Accounting & reporting; Fraud & corruption; Loss/theft of assets; Funding oversight
• Legal/Compliance: Compliance; Environmental; Public policy; Litigation

Change Risks

• Strategic: Major initiatives; Sourcing/cessation
• Operational: Program delivery; Implementation/transition; Benefits realization/sustainability
• Organizational: Readiness
• Financial: Cost/time
• Legal/Compliance: Alignment

We summarized and grouped risks identified during our risk assessment based on risk type, as follows: External, Internal and Change related risks. Red items indicate a high risk, yellow a medium risk and green a low risk (none identified by management). We did not validate the risks identified or assign a weighting of the severity of the risks mentioned at this juncture. Likelihood of these risks occurring and the potential impact on the City are assessed in the Risk Profile presented in Section 10.

[Figure: the risk universe (External Risks, Internal Risks, Change Risks), colour-coded by risk level.]

Risk Ratings

Risk Ratings - Approach

Ratings were used to prioritize the identified risks as well as rank the internal audits designed to address the risks. In assigning a risk rating for the inherent risks identified, two factors – likelihood and impact – were considered before considering the effectiveness of the existing control environment. The likelihood rating represents the probability that an event or risk could occur. The likelihood of the risk occurring before the effect of risk mitigation actions and the strength of internal controls was based on the definitions in the chart below.

The impact rating represents the City exposure from a financial, regulatory or reputation perspective should the event or risk occur. The average of two impacts was considered – corporate impact and citizen impact. The impact of the risk on the corporation and citizen responsibilities before the effect of risk mitigation actions and the strengths of internal controls was based on the definitions below:

Based on the results of the interviews, our review of prior risk assessments, knowledge of the industry risks and knowledge of the City business, the impact of each identified risk was categorized as “higher”, “medium” or “lower” as defined in the chart below on the right.

Based on the assessment of likelihood and impact, an overall risk rating was assigned. This assessment was made prior to consideration of the strength of internal controls, risk monitoring activities, or processes surrounding the risk area. Overall Risk Assessment ratings help prioritize the risks. Higher risk areas require more immediate attention by the City – either in the form of internal audit projects, management attention or other risk monitoring activities. This approach is outlined on the next page.

Higher Risk

• Almost certain & medium impact
• Almost certain & high impact
• Likely & high impact

Moderate Risk

• Almost certain & low impact
• Likely & medium impact
• Not likely & high impact

Low Risk

• Likely & low impact
• Not likely & low impact
• Not likely & medium impact

[Figure: risk matrix with Likelihood (Not Likely, Likely, Almost Certain) on the vertical axis and Impact (Low, Medium, High) on the horizontal axis.]

Risk Ratings - Results

1. Political
2. Legislative & regulatory
3. Funding
4. Public reaction/expectation
5. Socio-Cultural
6. Economic factors
7. Terrorism
8. Vandalism
9. Pandemics/Hazards
10. Technology
11. Public Safety
12. Governance
13. Planning & resource allocation
14. Public relations
15. Public policy
16. Reputation
17. Third party performance
18. Environmental
19. Conflicting priorities/demands
20. Transparency
21. Infrastructure
22. Service delivery
23. Material resources
24. Information for decision making
25. Security and privacy
26. Technology enablement
27. Technology cost
28. Technology experience
29. Inter-Departmental coordination
30. Asset protection
31. Value creation/enhancement
32. Structure/culture
33. Human resources
34. Succession planning/capacity
35. Labour relations
36. Accountability
37. Scalability
38. Capital structure
39. Treasury/liquidity
40. Accounting and reporting
41. Fraud & corruption
42. Loss/theft of assets
43. Compliance
44. Environmental
45. Public policy
46. Litigation
47. Major initiatives
48. Sourcing/Cessation
49. Program delivery
50. Implementation/Transition
51. Benefits realization/sustainability
52. Readiness
53. Time/Cost
54. Alignment
55. Funding oversight
56. Operational oversight

[Figure: the numbered risks plotted on a matrix with Likelihood (Not Likely, Likely, Almost Certain) on the vertical axis and Impact (Low, Medium, High) on the horizontal axis.]

Filled circles indicate where an internal audit project is proposed to evaluate and validate risk management activities.

Filled circles indicate where an internal audit project addressed the risk in a previous year.

Transparent circles indicate broad, inherent risks. These risks should be closely monitored by the management and re-evaluated on a periodic basis to determine whether it is appropriate and feasible to include them in the subsequent year’s Internal Audit plan.

Further detail on Internal Audit projects can be found in the Risk Profile in Section 10.

