Audit Committee Meeting - Texas Documents/board_meeting_audit... · 2016 Audit Committee meeting were approved as ... She then reviewed new Governmental Accounting Standards ... more

Audit Committee Meeting

Teacher Retirement System of Texas 1000 Red River Street, Austin, Texas 78701-2698

December 2016

NOTE: The Board of Trustees (Board) of the Teacher Retirement System of Texas will not consider or act upon any item before the Audit Committee (Committee) at this meeting of the Committee. This meeting is not a regular meeting of the Board. However, because the full Audit Committee constitutes a quorum of the Board, the meeting of the Committee is also being posted as a meeting of the Board out of an abundance of caution.

TEACHER RETIREMENT SYSTEM OF TEXAS BOARD OF TRUSTEES

AND AUDIT COMMITTEE

(Mr. Moss, Chairman; Ms. Charleston; Mr.Corpus; Dr. Gibson; and Ms. Palmer, Committee Members)

All or part of the September 23, 2016, meeting of the TRS Audit Committee and Board of Trustees may be held by telephone or video conference call as authorized under Sections 551.130 and 551.127 of the Texas Government Code. The Board intends to have a quorum physically present at the following location, which will be open to the public during the open portions of the meeting: 1000 Red River, Austin, Texas 78701 in the TRS East Building, 5th Floor, Boardroom.

AGENDA

December 2, 2016 – 9:30 a.m. TRS East Building, 5th Floor, Boardroom

1. Call roll of Committee members

2. Approve minutes of September 23, 2016 Audit Committee meeting – Christopher Moss

3. Receive independent audit reports on audits of the Comprehensive Financial Reports forFiscal Year 2016

A. TRS – Michael Clayton and Kelley Ngaide, State Auditor’s Office (SAO) B. TRS Investment Company (TRICOT) – Bhakti Patel, Grant Thornton

4. Receive review reports for TRS health plan and drug benefit administration for TRS-Careand TRS-ActiveCare – Yimei Zhao; Amy Quertermous, John Meka, Keith Gall, and CarolHamilton, Truven Health Analytics

A. Results overview of TRS-Care and TRS-ActiveCare health plan and drug administration review reports for September 1, 2013 to August 31, 2015

B. Review Report of TRS-Care health plan administration by Aetna for September 1, 2013 to August 31, 2015 and review of TRS-ActiveCare health plan administration by Aetna for September 1, 2014 to August 31, 2015

C. Review Report of TRS-ActiveCare drug benefit administration by Caremark Rx for September 1, 2014 to August 31, 2015

D. Review Report of TRS-Care drug benefit administration by ESI for September 1, 2013 to August 31, 2015

E. Review Report of TRS-Care Employer Group Waiver Plan (EGWP) drug benefit administration by ESI for September 1, 2013 to December 31, 2014

5. Receive Compliance reports – Heather Traeger

6. Receive Internal Audit reportsA. Quarterly Investment Compliance Testing (Agreed-Upon Procedures) – Hugh

Ohn and Heather Traeger B. 403(b) Program Audit – Hugh Ohn

NOTE: The Board of Trustees (Board) of the Teacher Retirement System of Texas will not consider or act upon any item before the Audit Committee (Committee) at this meeting of the Committee. This meeting is not a regular meeting of the Board. However, because the full Audit Committee constitutes a quorum of the Board, the meeting of the Committee is also being posted as a meeting of the Board out of an abundance of caution.

C. Follow-Up Audit on Outstanding Audit Recommendations (Records Management) – Jan Engler and Toma Miller

D. Prior audit and consulting recommendations; and, implementation status of Automation Best Ideas - Amy Barrett, Chris Bailey, and Scot Leith

E. Internal Audit Annual Report – Amy Barrett

7. Discuss or consider Internal Audit administrative reports and matters related to governance, risk management, internal control, compliance violations, fraud, regulatory reviews or investigations, fraud risk areas, audits for the annual internal audit plan, or auditors' ability to perform duties – Christopher Moss and Amy Barrett

TAB 2

December 2016 Board Audit Committee Meeting 1

TEACHER RETIREMENT SYSTEM OF TEXAS AUDIT COMMITTEE MEETING MINUTES

September 23, 2016

The Audit Committee of the Board of Trustees of the Teacher Retirement System of Texas met on September 23, 2016, in the boardroom located on the fifth floor of the TRS East Building offices at 1000 Red River Street, Austin, Texas.

Committee Members present: Mr. Chris Moss, Chair Ms. Karen Charleston Mr. David Corpus Ms. Anita Palmer Other Board Members present: Mr. Joe Colonnetta Mr. John Elliott Mr. David Kelly Ms. Dolores Ramirez Others present: Brian Guthrie, TRS Jan Engler, TRS Ken Welch, TRS Rodrigo Dominguez, TRS Carolina de Onis, TRS Cari Casey, TRS Amy Barrett, TRS Simin Pang, TRS Katrina Daniel, TRS Anandhi Mani, TRS Toma Miller, TRS Lih-Jen Lan, TRS Heather Traeger, TRS Michael Clayton, SAO Hugh Ohn, TRS Kelley Ngaide, SAO Dorvin Handrick, TRS Ted Melina Raab, Texas AFT Dinah Arce, TRS Philip Mullins, TSEU Art Mata, TRS LeRoy DeHaven, TRTA Katherine Farrell, TRS Audit Committee Chair Mr. Moss called the meeting to order at 8:05 a.m.

1. Call roll of Committee members.

Ms. Farrell called the roll. A quorum was present. Dr. Gibson was absent.

2. Consider the approval of the proposed minutes of the July 29, 2016 committee meeting – Committee Chair Mr. Chris Moss.

On a motion by Ms. Palmer, seconded by Ms. Charleston, the proposed minutes for the July 29, 2016 Audit Committee meeting were approved as presented.


3. Receive State Auditor’s Office presentation on the planned audit of TRS’ Comprehensive Annual Financial Report for fiscal year 2016 and results of the audit of TRS’ fiscal year 2015 Employer Pension Liability Allocation Schedules – Michael Clayton and Kelley Ngaide, State Auditor’s Office

Ms. Kelly Ngaide informed the committee that the State Auditor expected to release its opinion on the TRS’ financial statements for fiscal year 2016 on November 17. Ms. Ngaide noted the report on internal controls and compliance and other matters will be released at the end of November. She then reviewed new Governmental Accounting Standards Board (GASB) standards that will affect the audit. Mr. Clayton discussed in further detail the liability schedules. He indicated that when GASB 75, that is related to financial reporting of other postemployment benefits (OPEB), comes into play, it will have an effect similar to the 2014 GASB 68. Mr. Clayton noted the OPEB number is going to be a very large number and will probably garner a lot of interest. Mr. Clayton indicated that more guidance regarding the OPEB is expected and indicated there may be additional work required to produce the necessary schedules. Mr. Clayton said TRS staff did a good job with their outreach efforts on the pension liability schedules and it will be key to do that for OPEB as well.

4. Receive final report on the TRS-ActiveCare Open Enrollment Readiness Review and results of TRS Open Enrollment – Amy Barrett, Toma Miller, and Katrina Daniel

Ms. Daniel reported that as the enrollment progressed relatively few issues were seen. Ms. Daniel stated that every time something came up Aetna and WellSystems addressed it. Ms. Daniels indicated there will be a future discussions with Aetna about what went well during open enrollment and work needed to do in the future. Ms. Daniel stated the first full billing cycle is not complete but things have gone well so far. Mr. Greg Wood stated they recognized that just due to size and complexity that there would be some issues. He reported they positioned themselves to react and respond quickly to resolve the unexpected events and the teams performed well. Ms. Daniel concluded the next step is to review with Aetna the issues that came up from the districts during the enrollment process. She then said they would consult with some of the districts to determine what needs to be done for an even better enrollment cycle next year.

5. Receive Investment Compliance reports – Heather Traeger Ms. Barrett provided background as to the distinction between compliance and audit. Ms. Heather Traeger reported on the ethics and fraud monitoring. Ms. Traeger stated that, during the reporting period, her office had looked into four items, three of which had been concluded while one was still pending. Of these items, two were from Benefits, one from Human Resources and one from Legal. Ms. Traeger noted TRS is taking steps to enhance the visibility of the different avenues in which ethics and compliance issues can be raised. Ms. Traeger then reported on the Code of Ethics for Contractors (Code). She reminded the committee that the Board has revised the Code at its June 2016 meeting and put into place new processes for contractors to report any actual or potential conflict of interests. Ms. Traeger noted


that there had been three conflict determination requests from contractors, one of which had been withdrawn due to a transaction not moving forward. Ms. Traeger said the Executive Director and General Counsel had determined there was no conflict existed in the two remaining cases.

6. Receive Internal Audit reports A. Quarterly Investment Compliance Testing (Agreed-Upon Procedures) – Hugh

Ohn and Heather Traeger

Mr. Hugh Ohn reported on the results of the quarterly investment compliance testing. Mr. Ohn stated a couple of new areas tested during the quarter were the budget transfers, expenditures and the employees and Trustee annual ethics training. Mr. Ohn noted the results indicated that there were no compliance violations during this time period.

B. Second-Half Test Results of Investment Controls (Tactical Asset Allocation) – Hugh Ohn

Mr. Ohn reported on the results of the semiannual test of IMD controls related to the tactical asset allocations. Also covered were the derivatives instrument that the tactical asset allocation (TAA) group uses to execute their trade. Other IMD groups that provide support for the tactical, TAA portfolios, such as risk group, trading group, and investment operations group were covered. Mr. Ohn reported the results of the audit indicate that management controls are working effectively. Mr. Ohn stated they did recommend putting together written operating procedures for completing the complicated strategies running the models. He said management agrees with this recommendation.

C. Overall Opinion on Investment Management Division Internal Controls –

Hugh Ohn Mr. Ohn noted the opinion issued is similar to opinions in the past two fiscal years. And like the past two years, Mr. Ohn, stated the opinion is expressly based on 28 internal and external audits performed in the past three fiscal years. Mr. Ohn reported that overall IMD controls are effective to ensure that they are achieving their business objectives. Mr. Ohn said this opinion is based on the facts that significant controls are working at IMD as designed. In conclusion, Mr. Ohn remarked that since they had not identified any significant control weaknesses or deficiencies in the past three years, they are planning to deviate from the regularly scheduled audit cycle. Mr. Ohn stated they plan to lightly cover internal public markets as planned but also will try to cover the private markets a bit more.

D. Annual Testing of Benefit Payments (Agreed-Upon Procedures) – Amy

Barrett and Dorvin Handrick Ms. Barrett reported the results from testing benefits are excellent. Only one issue was found, and it was related to the calculation of final average salaries in the member’s favor.

E. Employer Audits – Dinah Arce and Art Mata

Mr. Art Mata reported the employer audit team completed the audits of Socorro ISD and Ysleta ISD, both districts are located in the El Paso area. Mr. Mata stated they audited the March 2016


contribution reports for these districts to confirm member eligibility and accuracy of contributions and also tested the census data of all the members. Mr. Mata noted that most of the districts reports were accurate and complete for the same that was tested. However, both districts in the summary reports were incomplete or inaccurate. Mr. Ohn said the statutory minimum report and the employment after retirement report for both districts contained errors. Ms. Dinah Arce reported on the two years that employer audits have been conducted. She noted in total eleven audits have been conducted with seven completed this past year. Ms. Arce reviewed the size of the schools and contributions reported. She said the schools are in the process of making corrections, seven schools having completed the corrections. Ms. Arce noted in the coming year there will be changes to the report in order to streamline it down and initiate efficiencies in order to accommodate the increase in number and to report quickly to schools. Ms. Barbie Pearson reported on the overall recovered or given credit for the whole year in which audits were performed. Audits only look at one month. Ms. Pearson said the net correction was a negative $17,294. New employee contributions made in error was why there was a net payout. In answer to Mr. Kelly’s inquiry, Ms. Barrett and Ms. Pearson said guidance to districts will be given through monthly newsletters and presentations.

7. Receive report on the status of prior audit and consulting recommendations – Amy

Barrett Ms. Amy Barrett reported they are scaling back in terms of what is focused on with the regular employer audits. Ms. Barrett stated they are to focus on what is not understood by the employer and pass along information to benefit reporting for communicating and educating. Ms. Barrett said they are going to do a separate audit to see if more can be done in just employment after retirement. Ms. Barrett said the third area is to develop an audit program for colleges and universities. Ms. Barrett reported on the outstanding audit recommendations as making good progress. The only one issue is in regards to TEAM being implemented in order to wrap that one up on strengthening controls.

8. Consider recommendations to the Board of Trustees – Amy Barrett

A. Proposed revisions to the Internal Audit Charter Ms. Amy Barrett brought forward two revisions to the Internal Audit Charter. Ms. Barrett stated the first change is driven by the Institute of Internal Auditors which have decided that the mission statement for Internal Audit is really a definition of Internal Audit. The Institute also recommended a list of ten principles for Internal Audit. Ms. Barrett recommended the Charter incorporate these changes. The other recommended change is to reflect the responsibility for the hotline to Compliance.

B. Proposed Audit Plan for Fiscal Year 2017

Ms. Amy Barrett noted how the plan was developed through risk assessment, feedback from various groups and interviews with Trustees. Ms. Barrett provided a summary of the plan and the audits that are proposed for the fiscal year 2017. Ms. Barrett reported there is sufficient resources to complete the annual audit plan.


On a motion by Mr. Moss, seconded by Mr. Corpus, the Committee unanimously approved to recommend that the Board of Trustees adopt the proposed revisions to the Internal Audit charter as presented by staff and to approve the proposed audit plan for the fiscal year 2017 as presented by staff.

9. Discuss or consider Internal Audit administrative reports and matters related to

governance, risk management, internal control, compliance violations, fraud, regulatory reviews or investigations, fraud risk areas, audits for the annual internal audit plan, or auditors' ability to perform duties – Christopher Moss and Amy Barrett

Ms. Barrett reported that they did get through the annual audit plan last year with all the assurance projects completed. Ms. Barrett noted data analysis activities were not completed. Ms. Barrett reported they met all of the performance measures for last year. Ms. Barrett then took the opportunity to introduce newest members of Audit and inform the Committee about reorganization and promotions within Audit. Without further discussion, the meeting adjourned at 9:55 a.m. APPROVED BY THE AUDIT COMMITTEE OF THE BOARD OF TRUSTEES OF THE TEACHER RETIREMENT SYSTEM OF TEXAS ON THE 2ND DAY OF DECEMBER 2016.

______________________________ _________________ Katherine H. Farrell Date Secretary of the TRS Board of Trustees

TAB 3

TAB 3A

TAB 3B Information regarding this report will be

distributed at the Audit Committee Meeting

TAB 4

TAB 4A

PRESENTATION TITLE >>> NAME FEB-09-15

PRESENTATION FOR THE AUDIT COMMITTEE BY TRUVEN HEALTH ANALYTICS

DECEMBER 2, 2016

Tab 4A

Background of Audited Plans

• Three self-funded plans:• ActiveCare 1-HD

• ActiveCare 2

• ActiveCare Select

• Health Plan Administrator: Aetna

• Pharmacy Benefits Manager: CVSHealth/Caremark

TRS-ActiveCare

• Three self-funded plans:• Care 1

• Care 2

• Care 3

• Health Plan Administrator:Aetna

• Pharmacy Benefits Manager:Express Scripts

TRS-Care

2

TRS Audit Changes

What changes were made?

• Procured a new audit firm:Truven Health Analytics, an IBM Company

• Full Claims Review vs. Sampling only

• Annual audits vs. every two years

• Increased focus on self-insured plans

Why were changes made?

• Truven brings full claim reprocessing, focused testing, and impact analysis based on error characteristics and root causes

• Increased assurance that our venders are implementing plan designs accordingly

• Shortened issue identification and resolution time

• Increased oversight of the self-insured plans and their vendors

3

More errors identified than in previous years is reflective of expanded auditing,

not declining vendor performance.

Audit Results

Good News Report

Vendor performance above industry standards

Affirmation of contractual obligations

4

TRUVEN HEALTH ANALYTICS - TRS AUDITS

• Audit Scope• Medical - Aetna

• TRS-Care (9/1/2013 – 8/31/2015)• TRS-ActiveCare (9/1/2014 – 8/31/2015)

• Rx - Caremark• TRS-ActiveCare (9/1/2014 – 8/31/2015)

• Rx - ESI• TRS-Care - EGWP (9/1/2013 – 12/31/2014)

• TRS-Care - Commercial (9/1/2013 – 8/31/2015)

• Claims Audit, Operational Review, Performance Guarantee Verification

5

TRUVEN HEALTH ANALYTICS – TRS AUDITS

• Audit Methodology - Claims

• Obtain Summary Plan Descriptions (SPD) and other Benefit Documentation

• Develop Benefit Templates Based on SPDs

• Obtain Claims Files From Administrators

• Use Proprietary Software to Re-adjudicate 100% of Claims• Benefit Determinations (Coinsurance, Copayments, Deductibles, etc.)• Industry Standards

Administrator Claim Count Paid

Aetna 9,741,865 $2,654,331,350

Caremark 4,331,150 $333,432,600

ESI - Commercial 5,990,979 $627,162,700

ESI - EGWP 6,164,874 $548,457,201 6

TRUVEN HEALTH ANALYTICS – TRS AUDITS

• Audit Methodology - Claims (continued)

• Group Potential Exceptions Into Various Categories

• Select Claims Samples from Exception Categories

• Test Claims Samples

• Medical - Onsite Audit

• Rx - Reviewed Remotely

• Evaluate Administrator Sample Responses

• Complete 100% Claims Analysis Based on Remaining Sample Exceptions

• “Agree To”

• “Agree to Disagree”7


• Audit Results, Key Findings and Observations

• Administrators Performing At or Above Acceptable Levels

• Medical – Aetna

• Overall claims findings are within Truven benchmark (1%-2%)• TRS-ActiveCare - 0.04%

• TRS-Care - 0.07%

• Opportunities to clarify benefit intentions• Ineligible Services

• Coinsurance Provisions

8


• Rx - Caremark

• Overall claims findings of 1.52% of Rx spend are within Truven benchmark (< 2%)

• Opportunities for improvements• Early Refill Claims

• Copayment Application

• Caremark addressing exceptions for VA claims and will reimburse TRS

9


• Rx - ESI-Commercial• Overall claims findings of 0.96% (FY2014) and 0.65% (FY2015) of Rx spend

are within Truven benchmark (< 2%)

• Opportunities for improvements• Duplicate and Early Refill Claims

• Quantity Limitation Clinical Program

• Rx - ESI-EGWP• Overall claims findings of 0.22% (CY2013) and 0.30% (CY2014) of Rx spend

are within Truven benchmark (< 2%)

• Opportunities for improvements• Early Refill Claims

• Quantity Limitation Clinical Program

10

TAB 4B

Teacher Retirement System of Texas Review of Health Plan Administration by Aetna for September 1, 2013 to August 31, 2015

Plans: TRS-ActiveCare and TRS-Care

Prepared for: Teacher Retirement System of Texas Version F1.0.1 Submitted: September 23, 2016 Submitted by: Truven Health Analytics

©Truven Health Analytics Inc. Proprietary and Confidential Page 4 of 78

1 EXECUTIVE SUMMARY

1.1 Engag ement Overview and Scope The Teacher Retirement System of Texas (TRS) engaged Truven Health Analytics (Truven) to conduct a health claims review to:

Assess the administration of TRS’s self-funded employee health plans by Aetna. Determine if Aetna is in compliance with the terms of the Administrative Services Agreement

(ASA), Summary Plan Description (SPD), and other applicable documents.

This engagement primarily examined Aetna’s claims adjudication accuracy relative to all claims incurred by TRS’s plan members for TRS-Care plans from September 1, 2013 to August 31, 2015 and paid through November 30, 2015 and for TRS-ActiveCare plans from September 1, 2014 to August 31, 2015 and paid through November 30, 2015. In addition, we were engaged to perform an operational review to assess the policies, procedures, and controls that support the administration of TRS’s health plans. The health plans included in the review consist of the following:

TRS-ActiveCare 1-HD Fiscal Year 2015 TRS-ActiveCare 2 Fiscal Year 2015 TRS-ActiveCare Select Fiscal Year 2015 TRS-Care 1 Fiscal Years 2014 and 2015 TRS-Care 2 Fiscal Years 2014 and 2015 TRS-Care 3 Fiscal Years 2014 and 2015

1.2 Claims Review Result s Using our proprietary software, we analyzed 100% of the paid claims incurred by TRS’s members for the review period (for more information about the 100% claims analysis, see Section 2, Engagement Approach).

