HomeMy WebLinkAboutCAO-08-031 - Audit Committee Update - 3rd Quarter 2008J
Krrr.~~.R
Chief Administrator's
Office
REPORT
Report To: Mayor Carl Zehr, Chair
and Members of the Audit Committee
Date of Meeting: September 15, 2008
Submitted By: Corina Tasker, Performance Measurement, Internal
Auditor
Prepared By: Corina Tasker, Performance Measurement, Internal
Auditor
Wards} Involved: ALL
Date of Report: September 9, 2008
Report No.: CAO-08-031
Subject: Audit Committee Update - 3rd Quarter 2008
RECOMMENDATION:
None. For information only.
BACKGROUND:
The Audit Committee meets quarterly at which time the Performance Measurement & Internal
Auditor may present updates regarding the status of the work plan and any related matters.
Report CAO-08-031 serves as a general update to the Audit Committee.
REPORT:
2008 Work Plan Update
Within 2008 the following work has been completed by the staff of the Performance
Measurement and Internal Audit section (1 full time permanent, 1 contractor) including
significant input on most of the internal audit work from the Organizational Development
Facilitator.
Internal Audit
• Facilities Management organizational and functional review
• Inventory controls review
• Breithaupt Centre Administration review
• Engineering roles and responsibilities review
• Delta Project risk assessment
• CMF Project risk assessment
• King Street Streetscape Project risk assessment
Page 1 of 4
Performance Measurement
• 2007 Annual Status Report
• Compass Kitchener report card
• Municipal Performance Measurement Program (MPMP) reporting
Within the 2008 work plan there are two reviews which were requested by the Audit Committee.
Although not complete yet, a status report of these two projects is described below.
Human Resources Division Comprehensive Review
This review began in February 2008 at the request of the Audit Committee. To date the review
team has done extensive research both internally and externally, conducted interviews with HR
staff, customers, Council, and union executives, benchmarked against several municipalities
and local private sector firms, and have completed detailed process mapping for the
Recruitment process. With all of the research now complete, work has begun to write the final
report. It is estimated to be completed and presented to staff by early October, with a
presentation to the Audit Committee following in November.
Special Events Strategic Review
This review began in June 2008 at the request of the Audit Committee. The work is being
undertaken by an outside consultant team with input from staff and stakeholders. To date the
consultants have completed the majority of their stakeholder interviews and focus groups as
well as reviewing the strategic vision for the division. They are currently working on completing
their interviews, benchmarking with other municipalities, identifying issues and generating their
report. The draft report is expected to be complete in October, with a presentation to Council
expected in December.
Evolution of Performance Measurement and Internal Audit
The position of Performance Measurement and Internal Auditor was created in 2004. Since that
time the role has changed significantly and merits informing the Audit Committee of those
changes.
In the beginning the role was focused primarily on the development of a divisional level
performance measurement program. While there were some internal audits or reviews
completed, their focus was on improving effectiveness of the organization rather than on risk
identification or management.
The section first turned its mind to the concept of risk management in March 2007 when a
consultant was hired to develop a framework for Enterprise Risk Management. The report
recommended an approach to capturing our key corporate risks, a rating scale to assess the
level of impact and probability of each risk, and a process for managing the risks through
mitigation plans and monitoring. The output from this engagement is being used today in
individual project risk assessments as described below. However, a comprehensive corporate
wide risk register was not completed at that time due to budget and resource constraints.
Page 2of 4
Also during 2007 the demand for internal audit services was steadily growing as management
recognized the value that internal reviews could provide in that they offer an objective
assessment of the division, work processes or issues, as well as solid recommendations. At the
same time, the section was tasked with the coordination of the first ever Departmental Business
Plans. In tandem with this project staff worked on creating the first Annual Status Report which
reported the Key Performance Indicators (KPI) for all seven themes within the City's Strategic
Plan including operational and MPMP KPI's. The divisional level performance measurement
programs were then made optional rather than mandatory. Due to the increase in workload a
one-year contract position was approved starting in August 2007 and later extended to the end
of 2008.
In July 2007 we began to place more focus on the importance of risk management through the
implementation of risk assessments as a part of every major City project going forward. A
consultant was hired to perform the first risk assessment of the Delta project during the
beginning stages of work. A project risk register was developed with relative probabilities and
impacts assigned to each risk as well as recommended mitigation strategies. The project team
has incorporated a discussion of these risks as a standing item on their weekly meeting
agendas in orderto manage the issues.
In April 2008, bi-weekly corporate risk updates to the CAO were implemented. These included
any major risks from the Delta project as well as any other top-of-mind risks affecting the
corporation that had emerged. Subsequently, similar monthly updates to the GM's were
implemented in July. To date the addition of items to this corporate risk register has been ad
hoc. However, it is our intention that it will be fully developed with consideration of all types of
risks across all departments in the fall of 2008. More information on this is included below.