Risk Culture – Employee Survey

A key component of our Enterprise Risk Assessment was to understand management's view of the risks and the risk culture at City of Windsor. To meet this objective we surveyed 25 non-executive level managers, all of whom were City Department personnel and did not include ABC management (with a response rate of 84%), to further understand their view on risks facing City of Windsor and to ensure there is a consistent understanding across management of what is important. It should be noted that this survey was initially performed in June 2013 and no changes have been noted subsequent to June 2013. Overall, the survey provided comfort that both executive management and middle management share similar views on risk.

In addition, we asked very specific questions regarding the risk culture at City of Windsor. The table on the following page summarizes the results of the risk culture portion of the survey.

Certain observations can be made from the results of the risk culture survey. We have summarized these observations below.

Some positive themes of the City of Windsor culture that the survey highlighted include:

• Employees have comfort that they can safely communicate issues to senior leadership

• Employees have contentment with guidance and direction provided by leadership

• Understanding of perceived risk that employees can take on behalf of City of Windsor

• Concurrence of adequate controls around information security and overall business processes

Themes where the City of Windsor should pay attention to increase perceived culture include:

• Impact of turnover and the ability to adequately achieve set objectives

• Investment in the long term

• Inadequacy of technology and communication infrastructure in maximizing job effectiveness

• Inefficient and ineffective communication between units

• Inconsistent compensation standards

2014-2016 Internal Audit Plan

An overall Internal Audit strategy for the City was determined in light of the business strategy as well as the current controls maturity, the overall inherent risks, the ranking of the risks, the perceived adequacy of controls and any control initiatives underway. In developing our plan, consideration was given to the nature of the risk and the ability of Internal Audit to add value beyond work that is already being performed by management.

All successful internal audit functions go through several stages of evolution based on the organization's need. The model to the right shows a continuum of focus based on stakeholder expectations and the maturity factors discussed above. There is no single model for Internal Audit; rather, its function is derived from the current needs of the organization and its design should be to meet the risk management priorities of the business and stakeholders' needs and expectations.

Our stakeholder discussions have indicated the desire for the City Internal Audit to initially focus on a more value protection mode, with an evolution to a more balanced focus over time. Our proposed 2014-2016 Internal Audit plan takes this into account with a move over time towards the dotted line on the illustration above, but with a constant consideration of financial control risk.

The proposed Internal Audit plan is the final step of the Risk Assessment and can be found on the subsequent pages of this report. Internal Audit should focus its annual audit plan principally on activities, processes or areas of the City that are perceived to present the greatest risk to the achievement of the City strategic or business objectives or where controls or other mitigating control practices may not be as effective as desired. The proposed 3 year audit plan beginning June 2014 attempts to cover a portion of most of the identified risks that are rated “higher” on the risk assessment matrix.

In addition, to gain coverage over the auditable entities not yet included in the risk assessment – the 26 agencies, boards and commissions (ABCs) – there will be roughly 4 projects for the ABCs per year to attain a portion of coverage of each ABC over 7 years. Another round of ABC risk assessment is expected to occur prior to year 3 of the plan.

We propose Internal Audit will adopt a continuous risk assessment process whereby internal audit areas and corresponding risk profiles will be revisited as the City business changes. This will result in ongoing risk discussions with members of management and adjustments to the Internal Audit plan as needed. The frequent risk discussions will allow for timely identification of changes in the risk environment and closer alignment of Internal Audit projects with these risks and the changing business needs.

The following table outlines the proposed internal audit projects:

2014/15 Internal Audit Project Summary

Annually Recurring Projects

Internal Audit Area | Description

Planning

• Risk Assessment and Annual Plan Development: Identify value drivers, facilitate or leverage management’s corporate risk and control self assessment and draft a 3 year rotational internal audit plan.

Management and reporting

• Status & Performance Reporting: Provide quarterly reports to Council, CLT and SMT on internal audit performance and project status. Monthly status and liaison reporting/coordination.
• Attendance at Key City Meetings: Attendance at or review of selected Council, CLT and SMT meetings/sessions to provide information or enhance internal audit’s risk and operations awareness.

Recurring projects

• Prior Findings Follow-Up: Follow up on management’s resolution of prior findings on a quarterly basis.
• Inbound Call Investigation: Receive, log and apply call resolution decision framework and provide status reporting to CLT and Council.
• Unallocated: Effort reserved in accordance with recommended practices to address ad hoc queries in the year.