The proprietary software is designed to process and identify claim exceptions in the following categories:

Payments in compliance with the plan design. This includes plan customized edits to assure that benefits are paid in accordance with the SPD including items such as benefit limits, frequencies and maximums and the appropriate application of deductibles, copayments and coinsurance. The software assures that claims for benefit exclusions (ineligible services) are not paid and that emergency claims are correctly processed for in and out of network providers.

Payments only for eligible members. The software identifies claims paid for inactive members, as well as services paid prior to or after a member’s eligibility dates.

Industry Standard edits. This includes system control edits such as National Correct Coding Initiative edits (NCCI), identification of claims that may be other party liability and coordination of benefits such as Medicare, end stage renal disease (ESRD), subrogation and worker’s compensation, duplicate payments, assistant surgeon payments and anesthesia/surgical reduction claims. NCCI edits also include facility and physician up-coding and unbundling, incidental charges, medically unlikely and never events.


Case Management edits. This includes identification of claims which may benefit from case management and/or utilization review such as high risk obstetrical claims, rehabilitation claims and terminally ill member claims.

Payment Integrity edits. These include the identification of claims which may benefit from additional provider pattern analysis to identify fraud, waste and abuse. Examples of these edits include claims for ambulance trips that had no subsequent claim that same day for an emergency room, diagnosis or CPT conflicts with age or gender, new patient exams when a less expensive established exam should have been billed, incidental services and once in a lifetime services.

Contract review. In addition to the claim exceptions identified by the software algorithms, a sample of claims are reviewed to assure compliance with the provider contract. These represent large dollar claims which are reviewed manually during an onsite visit to assure payment for each service was made in accordance with the provisions of the provider contract.

Exception categories were developed based on rules customized to TRS specific plan benefits described in the SPDs, industry standards for coding, and claims processing best practices (e.g., duplicate claims).

From the population of potential exceptions, we selected a sample of 300 claims for onsite review that consisted of 150 claims for each plan, TRS-ActiveCare and TRS-Care. Of the 300 claims reviewed, we determined during the onsite review that 257 claims were processed and paid correctly. Of the remaining 43 exceptions, Aetna agreed with Truven’s assessment that there was an exception in processing the claim on 33 claims. On the remaining 10 claims, Aetna did not agree, but Truven considers these to be exceptions. Based on these 43 exceptions, Truven determined which types of exceptions represented systemic claims processing exceptions and for these exception categories 100% of the claims identified were considered to be exceptions. This process resulted in the identification of 6,910 claims and $1,440,423 in total exceptions with $1,266,198 in net overpayment exceptions for both plans. The following chart provides the breakdown of total exceptions by plan.

Plan Claim Exceptions Total Payment

Exceptions Net Overpayment

% of Total Paid as

Exceptions

TRS-ActiveCare 2,161 $521,967 $453,628 0.04%

TRS-Care 4,749 $918,456 $812,570 0.07%

Total 6,910 $1,440,423 $1,266,198 0.05%

1.3 Result s by Plan The sample results were analyzed by plan. The 300 claim sample contained 150 claims each from both the TRS-ActiveCare plans and the TRS-Care plans. For the TRS-ActiveCare plans there was an exception rate of 0.05% of paid dollars reviewed, while the TRS-Care plans had an exception rate of 0.07% of paid dollars reviewed. Both plans performed well when compared to audits of other third party administrators.

These results include claims that were both overpaid and underpaid by Aetna. The dollar figures shown for the exceptions reflect the combined total of overpayment and underpayment dollar amounts of the


payment exceptions (not the net amount). It should also be noted that the sample exceptions are included in the final analysis. For further details on the exceptions by category and type, please refer to Section 3, Summary of Findings by Exception Area and Appendix A, Detailed Claims Findings

The absolute amount of the overall findings for both plans combined, irrespective of overpayments and underpayments is $1,440,423. The net dollar impact of all findings is an overpayment of $1,266,198, which represents potential recoveries and savings opportunities for TRS. $453,628 in net overpayments are identified for TRS-ActiveCare and $812,570 in net overpayments are identified for TRS-Care.

SPD Analysis – TRS-ActiveCare Plan Initial 100% Claims Analysis for SPD

Exceptions Claims Paid % Total Paid

Total claims analyzed 4,192,275 $1,274,098,289 100%

Claims passing Truven edits 3,564,953 $923,495,153 72.48%

Claims identified for further testing and analysis 627,322 $350,603,136 27.52%

Total claims selected for onsite review 102 $284,207 0.02%

Onsite Review Results Claims Financial Impact % of Sample

Total sample claims confirmed as correctly processed

82 $274,846 96.71%

Exceptions identified from sample 20 $9,361 3.29%

Exceptions agreed to by Aetna 16 $6,936 2.44%

“Agree to disagree” exceptions 4 $2,425 0.85%

Final 100% Claims Analysis Results Claims Financial Impact % Total Paid

Total exceptions identified in claims population 1,132 $200,146 0.02%

Administrative Services and Industry Standards and Best Practices Analysis – TRS-ActiveCare Plan

Initial 100% Claims Analysis for Industry Standards and Best Practices Claims Paid % Total Paid


Claims passing Truven edits 4,191,338 $1,273,333,961 99.94%

Claims identified for further testing and analysis 937 $764,328 0.06%




40 $564,879 98.91%




“Agree to disagree” exceptions 3 $884 0.15%



SPD Analysis – TRS-Care Plan Initial 100% Claims Analysis for SPD

Exceptions Claims Paid % Total Paid



Claims identified for further testing and analysis 125,720 $88,002,930 6.38%




87 $173,602 98.76%



“Agree to disagree” exceptions 3 $386 0.22%



Administrative Services and Industry Standards and Best Practices Analysis – TRS-Care Plan

Initial 100% Claims Analysis for Industry Standards and Best Practices Claims Paid % Total Paid



Claims identified for further testing and analysis 668 $1,791,841 0.13%




48 $909,909 99.67%



“Agree to disagree” exceptions - - 0.00%




1.4 Review Conclus ion s Based on the results of this review and our prior audit experience with other administrators, we determined Aetna is performing at an above-average level. Our experience is that, on an overall basis, the total dollars identified as exceptions range between 1% to 2% of the total dollars analyzed. The results of this review were that 0.05% of the total dollars analyzed were identified as exceptions. Unless specifically noted in the findings sections of this report, claims met the plan specific and industry standards for proper claims adjudication.

The results of our operational review indicated that generally Aetna has the proper organizational structure and processes in place to support your account. However, there were two observations made regarding Aetna processes for overpayment reporting and claims turnaround time. These observations will be discussed in detail in the Operational Review Observation section of this report.

Although performance was above-average there are several opportunities for improvement that would result in both short-term and long-term savings to TRS. Those opportunities are highlighted below.

1.5 Summ ary of Findin gs Aetna reported that approximately 84% of TRS-Care claims and approximately 87% of TRS-ActiveCare claims are auto-adjudicated, which is within and slightly above the industry average of 80% to 85%. Auto-adjudicated claims pass through all system edits, and benefits are then calculated based on the plan design features programmed in the system without claims examiner intervention. Therefore, any exceptions attributed to a discrepancy in the interpretation or loading of the benefits would impact all similar claims.

The following charts provide information on the overall review findings from a financial perspective.

SPD Exceptions – TRS-ActiveCare Plan

Exception Category Net Findings Over-

payment Under-

payment Total

Findings % of Total

100 Percent Coverage ($1,086) - $1,086 $1,086 0.5%

Coinsurance Application $7,201 $15,684 $8,483 $24,168 12.1%

Copayment Application $9,867 $34,467 $24,600 $59,067 29.5%

Ineligible Services $107,308 $107,308 - $107,308 53.6%

Visit Limitation $8,517 $8,517 - $8,517 4.3%

Grand Total $131,807 $165,977 $34,170 $200,146 100.0%


Administrative Services and Industry Standards and Best Practices Exceptions – TRS-ActiveCare Plan


payment Under-

payment Total

Findings % of Total

Contract Review $4,726 $4,726 - $4,726 1.5%

Eligibility $884 $884 - $884 0.3%

Duplicate Claim Payment $260,752 $260,752 - $260,752 81.0%

Surgery Payments $55,459 $55,459 - $55,459 17.2%

Grand Total $321,821 $321,821 - $321,821 100.0%

SPD Exceptions – TRS-Care Plan


payment Under-

payment Total

Findings % of Total

100 Percent Coverage ($187) - $187 $187 0.1%

Coinsurance Application $197,748 $245,473 $47,725 $293,198 83.3%

Copayment Application ($4,328) $703 $5,031 $5,734 1.6%

Ineligible Services $41,577 $41,577 - $41,577 11.8%

Visit Limitation $11,239 $11,239 - $11.239 3.2%

Grand Total $246,049 $298,992 $52,943 $351,935 100.0%

Administrative Services and Industry Standards and Best Practices Exceptions – TRS-Care Plan


payment Under-

payment Total

Findings % of Total

Duplicate Claim Payment $444,132 $444,132 - $444,132 78.4%

Surgery Payments $122,389 $122,389 - $122,389 21.6%

Grand Total $566,521 $566,521 - $566,521 100.0%

For further details on the exceptions by category and type, please refer to Section 3, Summary of Findings by Exception Area and Appendix A, Detailed Claims Findings.

1.6 Except ion Categories Compared to Industry Bench marks

The following chart compares Aetna’s experience for the identified exception categories to that of other Health Plans (Benchmark Error Rate). The error rate identified on the Aetna claims is well below that of other commercial and government health plans audited by Truven.


Benchmarks – TRS-ActiveCare Plan

Exception Category Benchmark Error Rate

Aetna Error Rate Aetna Score

100 Percent Coverage 1.70% 0.001% Below average error rate

Coinsurance Application 4.14% 0.003% Below average error rate

Copayment Application 4.28% 0.017% Below average error rate

Ineligible Services 0.35% 0.004% Below average error rate

Visit Limitation 0.11% 0.012% Below average error rate

Duplicate Claims Payment 0.03% 0.007% Below average error rate

Surgery Payments 0.07% 0.003% Below average error rate

Benchmarks – TRS-Care Plan

Exception Category Benchmark Error Rate

Aetna Error Rate Aetna Score

100 Percent Coverage 1.70% 0.003% Below average error rate

Coinsurance Application 4.14% 0.11% Below average error rate

Copayment Application 4.28% 0.002% Below average error rate

Ineligible Services 0.35% 0.10% Below average error rate

Visit Limitation 0.11% 0.006% Below average error rate

Duplicate Claims Payment 0.03% 0.007% Below average error rate

Surgery Payments 0.07% 0.006% Below average error rate

1.7 Recommendations Request and review financial and claim impact analyses for all “Agreed To” exceptions and other

exceptions where Aetna was not properly adjudicating claims according to the SPD language. Where applicable, recoveries should be pursued.

Work with Aetna to clarify the intent of all the plan design features identified as exceptions, with particular focus on non-covered (ineligible) services. Further clarifying language in the SPD related to ineligible services may be helpful. For services which are typically excluded but where approval for payment may be provided on an exception basis, a prior authorization requirement may be appropriate.

Aetna should address the issues identified that are related to the correct application of member liability such as coinsurance and copayment to assure that members are assessed the correct amount and that claims are paid correctly for claims that require coinsurance as well as claims that are covered at 100%.


Aetna should institute edits in the claims processing system to assure chiropractic visits are paid only up to the specified limit.

There were two claims with procedural issues identified which did not have a financial impact but where a change is recommended. When allowed charges are assigned to multiple lines of a claim record or when a claim is processed for an outdated code, the allowed amount should be assigned only to lines for procedure codes representing covered services. This would allow editing software to better identify true errors and eliminate false positive results.

1.8 Aetna’s Response We recognize that the type of audit performed by Truven selects samples based on what they consider a high probability of being paid in error rather than as a statistical sampling. This type of audit is not a measure of overall quality or indicative of any trends. Details for all errors identified and overpayment recovery status are found in the sections below along with the service center responses. We have completed a thorough root cause analysis of all the agreed upon errors and educational feedback has been provided to ensure a thorough understanding of the impact of the errors identified. All affected claims have been referred for reprocessing with the exception of those claims that would result in member responsibility.

Aetna takes these audit results very seriously and recognizes that there is always room for improvement. We continue to focus on continuous quality review through the development of additional system enhancements, as well as conducting focused and refresher training sessions with Claim Benefit Specialists. These steps are vital to our success in quality improvement and are outlined as they relate to this audit in the action plan portion of our report.

TAB 4C

Teacher Retirement System of Texas Review of Drug Benefit Administration by Caremark Rx for September 1, 2014 to August 31, 2015

Plan: TRS-ActiveCare

Prepared for: Teacher Retirement System of Texas Submitted: November 17, 2016 Submitted by: Truven Health Analytics


1 EXECUTIVE SUMMARY

1.1 Engagement Ov ervi ew The Teacher Retirement System of Texas (TRS) engaged the services of Truven Health Analytics (Truven) to conduct a pharmacy claims review to assess Caremark Rx’s (Caremark's) administration of TRS’s self-funded pharmacydrug plans and determine if Caremark complies with the terms of the administrative agreement. This engagement encompassed an audit of Caremark to assess the accuracy and appropriateness of its fiduciary responsibility as the plan’s administrative agent including the prescription adjudication process, compliance with pricing agreements, contract terms, and review of quality control procedures. Truven performed an electronic audit of all claims adjudicated by Caremark from September 1, 2014 through August 31, 2015.

The pharmacy drug plans included in this review consist of the following:

TRS-ActiveCare 1 HD Fiscal Year 2015 TRS-ActiveCare 2 Fiscal Year 2015 TRS-Active Select Network Fiscal Year 2015

1.2 Claim s Review Scope Truven analyzed 100% of TRS’s claims incurred by TRS’s plan participants during the audit period and selected a sample of 160 claims for testing and review from Fiscal Year 2015. The sample was selected based on various exception areas identified in the population of claims processed during the audit period. These exception areas were based on standard administrative rules such as quantity limits, ample day supply, co-payments, and eligibility specific to the plan benefits described in the contract and other benefit documents

1.3 Audit Concl usions The sample claims were reviewed based on Caremark’s responses, and 25 exceptions were identified. We evaluated all 4,331,150 claims during the audit period based on Caremark’s responses and identified $5,055,126 in net payment exceptions. The following chart compares the total net cost of all exceptions identified by this audit against the total cost of TRS’s entire claims population.

Overall Audit Results Paid

Total cost of all employee prescription drug claims $333,432,600

Total cost of claims sampled (detail Claims Sample Results) $25,573

Total net exceptions identified in claims sample (detail Claims Sample Results) $746

Total net cost of all exceptions identified from the analysis of TRS’s entire claims population (based on the attributes and root causes of Truven’s claims sample findings)

$5,055,126

Additional discount shortfall using TRS’s contracted rates for mail and retail and specialty drugs (TRS previously received $7.1M based on Caremark’s reconciliation.)

$53,829


The financial impact of all claim exceptions identified through this audit are net overpayments of $5,055,126 representing 1.52% of TRS’s total prescription drug plan spend. This includes approximately $5,430,000 in overpayments identified for early refills, which represents a future cost savings opportunity. This overpayment amount was primarily offset by underpayments found in the copayment category. Based on the results of the audit, we have several recommendations that we believe, if implemented, would improve the overall claims processing accuracy rate and could result in savings to TRS.

1.4 Summ ary of Key Find ings and Observ ation s & Recommendati ons

The following summarizes our key findings and observations and recommendations based on the results of the audit

1.4.1 Key Findings and Observations Discount Analysis: Based on our discount analysis, we determined that Caremark did not meet

the guarantee on all specialty claims. We have determined that claims were processed at a lower discount rate than indicated in TRS’s contract resulting in a shortfall of $53,829.

Copayment application: Claims were processed at copays other than outlined in the contract. Claims processed at Veteran Affair’s pharmacies and Retail 90 claims caused the majority of the copayment exceptions. According to Caremark, they are reviewing claims that adjudicated with the incorrect copayment during the impact period and will reimburse TRS at the conclusion of the audit.

Early Refill: Claims were filled outside of early refill parameters set in the contract. The majority of the findings were for retail claims that were filled prior to the plan design utilization of 75%.

Gender Conflicts: Although the results were minimal, we found instances where prescriptions were filled that conflicted with the member’s gender. A gender-specific edit is not in place in the plan design.

1.4.2 Recommendations TRS previously accepted Caremark's payment of $7,112,399 for not meeting contractual

obligations for discounts for mail and retail claims. Truven recommends TRS continue to work with Caremark to reconcile the specialty discount shortfall identified during this audit.

We recommend that TRS work with Caremark to resolve the copayment issues identified in the audit. Furthermore, we recommend TRS work with Caremark to determine if the Dispense as Written (DAW) penalty program is in line with client intentions.

A discussion of early refill parameters should be undertaken between Caremark and TRS. Specific parameters should be outlined in detail and agreed upon to ensure early refills occur for valid reasons such as vacation overrides, dosage changes or lost medication.

We recommend a gender-specific edit be considered as a future cost savings opportunity to ensure proper Drug Utilization Review (DUR), plan deductibles, maximum out of pockets, and that potential fraud is addressed.


A discussion of plan excluded products should be undertaken between Caremark and TRS to ensure they are in line with client intentions. Specific parameters should be outlined in detail.

TAB 4D

=

Teacher Retirement System of Texas Review of Drug Benefit Administration By Express Scripts Inc.

For September 1, 2013 to August 31, 2015

Plan: TRS-Care Prepared for: Teacher Retirement System of Texas Submitted: November 18, 2016 Submitted by: Truven Health Analytics

1 EXECUTIVE SUMMARY

1.1 Engagement Overview The Teacher Retirement System of Texas (TRS) engaged the services of Truven Health Analytics (Truven) to conduct a pharmacy claims review to assess Express Scripts, Inc.'s (ESI’s) administration of TRS’s self-funded prescription drug plans and determine if ESI complies with the terms of the administrative agreement. This engagement encompassed an audit of ESI to assess the accuracy and appropriateness of its fiduciary responsibility as the plan’s administrative agent including the prescription adjudication process, compliance with pricing agreements, contract terms, and review of quality control procedures. Truven performed an electronic audit of all claims adjudicated by ESI from September 1, 2013 through August 31, 2015.

The prescription drug plans included in this review consist of the following:

TRS-Care 2 Fiscal Years 2014 and 2015 TRS-Care 3 Fiscal Years 2014 and 2015 TRS-Care 1 Fiscal Years 2014 and 2015

1.2 Claims Review Scope Truven analyzed 100% of TRS’s claims incurred by TRS’s plan participants during the audit period and selected a sample of 38 claims for the fiscal plan year 2014 for testing and review and a sample of 21 claims for testing and review for fiscal plan year 2015. The sample was selected based on various exception areas identified in the population of claims processed during the audit period. These exception areas were based on standard administrative rules such as quantity limits, ample day supply, co-payments, and eligibility specific to the plan benefits described in the contract and other benefit documents.

1.3 Audit Conclusions The sample claims were reviewed based on ESI’s responses. We evaluated all 2,929,964 claims during the audit period FY2014 based on ESI’s responses and identified $2,838,401 in potential overpayments. We evaluated all 3,061,015 claims during the audit period FY2015 based on ESI’s responses and identified $2,172,991 in potential overpayments.

The following charts compare the total cost of all exceptions identified by this review against the total cost of the TRS’s entire claims population.

Fiscal Plan Year 2014 Overall Audit Results Paid

Total cost of all employee prescription drug claims for FY2014 $294,423,834

Total cost of claims sampled $44,653

Total exceptions identified in claims sample (detail Claims Sample Results) $2,375

Total cost of potential claims exceptions identified from the 100% analysis of the entire claims population for FY2014 (based on the attributes and root causes of Truven’s sample findings)

$2,838,401

The financial impact of all claims exceptions identified through this review for FY2014 is potential overpayments of $2,838,401 representing 0.96% of TRS’s total prescription drug plan spend. The financial impact of all exceptions is below our industry standard threshold of < 2%. Based on the results of our review, we have several recommendations that we believe, if implemented, would improve the overall claims processing accuracy rate and could result in savings to TRS.