In April 2008 a consultant was hired to perform the project risk assessment of the CMF project.
In order to build skill in-house and move away from the use of consultants for this type of work,
section staff participated in the process and created their own risk register in tandem with the
consultants. The resulting risk registers were almost identical, proving that staff were capable of
doing this work in the future. This will save the corporation roughly $100,000 per project (not
including staff time).
In August 2008 the section staff performed the project risk assessment for the King Street
Streetscape project using the skills learned from the previous two projects.
Enterprise Risk Management Approach
In order to move the concept of risk management forward to the next level, staff will be working
on the following activities in the coming months. First, work will be done to create a corporate
Risk Management Policy, the purpose of which is to define the roles, responsibilities and
accountabilities for risk, define the risk appetite and tolerance thresholds, and to articulate rules
and standards that staff should be using when creating risk registers. This policy will be coming
back to Audit Committee for approval when complete. Following approval, a communication to
staff will start the process of instilling risk management as a management tool at all levels of the
corporation.
Second, work will be done to fully develop the corporate risk register including linking this to the
business plans. In theory, we should be able to review the Strategic Plan at the corporate level
and identify any risks that affect the achievement of the high level goals and objectives.
Following from this is the expectation that each level of the organization will then look at the
goals and objectives from their departmental or divisional business plans and identify risks
affecting their work. Communication and training will accompany this roll out.
Page 3of 4
Third, the section will continue to conduct risk assessments on all large City projects and
provide regular updates to the CAO and GM's.
In summary, the focus within the section has shifted from performance measurement to risk
management and internal audit. Although demand continues to grow for internal audit services,
the staffing complement will return to just one full time staff when the contract position expires at
the end of 2008. Therefore, the addition of one full time permanent position will be requested
through the 2009 budget process. More information on this will be presented at that time.
FINANCIAL IMPLICATIONS
None at this time
COMMUNICATIONS:
None
Corina Tasker, CMA
Performance Measurement & Internal Auditor
Page 4of 4
Audit Committee
September 15, 2008
Agenda
• Status of 2008 Work Plan
• Evolution of Performance
Measurement & Internal Audit
Role
• Compliance Review
2008 Work Plan Update
Internal Audit
• Facilities Management Review
• Inventory Controls Review
• Breithaupt Centre Administration
Review
• Engineering roles & responsibilities
• Delta Project risk assessment
• CMF Project risk assessment
• King Street risk assessment
Work Plan con't
Performance Measurement
• 2007 Status Report
• Compass Kitchener report card
• MPMP reporting
Project Status - HR Review
• Started in Feb / 08
• Extensive research, interviews,
benchmarking, process
mapping complete
• Working on report generation
• Estimated completion early
Oct/08 (Nov audit committee)
Project Status -Special
Events Review
• Started in June / 08
• Stakeholder interviews, focus
groups, review of strategic vision
complete
• Working on benchmarking,
interviews, issue identification,
report generation
• Draft report expected Oct / 08
• Presentation to Council expected
Dec /08
Evolution of Performance
Measurement & Internal
Audit Role
• Created August 2004
• Main focus was performance
measurement
-Divisional level program
• Some internal audit /reviews
completed
-Comprehensive or organizational
reviews; limited focus on risk
Evolution con't
• March 2007 -consultant hired to
recommend approach to Enterprise
Risk Management (ERM)
• Demand for internal audit services
growing
• Coordinated creation of
Departmental Business Plans
• Divisional performance
measurement no longer mandatory
• Annual Status Report created
Evolution con't
• Risk identification and management
takes more focus
- July 2007 -consultant hired to perform
risk assessment of Delta project
- April 2008 -regular risk updates to
CAO and GM's implemented
- June 2008 -consultant hired to perform
risk assessment of CMF project
- August 2008 -Internal Audit staff
perform risk assessment of King St
Project
Enterprise Risk
Management Approach
• Creation of a Risk Management
policy
• Fully develop Corporate risk
register linked to business plans
• Continue risk assessments for
large projects
• Continue risk updates to CAO
and GM's
Evolution Summary
• More focus on risk management
and internal reviews
• Performance measurement
linked to business plans
• Increased demand for services
• Resource constraints -
additional Internal Auditor
required
Compliance Reporting
• Requested at March Audit
Committee
• Staff to scope resource
requirements and benefits
• Reviewed WLU Compliance
Report
• Interviewed WLU Auditor
Compliance Reporting
con't
• 2 months of extensive effort
-Resource constraints
-Growing demand for audit
services
• ERM framework in progress
Recommendation
• Continue with ERM approach to
identify and manage key risks
• No action to create a
compliance report