Legend: Previous Year Projects; Projects within 3-year plan; Projects beyond 3 years; Recurring Projects

2014-2016 Internal Audit Project Summary

Rotational Projects – City Departments

Internal Audit Area 2013/14 2014/15 2015/16 2016/17

Provide governance and strategic leadership to the Corporation and ensure policies of the Municipality are implemented X

Purchasing, payables, tendering, procurement and third party management integrated with a hotline call follow up X

Manage information security X

Recommend annual operating and capital budgets X

Succession planning and management X

Manage infrastructure X

Manage changes to information systems X

Manage capital structure X

Manage the daily operations of service delivery X

Fraud Risk Management X

Governance of information technology to support the business objectives and strategies X

Protecting the Environment X

Oversight of major City projects and initiatives X

Property billing and tax collection services X

Legal & Risk Management Services X

Further description of the 2014/15 projects and the risks they are aligned with is included on pages 33-34.

Rotational Projects – Agencies, Boards & Commissions/Hotline Investigation

Internal Audit Area 2013/14 2014/15 2015/16 2016/17 2017/18 2018/19 2019/20

Transit Windsor X

Your Quick Gateway X

Windsor Detroit Tunnel Corporation X

Essex Windsor Solid Waste Authority X

Windsor Public Library X

Windsor Essex Community Housing Corporation X

Huron Lodge X

Windsor Utilities Commission X

Enwin Utilities Ltd X

Enwin Energy Ltd/Windsor Canada Utilities Ltd. X

Further description of the 2014/15 projects and the risks they are aligned with is included on page 35.

Internal Audit Area 2013/14 2014/15 2015/16 2016/17 2017/18 2018/19 2019/20

Windsor Police Service X

Roseland Golf & Curling Club X

Windsor Essex County Economic Development Corp X

Tourism Windsor Essex Pelee Island X

Committee of Adjustment X

Windsor Licensing Commission X

Downtown Windsor Business Improvement Association X

Erie Business Improvement Association X

Ford City Business Improvement Area X

Olde Riverside Business Improvement Area X

Olde Sandwich Towne Business Improvement Area X

Ottawa Street Business Improvement Area X

Pillette Village Business Improvement Area X

Walkerville Business Improvement Area X

Wyandotte Towne Centre Business Improvement Association X

Further description of the 2014/15 projects and the risks they are aligned with is included on page 35.

ABC Audit Approach

In many instances the issues and risks of both the City and the ABCs are similar in their inherent nature. Given the finite resources to be applied in assessing the appropriate risk management and internal practice across 35 different auditable entities, Internal Audit is recommending a structured approach to incorporating ABCs into the Internal Audit Plan.

For each ABC, Internal Audit proposed to conduct one of 3 potential types of reviews:

1. Expanded Review of Specified Objectives

2. Targeted Review of Specified Objectives

3. Selected Review of High Risk Area

The Expanded and Targeted Review of Specified Objectives will focus on predetermined key City business objectives where the ABCs have a direct impact. The type of project (Expanded/Targeted) will be aligned to the nature, size and relationship of the ABC to the City. We have outlined the key areas for both the Expanded and Targeted Review of Specified Objectives in the following table:

ABC Audit Approach con’t

Topic | Targeted Review of Specified Objectives | Expanded Review of Specified Objectives

City Reporting relationship & agreement X X

Compliance with city reporting relationship X X

Tone at the top X X

Policy framework and evidence of compliance X X

Regular reporting to City X X

Shared services X

Integrity of management information X X

Succession planning X

Funding/budget process X

Fraud risk management protocols X X

Cash management process X X

Media monitoring and escalation X X

IT governance X

Change management X

Information and data security X

Select Reviews of High Risk Areas will be Internal Audit projects tailored to High Risk areas that warrant attention due to the nature of the risk or where the project effort level is expected to result in an improved risk posture for the City as a corporation.

Internal Audit Coverage Summary for 3 Year Plan

The coverage factors in the following table represent the highest potential coverage. Actual coverage obtained may be less than the stated values because projects may only address high risk processes and/or key controls.

Area | Annual Coverage Factor will be less than | 3 Year Cycle Coverage Factor will be less than

Corporate Process Coverage: | 1.5% | 5%

High Risks Considered* | 10% | 36%

ABC entity touch points: | 15% | 46%

ABC coverage: | Indeterminable | Indeterminable

* It is important to note that a common target for Internal Audit coverage in a 3-5 year plan is to address 80-100% of the high risk considerations plus emerging issues and management and professional standards requirements.