Fiscal Plan Year 2015 Overall Audit Results Paid

Total cost of all employee prescription drug claims for FY2015 $332,738,866


Total exceptions identified in claims sample (detail Claims Sample Results) $837

Total cost of potential claims exceptions identified from the 100% analysis of the entire claims population for FY2015 (based on the attributes and root causes of Truven’s claims sample findings)

$2,172,991

The financial impact of all claims exceptions identified through this review for FY2015 is potential overpayments of $2,172,991 representing 0.65% of TRS’s total prescription drug plan spend. The financial impact of all exceptions is below our industry standard threshold of < 2%. Based on the results of our review, we have several recommendations that we believe, if implemented, would improve the overall claims processing accuracy rate and could result in savings to TRS.

1.4 Summary of Key Findings and Observations & Recommendations

The following summarizes our key findings and observations and recommendations based on findings identified in the entire TRS claims population.

1.4.1 Key Findings and Observations Benefit Plan Administration:

o Duplicate Claims and Early Refill: Duplicate claims were filled for the same drug on the same day. Also, claims were filled prior to the refill utilization parameters set in the contract.

o Quantity Limitations: Claims were filled prior to quantity limit parameters set in the contract. ESI noted the “first fill at mail” logic as the reason for the claims being filled outside of plan parameters. Truven disagrees with this logic. Quantity limitations are set up based on the recommended daily dose from the Food and Drug Administration (FDA) for certain drugs. These parameters are designed to be a cost savings opportunity for TRS.

1.4.2 Recommendations Benefit Plan Administration:

o Duplicate Claims and Early Refills: We recommend TRS work with ESI to reconcile claims

processed outside of plan utilization parameters. In addition, a discussion of early refill and duplicate drug parameters should be undertaken between ESI and TRS. Specific parameters should be outlined in detail and agreed to. This should be discussed as a future cost savings opportunity.

o Quantity Limitations: We recommend TRS work with ESI to reconcile claims processed outside of plan parameters. In addition, a discussion of quantity limitations should be undertaken between ESI and TRS. Specific parameters should be outlined and agreed to. This should be discussed as a future cost savings opportunity.

TAB 4E

Teacher Retirement System of Texas Review of EGWP Drug Benefit Administration by Express Scripts, Inc.

for September 1, 2013 to December 31, 2013 and January 1, 2014 to December 31, 2014 Plan: TRS-Care Prepared for: Teacher Retirement System of Texas Submitted: November 18, 2016 Submitted by: Truven Health Analytics


1 EXECUTIVE SUMMARY

1.1 Engag ement Overview The Teacher Retirement System of Texas (TRS) engaged the services of Truven Health Analytics (Truven) to conduct a pharmacy claims review to assess Express Scripts, Inc.'s (ESI’s) administration of TRS’s self-funded prescription drug Employer Group Waiver Plan (EGWP) and determine if ESI complies with the terms of the administrative agreement. This engagement encompassed an audit of ESI to assess the accuracy and appropriateness of its fiduciary responsibility as the plan’s administrative agent including the prescription adjudication process, compliance with pricing agreements, contract terms, and review of quality control procedures. Truven performed an electronic audit of all claims adjudicated by ESI from September 1, 2013 through December 31, 2014.

The prescription drug plans included in this review consist of the following:

TRS-Care 2 Calendar Years 2013 (September – December) and 2014 TRS-Care 3 Calendar Years 2013 (September – December) and 2014

1.2 Claims Review Scope Truven analyzed 100% of TRS’s claims incurred by TRS’s plan participants during the audit period and selected a sample of 45 claims for the short plan year 2013 (September 1, 2013 through December 31, 2013) for testing and review and a sample of 41 claims for testing and review for calendar year 2014. The sample was selected based on various exception areas identified in the population of claims processed during the audit period. These exception areas were based on standard administrative rules such as quantity limits, ample day supply, co-payments, and eligibility specific to the plan benefits described in the contract and other benefit documents.

1.3 Audit Conclusi ons The sample claims were reviewed based on ESI’s responses, and various exceptions were identified. We evaluated all 1,475,803 claims during the audit period for the short plan year 2013 and all 4,689,071 claims for calendar year 2014. Based on ESI’s responses, we identified $272,965 as potential overpayments for the short plan year 2013 and $1,289,904 was identified as potential overpayments for calendar year 2014. The following charts compares the total cost of all exceptions identified by this audit against the total cost of TRS’s entire claims population.

1.4 Short Pla n Year 2013 Overall Audit Results Paid

Total cost of all employee prescription drug claims for SPY2013 $121,667,137


Total dollar errors/exceptions identified in claims sample $941

Total cost of potential claim exceptions identified from the 100% analysis of the entire claims population for SPY2013 (based on the attributes and root causes of Truven’s sample findings)

$272,965


The financial impact of all potential exceptions identified is overpayments of $272,965, representing 0.22% of TRS’s total prescription drug spend for EGWP for the short plan year 2013. The financial impact of all exceptions is below our industry standard threshold of < 2%. Based on the results of our review, we have several recommendations that we believe, if implemented, would improve the overall claims processing accuracy rate and could result in savings to TRS.

1.5 Calendar Year 2014 Overall Audit Results Paid

Total cost of all employee prescription drug claims CY 2014 $426,790,064


Total dollar errors/exceptions identified in claims sample $878

Total cost of potential claims exceptions identified from the 100% analysis for the entire claims population for CY 2014 (based on the attributes and root causes of Truven’s sample findings)

$1,289,904

The financial impact of all potential exceptions identified through this review is overpayments of $1,289,904 representing 0.30% of TRS’s total prescription drug spend for EGWP for calendar year 2014. The financial impact of all exceptions is below our industry standard threshold of < 2%. Based on the results of our review, we have several recommendations that we believe, if implemented, would improve the overall claims processing accuracy rate and could result in savings to TRS.

1.6 Summ ary of Key Findin gs and Obser vations & Recommendations

The following summarizes our key findings and observations and recommendations based on the findings identified in the entire TRS claims population.

1.6.1 Key Findings and Observations Benefit Plan Administration:

Quantity Limitations: Claims exceeded quantity limitation parameters set in the contract. Quantity limitations are designed to be a cost savings opportunity for TRS. After further review of all information provided by ESI, we do not agree that ESI has provided sufficient documentation to support the claims being refilled early and exceeding the plan limitations in the contract.

Duplicate Claims and Early Refills: Claims were processed prior to the plan’s utilization contractual parameters. ESI stated that TRS has contractual language that allows members prescriptions to be refilled if member has less than 21 days supply on hand at mail. Truven disagrees with this rule being applied to claims in which member obtain 30 days supply of medication at mail. This rule would allow claims filled at mail for a 30-day supply to be refilled at 30% utilization. Truven has spoken with TRS and obtained confirmation that the rule stating members can obtain refill when member has less than 21-day supply on hand was intended for claims filled for a 90-day supply of medication.


Recommendations Benefit Plan Administration:

Quantity Limitations: We recommend TRS work with ESI to reconcile claims processed outside of plan parameters. In addition, a discussion of quantity limitations should be undertaken between ESI and TRS. Specific parameters should be outlined and agreed to. This should be discussed as a future cost savings opportunity.

Duplicate Claims and Early Refill: We recommend TRS work with ESI to reconcile claims processed outside of plan utilization parameters. In addition, a discussion of early refill and duplicate drug parameters should be undertaken between ESI and TRS. Specific parameters should be outlined in detail and agreed to. This should be discussed as a future cost savings opportunity.

TAB 5

The information for this agenda item is confidential.

TAB 6

TAB 6A

QUARTERLY INVESTMENT COMPLIANCE TESTING INVESTMENT POLICY STATEMENT (IPS), SECURITIES LENDING POLICY (SLP), PERFORMANCE INCENTIVE PAY (PIP) PLAN, WIRE

TRANSFER PROCEDURES, AND ETHICS POLICIES CALENDAR QUARTER ENDED SEPTEMBER 30, 2016, EXCEPT AS NOTED

Legend: Red - Significant to TRS Orange - Significant to Business Objectives Yellow - Other Reportable Exception Green - Positive Test Result/ No Exception

November 15, 2016 Project #17-302

1. Board Reports All required information is reported to the TRS Board of Trustees

2. Investment Selection and Approval Investments made are within delegated limits and established selection criteria

3. Other (IPS, SLP, PIP, wire transfers, other reporting) Risk limits are followed for other investment programs and activities

4. Ethics Policies Ethics filing and reporting requirements are met

Management Responses

Management Assertions

Test Results

Compare Board reports to IPS requirements

Trace sample information included in Board reports to supporting documentation

Obtain evidence of monitoring of the securities lending agent and the program performance

Verify wire transfers are authorized and supported

Test accuracy of Internal Public Markets PIP calculations for the quarter ended 6/30/2016.

Obtain senior management disclosure about known compliance violations

Obtain evidence that financial disclosures were made to the Texas Ethics Commission

Obtain evidence that financial service providers filed annual disclosure statements on conflicts of interest

Trace investments approved by the Internal Investment Committee (IIC) to supporting documentation

Compare approval limits of new investments with IPS

Obtain evidence that Placement Agent Questionnaires (PAQs) were received prior to investing

N/A

Business Objectives

Business Risks

Agreed-Upon Procedures

Board is not informed of key investment decisions or critical information

Risks exceed Board-established tolerances or management policies and procedures

All required information is reported to the Board

Programs are within risk limits and activities follow established policies and procedures

N/A

Ethics policy requirements are not completed or filed

Ethics policies and requirements are being followed

Approvals and fundings exceed delegated limits

Approvals and fundings are within delegated limits and made for qualified managers

All requirements of the IPS, SLP, PIP, and wire transfer procedures were met

N/A N/A

All ethics filing and reporting requirements tested were met

All reporting requirements were met

Documentation provided support for the reports tested

All investments tested were in compliance with approval limits

PAQs were obtained for all investments tested

TRS Internal Audit November 15, 2016 Quarterly Investment Compliance Testing Page 1

November 15, 2016 Carolina de Onis, TRS General Counsel Subject: Report on Independent Testing of Compliance We have completed the Quarterly Investment Compliance Testing for the quarter ended September 30, 2016, as included in the Fiscal Year 2017 Audit Plan. The scope of this engagement included the requirements of the Investment Policy Statement (IPS), Securities Lending Policy (SLP), Employee Ethics Policy, Board of Trustees Ethics Policy, Code of Ethics for Contractors, Wire Transfer Procedures, and Performance Incentive Pay (PIP) Plan. We performed the procedures that were agreed to by the TRS Legal Services division. These procedures include tests that supplement the current compliance monitoring procedures performed by State Street and the Chief Compliance Officer. This agreed-upon procedures engagement was performed in accordance with generally accepted government auditing standards contained in the Government Auditing Standards issued by the Comptroller General of the United States. The sufficiency of the agreed-upon procedures performed is solely the responsibility of the specified users of the report. Consequently, we make no representations regarding the sufficiency of the procedures described in Appendix A either for the purpose for which this report has been requested or for any other purpose. Our testing procedures and results are included in Appendix A. Internal Control Structure We were not engaged to and did not perform an examination of the internal controls nor the operating effectiveness pertaining to the subject areas tested. Accordingly, we do not express an opinion on the suitability of the design of internal controls nor the operating effectiveness of the subject areas tested. Had we performed additional procedures, or had we made an examination of the system of internal control, other matters might have come to our attention that would have been reported to you. This report relates only to the procedures specified below and does not extend to the internal control structure. This report is intended solely for information and use by TRS management, the Board of Trustees, and oversight agencies, and is not intended to be and should not be used by anyone other than those specified parties. However, this report is a matter of public record and its distribution is not limited.


* * * * * We express our appreciation to management and key personnel of the Investment Management Division, Investment Accounting, and Legal Services for their cooperation and professionalism shown to us during this quarterly testing. _____________________________ _______________________________ Amy Barrett, CIA, CPA, CISA Hugh Ohn, CFA, CPA, CIA, FRM Chief Audit Executive Director of Investment Audit Services _____________________________ Rodrigo Dominguez Internal Auditor


APPENDIX A

AGREED-UPON PROCEDURES AND RESULTS

STEP #

OBJ. # TEST PURPOSE TEST DESCRIPTION TEST RESULT MANAGEMENT RESPONSE

1 1 IPS Article 1.7a - 1.7o – Obtain evidence that all requirements were reported to Board of Trustees. Quarterly reporting requirements include investment performance, asset class exposures, and external investments under consideration. Semi-annual reports include outstanding derivatives, leverage, and liquidity positions, and risk limits

Obtain all information required to be reported to Board of Trustees and compare to reporting requirements per Investment Policy Statement (IPS)test

Information required to be reported to Board of Trustees complied with IPS requirements.

No response required

2 2 IPS Article 2.6 – Verify that Investment Management Division (IMD) evaluated hedge fund classification

Select sample of approved investments in hedge funds and external managers

Obtain analysis indicating whether each investment is hedge fund or not. If analysis is unavailable, inconclusive, or erroneous, report that result

For any analysis requiring Board approval of classification, obtain Board minutes to test whether approval was obtained

Each of approved investments in hedge funds and external managers tested had analysis indicating whether investment was a hedge fund or not. No Board approval was required.


3 2 IPS Article 2.7a – Verify that the Internal Investment Committee (IIC) approved all private and relevant public markets fund investments

For the private and public markets funds approved during the quarter, obtain existence of IIC approval

Inquire with Director of External Public Markets whether portfolios were adjusted for the purposes of rebalancing or adjusting risks

If funds added, test if such additional investments or allocations did not exceed 2% of Hedge Fund

IIC approval existed for all funds approved during the quarter. Funds added to previously approved investments or purposes of rebalancing or adjusting risk did not exceed 2% of associated portfolios.



STEP #


IPS Article 2.7g – Verify funds added to previously approved investments for purposes of rebalancing or adjusting risk did not exceed 2% of associated portfolios

Portfolio, External Manager Portfolio, or Other Absolute Return Portfolio (as appropriate) per investment on a monthly basis

Obtain documentation from IMD staff supporting rebalancing analytics.

4 2 IPS Article 7 – Obtain evidence that new investments in emerging managers meet requirements

Test sample of approved investments to verify: Each is independent private investment

management firm with less than $2 billion Each has a performance track record as a firm of

less than 5 years, or both TRS commitment did not exceed 40% of fund

size

There were no emerging manager investments during the testing period.


5 2 IPS Article 12 - Obtain evidence of existence of placement agent questionnaire (PAQ) for each new investment selected for testing and test for inclusion in summary report to the Board

For each investment selected for testing, verify that IMD obtained responses to the questionnaire

Obtain evidence that IMD compiled responses to the questionnaires and reported all results to the Board at least semi-annually

Each investment tested had a completed questionnaire and was included in the summary report to the Board.


6 2 IPS Appendix B – Obtain evidence that investments approved are within policy limits

Select sample of approved investments and obtain tearsheet for each, observe the approved amounts are within authorized limits a) Initial allocation – .50% b) Additional or follow-on – 1% c) Total Manager Limits – 3% d) Total limit each manager organization – 6%

Obtain documentation from IMD staff that supports the calculations of the authorized limits

Inquire if any “Special Investment Opportunities” were made for the quarter

For the sample investments tested, no manager or partner organization exceeded the authorized limits and documentation existed for IMD staff calculations of authorized limits. There were no Special Investment Opportunities.


7 3 Quarterly Compliance Certification – Obtain evidence that all known

Confirm with the Chief Compliance Officer that she has received compliance certification from IMD profit center managers, Legal Investment

Obtained confirmation from the Chief Compliance Officer. No compliance



STEP #


compliance violations have been reported by IMD managers and Investment Legal staff

staff, and CIO regarding any known compliance violations occurred during the testing period

exceptions were identified as a result of the quarterly compliance certification.

8 3 Wire Transfers – Verify wire transfers are authorized and properly supported

Obtain wire transfer reports for testing period, select sample of wire transfers, and test that supporting documentation, including manager authorizations, exists for each

All wire transfers tested were properly authorized and correct amounts were wired.


9 3 Securities Lending Policy – Obtain evidence that IMD staff monitored the progress of the securities lending program and performance of lender

Obtain evidence for the following securities lending policy requirements: Sec. 3.1. Securities eligible for lending Sec. 3.3 Collateral received

TRS loaned only eligible securities. All collateral received was cash or government securities.


10 3 Performance Incentive Pay Plan (PIP) – Verify that investment performance results used in quarterly Internal Public Markets (IPM) portfolio matches data from TRS financial applications and custodian bank and that the excess return calculations for individual portfolio managers and sector managers are correct

Trace quarterly IPM individual component calculation spreadsheet to TRS financial performance application data and TRS custodian bank data.

Test whether employee assignments were approved by Senior Director in TRS IPM prior to quarter start by obtaining approval email from Senior Director in TRS IPM to Investment Operations Performance Analyst. If any assignment changes are included in the approval, compare the approved changes to the assignments in the quarterly IPM individual component calculation spreadsheet.

Test whether formulas in the quarterly IPM individual component calculation spreadsheet are correct by recalculating investment return totals by portfolio manager and sector manager, and comparing total investment returns to returns provided by the TRS Custodian Bank.

There were no data, employee assignment, or formula errors included in the quarterly IPM individual component calculation spreadsheet. Thus, excess return calculations for individual portfolio managers and sector managers for the IPM portfolio were correct for the quarter ended June 30, 2016.


11 4 Employee Ethics Policy – Obtain evidence that the

Obtain evidence that the TRS Executive Director filed a personal financial statement with the

The Executive Director’s 2015 personal financial statement was filed with the



STEP #


Executive Director filed a personal financial statement with the Texas Ethics Commission

Texas Ethics Commission for the year ended December, 31, 2015. Ensure that that the filing was made prior to the April 30th deadline.

Texas Ethics Commission. The document was dated prior to the April 30th deadline.

12 4 Code of Ethics for Contractors – Obtain evidence that all TRS brokers, financial advisors, and financial service providers filed annual disclosure statements with TRS General Counsel.

Sec. III.B. Obtain evidence that all TRS brokers, financial advisors, and financial service providers complied with the Code of Ethics for Contractors by filing annual disclosure statements with the TRS General Counsel. Annual filing deadline is April 30th.

All TRS brokers, financial advisors, and financial service providers filed required annual disclosure statements by the due date.


Note: Testing procedures for the Investment Policy Statement (IPS), Securities Lending Policy (SLP), Employee Ethics Policy, Code of Ethics for Contractors, and Wire Transfer Procedures are for the activities for the quarter ended September 30, 2016. Testing procedures for the Performance Incentive Pay Plan are for the quarter ended June 30, 2016.

TAB 6B

AUDIT OF TRS ADMINISTRATION OF 403(b) PROGRAM November 18, 2016

TRS Internal Audit Department

Project #: 17-601

Companies not meeting certification criteria included in TRS company list

Products not meeting qualification criteria included in TRS product list

Uncertified companies selling products to participants

No or delayed referral on complaints received

No investigation of complaints by regulatory agencies

TRS not informed of complaint resolution

TRS not taking proper action based on resolution

Fee caps not established Fee caps established not

competitive Product fees charged

exceeding the fee caps 403(b) fees collected by

TRS are credited to other funds

Fees collected are used for non-403(b) expenses

Board adoption of fee caps Use of consultant for market

studies on investment product fees

Administration cost analysis 403(b) program budget Financial report on 403(b)

program 403(b) expense monitoring

Financial strength checks completed by Texas Department of Insurance

TRS staff’s company checks on State Securities Board website

Certification and qualification forms required

Publication of certified companies and qualified products on TRS website

Board adoption of fee caps Administration cost analysis 403(b) program budget Financial report on 403(b)

program

Financial strength checks TRS staff’s company

checks Certification and

qualification forms required annual demonstration by

providers

Management controls are operating effectively. However, controls related to determining administration cost for fee-setting purposes could be improved.

Management controls are operating effectively. However, controls related to annual demonstration of provider’s qualifications could be improved.

Require records of provider’s verification of license and qualification as part of annual demonstration

Start tracking the cost of program administration for fee-setting purpose

Will consider this recommendation as part of administrative rule review

TRS rules and polices on complaint reporting

Records of complaints received and referred maintained

Quarterly reporting requirement from Texas Department of Insurance

Records of complaints received and referred maintained

Quarterly reporting requirement from Texas Department of Insurance

Management controls are operating effectively to achieve business objective.

