
INTERNAL AUDIT DEPARTMENT
Annual Risk Assessment & Audit Plan
For Fiscal Year 2021-22
Audit No. 2001
Report Date: May 21, 2021

OC Board of Supervisors
CHAIRMAN ANDREW DO, 1st DISTRICT
VICE CHAIRMAN DOUG CHAFFEE, 4th DISTRICT
SUPERVISOR KATRINA FOLEY, 2nd DISTRICT
SUPERVISOR DONALD P. WAGNER, 3rd DISTRICT
SUPERVISOR LISA A. BARTLETT, 5th DISTRICT
DEPARTMENT | NUMBER OF HIGH-RISK/HIGH-PRIORITY AREAS | AUDIT AREA
4. Health Care Agency/Public Guardian | 2 | Revolving Funds (HR); Information Technology (HR)
5. John Wayne Airport | 4 | Purchasing & Contracts (HR); Cash Receipts & Accounts Receivable (HR); Cash Disbursements & Payables (HP); Payroll (HP) (time permitting)
6. OC Community Resources | 4 | Fee-Generated Revenue (HR); Purchasing & Contracts (HR); Revolving Funds (HR) (time permitting); Contract Compliance (HP)
7. OC Waste & Recycling | 1 | Cash Receipts/Credit Card Processing (HP) (time permitting)
8. Probation | 1 | Information Technology (HR)
9. Registrar of Voters | 1 | Information Technology (HR)
10. Treasurer-Tax Collector | 1 | Revolving Funds (HR)
TOTAL HIGH-RISK/HIGH-PRIORITY AREAS | 24

Due to limited staffing resources, our Audit Plan only includes audits addressing 18 of the 24 high-risk or high-priority areas. If hours become available in Fiscal Year 2021-22, we will incorporate the remaining four high-risk areas and two other high priority/department-requested (time permitting) audits into the Audit Plan. The remaining high-risk and time permitting audits that have not been incorporated by the end of Fiscal Year 2021-22 will be included in our Fiscal Year 2022-23 Audit Plan.

We look forward to a successful year of providing professional, reliable, and objective audit and advisory services to the Board of Supervisors, County Executive Office, and County departments. If you have any questions, please contact me at 714.834.5442 or Assistant Director Scott Suzuki at 714.834.5509.
TABLE OF CONTENTS
Executive Summary
  Introduction
  Results
Risk Assessment
  General Risk Assessment
  Information Technology Risk Assessment
FY 2021-22 Audit Plan
Appendix A: Audit Plan Methodology
Appendix B: Acronyms
Attachment A: Internal Audit Department Organization Chart
Attachment B: Risk Assessment Schedule for Fiscal Year 2021-22
Attachment C: Schedule of 10-Year Prior Audit Coverage
EXECUTIVE SUMMARY

INTRODUCTION
The mission of the Internal Audit Department is to provide highly reliable, independent, objective evaluations, and business and financial consulting services to the Board of Supervisors (Board) and County management to assist them with their important business and financial decisions.

We support and assist the Board and County management in the realization of their business goals and objectives. Our contribution to this effort is testing and reporting on the effectiveness of their internal control systems and processes as these relate to safeguarding the County’s assets and resources, reasonable and prudent financial stewardship, accurate recording and reporting, and achieving the County’s goals and objectives.

The Internal Audit Department utilizes professional standards for the development of the Audit Plan. The Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing require the chief audit executive to establish a risk-based approach to determine the priorities for internal audit activities. Our methodology is to perform focused audits that address the most critical areas of operations and to provide a quick turnaround time to the department. We strive to minimize the disruption to department operations through this approach.

We completed a risk assessment to identify and measure risk and prioritize potential audits for the Audit Plan. We are committed to auditing business activities/processes identified: (1) as high risk by our risk assessment process or (2) high priority by Board, CEO, or department head request. Our approach is to provide coverage of the most critical and sensitive aspects of the activity identified. We may make exceptions to this approach when there are carryover audits from the prior year, where there has been recent audit coverage, or if our professional judgment determines otherwise.

Our Fiscal Year 2021-22 Risk Assessment identified 24 high-risk or high-priority areas in 10 County departments as illustrated in the chart below.
RESULTS
Our Fiscal Year 2021-22 Audit Plan includes 18 scheduled audits, nine of which are new audits and nine (seven high-risk and two high-priority department requests) are carried over from Fiscal Year 2020-21.