2014/15 Internal Audit Project Summary

Internal Audit Activity Allocation (Hours)

Planning 250

1. Risk Assessment and Annual Plan Development 250

Management and reporting 350

2. Status & Performance Reporting 120

3. Attendance at Key City Meetings 230

Projects (11) 1,900

4. Prior Findings Follow-Up 120

5. Inbound Call Investigation 80

6. Recommend annual operating and capital budgets 250

7. Succession planning and management 175

8. Manage infrastructure 175

9. Manage changes to information systems 250

10. Windsor Detroit Tunnel Corporation 230

11. Essex Windsor Solid Waste Authority 190

12. Windsor Public Library 190

13. Windsor Essex Community Housing Corporation 190

14. Unallocated 50

Total 2,500

2014/15 Internal Audit Project Description

Internal Audit Area | Description/Related Risks

Manage infrastructure

Evaluate the process and controls in effect surrounding the planning and implementation of replacing and restoring infrastructure.

Risks: Legislative and regulatory, Funding, Public Relations and expectations, Vandalism, Public Safety, Reputation, Conflicting priorities/demands, Infrastructure, Service delivery, Technology Enablement, Technology cost, Asset protection, Capital structure, Treasury/liquidity, Loss/theft of assets,

Manage changes to information systems

Evaluate the process and controls in effect when planning and implementing information systems.

Risks: Information for decision making, Security and privacy, Technology enablement, Technology cost, Technology experience, Asset protection, Implementation/transition

Recommend annual operating and capital budgets

Evaluate the process and controls in effect when planning and developing budgets.

Risks: Funding, Public Relations and expectations, Economic factors, Governance, Planning and resource allocation, Public policy, Reputation, Conflicting priorities/demands, Transparency, Service delivery, Information for decision making, Capital structure, Treasury/liquidity, Major initiatives, Sourcing/cessation, Time/cost

Succession planning and management

Evaluate the process and controls in effect to identify, manage, monitor and mitigate succession planning risks or single points of failure.

Risks: Succession planning/capacity, Service delivery, Program delivery, Governance, Structure/culture, Human Resources

ABC Audit Approach con’t

Topic | Targeted Review of Specified Objectives | Expanded Review of Specified Objectives

Windsor Detroit Tunnel Corporation X

Essex Windsor Solid Waste Authority X X

Windsor Public Library X X

Windsor Essex Community Housing Corporation X X

Risks for targeted reviews: Operational oversight, Funding oversight, Program delivery, Governance, Structure/culture, Legislative & regulatory, Public reaction/expectation, Governance, Planning & resource allocation, Reputation, Service Delivery, material resources, Information for decision making, Security and privacy, Inter-departmental co-ordination, Asset protection, Value creation, Structure/culture, Labour relations, Accountability, Scalability, Treasury/liquidity, Fraud & corruption, Loss/theft of assets, Compliance, Sourcing/cessation, Program delivery, Benefits realization/sustainability, Compliance, Transition/implementation

Risks for expanded reviews: Operational oversight, Funding oversight, Succession planning/capacity, Service delivery, Program delivery, Governance, Structure/culture, Human Resources, Legislative & regulatory, Public reaction/expectation, Governance, Planning & resource allocation, Reputation, Third party performance, Service Delivery, material resources, Information for decision making, Security and privacy, Inter-departmental co-ordination, Asset protection, Value creation, Structure/culture, Labour relations, Accountability, Scalability, Treasury/liquidity, Fraud & corruption, Loss/theft of assets, Compliance, Sourcing/cessation, Program delivery, Benefits realization/sustainability, Compliance, Transition/implementation

Appendix A – Methodology and Approach

Methodology and Approach

Our risk assessment methodology involved an identification of the strategy, goals and objectives of the City and the related risks that could potentially impair the achievement of those objectives. A key objective of this risk assessment is to align the Internal Audit plan with the most critical risks facing the City. The key activities performed initially in June 2013 and subsequently in May 2014 are as follows:

June 2013:

• Reviewed relevant information regarding the City including financial statements and other internal reports and information.

• Interviews of approximately 25 executive management team members and 30 ABC management team members were conducted. These representatives were from all departments and agencies, boards and commissions.

• Administered a comprehensive risk survey to a cross section of approximately 17 management team members.

• Performed a value driver analysis to gain understanding of key company strategy and the value creating process with highest impact on achieving that strategy.

• Summarized the risks identified to capture the most significant risk categories.

• Analyzed and rated the risks to assess the likelihood of each identified risk occurring and its potential impact.

• Performed a high-level assessment of the control environment surrounding the identified risks.

• Reviewed our inventory ("Audit Universe") of key risks, business processes, activities, applications and business units, which are potentially subject to audit, and updated the Audit Universe, if necessary.

Methodology and Approach con’d

May 2014:

• Internal Audit met with CLT members to validate the prior year's internal audit planning risk assessment and identified any significant changes in risk positioning, new risks and areas of management concern. No significant changes were identified.