None

NA

Legend of Results: Red - Significant to TRS Orange - Significant to Business Objectives Yellow - Other Reportable Issue Green - Positive Finding or No Issue

Business Objectives

Business Risks

Management Controls

Results

Recommended Actions

Management Responses

Ensure that fee caps of investment products are competitive to the market and that TRS fees to investment companies reflect administration costs

Controls Tested

Maintain lists of certified 403(b) companies and products that meet the requirements of governing laws and rules

Refer complaints received to appropriate regulatory agencies and ensure that they are properly addressed

Agrees – Has already begun tracking staff time to capture the cost of administration

TRS Internal Audit November 18, 2016 Audit of TRS Administration of 403(b) Program Page 1

November 18, 2016 Audit Committee, Board of Trustees Brian Guthrie, Executive Director

EXECUTIVE SUMMARY We have completed the audit of the 403(b) Program, as included in the Fiscal Year 2017 Audit Plan. Primary business objectives related to TRS’ administration of the 403(b) Program are as follows:

To maintain lists of qualified 403(b) companies and products that meet the requirements of governing laws and TRS rules

To refer complaints received to appropriate regulatory agencies and ensure that they are properly addressed

To ensure that fee caps of investment products are competitive as compared to the market and that TRS fees to investment companies reflect administrative costs

Based on our audit results, we determined that management controls are operating effectively to achieve business objectives. We did not identify any significant issues. However, we identified an opportunity to improve controls related to: (a) annual demonstration of provider’s qualifications; and (b) determination of administration cost for fee-setting purposes. As part of this audit, we did not test the business objective related to ensuring that the fee caps of investment products are competitive as compared to the current market rates since management is currently working with an outside firm to assess the current fee caps adopted by the TRS Board of Trustees in May 2002. Results of our procedures are presented in more detail in the Results and Recommendations section. The audit objective, scope, methodology and conclusion are described in Appendix A.


BACKGROUND 403(b) Plan Overview

A 403(b) plan, authorized under Section 403(b) of Internal Revenue Code, is a tax-deferred retirement savings plan offered for employees of public schools, employees of certain tax-exempt organizations, and certain ministers. Individual 403(b) accounts are established and maintained by eligible employees. Accounts under a 403(b) plan can be one of the following three types:

An annuity contract provided through an insurance company; these 403(b) annuity plans are also known as tax-sheltered annuities (TSAs) and tax-deferred annuities (TDAs).

A custodial account provided through a retirement account custodian; investments are limited to regulated investment companies, such as mutual funds.

A retirement income account, for which investments options are either annuities or mutual funds.

The employer, like school district, may determine the financial institution(s) at which individual employees may maintain their 403(b) accounts, which in turn determines the type of 403(b) accounts that the employees may establish and fund. Generally, these annuities are funded by elective deferrals made under salary reduction agreements and non-elective employer contributions. 403(b) plans are very similar to 401(k) plans offered by for-profit businesses. Just like with a 401(k) plan, a 403(b) TSA plan lets employees defer some of their salary. In this case, their deferred money goes to a 403(b) plan sponsored by the employer. Generally, these deferred funds are not taxed until distributed. 403(b) plans offer the following benefits for participants:

Contributions to a 403(b) plan reduce taxable income since they are made on a before-tax basis,

Earnings on the retirement money are tax deferred, The annuity transfers with the participant when he/she changes employers or retires, Paying less tax on assets is likely as distributions usually occur during retirement, when a

participant may be in a lower tax bracket, and The 403(b) plans allow participants to take out loans from their accounts.

403(b) Plans for Texas School District Employees

In Texas, the Legislature has set requirements for companies and products that are eligible to receive 403(b) contributions from school employees. Beginning June 2002, Texas school districts and open enrollment charter schools can enter into a 403(b) salary reduction agreement with a company only if the company has certified to the TRS Board of Trustees. In addition, beginning January 2008, products offered for 403(b) salary reduction agreements in Texas must generally be registered with TRS. The school districts direct the participants’ contributions to specific 403(b) investment products selected by each participant from among the options available in their district or charter school. In


Texas, public school employees may only invest in 403(b) products that are: (a) offered by a TRS-certified company; and (b) registered with TRS. TRS maintains a list of certified 403(b) companies and a list of registered 403(b) investment products on its website as required by State law. Currently, 74 companies are certified by TRS to offer 403(b) investment products in Texas. The TRS List of 403(b) Certified Companies classifies these companies into three categories: annuity, non-annuity and/or platform. These classifications indicate what type of investments the company offers.

Annuity companies offer proprietary annuities Non-annuity companies offer proprietary mutual funds Platform companies offer non-proprietary mutual funds from various other certified

companies Several of the companies on the TRS certified list offer investments in more than one category. The products registered with TRS, including information on all fees charged, can be accessed from the TRS website. Responsibilities under Governing Statute

The 403(b) program administered by TRS is governed by Tex. Rev. Civ. Stat. Art. 6228a-5 (Annuities or Investments for Certain Public Employees; Salary Reductions) and Chapter 53 of the Texas Administrative Code (Certification by Companies Offering Qualified Investment Products). These governing laws and rules require several parties involved to perform different duties with regard to the 403(b) program. Primary parties involved in the administration of the 403(b) program in Texas include TRS, Texas Department of Insurance (TDI), State Securities Board (SSB), Texas Department of Banking (TDB), providers/companies of 403(b) products, and Educational Institutions (including school districts) as plan sponsors. Each party’s responsibilities include the following:


TRS TDI/SSB/TDB Provider/Company Educational Institution

Establish and maintain a list of companies that have been certified

Establish and maintain a list of qualified investment products

Adopt the form and content of the registration process

Make the lists of certified companies and qualified investment products available on TRS’ website

Establish the maximum amount of fees, costs, or penalties on investment products offered by companies

Refer all complaints to other regulatory state agencies

Collect a fee from a company not to exceed the administrative cost of TRS

Cooperate with TRS in the administration of the 403(b) program

Investigate a complaint received from TRS

If determined that a violation may have occurred, forward the results of the investigation to state or federal regulatory agency

Submit a quarterly report to TRS that provides the status of any enforcement action taken or investigation on referral made by TRS regarding a product or a company

Promptly notify TRS of any final enforcement order issued regarding the product or company.

Certify to TRS to offer qualified annuity contract if it is authorized to issue annuity contracts in Texas, does not assess fees, cost, or penalties that exceed TRS rules, and comply with the relevant standards

Meet the eligibility criteria to be included in TRS Certified Company List

Submit an application to TRS (to register a product) and pay the registration fee.

Notify TRS if, at any time, the product is not an eligible qualified investment

Provide toll-free telephone transferring privileges each business day

Hold a license issued by TDI, is registered as a securities dealer or agent or investment advisor with SSB, or is a financial institution

Demonstrate annually to TRS that each of its representatives are properly licensed and qualified, by training and continuing education, to sell and service the company’s eligible qualified investments

Enter into a salary reduction agreement with an employee if the offered investment product is an eligible qualified investment and is registered with TRS

Not require or coerce an employee’s attendance at any meeting at which qualified investment products are marketed

Not limit the ability of an employee to initiate, change, or terminate a qualified investment product at any time the employee chooses

No grant exclusive access to an employee by discriminating against or imposing barriers to any agent, broker, or company

Not accept any benefit from a company or from an agent or an affiliate of a company


BUSINESS OBJECTIVES, RISKS, AND CONTROLS For the audit of the 403(b) program, we obtained information about the following three business objectives, as well as the related risks and the controls management established to mitigate these risks (including information on the controls we tested):

Business Objective

Inherent Risks (without considering

controls)

Management Controls (Existing and Potential)

Controls Tested

1. To maintain lists of qualified companies and products which meet requirements of laws and TRS rules

(1) Uncertified companies selling products to participants or unregistered products sold to participants

A) Availability of a list of certified companies in TRS website

B) Availability of list of registered investment products in TRS website

C) Communication of TRS company and product lists to school districts (e.g., TRS Update newsletter)

D) Recertification required (every five years)

List of certified companies in TRS website

List of registered investment products in TRS website

Recertification required

(2) Companies included in the TRS lists not meeting certification criteria (e.g., financial strength)

A) Checks completed by TDI at time of application

B) Notification from TDI or SSB throughout the year (not required under the current statute)

C) TRS staff’s checks on SSB website D) TRS Form 615 (Certification

Application) E) Ability to revoke certification

Checks completed by TDI

TRS staff’s checks on SSB website

TRS Form 615

(3) Outdated or inaccurate lists of certified companies or qualified products

A) TRS staff’s review of information submitted by companies

B) TRS Form 615 (Certification Application) required

C) Checks completed by TDI D) TRS staff’s checks on SSB website E) Recertification required F) Limited access to company and

product files (e.g., IT controls) G) Notification requirement about

changes from providers

TRS Form 615




Limited access to company and product files

Notification requirement about changes from providers

(4) Certified companies or registered products not available or accessible in TRS

A) IT department’s monitoring of TRS website’s unavailability

B) Availability of TRS staff’s assistance to school districts

C) School districts’ and providers’ access to TRS website

No controls selected for testing


Business Objective


controls)


Controls Tested

website (including IT system-down issue)

D) IT Department’s regular backup of company list and product list

(5) TRS’ failure to adopt the form and content of the registration application

A) Statutory provisions readily available

B) Dedicated TRS staff for 403(b) program


(6) TRS’ company certification rules not consistent with statutes

A) Statutory provisions readily available

B) TRS Form 615 (Certification Application)

C) TRS Form 634 (Product Registration Application)

TRS Form 615

TRS Form 634

(7) companies whose certification was denied, suspended, or revoked remaining on the list

A) Checks completed by TDI B) TRS staff’s checks on SSB website C) TRS rules and policies



TRS rules and policies

(8) TRS not informed of certified companies whose licenses have been revoked or denied

A) Coordination with TDI and SSB B) Information available in SSB website C) TRS staff’s checks in SSB website as

part of recertification

TRS staff’s checks in SSB website

(9) Certified companies not notifying TRS about changes or non-compliance

A) 403(b) statutes and TRS rules B) Communication thru TRS Update C) Recertification required D) Notification requirement (including

30-day deadline) and related sanctions for non-compliance


(10) Involved state agencies not clearly understanding statutory responsibilities or not cooperating with TRS

A) Agencies’ responsibilities specified in governing statutes

B) Interagency contact or memorandum of understanding (MOU) established between agencies

Interagency contract or MOU

(11) Noncompliance with laws, regulations, or policies

A) Dedicated TRS staff for 403(b) B) Availability of Legal Services staff C) Ability to revoke certification for

non-compliance



Business Objective


controls)


Controls Tested

(12) Certification renewal period exceeding the limit (i.e., five years)

A) Spreadsheet tracking certification expirations

Spreadsheet tracking certification expirations

(13) Registration period not offered or designated

A) TRS rules B) Announcement of open registration

periods in TRS website


(14) School districts offer uncertified companies or unregistered products to employees

A) TRS lists available in website B) Communication in TRS Update C) Complaints filed by providers or

participants D) Centralized, single agency

administration model (which would require statutory changes)

TRS lists available in website

Complaints filed by providers or participants

(15) Not receiving information for annual demonstration (of representative’s license and training) or not taking action for no completion of annual demonstration

A) Statutory requirement for companies to demonstrate representative’s license and qualifications

B) Use of TRS Form 616 (Annual Demonstration of Licensure and Qualification)

C) TRS’ verification of provider’s evidence of meeting annual demonstration requirements

D) TRS staff’s tracking and disclosure of annual demonstration status

TRS Form 616

TRS’ verification of provider’s evidence of meeting annual demonstration requirements

TRS staff’s tracking and disclosure of annual demonstration status

(16) TRS not denying, suspending, or revoking company certification or product registration

A) Statutory provision giving authority to TRS

B) TRS rules and policies adopted, including different levels of offenses and related sanctions

TRS rules and policies adopted, including different levels of offenses and related sanctions

(17) Making changes to certified lists without supporting documentation

A) Policy requiring supporting documentation

B) Segregation of duties between 403(b) program and IT Department

Policies requiring supporting documentation

(18) Fraud risk, including false information submitted to TRS and companies making misrepresentations to school districts or participants

A) Verification with TDI and SSB B) Screening by school districts C) Complaints that can be filed by

school districts or participants

Verification with TDI and SSB as part of recertification

Complaints filed by school districts or participants


Business Objective


controls)


Controls Tested

2. To refer complaints to appropriate regulatory agencies and ensure that they are properly addressed

(1) Complaints not referred to appropriate regulatory agencies

A) Statutory provisions on complaints B) TRS policy on complaint reporting C) Tracking of complaints TRS referred

to TDI or SSB

TRS policy on complaint reporting

Tracking of complaints TRS referred to TDI or SSB

(2) Complaints not investigated by regulatory agencies

A) TRS records of complaints referred to TDI or SSB

B) Involvement of multiple state agencies

C) Designation of complaint processing departments or individuals at TDI and SSB

TRS records of complaints referred to TDI or SSB

(3) TRS not informed of complaint resolution (that TRS filed)

A) TRS records of complaints filed B) Quarterly reporting requirements

from TDI C) SSB ListServ available for sign-up

TRS records of complaints filed

Quarterly reporting requirements from TDI

(4) TRS not taking proper action based on the outcome of the investigation of a complaint

A) Complaint policy B) Policy on corrective action levels

Policy on corrective action levels

(5) TRS not informed of complaints filed with regulatory agencies (by others)

A) Information available at SSB website

B) SSB ListServ available for sign-up C) Reporting required from regulatory

agencies (which would require statutory changes)


3. To ensure that: fee caps of investment products are competitive as compared to the market rates; and

(1) TRS not established fee caps

A) Statutory authority B) TRS rules adopted C) IT system alerts (if fee caps are

exceeded)

IT system alerts

(2) Fee caps established are not competitive or in line with the market (e.g., too high or too low)

A) Outside expertise available B) Availability of market information C) Feedback from school districts or

participants


(3)Fee information not included in TRS qualified investment product list

A) TRS Form 634 (Product Registration Application)

B) IT design to capture fee information

TRS Form 634


Business Objective


controls)


Controls Tested

TRS fees to investment companies reflect administrative costs

(4) Vendor fees charged for products exceeding the cap established by TRS

A) Fee caps established by TRS B) IT system on fee alerts C) Availability of fee cap information in

TRS website D) Communication of fee cap

information in TRS Newsletter E) Fee checks by school districts

Fee caps established by TRS

IT system on fee alerts

(5) TRS charging administrative fees in excess of $5,000 limit

A) Awareness of statutory fee cap B) TRS rules and policies


(6) TRS product registration fees not reflective of the cost of administration

A) Administrative cost analysis B) Knowledge of recertification dates

Administrative cost analysis

(7) TRS fees collected are not credited to 403(b) trust fund

A) TRS accounting policy B) 403(b) program budget C) Collection report at the time of

receipt D) Financial reports on 403(b) program

403(b) program budget

Financial report on 403(b) program

(8) TRS fees collected are used for non-403(b) related expenses

A) TRS accounting policy B) 403(b) program budget C) Expense monitoring (e.g., thru

monthly financial report)

403(b) program budget

Expense monitoring


RESULTS AND RECOMMENDATIONS OVERALL RESULTS Based on the audit test results, we determined that management controls are operating effectively to achieve the business objectives. No significant issues were identified. The positive test results as well as opportunities for management to improve annual demonstration of provider’s qualifications and fee-setting controls are described below. Additionally, a separate memo was issued to management for other less significant matters related to the business objectives that we observed during fieldwork. POSITIVE RESULTS Example of the positive results we noted from our testing included the following: A. Controls Related to Company Certification and Product Registration

Financial strength checks were completed on the annuity providers included in the TRS Certified Company List.

TRS staff checked a company’s registration status for investment products in the State Securities Board’s website.

TRS made the lists of certified companies and registered products available on the website. TRS staff tracks the expiration date of each company’s certification and as a result, no

company’s certification status passed the five-year limit. TRS forms for company certification and product registration are consistent with statutory

requirements. TRS staff tracks and discloses the status of each company’s submission of the affirmation

form for annual demonstration of licensure and qualifications. B. Controls Related to Complaints Referrals

TRS staff tracks the complaints filed and referred to the TDI or SSB. TRS staff maintains the records of complaints referred to the TDI or SSB.

C. Controls Related to Fee Caps of Investment Products and TRS Fees for Company Certification

and Product Registration

As required by the statute, fee caps have been established for each registered 403(b) product. TRS Information Technology system captures fees information and generate alerts if fee caps

of investment products are exceeded. A separate budget of the 403(b) program is established as a trust fund.

SIGNIFICANT RESULTS1 No significant issues and recommendations were identified.

1 A significant result is defined as a control weakness that is likely to create a high risk of not meeting business objectives if not corrected.


OTHER REPORTABLE RESULTS 1. Require Records of Provider’s Verification of License and Qualification As Part of Annual

Demonstration State statute requires that a certified company/provider shall demonstrate annually to TRS that each of its representatives are properly licensed and qualified, by training and continuing education, to sell and service the company’s qualified investments. However, TRS does not require companies to submit any records or evidence of these requirements. TRS only requires the companies to affirm in a box included in Form 616 (Annual Demonstration of Licensure and Qualification by 403(b) Certified Company) whether the company meets these requirements or not. Some of the responses to our survey of providers indicated that they maintain and verify records of their representatives’ license status and continuing education hours completed. Thus TRS could require the certified companies to submit the evidence of how they met this requirement, such as the names of representatives, their license status, and the number of continuing education or training hours completed each year. Recommendation We recommend that TRS require the providers to submit the records of the verification of the representatives’ license status and the number of continuing education or training hours completed as part of the provider’s annual demonstration.

Management Responses Management will consider this recommendation for potential inclusion in the administrative rules. Currently, management is conducting the statutorily required review of the 403(b) administrative rules. As part of this rule review, management will determine if there is a useful and practical level of evidence to require from providers as part of their annual demonstration. A potential concern is that TRS does not have the authority to set qualification requirements, including minimum training hours. Those requirements are set by several different state and federal regulating entities depending on the type of certified company. While, certified companies must assert to TRS annually that their agents are properly licensed and qualified, TRS is not apprised of the minimum continuing education or training requirements for the different licensing agencies. Moreover, TRS is not apprised as to which types of licensure and training requirements apply to the different agents of the various certified companies. So, if TRS were to get a list of agents and the number of training hours completed for each agent, TRS would not be able to interpret if the hours were sufficient or lacking. Management is open to exploring as part of the rule review whether these concerns can be addressed and whether this information can be required in a manner and form that is productive and useful. 2. Start Tracking the Cost of Program Administration For Fee-Setting Purpose State statute states that TRS may collect a fee not to exceed the administrative cost to the TRS from a company that certifies or recertifies or that registers a qualified investment products, without exceeding $5,000. Statute further states that the fee for registration of a qualified investment products must be set by TRS in the reasonable amount necessary to recover the cost of the administration of the 403(b) program. TRS currently charges $3,000 each for company certification


and product registration and the total amount of net asset for the 403(b) program was approximately $268,000 as of August 31, 2016. According to 403(b) program staff, this fee rate which was set many years ago was determined mainly based on the amount of fund balance available at the time without considering the cost of the program administration. In addition, when the fee amount was initially set, the program was very small with no significant direct or indirect costs. However, the program has expanded in the past with additional staff and administrative support from IT Department and Legal Services. Therefore, before resetting the fee amount for company certification and product registration, TRS should consider the cost of administering the 403(b) program by tracking staff time, allocating direct and indirect costs, and estimated costs of infrequent special projects. Recommendation We recommend that TRS start tracking the direct and indirect costs of the 403(b) program administration to set the fee amount in a manner consistent with statutory provisions. Management Responses Management agrees with the recommendation. The 403(b) program team has already begun tracking the amount of time it spends on 403(b) related work as opposed to work on pension or health care related matters. In years past, the 403(b) program did not require a large amount of resources as evidenced by the lowering of the administrative fee from $5,000 to $3,000 in 2006. Recently, however, complexities in the 403(b) market have resulted in the program requiring more resources. Management will work with General Accounting to start tracking the direct and indirect costs of administering the program for fee-setting purposes and to help ensure the proper and equitable allocation of resources. Management recognizes that these cost allocations might not be well defined because 403(b) program staff can be working on other programs outside the 403(b) program, involvement by support groups such as the IT Department and Legal Services is needed at times, and ad hoc projects requiring resources could arise. In consideration of these factors, management will develop a methodology to capture the cost of program administration in a systematic and consistent manner. The target implementation date to develop this methodology is August 31, 2017, with the effective application date of September 1, 2017. Other Observation One of the TRS Board of Trustees’ responsibilities under the 403(b) statutes is to set the maximum rates (i.e., fee caps) for the annuities and investment products that the providers should not exceed. These fee caps, first adopted in May 2002, have not been changed since. Thus they may no longer be aligned with the current industry or market rates. TRS management is currently seeking outside expertise to obtain market information to assess the current fee caps and therefore, we did not assess the competitiveness of these caps as part of our audit.