[Chart: audits in the Audit Plan. 8 new high-risk audits scheduled; 7 carryover high-risk audits scheduled; 1 new high-priority audit scheduled; 2 carryover high-priority requests scheduled; 18 audits scheduled. 4 time-permitting high-risk audits; 2 time-permitting department-requested audits; 6 time-permitting audits. 19 high-risk audits; 5 high-priority or department-requested audits; 24 total audits in plan.]

Due to limited staffing resources, our Audit Plan only includes audits addressing 18 of the 24 high-risk or high-priority areas. There are nine carryover audits: three were time permitting audits we did not get to, two were department requested delays due to COVID-19, two were due to reduced staffing resources available due to a leave-of-absence, one was due to a department request over timing issues, and one was due to our professional judgement. If hours become available in Fiscal Year 2021-22, we will incorporate the remaining four high-risk areas and the two time permitting department-requested audits into the Audit Plan. Any audits that have not been incorporated by the end of Fiscal Year 2021-22 will be included in our Fiscal Year 2022-23 Audit Plan.

RISK ASSESSMENT

GENERAL RISK ASSESSMENT
The Internal Audit Department performed a general risk assessment that included discussion with members of the Board, the County Executive Office, and department executive management regarding risks affecting them. We distributed risk assessment questionnaires for input on risks and areas of audit interest in department business operations. We ranked and tabulated the results to develop a risk-based Audit Plan. Because of limited staffing resources, we evaluated all audit requests based on our risk assessment criteria. Special request audits from the Board and department heads were considered for inclusion in the Audit Plan.

We designed our risk-based Audit Plan to address what we considered to be the highest priority areas, while limiting the scope of work to what could realistically be accomplished with available staff resources. Our risk ratings were based on current information that fluctuates frequently given the nature, diversity, size, and impact of County operations on the public.
A department with a high-risk score indicates the services or functions it is responsible for are a high-risk activity because of factors such as having a large amount of expenditures and/or revenues, having a high level of liquid assets such as cash, management’s assessment of the control environment, or a high degree of public interest. A high-risk score indicates that if something were to go wrong, it could have a greater impact. A high-risk score does not mean that a business process is being managed ineffectively or that internal control is not adequate.

INFORMATION TECHNOLOGY RISK ASSESSMENT
Due to the complexities and widespread use of information technology throughout County operations, a separate IT risk assessment was performed to augment the general risk assessment. The IT risk assessment was conducted with a comprehensive IT survey. We distributed the survey for input on risks and areas of IT audit interest in departments’ business operations and summarized the results. A risk-ranking value was assigned to each department to illustrate each risk indicator.

A department with a high-risk score indicates the services or functions it is responsible for are a high-risk activity because of factors such as departments maintaining and managing systems that process sensitive information, contract with third party vendors, on-site server rooms that host critical systems, large number of privileged user access, and/or remote access users as a result of COVID-19.

As with the general risk assessment, a high-risk score indicates that if something were to go wrong, it could have a greater impact. A high-risk score does not mean that an IT process is being managed ineffectively or that internal control is not adequate. The survey allowed an increased understanding of the department’s IT environment. The result was a comprehensive and prioritized risk-based heat map of IT risks for development of the IT component of our Audit Plan.

FY 2021-22 AUDIT PLAN
Our Audit Plan is based on 12,460 productive hours to be provided by seven audit professionals and two supervising audit managers. Audit hours for the director of Internal Audit and assistant director are not included in the above total, and time for the audit managers is adjusted to allow for administrative duties. Some audits we identified as high risk are listed on the Audit Plan as “time permitting” audits. If hours become available, we will begin performing those audits. Otherwise, these audit areas will remain as high risk (unless on-going risk assessment dictates otherwise) and will be included in next year’s Audit Plan.