• Recommended to senior leadership through this report, a three year Internal Audit plan to address the identified risks subject to audit and to cover other areas within the Audit Universe on a multi-year, rotational basis.

From our review and the interviews, surveys and workshop with members of the SMT and CLT team we developed a Risk Profile (included on page 18) using a color-coded scheme to assess the severity of the risks related to the City most significant value creating processes. The matrix provides a framework for directing internal audit resources to the areas of higher risk and for estimating the level of Internal Audit resources required to monitor the risks. It includes an assessment of the severity of the risks (based on likelihood and impact [Corporate and Citizen]) and the effectiveness or perceived maturity of the controls in place to mitigate the risks (a controls assessment). The risks included in the matrix were either those mentioned by our interview and survey participants (some risks more frequently than others) or identified in other risk projects by management. They have not been corroborated through testing or the gathering of other evidence. It is likely that the matrix does not include all the risks the City faces, but the risks noted appear to include the most widely recognized. These initial assessments are subject to review and adjustment by Corporate Leadership and the City Council.

Additionally, in developing our audit plan for 2014/15, we also considered whether or not the risks linked to these key processes were good candidates for current Internal Audit activity. In some cases, the risks identified are inherent in the business and, therefore, it may be impractical, ineffective or inefficient to allocate Internal Audit resources to audit the risks. In these cases, these risks should be addressed by another risk monitoring function or management may consider developing internal controls or processes to address these risks.


Appendix B – Risk Definitions


Domain: External

Political: The risk that political unrest, changes in office bearers, future elections (local, provincial and federal) impair or significantly change/redirect the City’s mandate, operations or funding models.

Legislative & regulatory: Changes or conflicts in legislation, the regulatory environment and laws or conflicts in legislation impair or significantly change/redirect the City’s mandate, operations or funding models.

Funding: The risk that changes in funding models and allocations occur, resulting in an unplanned reduction in service or an inability to react in a timely manner.

Public reaction/expectation: The risk that services, policies and administrative directives do not meet citizen needs or require undue attention and resource deployment.

Socio-Cultural: Unemployment, migration of workers, socio-cultural needs, demographics and citizen/business expectations change and adapt, requiring redirection in public policy, funding and management attention.

Economic factors: Changes in inflation, foreign exchange fluctuations, interest rates, employment rates, business startup/creation/departure impact current and future revenue streams and public needs.

Terrorism: Intentional acts of terror occur, resulting in the need for emergency services or increased services and funding from City sources.

Vandalism: Intentional acts of vandalism occur, resulting in the need for emergency services or increased services and funding from City sources.

Pandemics/Hazards: The risk that a health or natural occurrence beyond management’s control impacts normal operations and support services to municipal stakeholders. Factors to consider include:

• Depletion of natural resources

• Environmental degradation

• Spillage

• Pollution

• Flooding/freezing/storm

• Epidemics

Technology: The risk that municipal adoption, avoidance or use of technology does not appropriately align with advancements in technology and public/stakeholder expectations or with potential value creation.

Public Safety: The risk that public safety is impaired due to a failure of public services.


Domain: Internal – Strategic

Governance: The risk that governance mechanisms fail to enable a culture of awareness, consistent values and reputational protection/enhancement.

Planning & resource allocation: Planning and resource allocation decisions result in unnecessary expenditure, impairment of value or misalignment of resources with priorities, and are not adaptable to change.

Public relations: Inappropriate or erroneous disclosure of information is made to the media/public, resulting in unnecessary resource allocation, costs, public scrutiny and/or legal action.

Public policy: Public policy objectives are not aligned with municipal stakeholder needs or fail to be attained, resulting in a failure of mandates and unnecessary costs.

Reputation: Media, public perception, policy, resource allocation and/or funding issues result in impaired reputation, decreasing public and business profile, operational ability and future revenue sources or increasing operating costs.

Third party performance: Third party providers fail to perform to the agreed service levels, do not render the service in time, do not render the correct service or deliver inadequate/poor service, resulting in lost revenues, increased operational costs, lost time, public scrutiny, increased oversight or reputation risk. This risk also includes the misalignment of public service needs and private sector profits.

Environmental: Operational actions result in environmental exposure issues and non-compliance with policies and expectations.

Conflicting priorities/demands: The risk that differing priorities and demands between citizen, council, administration as well as federal and provincial bodies create a stalemate, inability to act, lost resources or service delays.

Transparency: The risk that citizen, federal, provincial and business partner expectations with regards to transparency are not met, understood or attained.