* * * * * We appreciate 403(b) Program management and staff for their cooperation, courtesy, and professionalism extended to us during this audit. We also appreciate support provided by IT and Legal Services staff. _____________________________ ___________________________________ Amy Barrett, CIA, CPA, CISA Hugh Ohn, CIA, CPA, CFA, FRM Chief Audit Executive Director of Investment Audit Services _____________________________ ___________________________________ Anandhi Mani, CIA, CPA Rodrigo Dominguez Senior Investment Auditor Internal Auditor


APPENDIX A

AUDIT OBJECTIVE, SCOPE, METHODOLOGY, AND CONCLUSION We conducted this performance audit in accordance with generally accepted government auditing standards contained in the Government Auditing Standards issued by the Comptroller General of the United States and the International Standards for the Professional Practice of Internal Auditing issued by the Institute of Internal Auditors, Inc. These standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our audit findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. AUDIT OBJECTIVE The audit objective was to determine whether internal controls are in place and are working effectively to achieve the business objectives stated below and mitigate significant risks to meeting those objectives.

To maintain lists of qualified 403(b) companies and products that meet the requirements of governing laws and TRS rules

To refer complaints received to appropriate regulatory agencies and ensure that they are properly addressed

To ensure that fee caps of investment products are competitive as compared to the market and that TRS fees to investment companies reflect administrative costs.

SCOPE The scope of the audit included the TRS’ administration of the 403(b) program as specified in Vernon’s Texas Civil Statutes Relating to 403(b) Certification, §§4-13, Article 6228a-5. The focus of our audit was on the responsibilities of TRS under the governing statutes, including coordination with other entities, such as TDI, SSB, school districts, and providers/companies of investment products. Our sample testing focused more on the most recent information, covering the time period from 2015 and 2016 to-date. The audit scope did not include other parties’ responsibilities regarding the administration of 403(b) program, including school districts and providers of 403(b) products. The scope also did not include any review of competitiveness of the current fee levels as compared to the market. Furthermore, our scope did not include any comparison of 403(b) plan with other tax deferred plan offered by school districts such as 457 plan. METHODOLOGY Our methodology included obtaining information on management’s business objectives and risks, and focused on key processes and monitoring controls that management has established to address significant risks. Our methodology generally included validation of controls in place through


observations, sample testing of transactions, documentation of supporting documents, interviews with school district staff, and a survey of providers. Specifically, we performed the following procedures:

Obtained information about tax-sheltered retirement plans authorized by federal laws Reviewed reports on tax-sheltered retirement plans, including Government Accountability

Offices’ (GAO) review of retirement savings Reviewed state law governing the State of Texas 403(b) program Met with representatives of the Texas Department of Insurance (TDI) and the State Securities

Board (SSB) Interviewed the Executive Director, Deputy Director, Director of Strategic Initiatives,

Director of 403(b) Program and staff, Budget staff, and Legal Services staff Traced a sample of 403(b) certified companies to the application forms (i.e., TRS Form 615) Traced a sample of 403(b) registered products to the application forms (i.e., TRS Form 634) Surveyed TRS-certified providers of 403(b) products in Texas to find out about their

practices, including information on how to meet annual demonstration requirements Obtained information about fees charged 403(b) products, including the fee caps established

by the TRS Board of Trustees Obtained budget information and sample financial reports on TRS 403(b) program

CONCLUSION Based on the audit test results, we determined that management controls are operating effectively to achieve the business objectives. No significant issues were identified. However, we identified opportunities to improve controls related to annual demonstration of provider’s qualifications and tracking of 403(b) program administration for fee-setting purpose.

TAB 6C

TRS Internal Audit Summary of Prior Audit Recommendations

November 16, 2016

Project 17-410

RECORDS MANAGEMENT AUDIT

Issue Type Recommendation Status Reported by Management

Reported Implementation

Date

Management Response Addressed

Recommendation?

Management Response

Fully Implemented?

Implementation Current?

Significant

Records Management staff should perform routine enterprise-wide records retention schedule assessments to identify problems such as non-compliance or areas where focused training or consultation is needed.

Implemented 9/25/2015 Partially Yes Yes

Significant

Records Management staff should ensure that management and staff receive adequate records management training that includes well-defined guidelines for users of electronic record systems, including electronic mail and calendar systems. Records Management staff’s increased records management awareness efforts should be visible throughout TRS.

Implemented 9/25/2015 Yes Yes Yes

Significant

TRS should require terminating employees and contract workers to formally certify that they do not have any TRS records.

Implemented 3/2/2016 Partially Yes Yes

TRS Internal Audit November 16, 2016 Records Management Follow-up Audit Page 1

November 16, 2016 Audit Committee, Board of Trustees Mr. Brian Guthrie, Executive Director

EXECUTIVE SUMMARY We have completed the Records Management Follow-Up Audit, which is one of the areas identified in Internal Audit’s Fiscal Year 2017 Audit Plan. The audit objective was to verify management’s implementation actions taken to address the significant finding and audit recommendations made during the Records Management Audit conducted in Fiscal Year 2015, and to answer the following questions:

1. Did management responses fully address the original audit recommendations? 2. Were management responses implemented? 3. Is the implementation current?

The significant finding reported by Internal Audit was related to instances of non-compliance with established record retention periods which identified a need for more training, well-defined guidance, and routine monitoring to address TRS’ records management needs now and in the future. As a result of our follow-up audit work, we concluded:

1. One of the management responses fully addressed the audit recommendation, while two partially addressed audit recommendations.

2. All three management responses were fully implemented. 3. Implementation of management’s stated action plans is current.

Results of our procedures are presented in more detail in the Audit Results section and the audit objective, scope, methodology and conclusion are described in Appendix A. A Summary Report of the FY 2015 Records Management Audit is included in Appendix B.

BACKGROUND In 2015, Internal Audit conducted a Records Management Audit and issued a report in September of that year. The audit objective was to determine whether TRS records management practices aligned with state requirements and guidelines, TRS internal policy and procedures, and generally accepted recordkeeping principles and best practices. Results of the audit determined that while TRS has a mature records management function and experienced Records Management department leadership and staff, records management practices did not always align with state requirements and guidelines, TRS internal policy and procedures, and generally accepted recordkeeping principles and best practices.


Testing found that oversight and monitoring of compliance with records retention schedules and records management program understanding did not occur by Records Management staff. Individuals within both TRS management and general staff reported that they were unsure of roles and responsibilities regarding the creation, maintenance, and disposition of records, whether hardcopy or electronic. Auditors also determined that a lack of understanding of records management requirements could increase the risk that terminating employees and contract workers might intentionally or unintentionally take TRS records when they terminate employment. Testing identified instances where records were maintained past their retention period and other instances where records were discarded prior to their retention period. Additionally, some electronic records could not be located during testing and others were filed in multiple locations. The audit resulted in one significant finding and three other reportable findings. Management agreed with all recommendations included in the audit report and has indicated that actions have been implemented to mitigate the identified risks. The objective of this follow-up audit was to verify the implementation actions taken by management in addressing the three recommendations related to the one significant finding reported in the prior audit.

AUDIT RESULTS OVERALL RESULTS Audit fieldwork focused on the three recommendations made during the prior audit that were related to the one significant finding. These recommendations were:

1. Records Management staff should perform routine enterprise-wide records retention schedule assessments to identify problems such as non-compliance or areas where focused training or consultation is needed.

2. Records Management staff should ensure that management and staff receive adequate records management training that includes well-defined guidelines for users of electronic record systems, including electronic mail and calendar systems. Records Management staff’s increased records management awareness efforts should be visible throughout TRS.

3. TRS should require terminating employees and contract workers to formally certify that they do not have any TRS records.

Results of audit fieldwork found the following:

One of the management responses fully addressed the audit recommendation, while two partially addressed audit recommendations.

All three management responses were fully implemented. Implementation of management’s stated action plans is current.


DETAILED RESULTS Regarding the first recommendation, we found that management is in the final stages of contracting with a vendor to perform a comprehensive, enterprise-wide review of recordkeeping practices including the establishment of electronic records repositories and a revision of departmental record retention schedules. This process is expected to take approximately 2 years to complete. While management’s plan is very thorough in the approach that will be taken during the enterprise-wide assessment, we found that it did not include a plan for conducting on-going monitoring activities to ensure compliance with the revised departmental record retention schedules and newly established processes. When this concern was addressed with management, they committed to several actions to improve their planned monitoring and compliance function. The Records Management Policy, currently undergoing revision, will specifically designate the Records Management Officer as being responsible for monitoring and enforcing compliance with records management policies. The revision will also include an annual certification requirement for management to certify the completeness of their records retention schedule. Further, Records Management will, by the Fiscal Year 2018 purge cycle, revise its procedures associated with the annual purge to include:

More detailed analysis of purge activity to monitor whether all records that are eligible for destruction are in fact being purged.

Providing a “report card” to division directors on their area’s performance in the purge and the level of compliance exhibited recognizing areas of exemplary performance as well as areas needing improvement.

Conducting follow-up spot checks of retention schedule completeness and level of compliance in selected departments based on the results observed during the purge.

Lastly, management has committed to consulting with the vendor contracted to perform the agency-wide records retention assessments regarding any additional routine monitoring activities that management could perform to identify areas of non-compliance and opportunities for focused training or consultation with individual departments. These new monitoring activities will be performed in addition to the current review processes related to the annual purge and monitoring of e-records metrics. Regarding the third recommendation, we found that management’s response and subsequent actions only addressed the development and implementation of a process for exiting TRS employees to certify that they do not have any TRS records. The need for contract workers to certify was not addressed. During the follow-up audit, management developed, and is in the process of implementing, a certification form that requests the contract vendor, rather than the contract worker, to certify that all records have been returned to TRS. The certification form will be implemented by the Contract Management department as part of the contract close-out process. The form will be implemented for all contracts initiated after January 1, 2017.


Additionally, the Records Management Policy is being revised to include a requirement that upon departure, all staff certify that working documents and final records have been returned to TRS. The Records Management Policy is one of several TRS policies that new employees and contract workers receive during the onboarding process. They are required to complete a form acknowledging that they have reviewed the policies and agree to abide by them. The updated Records Management Policy is expected to be finalized by December 31, 2016. The table below provides a summary of management’s implementation status of the significant audit recommendations from the FY 2015 Records Management Audit.

Rec # Original Recommendation

Implementation Status (As determined by Follow-up Audit)

Notes Management Response Fully

Addressed Recommendation

Management Response

Fully Implemented

Implementation is Current

1 Records Management staff should perform routine enterprise-wide records retention schedule assessments to identify problems such as non-compliance or areas where focused training or consultation is needed.

Partially

Yes Yes Auditor Note Management response did not address the need for on-going monitoring activities to ensure compliance with record retention schedules. Management Response Management has agreed to address this risk by taking the following actions: Updating language in the

Records Management Policy to clearly assign responsibility for monitoring and enforcing compliance with records management policies to the Records Management Officer

Adding additional analysis, monitoring, and reporting features to the existing purge process

Conducting spot checks of retention schedule completeness and compliance

Consulting with the vendor hired to conduct the agency-wide records






Management Response

Fully Implemented


management assessments regarding any additional routine monitoring activities that management could perform to identify areas of non-compliance and opportunities for focused training and consultation

2 Records Management staff should ensure that management and staff receive adequate records management training that includes well-defined guidelines for users of electronic record systems, including electronic mail and calendar systems. Records Management staff’s increased records management awareness efforts should be visible throughout TRS.

Yes

Yes

Yes

Auditor Note Management has worked with Human Resources and Organizational Change Management to develop a training schedule and will continue to work with them to develop the necessary materials to provide focused training to staff at all levels across the agency.

3 TRS should require terminating employees and contract workers to formally certify that they do not have any TRS records.

Partially Yes Yes Auditor Note Management response did not address the implementation of a certification process for exiting contract workers. Management Response Management has developed a certification form that will request contract vendors to certify that all records have been returned to TRS. Use of the certification form will be implemented by the Contract Management






Management Response

Fully Implemented


department during the contract close-out process for contracts initiated after January 1, 2017. Additionally, the Records Management Policy is being updated to include language stating that all staff are required to return all working documents and final records to TRS upon departure from the agency.

* * * * * We appreciate the cooperation, courtesy, and professionalism extended to us during this follow-up audit by TRS Records Management department management and staff. _____________________________ ______________________________ Amy Barrett, CIA, CPA, CISA Toma Miller, CIA, CGAP Chief Audit Executive Senior Internal Auditor _ ____________________________ Jan Engler, CIA, CISA, CFE Director of Benefit Audit Services


APPENDIX A

AUDIT OBJECTIVE, SCOPE, METHODOLOGY, AND CONCLUSION We conducted this audit in accordance with generally accepted government auditing standards contained in the Government Auditing Standards issued by the Comptroller General of the United States and the International Standards for the Professional Practice of Internal Auditing issued by the Institute of Internal Auditors, Inc. These standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our audit findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. AUDIT OBJECTIVE The audit objective was to verify management’s implementation actions taken to address audit recommendations related to the significant finding made during the Records Management Audit conducted in Fiscal Year 2015, and to answer the following questions for each recommendation:

1. Did management responses fully address the original audit recommendations? 2. Were management responses implemented? 3. Is the implementation current?

SCOPE The scope of the follow-up audit included three audit recommendations related to the one significant finding reported in the FY 2015 Records Management Audit. METHODOLOGY The audit methodology included obtaining information on management’s implementation actions for each recommendation within the scope of the audit. To determine the implementation status, the auditor conducted interviews, reviewed documents, and reviewed departmental procedures. CONCLUSION During the Records Management Audit, Internal Audit identified one significant finding related to the need for more training, well-defined guidance, and routine monitoring in order to address TRS’ records management needs now and in the future. Three recommendations were made related to this finding. During the follow-up audit, we concluded:

1. One of the management responses fully addressed the audit recommendation, while two partially addressed audit recommendations.

2. All three management responses were fully implemented. 3. Implementation of management’s stated action plans is current.


APPENDIX B

Summary Report of FY 2015 Records Management Audit Findings and management responses that are in the red-line box are covered in the project scope of this follow-up audit

TAB 6D

TRS Internal Audit Summary of Audit Recommendations Status

November 2016


Project Recommendation Status Issue Type Estimated Date

Revised / Actual Date

16-301 Overall IMD Opinion Audit

Improve the travel process to ensure justification for excess lodging expenses for foreign travel Implemented Other

Reportable 8/2016 10/2016

Enhance written operating procedures for TAA process Implemented Other Reportable 12/2016 10/2016

16-303 Performance Incentive Payment Calculations

Qualitative Award for Transferred Employees Implemented Other Reportable 9/2016 9/2016

Significant to Business Objectives Other Reportable Past original estimated completion date No management action plan or No progress on management action plan Past original estimated completion date Progress on management action plan Original estimated completion date has not changed Progress on management action plan

Satisfactory implementation of management action plan or Acceptance of risk by management

Implementation of management action plan pending Internal Audit validation

Past original or first revised estimated completion date No management action plan or No progress on management action plan Past original or first revised estimated completion date Progress on management action plan Within original or first revised estimated completion date Progress on management action planSatisfactory implementation of management action plan or Acceptance of risk by management


November 2016


Status of Reporting Entity Audit Recommendations

Statuses:

Under Legal Services Review – TRS Benefits team has requested Legal Services review before taking any further action In Progress – TRS Benefits team is working with RE on corrections/adjustments Closed – TRS Benefits team has resolved all RE audit findings No Audit Findings – the audit resulted in no audit findings

Audit Project # Audit Report Date Reporting Entity (RE) Status

1 16-401 A 1/15/2016 Manor ISD In Progress

2 16-401 D 5/13/2016 Daingerfield-Lone Star ISD Closed

3 16-401 E 8/3/2016 Socorro ISD In Progress

4 16-401 F 8/3/2016 Ysleta ISD In Progress


November 2016


State Auditor’s Office (SAO) Audit Recommendations

Project Recommendation Status Issue Type Estimated Date

Revised / Actual Date

15-305 SAO Audit of Fiscal Year 2014 Comprehensive Annual Financial Report

Strengthen controls over census data In Progress Significant 8/2016 9/2017

16-030 SAO Audit of Incentive Compensation

Strengthen Controls over Incentive Compensation Calculation and Review Processes In Progress Other

Reportable 9/2016 1/2017

TRS Internal Audit Status of Top 10+1 Innovation Ideas

As of October 2016


Description Status Estimated

Implementation Date

Top 10+1 Innovation Ideas presented to the Board in February 2016

1 Explore an automate tool to ensure accuracy and protect the Incentive Pay Calculation

The Iconixx has been selected and are in the development stage. It is expected to be used to perform this year’s incentive pay calculations. 1/2017

2 Expand Use of ERM Technology to entire TRS

Continuing to test LogicManager for annual updates of agency-wide BIA and BCP data. Planning to test the tool for follow-up on risk-related action items and strategic plan status updates. Identified additional support needed from both TRS IT and the vendor. This initiative is on track.

12/2017

3 Testing the Entire Population of Data in REs Audits

This project is deferred until the TEAM Phase 1B implementation when full payroll data is available. 9/2018

4 Development of a Financial Data Hub

The Information Systems Architecture (ISA) team has completed contract data architect/modeler interviews and will select a candidate around mid-October. Requirements gathering should begin the first part of November. The ISA and General Accounting teams will work with the new contractor to develop a project schedule for this 3rd phase of the financial data hub.

9/2017

5 Expand the use of K2 Blackpearl for improved workflow automation

Below are the updates for Expanding the use of K2 Blackpearl: 1. Continue to make enhancements to the Purchase Requisition (TRS146) form as well as

the IT Service Request form.2. Successfully implemented the Exiting Employees (E-Records) process using K2 and

EasyVista.3. Actively working on developing K2 forms for a better user experience for the following

HR forms: Employee Name Change, Employee Transfer, New Hire Setup, ContractorSetup

4. Kicking off the Inventory Management Process project

9/2017

6 Automate Board members Eligibility Assessment and Nomination Process

Purchasing will soon issue an RFP for board election management services. ICommunications has included in that RFP's scope of work an option where the contractor would manage a new process whereby members and retirees who wish to nominate someone to appear on a TRS board election ballot could do so online.

9/2018

TRS Internal Audit Status of Top 10+1 Innovation Ideas

As of October 2016


Description Status Estimated

Implementation Date

7 Use In-House Resources for IT Security Monitoring

IT Security team is validating the existing security controls for security monitoring of TRS network. Updates to all monitoring tools would help determine their validity. The validation checks should be completed by Fall 2016.

9/2019

8 Implement HR Dashboard using Automatic Tool

HR has started an initial discussion about various software products, but decision has not been made. 9/2019

9 Central Repository for Employee Information

FSR Team project is currently on hold. HR is exploring other technology opportunities 9/2019

10 TEAM 2.0 - Continue Improving TEAM Program

TRS will be taking on development and maintenance of a new Health Care application as well as assuming responsibility for CRM and Workflow development. In addition, TRS is building some of our own functionality to get more experience maintaining the application

9/2019

11 Expand the Use of E-Signature

General Accounting is coming up to speed with eSignLive system and working on processes and procedures for using e-signature for TRS contracts.

IT Team continues planning activities for other e-signature proof of concepts such as automating the TRS138/Medical Board process. During the month of October, the team should be doing some initial requirements gathering with eSignLive professional services to help scope out the TRS138 effort and provide high-level solution. The eSignLive professional services team will assist with some of the integration needs.