Our Audit Plan is submitted, reviewed, and approved by the Audit Oversight Committee prior to the beginning of each fiscal year. Our audit services are focused on improving internal control in standard business processes/cycles common to all departments with our primary emphasis on financial accounts and transactions. Examples of audits in our Audit Plan include Internal Control Audits and Information Technology Audits. Please see the table below for a description of these primary service areas, related objectives, and hours allocated to the service area.
SERVICE | OBJECTIVE | HOURS | %
Internal Control Audits | Review effectiveness and efficiency of departmental operations including the safeguarding of assets, reporting (internal and external, financial and non-financial), and compliance with laws, regulations, and procedures as related to the 2013 Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control – Integrated s | |
 | Review IT controls such as general controls over computer operations, access to programs and data, disaster recovery/business continuity, program development, program changes, and provide advisory services for vement | |
 | Conduct facilitated workshops utilizing a balanced approach to discuss strengths, concerns and what the team can do to improve business processes. The process draws upon the expertise of employees and managers and encourages a team approach to identifying issues and problem solving. | 200 | 2%
Contract Compliance Audits | Audit the records of businesses with leases at John Wayne Airport, OC Community Resources, and OC Public Works to ensure the correct amount of rent is paid to the County based on a percentage of gross revenue, and that internal controls are adequate to ensure the integrity of records used to report gross revenues. | 280 | 2%
Board Requests & Contingency Reserve | Hours reserved for special request audits from the Board, position vacancies, and other unforeseen events. | 1,826 | 15%
Other Activities & Administration | Investigate cash losses; provide advisory services and technical assistance to departments on business, accounting, internal control, compliance, and policy and procedural issues; perform the annual risk assessment; compile and present External Audit Activity Reports to the AOC; compile and present oversight reporting to the AOC and Board; complete special projects. | 1,540 | 12%
TOTALS | | 12,460 | 100%

For each engagement in the Audit Plan, we have listed the department, preliminary audit objectives, and estimated hours to complete the audit. Please refer to Appendix A for more details on the Audit Plan methodology.

The Audit Plan is subject to change for such events where the director of the Internal Audit Department, or Board majority assesses it is warranted to substitute, postpone, or cancel a scheduled audit due to timing, priority, resources, and/or other risk considerations. Such modifications will be noted in the Quarterly Status Reports submitted to the AOC. The acceptance of the Quarterly Status Report by the AOC authorizes any changes noted.
AUDIT | PRELIMINARY AUDIT OBJECTIVES | HOURS

High-Risk Audits
Internal Control Audits
Supervising Audit Manager: Michael Dean, Senior Audit Manager

1. CEO Cash Disbursements & Payables (2012), Carryover from FY 2020-21 | To assess internal control over cash disbursements and accounts payable to ensure payments are properly reviewed and authorized, valid, supported, timely; and are compliant with County policy. | 220
2. OCCR Fee-Generated Revenue | To assess internal control over fee studies and fee development processes for establishing cost-recovery fees charged to the public. | 480
3. JWA Purchasing & Contracts | To assess procurement processes (other than human services) to ensure compliance with the Contract Policy Manual. | 480
4. OCCR/OC Parks/OC Dana Point Harbor Purchasing & Contracts (2015), Carryover from FY 2020-21 | To assess contractor compliance with the Dana Point Master Lease (Public Private Partnership) and efficiency of the lease administration by OCCR. | 480
5. A-C Revolving Funds; 6. HCA/PG Revolving Funds; 7. T-TC Revolving Funds | To assess internal control over revolving fund expenditures to ensure they are proper and in compliance with County and departmental policy. | 1,080
8. CEO Payroll | To assess internal control over payroll processing to ensure payroll is accurate, authorized, reviewed, and duties are properly segregated. | 360
9. CEO Fiduciary Funds & Special Revenue Funds (2018), Carryover from FY 2020-21 | To assess internal control over fiduciary or special revenue funds to ensure sources and uses of funds are proper and in compliance with County and departmental policy, procedures, and laws. | 480
10. JWA Cash Receipts & Receivables | To assess internal control over cash receipts to ensure receipts are safeguarded, deposited, and reconciled with County records. | 440
AUDIT | PRELIMINARY AUDIT OBJECTIVES | HOURS

High-Risk Audits (con’t)
Information Technology Audits
Supervising Audit Manager: Jimmy Nguyen, IT Audit Manager II

11. Health Care Agency Cybersecurity (1943); 12. ROV Cybersecurity (2042); 13. Probation Cybersecurity (2043); 14. Auditor-Controller CAPS Security (2046); Carryovers from FY 2019-20 | To assess controls over the IT environment, e.g., computer operations, access to programs and data, program development, and program changes. | 1,720
15. Remote Access | To assess IT controls over remote access. | 360

The following high-risk engagements are time permitting audits and will be completed as audit resources become available:

16. OCCR Revolving Funds, Time Permitting Audit | To assess internal control over revolving fund expenditures to ensure they are proper and in compliance with County and departmental policy. | 0
17. C-R Cybersecurity, Time Permitting Audit | To assess controls over IT environment, e.g., computer operations, access to programs and data, program development, and program changes. | 0
18. Third-Party IT Security, Time Permitting Audit | To assess controls over IT environment for third-party vendors that directly assist with maintaining, managing, or supporting critical systems. | 0
19. California Data Privacy Act, Time Permitting Audit | To assess controls over countywide key business processes to ensure conformance to the California Data Privacy Act. | 0
Total High-Risk Audits | | 6,100
AUDIT | PRELIMINARY AUDIT OBJECTIVES | HOURS

High-Priority Department Requested Audits
20. JWA Cash Disbursements & Payables (2013), Carryover from FY 2019-20 | To assess internal control over cash disbursements and accounts payable to ensure payments are properly reviewed and authorized, valid, supported, timely; and are compliant with County policy. | 440
21. HRS Data Portal Access (2045), Carryover from FY 2019-20 | To assess selected information technology general controls over security management. | 360
22. Ocean Institute Contract Compliance | To assess whether lessee records adequately support gross receipts reported to the county and compliance with lease terms. | 280
Total High-Priority Department Requested Audits | | 1,080

Department Requested Audits
23. JWA Payroll, Time Permitting Audit | To assess internal control over payroll processing to ensure payroll is accurate, authorized, reviewed, and duties are properly segregated. | 0
24. OCWR Credit Card Processing, Time Permitting Audit | To assess internal control over credit card processing to ensure secure data processing, storage, and transmittal. | 0
Total Department Requested Audits | | 0

Follow-Up Audits
Follow-Up Internal Control Audits; Follow-Up Information Technology Audits | Follow-up on management’s implementation of audit recommendations provided in prior audit reports. | 813; 701
Total Follow-Up Audits | | 1,514
AUDIT | PRELIMINARY AUDIT OBJECTIVES | HOURS

Business Process Improvement Workshops | Conduct facilitated workshops utilizing a balanced approach to discuss strengths, concerns and what the team can do to improve business processes. | 200

Advisory Engagements
VTI System Replacement (2048), Carryover from FY 2020-21 | To advise on System Development Life Cycle (SDLC) internal control including project management, system functionality/integration testing, interfaces, data conversion, documentation & training, segregation of duties, and change management. | 40
T-TC Quantum Upgrade (1647), Department Request, Carryover from FY 2020-21 | To advise on SDLC internal control including project management, system functionality/integration testing, interfaces, data conversion, documentation & training, segregation of duties, and change management. | 40
Property Tax System Implementation (1754), Department Request, Carryover from FY 2020-21 | To advise on SDLC internal control including project management, system functionality/integration testing, interfaces, data conversion, documentation & training, segregation of duties, and change management. | 40
Countywide Cybersecurity | Participate in Countywide Cybersecurity meetings related to various workgroups and committees. | 80
Total Advisory Engagements | | 400

Other Activities & Administration
Special Projects | 500
Annual Risk Assessment & Audit Plan for Fiscal Year 2022-23 | 360
Board of Supervisors & Audit Oversight Committee Support | 160
External Audit Reporting | 200
On-Demand Department Advisory Services | 80
Cash Loss Investigations | 80
Other Activities & Administration (con’t)
TeamMate Administration | 80
Countywide Cost-Allocation Plan | 80
Total Other Activities & Administration | 1,540
Board-Requested Audits | 580
Contingency Reserve | 1,246
TOTAL HOURS | 12,460

ACKNOWLEDGEMENT
We appreciate the courtesy extended to us by departments that completed our requested surveys and met with Internal Audit staff. The information provided by departments was instrumental in preparing our risk assessment.

PROJECT TEAM
Scott Suzuki, CPA, CIA, CISA, CFE | Assistant Director
Michael Dean, CPA, CIA, CISA | Senior Audit Manager
Jimmy Nguyen, CISA, CFE, CEH | IT Audit Manager II
Scott Kim, CPA, CISA, CFE | IT Audit Manager I
Gianne Morgan, CIA | Audit Manager
Zan Zaman, CPA, CIA, CISA | Audit Manager
Mari Elias, DPA | Administrative Services Manager
APPENDIX A: AUDIT PLAN METHODOLOGY

1. DEFINE AUDIT UNIVERSE
There are several approaches to defining all the potential areas subject to risk assessment and audits, or the “audit universe”. We defined the County audit universe as 19 departments excluding Internal Audit, OC Ethics Commission, and Office of Independent Review.