Infrastructure: The risk that infrastructure is not available, able to be maintained or suitable for current and operational needs.


Domain: Internal – Operational

Service delivery: The risk that service delivery to citizens and businesses is not efficient and effective or is lacking in quality. The risk that services delivered do not provide value to those to whom they are delivered.

Material resources: Material resources needed to enable operations are not available, costly to attain, cannot be acquired in a timely manner, or are wasted.

Information for decision making: Information for decision making is not available, accurate, stable or relevant, or lacks integrity, resulting in faulty, erroneous and wrong decisions. Factors to consider include:

• Availability of information

• Stability of information

• Integrity of information

• Relevance of information

• Retention

• Safeguarding

Security and privacy: Information is improperly accessed, modified or disclosed, resulting in impaired reputation, increased oversight and operational costs or legal action.

Technology enablement: Enabling technology is not available, reliable or integrated, or is ineffective or obsolescent.

Technology cost: Enabling technology solutions and infrastructure are not cost effective.

Technology experience: Technology is not enabling operations or is impairing the citizen/business experience.

Inter-Departmental coordination: Coordination between departments does not occur in a timely or effective manner, resulting in service delivery issues, increased costs and impaired reputation.

Asset protection: Value preservation is lost, not known or missed, resulting in a reduction in available capital, funding losses or unnecessary expenditures.

Value creation/enhancement: Value creation/enhancement opportunities are not known, missed or under exploited, resulting in a reduction in available capital, potential revenue losses or unnecessary expenditures.

Operations oversight: The risk that the Corporation does not sufficiently and appropriately monitor the operational decisions made by its ABCs.


Domain: Internal – Organizational

Structure/culture: Corporate culture and control environment fail to enable strategic objectives, corporate values or use of resources. Factors to consider include:

• communication channels and effectiveness

• cultural integration

• ethics and values

• goal alignment

• management style

• tone at the top

• organizational structure

Human resources: The risks that relate to the human resources of the City. Factors to include:

• Integrity and honesty

• Recruitment

• Skills and competence

• Employee wellness

• Employee relations

• Retention

• Occupational health and safety

Succession planning/capacity: Management resources could fail to meet strategic and operational requirements due to limited capacity, departures and retirements with limited to no backup or alternative plans, resulting in a loss of key competencies and skills.

Labour relations: Labour relations actions or inaction result in service delivery failure, increased costs or increased scrutiny.

Accountability: Corporate and individual accountability is unclear, not understood or ignored, resulting in a failure to achieve corporate objectives, efficient operations or an unnecessary loss of time.

Scalability: Organizational structures, policies and operating models impair the ability to fluidly react to changing municipal demands and resourcing needs.


Domain: Internal – Financial

Capital structure: The capital structure solutions impair investment requirements, public policy attainment or alignment with legislative requirements.

Treasury/liquidity: Inadequate cash flow due to improper management, investment, collection, planning or wasteful spending.

Accounting and reporting: Impairment in financial statements or public reporting integrity.

Fraud & corruption: The risk of occurrence of illegal or improper acts by employees resulting in a loss of the City’s assets or resources.

Loss/theft of assets: Loss of financial value and/or resource to execute operations due to either theft or loss of a City asset.

Funds oversight: The risk that the Corporation does not sufficiently and appropriately monitor the manner in which its ABCs utilize the funds they are allocated.

Domain: Internal – Legal/Compliance

Compliance: Failure to maintain an awareness of compliance requirements, monitor compliance, enforce compliance, implement and maintain enabling mechanisms, resulting in consequences of non-compliance – reputation, funding, fines, penalties, etc.

Environmental: Environmental policy does not align with municipal and actual needs or public policy, or actions taken are contrary to those policies and needs, resulting in increased costs, reputation impairment, loss of resources and increased scrutiny.

Public policy: Failure to maintain awareness and compliance with provincial or federal public policy requirements results in increased costs, reputation impairment, loss of resources and increased scrutiny.

Litigation: Risks that the City may suffer loss due to litigation and lawsuits against it. Losses may emanate from:

• Claims by employees, the public, service providers and other third parties

• Failure by the City to exercise certain rights to its advantage


Domain: Change Risks

Major initiatives: The risk that major initiatives are not aligned with strategic objectives or municipal need, that they are not identified and acted on in a timely manner or that they result in excessive cost and time overruns or ongoing sustainment expenditure beyond expectations.

Sourcing/Cessation: The risk that services and solutions are not effectively identified for sourcing or cessation as part of operational analysis, resulting in increased cost, lost opportunity and unnecessary expenditures.