6/2017

Solution: Iconixx Software

• Austin-based company

• Provides web-based solutions to manageincentive compensation, salescompensation and merit planning

• Solution is stand alone and does notrequire integration with a financial or HRsystem

• Primary users are Investment Accountingand Human Resources

TRS Gains

• Automated solution to track and maintain data

• Increased audit capabilities

• System helps formalize our internal workflowsand processes

• Once implemented, system will provide testdatabase to model potential plan changes

• Dashboards and reports will improve TRS’ abilityto track and analyze data

• System will create automated compensationstatements for IMD employees

Incentive Compensation Software Update


Timeline

• April – Demo and initial meeting• May – Activation scope meetings• June – Signed agreement and project

preparation• July – Project kick-off and requirements

gathering• August/September – System

configuration• October – Validate 2014-2015 incentive

data• November – Testing and begin loading

2015-2016 data• December – Finish calculations, review

and audit results• January – Process incentive payments

Next Steps

• Phase I – Basic incentive calculations

• Phase II – Develop dashboards and analyticsgrid

• Phase III – Configure system for 2016-2017calculations

Incentive Compensation Software Update


TAB 6E

Internal Audit Annual Report

Fiscal Year 2016

Teacher Retirement System of Texas 1000 Red River Street, Austin, Texas 78701-2698

October 2016

TEACHER RETIREMENT SYSTEM OF TEXAS

BOARD AUDIT COMMITTEE (As of October 15, 2016)

Christopher Moss, Chair T. Karen Charleston

David Corpus Greg Gibson

Anita Smith Palmer

BOARD MEMBERS (As of October 15, 2016)

R. David Kelly, Chair Dolores Ramirez, Vice Chair

T. Karen Charleston Greg Gibson John Elliott

Joe Colonnetta David Corpus

Christopher Moss Anita Smith Palmer

EXECUTIVE DIRECTOR

Brian Guthrie

INTERNAL AUDIT DEPARTMENT

Amy L. Barrett, CIA, CISA, CPA, Chief Audit Executive Jan Engler, CIA, CISA, CFE, Director of Benefit Services

Lih-Jen Lan, CIA, CPA, CISA, CISSP, CCSA, Information Technology (IT) Audit Manager

Hugh Ohn, CFA, CPA, CIA, FRM, Director of Investment Audit Services Dinah G. Arce, CIA, CPA, CFE, CIDA, Senior Auditor

Toma Miller, CIA, CGAP, Senior Auditor Dorvin Handrick, CISA, IT Audit Manager

Simin Pang, CIA, CISA, Senior IT Auditor Anandhi Mani, CIA, CPA, Senior Investment Auditor

Art Mata, CEBS, CPM, Senior Internal Audit Benefit Consultant Carol Casey, CPM, Internal Audit Benefit Consultant

Rodrigo Dominguez, Investment Auditor

October 15, 2016 Honorable Greg Abbott, Governor Members of the Legislative Budget Board Members of the Sunset Advisory Commission Ms. Lisa R. Collier, CPA, First Assistant State Auditor Mr. R. David Kelly, Chair, TRS Board of Trustees Mr. Christopher Moss, Chair, TRS Board Audit Committee Members of the Board of Trustees, Teacher Retirement System of Texas Mr. Brian Guthrie, Executive Director, TRS Attached is the annual report of the Internal Audit department of the Teacher Retirement System of Texas (TRS). This report provides information on the audit plan, assurance, consulting, and advisory projects completed, and other Internal Audit activities. It also meets the annual reporting requirement of the Texas Internal Auditing Act (Texas Government Code, Chapter 2102.009 and Texas Government Code, Sections 2102.015 and 2102.0091). This report includes the following State Auditor’s Office reporting guidelines:

I. Compliance With Texas Government Code, Section 2102.015: Posting the Internal Audit Plan, Internal Audit annual report, and Other Audit Information on Internet Website

II. Internal Audit Plan for Fiscal Year 2016 III. Consulting Services and Nonaudit Services Completed IV. External Quality Assurance Review (Peer Review) V. Internal Audit Plan for Fiscal Year 2017 VI. External Audit Services Procured in Fiscal Year 2016 VII. Reporting Suspected Fraud and Abuse

The work performed by TRS Internal Audit contributes toward accountability, integrity, and good management practices within TRS operations. Fiscal year 2016 projects contributed to the improvement of risk management, control, and governance processes. Internal Audit (or those engaged by Internal Audit) issued 10 assurance and 8 agreed-upon procedures reports, followed-up and reported quarterly on the status of all outstanding audit recommendations, and performed advisory services in various areas including TEAM (TRS Enterprise Application Modernization) Program initiatives. For further information about the contents of this report or to request copies of Internal Audit reports, please contact Amy Barrett at (512) 542-6559. Sincerely, Amy L. Barrett, CIA, CISA, CPA Chief Audit Executive

TEACHER RETIREMENT SYSTEM OF TEXAS

INTERNAL AUDIT ANNUAL REPORT

FISCAL YEAR 2016

October 2016

Teacher Retirement System of Texas Internal Audit Annual Report for Fiscal Year 2016

I. Compliance With Texas Government Code, Section 2102.015:

Posting the Internal Audit Plan, Internal Audit Annual Report, and Other Audit Information on Internet Website

Teacher Retire Teacher Retirement System of Texas Internal Audit Annual Report for Fiscal Year 2016 I. Compliance with Texas Government Code, Section 2102.015: Posting the Internal Audit

Plan, Internal Audit Annual Report, and Other Audit information on Internet Web site

Texas Government Code, Section 2102.015 requires state agencies and institutions of higher education, as defined in the statute, to post agency internal audit plans and internal audit annual reports on the agency’s internet website within 30 days of approval. The statute also requires entities to update the posting on the Internet to include a.) a detailed summary of the weaknesses, deficiencies, wrongdoings, or other concerns raised by the audit plan or annual report and b.) a summary of the actions taken to address concerns, if any, that are raised by the audit plan or annual report.

TRS Internal Audit follows the following procedures to ensure compliance with the requirements of Texas Government Code, Section 2102.015:

The TRS Annual Internal Audit Plan is approved each fiscal year by the TRS Board of Trustees as recommended by the TRS Audit Committee. The annual audit plan, as approved by the TRS Board of Trustees, is provided by Internal Audit staff to the TRS Website coordinators and posted to the TRS Website within 30 days of approval.

The TRS Internal Audit Annual Report is prepared annually by Internal Audit staff in accordance with the Texas State Auditor’s Office guidelines by the required deadline. This report, once approved by the Chief Audit Executive, is submitted to the Governor, the Legislative Budget Board, the Sunset Advisory Commission, the State Auditor’s Office and the TRS’ Board of Trustees by November 1st of each fiscal year. The annual report is provided by Internal Audit staff to the TRS Website coordinators to post to the TRS Website.

Summaries of the weaknesses, concerns, and actions taken to address concerns in the audit plan or annual report are provided by Internal Audit in the quarterly TRS Audit Committee materials. The audit committee materials provide audit reports completed during each quarter, quarterly status reports on management action on outstanding audit recommendations, and the status of the current fiscal year audit plan. The individual audit reports provide the results, recommendations, and management actions taken to address the audit recommendations. The TRS Audit Committee materials are posted to the TRS Website, after dissemination to TRS Board of Trustees, through an administration process of board and committee materials prior to the scheduled board meeting.


II. Internal Audit Plan for Fiscal Year 2016

Fiscal Year 2016 Audit Plan Status As of August 2016

September 2016 Board Audit Committee Meeting 2

Title and Project # Type Status Executive and Finance

Actuarial Data Controls (15-402) Audit Complete

State Auditor’s Office (SAO) Financial (CAFR) Audit Coordination Advisory Complete

Internal Ethics and Fraud Hotline Administration Advisory Complete. Transferred to Compliance

Meetings Participation Advisory Ongoing

Special Requests and Emerging Issues

Innovation Best Ideas (16-605) - Board Chair Request

Audit/Consulting/Advisory Consulting

Complete

Testing of Executive Performance Incentive Pay Calculations Agreed-Upon Procedures Complete

TEAM Program TEAM Program Internal Controls Assessment Advisory In Progress

TEAM Security and Access Controls Assessment Advisory In Progress

TEAM Independent Program Assessment (IPA) Vendor Support Advisory Ongoing

TEAM Committees and TEAM Projects Participation Advisory Ongoing

Pension Benefits

Benefits Testing for State Auditor’s Office (SAO) Audit of Comprehensive Annual Financial Report (CAFR) (16-100)

Audit Complete

Annual Benefits Testing (16-101) Agreed-Upon Procedures Complete

Reporting Entity Audits (6-8) and Investigations (16-401) Audit Complete

(Completed 7 REs)

TRS Reporting Entity Website Audit Information Advisory Complete

Benefits Data Analysis Pilot Project Advisory Deferred to FY17

Health Care

Health Care Audit Risk Assessment Follow Up Consulting Complete

Open Enrollment and Billing Readiness Review Consulting Complete

Health Care Vendor Selection Observation Advisory Complete

Health Care Vendor Update Meetings Advisory Ongoing

Fiscal Year 2016 Audit Plan Status As of August 2016


Title and Project # Type Status

Information Technology

SharePoint Governance and Security Audit (16-501) Audit Complete

Wireless Network Security Assessment (16-502) Agreed-Upon Procedures Complete

Data Protection Project Advisory Complete

Disaster Recovery, Network Penetration Tests; Security Risk Assessment Review Advisory Ongoing

Investment Management

Overall Internal Control Opinion on Investment Activities (16-301) Audit Complete

Quarterly Investment Compliance, Incentive Pay, Ethics Policies and Budget Testing (16-302) Agreed-Upon Procedures Complete

Annual Incentive Compensation Plan Testing (16-303) Agreed-Upon Procedures Complete

Coordination of SAO Audit of Incentive Pay Advisory Complete

Investments Data Analysis Pilot Project Advisory Complete

Investment Committees Attendance Advisory Ongoing

Coordinate the TRICOT Financial Audit Advisory In Progress

Internal Audit Department

Annual Internal Audit Report (16-603) Audit Complete

Data Analytic Development Project Advisory In Progress

Quarterly Audit Recommendations Follow-up Audit Ongoing

External Quality Assurance Review Audit Complete

Internal Quality Assurance Review (16-602) Advisory Complete

Fiscal Year 2017 Audit Plan Advisory Complete

Internal Audit Vendor Request for Qualifications (RFQ) Advisory Complete

Audit Committee Meetings Preparation Advisory Ongoing


Deviations from Fiscal Year 2016 Audit Plan As Approved by TRS Board of Trustees in the April 2016 Board Meeting

Project Proposed Change Reason

Semi-Annual Benefits Testing (Agreed- Upon Procedures)

Change to Annual Benefits Testing

• To reduce reporting requirement to once per year instead of twice per year. The project will cover the same time-period as the semiannual testing, but results will only be reported once. (Completed August 2016)

Testing of Executive Performance Incentive Pay Calculations (Agreed-Upon Procedures)

Added Management request as a result of overall discussion with the Board of Trustees. (Completed July 2016)


III. Consulting Services

and Nonaudit Services Completed

Teacher Retirement System of Texas Internal Audit Annual Report for Fiscal Year 2016 III. Consulting Services and Nonaudit Service Completed

During fiscal year 2016, Internal Audit conducted (or hired consultants to conduct) the following

consulting (nonaudit services) projects resulting in formal recommendations to management.

1. Special Requests and Emerging Issues – Innovation Best Ideas

(Project #16-605, PowerPoint presentation to Board, December 14, 2015)

Objective: Gathered information on TRS manual processes to make recommendations for

processes to be automated in the next two years.

Obtained information on current manual processes, researched best practices to identify

ways in which TRS can become more efficient through those processes being automated.

2. TRS-ActiveCare enrollment and billing readiness review

(PowerPoint presentation to the Board, dated August 14, 2016)

Objective: Assessing the design effectiveness of the controls implemented by Aetna at

WellSystems to address completeness and accuracy of electronic file transmissions,

discrepancy identification and resolution, and customer quality monitoring.

The following elements were completed:

A. Performed inquiry and testing to assess the root cause of identified enrollment and

billing issues.

B. Performed inquiry and testing to assess whether or not known issues in the enrollment

and billing process have been remediated by the action plans implemented by

WellSystems and Aetna Inc. (Aetna).

3. Health Care Audit Risk Assessment Follow Up

(Project #16-201, PowerPoint presentation to Health Insurance Benefits (HIB), May 5,

2016)


Objective: In 2015 Protiviti was engaged to update the risk assessment and provide action

plan recommendations to Health Insurance Benefit Management.

The proposed action plans could provide a higher sense of assurance to TRS that risks

inherent to healthcare are effectively monitored and controlled.

Internal Audit also performed various advisory (nonaudit services) as listed in section II.


IV. External Quality Assurance Review (Peer Review)

INTERNAL AUDIT QUALITY ASSURANCE SELF-ASSESSMENT March 22, 2016

Teacher Retirement System Internal Audit Department

Project 16-602

Legend of Results: Red - Does not conform Yellow - Partially conforms Green - Generally conforms

Best Practices

Inherent Risks Without Controls

Results

Update TeamMate (the electronic project work paper application) project templates to ensure documentation of:

Opportunities for making improvements to risk management/control processes Protocols to follow if fraud activities are suspected Assessment of IA’s ability to perform non-audit services Various understandings between auditor and client, for agreed-upon

procedures engagements and include the word “independent” in the report title of these engagements

Audits may not address significant organizational risks Audit processes may be inefficient and ineffective Assurance could be unreliable without effective quality control

Internal Audit Responses

IA “generally conforms” with professional auditing standards, related codes of ethics, Texas state law, and Internal Audit’s Quality Assurance and Improvement Program. Many best practices were identified. Opportunities for additional improvement were identified.

Internal Audit Controls

Recommended Actions

Internal Audit charter, organizational chart, board minutes Job descriptions, resumes, training records, performance evaluations Work papers, work programs, reports, quality control processes Annual risk assessment, audit plan IA policies and procedures TRS Internal Audit Quality Assurance and Improvement Program

The Chief Audit Executive agrees with the recommendations and will ensure that the TeamMate project templates are updated by August 31, 2016.

Tests Performed

To determine whether Internal Audit (IA) function generally conforms with professional auditing standards, Texas Internal Auditing Act, auditor codes of ethics, and Internal Audit’s Quality Assurance and Improvement Program (QAIP). (Professional audit standards consider Internal Audit function authority, independence, proficiency, quality assurance and improvement program, and how the audits are planned, performed, communicated, managed, and resolved.)

Conducted self-assessment to validate Internal Audit activities conform with applicable professional standards and state law using the self-assessment tool developed by the State Agency Internal Audit Forum (SAIAF). These tests included steps to assess implementation of Internal Audit’s QAIP.

Business Objectives

Board approved TRS Internal Audit Charter Achievement of professional requirements for annual training Supervisory review of all audit working papers Management involvement in annual audit planning IA Strategic Plan alignment with TRS Strategic Plan


VI. Internal Audit Plan for Fiscal Year 2017

Fiscal Year 2017 Audit PlanSeptember 23, 2016

_______________________ _______________________Amy Barrett, CIA, CISA, CPA Christopher S. MossChief Audit Executive Chair, Audit Committee, Board of Trustees

_______________________ _______________________Brian Guthrie R. David KellyExecutive Director Chair, Board of Trustees

Fiscal Year 2017 Audit Plan

September 23, 2016

Executive Summary

Professional and Statutory Requirements

This document provides the Fiscal Year 2017 Audit Plan (Audit Plan) as required by professional auditing standards, the Texas Internal Auditing Act (Act), and the Texas Government Code 2102.008 for the Teacher Retirement System of Texas (TRS). The Act requires state agencies to conduct a program of internal auditing that includes an annual audit plan that is prepared using risk assessment techniques and identifies individual audit projects to be conducted during the year. The Audit Plan is required to be evaluated and updated annually for recommendation of approval by the TRS Audit Committee of the Board of Trustees (Audit Committee) to the TRS Board of Trustees (Board). Internal Audit is independent of management and provides objective assurance and consulting services designed to add value and improve TRS’ operations.

Audit Plan Development and Scope

Our Audit Plan is designed to provide coverage of key risks, given the existing staff and approved budget. See the Appendices for information regarding the internal audit budget, performance measures, and audit universe.

Changes Subsequent to Approval

Interim changes to the Audit Plan will occur from time to time due to changes in business risks, timing of TRS’ initiatives, and staff availability. We will report Audit Plan changes to senior management and present changes to the Audit Committee at the following quarterly Audit Committee meeting. Amendments to the approved Audit Plan deemed to be significant (based on discussions with the executive director and audit committee chair) will be submitted to the Audit Committee for recommendation to the Board for approval. The State Auditor’s Office also requires notification of material changes to the Audit Plan.

September 2016 Audit Committee Meeting 2

Risk Assessment & Audit Planning Approach


Interviews of TRS executives and external service providers, risk assessment surveys from the prior year, and the current Stoplight Report developed by the Enterprise Risk Management (ERM) team were used to identify areas of risk and potential internal audit projects. This information was combined into an overall audit plan designed to address critical risks to achieving TRS objectives while being sensitive to operational requirements. The Audit Plan also includes hours for ad hoc projects and special requests. The following approach was taken in creating the Audit Plan:

Information Gathering and Scoping Risk Analysis

Development and Vetting of Internal

Audit PlanNext Steps

A. Gained understanding of industry trends and current environmental risks through discussions with industry personnel, reading publications, and attending relevant training

B. Read technical guidance from GASB and AICPA to identify changes to audit and accounting requirements

C. Gained understanding of TRS’ strategic objectives and key initiatives by reading the strategic plan

D. Updated audit universe based upon changes in organizational structure, information from TEAM, and input from staff

A. Interviewed members of the TRS executive team to obtain various points of view on risks

B. Reviewed prior year surveys of executives and selected leadership team members on their assessment of risk in the categories of fraud, compliance, materiality, complexity, suspected concerns, and emerging risks

C. Obtained latest ERM Stoplight Report to identify additional areas of risk

A. Developed a proposed Audit Plan based on interviews, risk assessments, resource availability, budget, and division coverage

B. Met with Risk Oversight Committee to discuss proposed audit plan

C. Updated TRS Internal Audit Charter to ensure alignment with proposed audit activities and standards

A. Review and discuss the proposed Audit Plan with the Audit Committee

B. Obtain Audit Committee recommendation and Board approval of Audit Plan

Types of Projects to Cover Risk Areas


An important part of the Audit Plan is that the identified processes, systems, and initiatives should receive differing types and levels of review based on their importance, perceived risk, and most efficient approach. Our suggested levels of review activities are as follows:

• Audit Focus: Assess evidence available in order to conclude on an audit objective• Deliverable: Audit report for public distribution unless protected by statute• Estimated level of effort per project: 400 - 500 hours

Audit

Formal Consulting

• Consulting Focus: Respond to requests for formal study or assessment with recommendations; no assurance provided• Deliverable: Consulting report or memo for limited distribution; significant material weaknesses identified would be

reported to executive management and the Audit Committee as required by professional auditing standards• Estimated level of effort per project: 100 - 200 hours

Informal Consulting (Advisory)

• Advisory Focus: Participate in activities in a non-voting capacity, e.g., provide training and input on policies and procedures

• Deliverable: Verbal discussion or a brief memo to management• Estimated level of effort per year: 10 – 100 hours

• Agreed-Upon Procedures Focus: Determine specific steps to test with management’s agreement and report on results; used for data analytics and quarterly testing of specific data and transactions

• Deliverable: Agreed-upon procedures report for public distribution (use is limited to those with understanding of procedures performed)

• Estimated level of effort per project: 100 - 300 hours


Audit Plan: Pension Benefits and Employer Audits


The tables on this page and the following pages provide the name of each project, type of project, and preliminary scope of workto be performed. Scope of work will be finalized as part of each project’s formal planning phase.

Title Type Preliminary ScopeAnnual Benefits Testing Agreed-Upon

ProceduresRecalculate a sample of benefit payments annually and determine whether documentation on file supports the calculation; scope in other tests related to benefits as agreed-upon with management

Employer Audits (6-10 Independent School Districts)

Audit Determine whether information reported to TRS is complete and accurate, especially in the areas of eligibility, compensation, contributions, surcharges (pension and healthcare), and premiums paid

Employer Audit of Pension and TRS-Care Surcharges

Audit Conduct a desk audit across multiple entities targeted at surcharge reporting and collections with the goal of collecting significantly underreported amounts to the trust.