We further defined our audit universe by eight standard business processes/cycles (see Table 1 below) including information technology common to all departments. This results in an audit universe consisting of 152 auditable business processes (19 departments, eight business processes/cycles).

Table 1. County Audit Universe
BUSINESS PROCESS/CYCLE (FINANCIAL ACTIVITY FOR FY 2019-20) | DESCRIPTION
1. Cash Receipts & Accounts Receivable 16.6 Billion | Review controls over receipting, recording, transferring, depositing, safeguarding, and reconciling of monies received in departments.
2. Cash Disbursements & Payables 6.1 Billion | Verifying receipt of goods and services, supervisory reviews completeness and accuracy of payments, proper reconciliations, and safeguarding of assets.
3. Fee-Generated Revenue 900 Million | Review department fee studies and fee-development processes, methodologies, and assumptions used for establishing cost-recovery fees charged to the public for “Licenses, Permits and Franchises,” and “Charges for Services,” and ensure they are submitted to the Board for t
4. Purchasing & Contracts 1.6 Billion | review/approval processes, ensuring terms of contracts were met prior to issuing payments, reviewing justification of sole source contracts, and monitoring CPO’s oversight responsibilities.
5. Revolving Funds 10.3 Million | Validating compliance with the County Accounting Manual, ensuring revolving cash fund disbursements are proper, approved, monitored, and safeguarded.
6. Payroll 2.3 Billion | Review timekeeping practices, premium and overtime pay practices, payroll unit supervision and payroll reports, Central Payroll’s role in processing payroll, and monitoring for unauthorized payroll changes.
7. Fiduciary Funds & Special Revenue Funds 1.8 Billion | Validating the purpose/objectives of fiduciary funds and special revenue funds, ensuring sources and uses of the funds are in accordance with County policy or laws and regulations, and reconciliations are prepared timely and completely to safeguard funds.
8. Information Technology (IT) | Review controls over IT and cybersecurity including general controls, application controls, system development, network security, and computer operations.
2. APPLY WEIGHTED RISK FACTORS
Our Risk Assessment Schedule for FY 2021-22 (see Attachment B) shows the 152 auditable business processes and assigned risk ratings. We consider the following factors in assigning risk levels:

- Financial Activity (40%). Assessed department financial information for each auditable business process.
- Department Changes (15%). Assessed factors such as management and/or organizational changes, significant increases or decreases in staffing and workloads, new or eliminated programs, and significant changes in laws and regulations or IT.
- Operating Environment (15%). Assessed factors related to changes in the operating environment such as public image, laws and regulations, safety and environmental issues, sensitivity to economic factors, major crises, pending litigation, and business continuity.
- Last Audit Performed (30%). Identified all Internal Control Audits, Financial Audits & Mandates, and Information Technology Audits conducted in the last 10 years. Areas with no recent or prior audits are assessed higher risk (see Attachment C).

3. CATEGORIZE RESULTS
Using the above criteria and professional judgment, an overall risk is assigned to each auditable business process as High Risk, Moderate Risk, or Low Risk. The overall risk levels assigned determine the focus of our audit resources and audit priorities.

Risk levels for the 152 auditable business processes we identify in our Risk Assessment Schedule for FY 2021-22 (see Attachment B) are as follows:

- 17 (11%) are High Risk
- 119 (78%) are Moderate Risk
- 16 (11%) are Low Risk

Note, there are 19 high-risk audits in the 17 high-risk processes as the single CEO IT high-risk box represents three separate audits.

4. IDENTIFY ENGAGEMENTS AND ALLOCATE AVAILABLE RESOURCES
Our Audit Plan is based on 8,614 available audit hours (12,460 productive hours less 200 hours for business process improvement, 280 hours for contract compliance audits, 1,040 hours for other activities and administration, 580 hours for Board requested audits, 500 hours for special projects, and 1,246 hours for contingency reserve) to be provided by seven audit professionals and two supervising audit managers. We ensure the ratio of gross hours to available audit hours aligns with industry norms. The contingency reserve is for position vacancies and other unforeseen events.