Program delivery: The risk that program delivery is ineffective, results in failed projects, cost and time overruns or recurring scope/cost/timing changes which can result in increased costs, reputation impairment and increased scrutiny.

Implementation/Transition: The risk that although program delivery is successful there is a failure to implement the end result as a sustainable solution that realizes the original business case results due to poor change management, adoption, ease of use or transition failure from project to ongoing process/program.

Benefits realization/sustainability: The risk that major initiatives and sourcing activities do not realize the original benefits expected or exceed sustainable operations expectations. This includes the risk that when sourcing services or asset custody to external parties there are competing profit and service interests that the City is accountable for.

Readiness: Operational readiness to adopt, implement and sustain change and transformation impairs the effective deployment of transformation, resulting in failure, increased costs and reputational impairment.

Time/Cost: Time/costs of changes and transformation exceed original business case, cost/benefit expectations and ongoing sustainment expectations, resulting in increased expenditures and a loss of efficiency.

Alignment: Changes and transformational activities result in failures in compliance or result in legal elements that are offside of existing requirements.


Appendix C – Risk Profile


Impact: L M H

Likelihood: NL L AC

Risk Risk Score Impact Likelihood Proposed IA Project 2013/14 2014/15 2015/16 2016/17

Political H M L None in the next 3 years

Legislative & Regulatory H M L Provide governance and strategic leadership to the Corporation and ensure policies of the Municipality are implemented

Manage information security

Manage third party performance

Manage infrastructure

Manage the daily operations of service delivery

Oversight of Major City Initiatives

Protecting the Environment

Legal and Risk Management Services

X

X

X

X

X

X

X

X

Funding H H L Provide governance and strategic leadership to the Corporation and ensure policies of the Municipality are implemented

Recommend annual operating and capital budgets

Sourcing and major initiatives

Manage infrastructure

Manage capital structure

Oversight of Major City Initiatives

Property billing and tax collection

X

X

X

X

X

X

X


Public Relations and Expectations H H L Recommend annual operating and capital budgets

Manage information security

Manage third party performance

Manage infrastructure

Manage capital structure

Fraud Risk Management

Oversight of Major City Initiatives

X

X

X

X

X

X

X

Socio-Cultural M M L None in the next 3 years

Economic Factors H M L Recommend annual operating and capital budgets

Manage capital structure

Oversight of Major City Initiatives

Property billing and tax collection

X

X

X

X

Terrorism M H NL Manage information security X


Vandalism H L AC Manage infrastructure X

Pandemic/Hazards H H L Manage information security

Protecting the Environment

Legal and Risk Management Services

X

X

X

Technology M M L Governance of information technology to support the business objectives and strategies

Oversight of Major City Initiatives

X

X

Public Safety M M L Manage infrastructure

Oversight of Major City Initiatives

X

X


Governance H M/H L Provide governance and strategic leadership to the Corporation and ensure policies of the Municipality are implemented

Recommend annual operating and capital budgets

Succession planning and management

Manage information security

Manage third party performance

Manage capital structure

Fraud Risk Management

Governance of information technology to support the business objectives and strategies

X

X

X

X

X

X

X

X


Planning & resource allocation H M/H L Provide governance and strategic leadership to the Corporation and ensure policies of the Municipality are implemented

Recommend annual operating and capital budgets

Succession planning and management

Manage third party performance

Sourcing and major initiatives

Manage capital structure

Governance of information technology to support the business objectives and strategies

X

X

X

X

X

X

X

Public Relations M M L None in the next 3 years


Public Policy M M L Recommend annual operating and capital budgets

Manage capital structure

X

X

Reputation M M L Provide governance and strategic leadership to the Corporation and ensure policies of the Municipality are implemented

Recommend annual operating and capital budgets

Manage information security

Manage third party performance

Manage infrastructure

Manage the daily operations of service delivery

Fraud Risk Management

X

X

X

X

X

X

X


Third Party Performance H M AC Manage information security

Manage third party performance

Sourcing and major initiatives

Manage the daily operations of service delivery

X

X

X

X

Environmental H M/H L Manage third party performance

Protecting the Environment

X

X

Conflicting Priorities/demands M M L Provide governance and strategic leadership to the Corporation and ensure policies of the Municipality are implemented

Recommend annual operating and capital budgets

Succession planning and management

Manage infrastructure

X

X

X

X


Transparency M M L Provide governance and strategic leadership to the Corporation and ensure policies of the Municipality are implemented

Recommend annual operating and capital budgets

Sourcing and major initiatives

X

X

X

Infrastructure H H AC Provide governance and strategic leadership to the Corporation and ensure policies of the Municipality are implemented