Employer Audit Follow-Up Audit Follow-up and report on the status of outstanding audit recommendations related to reporting entities

Higher Education Pilot and Audit Program Development

Advisory Select a higher education institution to pilot an audit in order to develop an audit program for future audits and for requesting internal auditors at higher education institutions to conduct

TRS Reporting Entity Website Audit Information and Communication

Advisory Update audit-related information and tools on the TRS employer (reporting entity) website. Information may include self-audits, audit programs, audit results, technical guidance, and frequently asked questions about reporting entity audits.

Audit Plan: Health Care


Title Type Preliminary Scope

Health Insurance Portability and Accountability Act (HIPAA) Gap Assessment and Validation

Audit Conduct a gap assessment and validation of TRS' compliance with HIPAA, especially in the areas of privacy, breach notification, and IT security. Incorporate assessment of third party monitoring of business associates and their subcontractors and cybersecurity risks and controls.

Trust Expense Allocation Audit Audit Assess reasonableness of expenses allocated between pension and health care trusts

TRS-ActiveCare Open Enrollment Readiness Assessment Follow-Up

Audit Follow up on outstanding action items significant to open enrollment

TRS-ActiveCare Eligibility Pilot and Audit Program Development

Advisory Conduct a second pilot audit of a school district to determine whether any dependents are ineligible for participating in TRS-ActiveCare. Provide results to management to determine whether audits on a larger scale are beneficial.

Health Care Vendor Update Meetings

Advisory Attend quarterly meetings with health care vendors to understand results, issues, and TRS management’s monitoring controls

Health Care Vendor Selection Observation

Advisory Observe selection process of large vendor and service providers, when applicable

Audit Plan: Investment Management



Private Equity Fees Audit Verify the accuracy of private equity fees and compliance with investment management agreements for 1 – 2 private equity funds.

Soft Dollars and Commission Sharing Arrangements (CSA’s)

Audit Assess compliance with soft dollar policies; assess effectiveness and efficiencies of processes for accounting and reporting soft dollars and CSA's. Assess compliance with TRS travel policies

Quarterly Investment and Ethics Policies Compliance Testing


Assess compliance with TRS ethics policies and the Investment Policy Statement (IPS) requirements

Annual Testing of Investment Incentive Pay Plan


Prior to payment, recalculate the investment incentive compensation award amounts to determine if they are calculated in accordance with plan provisions; reconcile performance to the service provider, and calculated in accordance with plan provisions

Investment Fiduciary Audit Coordination

Advisory Coordinate the audit of the auditors hired by the SAO to assess TRS' fiduciary activities around real assets

Investment Committees Attendance

Advisory Stay current on Investment Management Division initiatives by attending the Internal Investment Committee, Derivatives Operations, monthly staff, and other meetings such as the Annual Town Hall meeting

Audit Plan: Finance



Comprehensive Annual Financial Report (CAFR) testing of annuity payments

Audit Conduct pension benefits testing on behalf of the State Auditor’s office(SAO) to be used in completion of the CAFR audit

CAFR Audit Coordination (SAO, auditors)

Advisory Coordinate activities of the SAO to ensure deadlines are met; coordinate quarterly update meetings with executive management and the SAO; maintain SAO document request SharePoint site

Teacher Retirement Investment Company of Texas (TRICOT) Financial Audit Coordination (Grant Thornton, auditors)

Advisory Coordinate a financial audit of TRICOT, a wholly-owned subsidiary of TRS in London

Audit Plan: Executive


Title Type Preliminary ScopeRecords Management Audit Follow-Up

Audit Follow up on outstanding action items significant to records management

403(b) Program Controls Assessment, including Provider Compliance

Audit Assess the design and effectiveness of controls at TRS in meeting 403(b) program objectives, including 403(b) providers’ compliance with program requirements

Contractor Onboarding and Off-boarding Processes

Audit Assess sufficiency of processes for onboarding and off-boarding contractors

Federal Labor Standards Act (FLSA) Compliance

Consulting Analyze hourly and salaried employees and compare with requirements of the FLSA

Executive Incentive Pay Agreed-Upon Procedures

Independent recalculate executive incentive pay in order to test the accuracy of the calculation by management

The University of Texas at Austin (UT) Student Project

Consulting Assess a TRS policy and provide recommendations for enhancing it.

Enterprise Risk Management (ERM) Fraud Risk Assessment

Advisory Partner with ERM to update the TRS fraud risk assessment and identify mitigating controls

Special Requests and Emerging issues

Advisory or Consulting

Set aside time to address special requests and emerging issues during the year as requested by management

Meetings Participation Advisory Participate (non-voting) in various TRS-wide meetings such as Executive Council, Leadership Team, and Risk Oversight Committee

Audit Plan: TEAM and Technology



TEAM Independent Program Assessment (IPA) Vendor Support

Advisory Coordinate and facilitate activities of the IPA vendor and ensure direct access to executive management and the board

TEAM Committees, Projects,and Controls Assessment Participation

Advisory Participate in TEAM Executive Steering Committee (ESC) and other committees and requirements gathering sessions in a non-voting capacity, and provide advisory services related to TEAM project activities as outlined in the TEAM charter of internal audit activities. Provide input into controlsidentification projects. In FY 16, Internal Audit participated in the following TEAM committees and projects:- Executive Steering Committee- TEAM Budget Committee- Organizational Change Management Advisory Groups- Business Procedures and Training Project- Decommissioning Project- Enterprise Security Team meetings- Monthly meetings with TEAM program manager and HPE executives

Disaster Recovery, Network Penetration Tests; Security Risk Assessment Review

Advisory Obtain, read, and follow-up on any issues identified during the network disaster recovery, penetration tests, and the security risk assessment conducted by the TRS Information Security Officer

Audit Plan: Internal Audit Activities


Title Project Description

Internal Quality Assurance Review Assess Internal Audit’s Quality Assessment and Improvement Program

ERS Audit Quality Assurance Review

TRS participates in a state program to receive and provide audit quality assessment reviews (QAR) required by auditing standards. ERS has requested that TRS lead its required QAR

Annual Internal Audit Report Prepare annual report of audit activities in accordance with SAO instructions

Quarterly Audit Recommendations Follow-Up

Follow-up and report on the status of outstanding audit recommendations

Data Analysis Processes Continue to build out data analysis skills of audit staff; incorporate into audit projects and annual audit plan development; and pilot analysis projects in various business units

Fiscal Year 2018 Audit Plan Prepare annual audit plan based on a documented risk assessment in accordance with professional auditing standards and the Texas Internal Auditing Act

Internal Audit Strategic Plan Update

Bi-annual update of the Internal Audit Strategic Plan to consider changes in the department and continuing alignment with the TRS strategic plan

Audit Committee Meetings Preparation

Prepare communications and attend Audit Committee and Board Meetings

Audit Plan: High Risk Areas (High, Elevated, or Caution) and Ares of Interest to the SAO (Procurement and IT Security)

excluded from the Audit Plan


Area Reason for Exclusion

Purchasing Compliance Audit Allow time for more health care procurements to be processed under new legislative requirements



Appendix A

Internal Audit Operating Budget

Appendix AInternal Audit Operating Budget


Line ItemBudgetFY 2017

BudgetFY 2016

000 – Salaries $1,086,970 $998,762

000 – Benefits 279,344 226,847200 – Professional Fees (Increase due to investment fiduciary audit) 950,000 681,500

505 – Travel-In-State 13,500 14,500

510 – Travel-Out-of-State 23,000 18,000

705 – Dues, Fees, and Staff Development 25,000 22,500

710 – Subscriptions and Reference Materials 2,000 4,500Total Operating Budget(excluding indirect costs such as computers, office space, and utilities) $2,379,814 $1,966,609

Full Time Equivalent (FTE) Positions (excluding interns) 12.0 11.0

Resources are sufficient to complete the annual audit plan.



Appendix B

Internal Audit Performance Measures

Appendix BInternal Audit Goals and Performance Measures


For the internal audit function, the FY 2017 goals and performance measures are as follows:

Goal 1: Ensure Effectiveness of Internal Audit Organization Performance Measures

a. Spend a minimum of 75% of total available department hours (excludes uncontrollable leave) for professional staff on direct assurance, consulting, and advisory services

b. Complete an internal assessment and report the results of the Quality Assurance and Improvement Program

Goal 2: Develop and Implement Internal Audit Annual Audit Plan based on Formal Risk AssessmentPerformance Measures

a. Prepare an annual audit plan based on a documented risk assessment and obtain input from trustees and staff

b. Execute 80% of audit and agreed-upon procedures projects (80% allows for flexibility due to changes in TRS business practices and special requests)

c. Update the formal reporting entity risk assessment to identify reporting entities for audit

Goal 3: Enhance Internal Audit Staff Skills and Knowledge in Assurance PracticesPerformance Measures

a. Update data analytics roadmap identified by external advisor and complete year 2 activities

b. Collaborate with an institution of higher education to pilot a reporting entity audit program; develop and distribute the audit program to other higher education auditors and request that they conduct these audits

Appendix BInternal Audit Goals and Performance Measures


Goal 4: Support Activities of External Service Providers Performance Measures

a. Facilitate coordination of TEAM Independent Program Assessment (IPA) Vendor by coordinating meetings with Executive Director, Executive Steering Committee (ESC) and Core Management Team (CMT), quarterly presentations to the TRS Board of Trustees, and other contractual activities

b. Facilitate timely completion and success of State Auditor’s Office (SAO) audits, fiduciary audits, and Grant Thornton financial audit of TRICOT in fiscal year 2017 by effectively providing audit support, coordinating meetings, reserving facilities and gathering schedule and documentation requests

Goal 5: Enhance Participation in Professional and Peer Organizations Performance Measures

a. Participate in professional organizations (APPFA, IIA, ISACA, ACFE, SAIAF, CFA Institute) through monthly chapter meetings and participation in leadership roles in at least one professional organization

b. Support staff in obtaining additional certifications such as the CFA, CPA, and CIA certifications and have all staff obtain a minimum of 24 continuing professional education hours in a fiscal year and a minimum of 80 hours for a two year period

(continued)



Appendix C

Audit Universe

Appendix C Audit Universe


Executive and Finance Divisions; Records Management IMD ProcessesGovernance, Strategy, and Risk

Management Workforce Continuity Accounting & Reporting Governance - IMD

Board governance (FY13) Employee recruiting and hiring practices (FY10) Accounts receivable Investment Governance and

Management (FY16)Strategic planning and performance measures (FY13) Employee training compliance (FY11) Accounts payable (FY15) IMD Processes

Enterprise Risk Management Internal policy setting and monitoring Travel (FY16) Internal Public Markets (FY14)

Information technology governance (FY10) Communications and External Relations Federal withholdings/tax compliance External Public Markets (FY16)

Open Government Social media Inventory Private Equity (FY15)

Open meetings compliance Information and communication Budget Real Assets (FY15)

Open records request compliance 403(b) Budget process and reporting (FY10) Trade Management (FY14)

Ethics and Fraud Prevention 403(b) certification process Purchasing and Contracts Emerging Manager Program (FY13)

Employee ethics policies (FY16) Records Management Vendor file, encumbrance, purchasing (FY14) Energy/Natural Resources (ENR) (FY14)

Fraud risk detection and prevention controls (FY15) Records retention (FY15)

Contract administration and monitoring (FY14) Strategic Partners (FY14)

Contract worker onboarding, monitoring and compliance (FY14)

Strategic Asset Allocation/Stable Value (FY14)Regulatory, Compliance, & Litigation Accounting & Reporting

Compliance: Pension Trust (FY15) Financial/CAFR reporting including, new accounting pronouncements, reconciliations, general ledger, closing process (FY16)

HUB program compliance and reporting Tactical Asset Allocation (FY16)

Compliance: Health Care Trusts (FY13) Facilities and Facilities Planning Risk Management (FY16)

Litigation risk management Other reporting (non-financial / CAFR) Facility planning and maintenance Performance Analytics and Operations (FY14)

Business Continuity Employee leave, timekeeping, and payroll (FY12)

Mail room operations (FY10) Information Systems (FY15)

Business continuity plan (FY09) Security (FY12) Business Center, Reporting, HR, Incentive Pay (FY16)

Risk management (health and safety, insurance) (FY12) Cashier (FY10) Government Relations and Legislation Investment Accounting (FY16)

(FY #) - indicates last year audited

Appendix C Audit Universe


Benefits and Customer Service Information Technology (IT) Processes and TEAM

Pension Benefit Administration Pension Benefit Administration and Customer Service Governance - IT IT Processes

1099R Statistical reporting (actuarial) (FY15) Project prioritization (FY10) Change & Configuration Management

Annuity payroll (FY16) Web self service IT risk management Applications (FY12)Benefit adjustments (FY16) Work flow (Imaging) IT Strategy & Planning Databases

Benefit calculations (FY16) TRS employee benefit administration (administered separately from non-TRS employees)

Asset management Infrastructure

Benefit estimates Human resources Data Center Operations

Cash receipts (FY10) IT Security and Confidentiality Archive management (FY13)

Check payments (FY16) Telephone Counseling Center (FY14) Identity and access management (FY14)

Facilities management (TAC202) (FY12)

Contact management Employer Reporting Threat and vulnerability management (FY16) Technology Management

Death benefits (FY16) Employer setup, enrollment, and reporting (FY16) Security awareness and training (FY11) Standards

Disability benefits (FY16) Health Care Administration Security configuration management Technology upgrades

Legal orders (FY13) TRS-Care vendor selection and contract monitoring (FY13) Virtualization User and Vendor Support

Member account maintenance (FY09) TRS-Care TRS Administration (FY13) Cloud based computing (FY14 Consulting) Problem management

Member statements TRS-ActiveCare vendor selection and contract monitoring

Mobile device security (FY14 Consulting) Incident response

Optional Retirement Plan TRS-ActiveCare TRS Administration (FY16) Disaster Recovery Plan TEAM

Refunds (FY15) TRS-Care Funding Co-location (FY14 Consulting) Independent Program Oversight (FY16)

Retirement application process TRS-Care Finance (FY10) Disaster Recovery Management (FY09) Internal Controls Assessment, including security controls

Retirement system transfer TRS-ActiveCare AffordabilityService credit calculation and purchase TRS-ActiveCare Finance (FY10) (FY #) - indicates last year audited

2015 - 2019 TRS’ Internal Audit Strategic Plan

Looking Towards the Future

Trusted Assurance,

Valued Advice

TRS

TRS INTERNAL AUDIT STRATEGIC PLAN FY2015 – 2019


Our Mission The mission of the Internal Audit department is to provide independent, objective assurance and consulting services designed to add value and improve the organization's operations. Internal Audit helps the organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. ��

Our Vision

We strive to provide trusted assurance and valued advice through our services to the Board of Trustees, the

Audit Committee, and executive management:

Assurance that TRS’ risk management, governance, and control processes support achievement of TRS mission and business objectives

Advice and consultation for improving processes through business partnerships and collaboration

Our Stakeholders One of our priorities is to assess key stakeholder expectations, identify gaps, and implement a comprehensive

strategy for improvement. Our primary stakeholders include:

TRS Board of Trustees, and the Board Audit Committee

Executive Director

Executive Management



STRATEGIC GOALS

Our four strategic goals were developed to ensure that Internal Audit supports the changing needs of TRS’ stakeholders in achieving business goals and objectives. These goals represent a strategy for enhancing our contribution to the TEAM Program success, supporting effective Audit Committee governance processes, improving internal audit business expertise, and integrating TRS core values into internal audit processes. Goal 1 Assist with the Success of the TRS Enterprise Modernization Application (TEAM) Program Goal 2 Support Audit Committee Governance Goal 3 Enhance Internal Audit Staff’s Competence and Expertise in Support of TRS Risk Management,

Control, and Governance Processes Goal 4 Support Agency Culture Initiatives

The table on the following pages identifies the objectives and related strategies and tactics for each goal.



GOAL 1: ASSIST WITH THE SUCCESS OF THE TRS ENTERPRISE APPLICATION MODERNIZATION (TEAM) PROGRAM

Objective 1: Facilitate independent oversight for Board and external oversight agencies

Strategy Tactics

S1. Provide contract oversight and monitoring of Independent Program Assessment (IPA) vendor

T1: Obtain deliverables, schedule required meetings, and approve invoices for payment T2: Monitor hours incurred and contract performance

S2. Coordinate communication process between IPA vendor and key stakeholders

T1: Obtain and address feedback from stakeholders and IPA regarding communications process and access requests

T2: Clarify audit’s role relating to IPA in Internal Audit Charter update

S3. Coordinate with State Auditor’s Office (SAO) for testing of Financial System Replacement (FSR) software application for financial and other future audits

T1: Participate in status update and key decision-making meetings on FSR T2: Communicate documentation requirements for SAO future audits T3: Review sufficiency of documentation in preparation for SAO future audits

Objective 2: Provide input and assistance during development and implementation of TRUST (new Benefits system)

Strategy Tactics

S1. Define involvement in TEAM program related to TRUST system

T1: Participate in TEAM committees and other activities, as requested, and ensure Internal Audit (IA) role is stated clearly in TEAM documents such as project charters

T2: Allocate resources in annual audit plan to provide coverage of significant committees and projects activities

T3: Participate in review of documents by established TEAM deadlines

S2. Assist management in evaluating key internal controls incorporated in TRUST system and business processes

T1: Allocate/schedule IA resources in annual audit plan T2: Obtain list of key controls from management where assistance in validation is desired T3: Assist management in evaluating selected key controls, participate in controls testing,

review test results and follow-up on test exceptions T4: Formally communicate observations from testing participation to project

management

S3. Assist management in evaluating key security controls incorporated in TRUST system and business processes

T1: Allocate/schedule IA resources in annual audit plan T2: Obtain list of key security controls from management where assistance in validation is

desired T3: Assist management in evaluating selected key security controls, participate in controls

testing, review test results, and follow-up on test exceptions T4: Formally communicate observations from testing participation to project

management



Objective 3: Use TRUST in future audits

Strategy Tactics

S1. Obtain training on using TRUST T1: Coordinate with Business Process Managers (BPMs) to ensure Internal Audit (IA) training needs are identified and scheduled

T2: Allocate/schedule IA resources in annual audit plan for TEAM training T3: Augment IA TEAM training with internal meetings as needed by IA Subject Matter

Experts T4: Maintain IA repository for “training” documents as a permanent file for future use

S2. Utilize data analytics and continuous auditing T1: Participate in TEAM program requirements gathering and detailed reviews to ensure that the TRUST system has the capability of providing data to perform data analysis

T2: Based on knowledge obtained from training, identify potential new data analytic tests in the TRUST system

T3: Incorporate data analytics and continuous auditing into projects associated with TRUST system

Objective 4: Provide input during development and implementation of the Financial System Replacement (FSR) software application

Strategy Tactics

S1. Define involvement in TEAM program related to the FSR software application

T1: Participate in TEAM committees and other activities, as requested, and ensure Internal Audit (IA) role is stated clearly in TEAM documents such as project charters

T2: Allocate resources in annual audit plan to provide coverage of significant committees and projects activities

T3: Participate in review of documents by established TEAM deadlines

S2. Assist management in evaluating key internal controls incorporated in the FSR software application and business processes

T1: Allocate/schedule IA resources in annual audit plan T2: Obtain list of key controls from management where assistance in validation is desired T3: As Assist management in evaluating selected key controls, participate in controls

testing, review test results and follow-up on test exceptions T4: Formally communicate observations from testing participation to project

management

S3. Assist management in evaluating security controls incorporated in the FSR software application and business processes

T1: Allocate/schedule IA resources in annual audit plan T2: Obtain list of key security controls from management where assistance in validation is

desired T3: Assist management in evaluating selected key security controls, participate in controls

testing, review test results, and follow-up on test exceptions T4: Formally communicate observations from testing participation to project

management



Objective 5: Use FSR software application in future audits

Strategy Tactics

S1. Obtain training on using new FSR software application T1: Coordinate with Business Process Managers (BPMs) to ensure Internal Audit (IA) training needs are identified and scheduled