We judgmentally select the highest risk audits we can realistically address with existing resources. Because of budget and staffing constraints, we evaluate all audit requests based on our risk assessment criteria. Audits that cannot be accommodated are noted for future consideration.
Our follow-up audit process ensures that our audit recommendations are implemented satisfactorily. Our first follow-up audit generally begins about six months following the release of an audit report. If necessary, a second follow-up audit will generally be conducted about six months following the issuance of the first follow-up audit report.
APPENDIX B: ACRONYMS
AOC | Audit Oversight Committee
C-R | Clerk-Recorder
CEO | County Executive Office
CPO | County Procurement Office
HCA | Health Care Agency/Public Guardian
JWA | John Wayne Airport
OCCR | OC Community Resources
OCWR | OC Waste & Recycling
ROV | Registrar of Voters
T-TC | Treasurer-Tax Collector
INTERNAL AUDIT
ATTACHMENT A: ORGANIZATION CHART
As of 5/01/2021

Board of Supervisors
Audit Oversight Committee
Aggie Alonso, CPA, CIA, CRMA | Director & CAE
Mari Elias, DPA | Administrative Services Manager
Scott Suzuki, CPA, CIA, CISA, CFE | Assistant Director
Michael Dean, CPA, CIA, CISA | Senior Audit Manager
Zan Zaman, CPA, CIA, CISA | Audit Manager
Stephany Pantigoso | Senior Auditor
Gabriela Cabrera | Senior Auditor
Vacant | Audit Manager II
Gianne Morgan, CIA | Audit Manager
Alejandra Hernandez | Senior Auditor
Jimmy Nguyen, CISA, CFE, CEH | IT Audit Manager II
Scott Kim, CPA, CISA, CFE | IT Audit Manager I
Under Recruitment | Senior Auditor

PROFESSIONAL CERTIFICATIONS/GRADUATE DEGREE
Certified Public Accountant (CPA)
Certified Internal Auditor (CIA)
Certified Information Systems Auditor (CISA)
Certified Fraud Examiner (CFE)
Certified Ethical Hacker (CEH)
Certification in Risk Management Assurance (CRMA)
Deputy Purchasing Agent (DPA)
High-Risk Processes: 17
Moderate-Risk Processes: 119
Low-Risk Processes: 16
Total Auditable Business Processes/Cycles: 152

3. Child Support Services
4. Clerk of the Board
5. Clerk-Recorder
6. County Counsel
7. County Executive Office
8. District Attorney-Public Administrator
9. Health Care Agency/Public Guardian
10. John Wayne Airport
11. OC Community Resources
12. OC Public Works
13. OC Waste & Recycling
14. Probation Department
15. Public Defender
16. Registrar of Voters
17. Sheriff-Coroner
18. Social Services Agency
19. Treasurer-Tax Collector

[Heat map: risk rating (H = High Risk, M = Moderate Risk, L = Low Risk) for each department and business process/cycle, with a column listing AUDITS ON FY 2021-22 PLAN]

11% High-risk audit areas (as determined by risk assessment)
78% Moderate-risk audit areas (as determined by risk assessment)
11% Low-risk audit areas (as determined by risk assessment)
(1) There are 19 high-risk audits in the 17 high-risk processes as the CEO high-risk box represents three high risk audits (Remote Access Security, California Data Privacy Act, and Third-Party IT

COMMENTS
- Reflects all cash receipt transactions posted to 8010 Cash Account by the department that processed the transaction. A/R reported as year end balances.
- Reflects all cash disbursements including automatic (A/P) disbursements, manual disbursements, and EFT/Wire disbursements.
- Reflects revenue from cost-recovery fees (licenses, permits, franchises and charges for services) that are charged to the public and require BOS approval.
- Reflects all purchases and contracts processed by departments including purchase orders, price agreements, and negotiated contracts.
- Reflects the total revolving fund replenishments to all departments.
- Reflects total payroll for our audit population of all departments shown.
- Reflects year-end balances in Agency Funds and Private Purpose Trust Funds designated for restricted purposes and use.
- Includes IT controls and cybersecurity including general controls, application controls, system development, network security, and computer operations.

See Appendix A for Audit Plan Methodology
DR Department requests
CO Carryover audits
TP Time-permitting audits