Manage information security

Manage infrastructure

X

X

X


Service Delivery H H AC Recommend annual operating and capital budgets

Succession planning and management

Manage information security

Manage third party performance

Sourcing and major initiatives

Manage infrastructure

Manage the daily operations of service delivery

Governance of information technology to support the business objectives and strategies

X

X

X

X

X

X

X

X

Material Resources H M/H L Manage third party performance

Oversight of major initiatives

X

X


Information for decision making M M L Provide governance and strategic leadership to the Corporation and ensure policies of the Municipality are implemented

Recommend annual operating and capital budgets

Manage information security

Manage third party performance

Manage changes to information systems

Governance of information technology to support the business objectives and strategies

X

X

X

X

X

X

Security and Privacy M M L Manage information security

Manage third party performance

Manage changes to information systems

Fraud Risk Management

Governance of information technology to support the business objectives and strategies

X

X

X

X


Technology Enablement M M L Manage infrastructure

Manage changes to information systems

Governance of information technology to support the business objectives and strategies

X

X

X

Technology Cost M M L Manage infrastructure (2014/15)

Manage changes to information systems (2014/15)

Governance of information technology to support the business objectives and strategies (2015/16)

X

X

X

Technology Experience M M L Manage information security

Manage infrastructure

Manage changes to information systems

Governance of information technology to support the business objectives and strategies

X

X

X

X


Interdepartmental Coordination M M L Provide governance and strategic leadership to the Corporation and ensure policies of the Municipality are implemented

Manage third party performance

Governance of information technology to support the business objectives and strategies

X

X

X

Asset Protection M M L Manage information security

Manage third party performance

Manage infrastructure

Manage changes to information systems

Fraud Risk Management

X

X

X

X

X

Value Creation/Enhancement M M L Manage third party performance X

Structure/Culture H M L Provide governance and strategic leadership to the Corporation and ensure policies of the Municipality are implemented

Manage third party performance

Sourcing and major initiatives

X

X

X


Human Resources H M L Succession planning and management

Oversight of major City Initiatives

X

X

Succession Planning/Capacity H M AC Succession planning and management

X

Labor Relations H M/H L Succession planning and management

Manage third party performance

Sourcing and major initiatives

X

X

X

Accountability M M L Provide governance and strategic leadership to the Corporation and ensure policies of the Municipality are implemented

Manage information security

Manage third party performance

Manage the daily operations of service delivery

Fraud Risk Management

X

X

X

X

X


Scalability M M L Succession planning and management

Manage third party performance

X

X

Capital Structure H H AC Recommend annual operating and capital budgets

Manage infrastructure

Manage capital structure

X

X

X

Treasury/Liquidity H M/H L Recommend annual operating and capital budgets

Manage third party performance

Manage infrastructure

Manage capital structure

Property Billing and Collection Services

X

X

X

X

X

Accounting and Reporting M M L None in the next 3 years

Fraud and Corruption H H AC Manage information security

Manage third party performance

Fraud Risk Management

X

X

X


Loss/Theft of Assets M M L Manage information security

Manage third party performance

Manage infrastructure

Fraud Risk Management

X

X

X

X

Compliance M M L Provide governance and strategic leadership to the Corporation and ensure policies of the Municipality are implemented

Manage information security

Manage third party performance

Sourcing and major initiatives

X

X

X

X

Environmental M M L Protecting the Environment X

Public Policy M M L None in the next 3 years

Litigation H H L Fraud Risk Management X


Major Initiatives H H AC Recommend annual operating and capital budgets

Major initiatives

X

X

Sourcing/Cessation H H AC Recommend annual operating and capital budgets

Manage third party performance

Sourcing and major initiatives

X

X

X

Program Delivery M M L Succession planning and management

Governance of information technology to support the business objectives and strategies

X

X

Implementation/Transition M M L Succession planning and management

Manage information security

Manage changes to information systems

Governance of information technology to support the business objectives and strategies

X

X

X

X


Benefits Realization/Sustainability M M L Succession planning and management

Manage third party performance

Fraud Risk Management

Governance of information technology to support the business objectives and strategies

X

X

X

X

Readiness M M L Succession planning and management

Governance of information technology to support the business objectives and strategies

X

X

Time/Cost M M L Recommend annual operating and capital budgets

Governance of information technology to support the business objectives and strategies

X

X


Alignment M M L Governance of information technology to support the business objectives and strategies

X

Funding oversight M M L ABC projects to be executed over the next 7 years

Operational oversight M M L ABC projects to be executed over the next 7 years


© 2014 PricewaterhouseCoopers LLP. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers LLP, an Ontario limited liability partnership, which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.