T2: Allocate/schedule IA resources in annual audit plan for TEAM training T3: Augment IA TEAM training with internal meetings as needed by IA Subject Matter

Experts T4: Maintain IA repository for “training” documents as a permanent file for future use

S2. Utilize data analytics and continuous auditing T1: Participate in TEAM program requirements gathering and detailed reviews to ensure that the FSR application has the capability of providing data to perform data analysis

T2: Based on knowledge obtained from training, identify potential new data analytic tests in the FSR application

T3: Incorporate data analytics and continuous auditing into projects associated with the FSR application

GOAL 2: SUPPORT AUDIT COMMITTEE GOVERNANCE

Objective 1: Provide assurance to the Audit Committee and executive management on risk mitigation activities related to the pension and healthcare trusts

Strategy Tactics

S1. Conduct assurance activities relating to the completeness and accuracy of Reporting Entity information submitted to TRS

T1: Conduct audits and investigations of Reporting Entities as requested or as scheduled on the annual audit plan based on an objective risk assessment

T2: Conduct internal audits of controls maintained by TRS or its vendors over completeness and accuracy of Reporting Entity data

T3: Communicate to Reporting Entities regarding issues found during audits via presentations, the TRS website, and direct communication

T4: Coordinate with the SAO to facilitate their audit of the TRS financial statements and with other interested organizations conducting reporting entity audits

T5: Monitor changes in auditing requirements of professional organizations and the SAO

S2. Provide assurance on investment risk mitigation activities T1: Issue an overall opinion annually on the effectiveness of internal controls relating to investment activities for the past three years

T2: Test investment compliance, cash transfers, and ethics controls quarterly T3: Continuously monitor changes to the investment environment by analyzing

investment data, attending important meetings, reading relevant documents, utilizing consultants, networking, attending relevant training, and maintaining certifications



Strategy Tactics

S3. Provide assurance on health care risk mitigation activities T1: Stay current on legislative changes impacting TRS health plans and associated risks T2: Utilize TRS and vendor health care risks assessments to develop a reasonable and

flexible approach for performing routine audits of the health care trusts T3: Procure health care expertise to execute risk-based audit plans, if needed T4: Obtain training for dedicated Internal Audit staff on health care risks and compliance

requirements

S4. Coordinate with Enterprise Risk Management (ERM) on risk assessment activities

T1: Enhance collaboration with ERM through regular meetings and information sharing T2: Utilize risk assessments developed by management through the ERM program as the

basis of the annual audit plan T3: Provide feedback after each audit to ERM about the completeness of management’s

risk assessments for future consideration T4: Participate in internal Risk Oversight Committee meetings

Objective 2: Improve Internal Audit communication

Strategy Tactics

S1. Refine report format of Internal Audit reports and Audit Committee materials

T1: Review current materials for possibilities for improvement T2: Survey Audit Committee members and management on report format and

incorporate feedback T3: Review other entities’ presentations for ideas

S2. Improve delivery of information T1: Survey Audit Committee and management for improvement on delivery of information and incorporate feedback

T2: Identify and participate in public speaking training/opportunities T3: Maintain Internal Audit intranet and internet sites

Objective 3: Provide information on effective Audit Committee practices

Strategy Tactics

S1. Obtain and provide information to the Audit Committee on best practices of audit committees

T1: Designate a portion of the spring meeting to Audit Committee education during legislative session years

T2: Provide Audit Committee orientation to new trustees

S2. Consider using Audit Committee self-evaluation tool T1: Present and explore concept of self-evaluation with the Audit Committee chair T2: Develop a self-evaluation tool for consideration by the Audit Committee chair

S3. Explore sharing governance resources through Diligent T1: Meet with Diligent owner to discuss ideas and potential resources T2: Discuss idea of sharing information with the Audit Committee chair



Objective 4: Improve governance on fraud awareness, prevention, and detection activities

Strategy Tactics

S1. Develop fraud detection activities T1: Document standard procedures for Internal Audit fraud investigations T2: Provide input into updates to the TRS Fraud Policy T3: Provide assistance in investigations as formally requested T4: Incorporate control tests in assurance projects to ensure controls are there to prevent

or timely detect unusual “fraud” red flag activity

S2. Improve fraud awareness and prevention program T1: Administer the TRS Fraud and Ethics Hot Line, including updating promotional materials

GOAL 3: ENHANCE INTERNAL AUDIT STAFF’S COMPETENCE AND EXPERTISE IN SUPPORT OF TRS RISK MANAGEMENT, CONTROL, AND GOVERNANCE PROCESSES

Objective 1: Cultivate in-house Subject Matter Experts

Strategy Tactics

S1. Deepen knowledge of TRS laws (federal and state), rules, and internal policies

T1: Pilot new auditor rotation into operational functions T2: Participate in internal training in business units T3: Hold lunch-and-learn knowledge transfers sessions at audit meetings T4: Analyze other audit reports and share best practices identified in those reports T5: Leverage knowledge transfer from contractors

S2. Broaden foundational skills in data analytics T1: Prepare and present training programs (e.g., Audit Command Language, Microsoft Access, Computer-Aided Audit Tools) to Internal Audit (IA) staff

T2: Add a project scoping step in TeamMate to include data analytics on every project T3: Identify data analytics mentors for IA staff T4: Attend and apply external data analysis training in projects

Objective 2: Ensure continued competence and expertise of Internal Audit

Strategy Tactics

S1. Develop workforce continuity plans T1: Work with Human Resources to develop a continuity plan for Internal Audit (IA) T2: Establish a cross training policy within IA T3: Participate in the TRS Leadership Development Program



GOAL 4: SUPPORT AGENCY CULTURE INITIATIVES

Objective 1: Integrate TRS Core Values into Internal Audit activities

Strategy Tactics

S1. Explore opportunities and methods to tie audit findings into TRS core values

T1: Recognize Internal Audit and client actions that demonstrate TRS core values T2: Identify in audit activities when positive findings directly demonstrate a TRS core

value

S2. Integrate TRS Core Values into IA policies and procedures T1: Incorporate TRS core values into the internal Ethics and Fraud Hot Line materials T2: Update job descriptions and performance evaluations to include TRS core values

(Human Resources led initiative)


VI. External Audit Services Procured in Fiscal Year 2016


VI. External Audit Services Procured in Fiscal Year 2016

External Audit Services

Procured and Outsourced by Internal Audit

Provided by

Report Date

Wireless Network Security Assessment Myers and Stauffer LC 11/09/2015

SharePoint Governance and Security Audit Myers and Stauffer LC 11/17/2015

External Audit Services

Procured by TRS

Provided by

Report

Date

Review of Health Plan Administration Truven Health Analytics 9/23/2016

Comprehensive Annual Financial Report (CAFR) – Fiscal Year 2015

State Auditor’s Office

11/16/2015

Comprehensive Annual Financial Report (CAFR) – Fiscal Year 2016

State Auditor’s Office

In Progress

TRS Investment Company (TRICOT) Financial Audit Grant Thornton In Progress


VII. Reporting Suspected Fraud and Abuse

Teacher Retirement System of Texas Internal Audit Annual Report for Fiscal Year 2016 VII. Reporting Suspected Fraud and Abuse TRS has taken the following actions to implement the fraud detection and reporting requirements of Section 7.09 of the General Appropriations Act and Section 321.022 of the Texas Government Code:

• Updated in July 2016, TRS Fraud, Waste, and Abuse Policy establishes a fraud, waste, and abuse prevention awareness program that includes employee training and guidelines for reporting suspected fraud, waste, and abuse. Key elements of the policy include definitions, covered acts, reporting procedures of detected or suspected fraud, waste, or abuse, detection and investigation, awareness training, and corrective action.

• The TRS Internet site includes the contact number of the State Auditor’s Office Hotline and a link for reporting instructions.

• Links are available on the TRS Intranet for both the State Auditor’s Office Hotline and the TRS Internal Fraud and Ethics Hotline.

• Administration of the TRS Internal Fraud and Ethics Hotline moved from Internal Audit to the Chief Compliance Officer & Compliance Counsel during fiscal year 2016.

• In compliance with the reporting requirement of fraud, waste, and abuse, TRS reports all instances of suspected fraud, waste, and abuse to SAO.

TAB 7


Teacher Retirement System of Texas December 2016 Audit Committee Agenda Items Mapped to TRS Stoplight Report

403(b)

Agenda Items 6B

Accounting & Reporting

Agenda Items 3A-B

Budget

Business Continuity Communications & External Relations

Credit

Customer Service Employer Reporting

Ethics & Fraud Prevention

Facilities Management & Planning

Governmental / Association Relations &

Legislation

Health Care Plans Administration

Agenda Item 4A-4E

Information Security & Confidentiality

Investment Accounting

Agenda Items 6A

Investment Operations

Agenda Items 6A

Legacy Information

Systems

Liquidity / Leverage

Market

Open Government

Agenda Items 6C-E, 7

Pension Benefit Administration

Pension Funding

Purchasing & Contracts

Records Management

Regulatory, Compliance

& Litigation

Agenda Item 5

Talent Continuity

TEAM Program TRS-ActiveCare Affordability

TRS-Care Funding

Fiscal Year 2017 Audit Plan Status As of November 2016


Title and Project # Type Status

Executive and Finance

Records Management Audit Follow-Up (17-410) Audit Complete

403(b) Provider Compliance (17-601) Audit Complete

Federal Labor Standards Act (FLSA) Compliance Consulting

State Auditor’s Office (SAO) Financial (CAFR) Audit Coordination Advisory Complete

Teacher Retirement Investment Company of Texas (TRICOT) Financial Audit Coordination (Grant Thornton)

Advisory Complete

Testing of Executive Performance Incentive Pay Calculations Agreed-Upon Procedures

The University Of Texas at Austin Student Project Consulting Complete

Enterprise Risk Management (ERM) Fraud Risk Assessment Advisory In Progress

Meetings Participation Advisory Ongoing

Special Requests and Emerging Issues Advisory

TEAM Program

TEAM Independent Program Assessment (IPA) Vendor Support Advisory Ongoing

TEAM Committees, Projects and Controls Assessment Participation Advisory Ongoing

Pension Benefits Annuity Payment Testing for State Auditor’s Office (SAO) Audit of Comprehensive Annual Financial Report (CAFR) (17-100)

Audit Complete

Annual Benefits Testing (17-101) Agreed-Upon Procedures

Reporting Entity Audits (6 to 10 ISDs) (17-401) Audit In Progress

Employer Audit Follow-up Audit In Progress

Employer Audit of Pension and TRS-Care Surcharges Audit

Higher Education Pilot and Audit Program Development Advisory

TRS Reporting Entity Website Audit Information and Communication Advisory Ongoing

Fiscal Year 2017 Audit Plan Status As of November 2016


Health Care Health Insurance Portability and Accountability Act (HIPAA) Gap assessment and Validation (17-501)

Audit In Progress

Trust Expense Allocation Audit Audit

TRS-ActiveCare Open Enrollment Readiness Assessment Follow-Up Audit

TRS-ActiveCare Eligibility Pilot and Audit Program Development Advisory Deferred to FY18

Health Care Vendor Selection Observation Advisory

Health Care Vendor Update Meetings Advisory Ongoing

Information Technology

Contractor onboarding and off boarding (17-502) Audit

Disaster Recovery, Network Penetration Tests; Security Risk Assessment Review Advisory Ongoing

Investment Management

Private Equity Fees Audit

Soft dollars and Commission Sharing Arrangements Audit

Quarterly Investment and Ethics Policies Compliance Testing (17-302) Agreed-Upon Procedures 1st Qtr Complete

Annual Testing of Investment Incentive Pay Plan Agreed-Upon Procedures

Investment Fiduciary Audit Coordination Advisory In Progress

Investment Committees Attendance Advisory Ongoing

Internal Audit Department

Annual Internal Audit Report Audit Complete

Data Analysis Processes Advisory In Progress

Quarterly Audit Recommendations Follow-up Audit Ongoing

ERS Audit Quality Assurance Review Audit Complete

Internal Quality Assurance Review Advisory Ongoing

Fiscal Year 2018 Audit Plan Advisory

Internal Audit Strategic Plan Update Advisory Ongoing

Audit Committee Meetings Preparation Advisory Ongoing


Internal Audit Advisory Services1 Fiscal Year 2017 – 1st Quarter

BENEFIT SERVICES

Participated in the TEAM Program

Executive Steering Committee Organizational Change Management Advisory Group Business Procedures and Training Monthly meetings with TEAM Program Manager and vendor personnel Reporting Entity Outreach (REO) Core Team TRS Website Redesign Committee TEAM Enterprise Security Team meetings Independent Program Assessment (IPA) Vendor Coordination Made presentation at Texas Association of School Business Officials (TASBO)

HEALTH INSURANCE BENEFITS (HIB)

Attended the Health Plan Administrator (HPA) and Pharmacy Benefit Manager (PBM) Vendor Quarterly Update Meetings

Participated in the TRS-Care Medicare Advantage PBM Request for Proposal (RFP) meeting (non-voting)

INVESTMENT MANAGEMENT DIVISION (IMD)

Attended Internal Investment Committee (IIC) meetings Participated in Proxy Voting Committee meeting Participated in Securities Lending monitoring calls Reviewed and discussed the Investment Policy Statement and other investment policies proposed

changes Liaison for investment fiduciary review

FINANCIAL SERVICES

Liaison for the State Auditor’s Office (SAO) Fiscal Year 2016 TRS Comprehensive Annual Financial Report (CAFR) audit

Liaison for financial statement audit of Teacher Retirement Investment Company of Texas (TRICOT - London Office)

EXECUTIVE

Facilitated SAO’s Quarterly Update Meetings Participated in the Risk Oversight Committee Participated in Health and Safety Committee Quarterly Meetings Collaboration with Enterprise Risk Management on the upcoming enterprise-wide fraud risk

assessment

INFORMATION TECHNOLOGY (IT)

Participated in the Enterprise Risk Management (ERM) Data Protection Project Disaster Recovery Exercise Planning Incidents Response Plan Update

1 Advisory Services (non-audit services) - The scope of work performed does not constitute an audit under Generally Accepted Government Auditing Standards (GAGAS).

Internal Audit Goals and Performance Measures - Fiscal Year 2017 1st Quarter Ending November 2016


Target Performance Activity Status

Goal 1: Enhance Effectiveness of Internal Audit Organization

1. Spend a minimum of 75% of total available department hours (excludes uncontrollable leave) for professional staff on direct assurance, consulting, and advisory services

Achieved 73% for 1st quarter of fiscal year 2017. We are slightly below the target but still on track. On Task

2. Complete an internal assessment and report the results of the Quality Assurance and Improvement Program

The assessment is scheduled for completion in the 4th quarter

On Task

Goal 2: Develop and Implement Internal Audit Annual Audit Plan based on Formal Risk Assessment

3. Prepare an annual audit plan based on a documented risk assessment and obtain input from trustees and staff

The audit planning and risk assessment is scheduled for the 4th quarter

On Task

4. Execute 80% of audit and agreed-upon procedures projects (80% allows for flexibility due to changes in TRS business practices and special requests)

Planned audit and agreed-upon procedures projects are on schedule and assigned to staff On Task

5. Update the formal reporting entity risk assessment to identify reporting entities for audit.

The update of the formal reporting entity risk assessment is in progress

On Task

Goal 3: Enhance Internal Audit Staff Skills and Knowledge in Assurance Practices 6. Update data analytics roadmap identified by external advisor and

complete year two activities The data analytics roadmaking and implementation plan is on schedule

On Task

7. Collaborate with an institution of higher education to pilot a reporting entity audit program; develop and distribute the audit program to other high education auditors and request that they conduct these audits

Two institutes of higher education have formally agreed to participate in the pilot On Task

Goal 4: Deliver Value-Added Consulting and Advisory Activities

8. Facilitate coordination of TEAM Independent Program Assessment (IPA) vendor by coordinating meetings with Executive Director, Executive Steering Committee (ESC) and Core Management Team (CMT), quarterly presentations to the TRS Board of Trustees, and other contractual activities

Coordination and support of IPA vendor is ongoing as planned. On Task

Internal Audit Goals and Performance Measures - Fiscal Year 2017 1st Quarter Ending November 2016


Target Performance Activity Status

9. Facilitate timely completion and success of State Auditor’s Office (SAO) audits in fiscal year 2017 by effectively providing audit support, coordinating meetings, reserving facilities and gathering schedule and documentation requests

Internal Audit staff has provided support and coordination for the following SAO audits: Audit of FY 2016 Comprehensive Annual

Financial Report (CAFR) Investment Fiduciary Audit

On Task

Goal 5: Enhance Participation in Professional and Peer Organizations 10. Participate in professional organizations (APPFA, IIA, ISACA,

ACFE, SAIAF, CFA Institute) through monthly chapter meetings and participation in leadership roles in at least one professional organization.

The CAE is secretary for APPFA and IT Audit Manager is the web administrator for APPFA. One audit manager is on the Board of Governors for the Austin Chapter of the IIA. Participation in professional organizations is ongoing.

On Task

11. Support staff in obtaining additional certifications such as the CFA, CPA, and CIA certifications and have all staff obtain a minimum of 24 continuing professional education hours in a fiscal year and a minimum of 80 hours for a two year period.

Staff planned and attended professional development training this quarter On Task

Legend: Target Status

Target not achieved Behind in achieving target or partially complete On task to achieve target Achieved target

CAE Performance Goals – FY 2017

TRS Strategic Plan CAE Goals Key Performance Indicators

1 TRS Goal 1:

Sustain a financially

sound pension trust

fund (investments)

Support an effective investment

governance structure

Perform regular investment audit and

consulting activities.

Facilitate and coordinate the external audits of the TRS Investment Company of

Texas (TRICOT – London Office), Investment Fiduciary Review of Real Assets, and

Comprehensive Annual Financial Report (CAFR) Audit.

Pilot one to two audits of private equity funds to assess accuracy of fees,

compliance with contractual provisions, and support for investment valuations.

Provide assurance on compliance with soft dollar policy, Investment Policy

Statement, TRS ethics policies, and incentive pay plan.

Continue buildout of internal investment audit dashboard for soft dollar

expenditures, private market fees, and other areas as resources permit.




2 TRS Goal 2:

Continue to improve

benefit delivery

(pension).

Facilitate TEAM oversight

function

Identify cost recovery

opportunities at employers

Obtain greater audit

coverage at higher education

employers

Perform regular pension

audit and consulting

activities

Enable full access of TEAM independent program assessment vendor to people and

documents

Participate in TEAM and TEAM committees as an advisor on internal controls.

Identify opportunities for recovery of underpayments for employment after retirement

(EAR) surcharges by conducting targeted audit of EAR for multiple entities

Pilot two university audits to develop an audit program to disseminate to higher

education internal auditors

Provide assurance to TRS members and retirees by validating the accuracy of annuity

payments and manual payments

Assist TRS management in its oversight of 403(b) providers by providing assurance on

internal controls and compliance with statutes




3 TRS Goal 3:

Facilitate access to

competitive, reliable health

care benefits for our

members (health care)

Perform regular healthcare

audit and consulting

activities

Assist TRS in assessing its preparedness for undergoing a federal HIPAA audit by

conducting a gap assessment of HIPAA compliance (HIPAA Security Rule, Privacy Rule,

and Breach Notification Rule)

Obtain evidence that Aetna and Wellsystems have implemented requested controls

related to open enrollment

Provide feedback on the reasonableness of expense allocations to healthcare trusts



TR Strategic Plan CAE Goals Key Performance Indicators

4 TRS Goal 4:

Attract, retain, and

develop highly competent

staff

Update the internal audit

strategy and activities

Develop managers and staff

Implement an auditor

recognition program

Enhance leadership skills

Update departmental goals and activities:

a. Update the internal audit strategic plan using the internal audit capability maturity

model with significant input for audit staff

b. Update the annual audit plan using risk assessment techniques and feedback from

key stakeholders

Implement staff development goals:

a. Develop an auditor staffing plan that links the auditor competency framework, skills

inventory, and training plans

b. Identify areas of expertise where internal audit can serve as a resource for TRS

stakeholders and professional organizations. Continue to develop competencies in

areas identified such as data analysis skills.

c. Form an audit management team to steer the direction of the audit department and

provide for optimal decision-making and communication among teams.

d. Simplify auditor evaluations and provide more feedback after each project. Link

annual evaluations to merit pay.

e. Develop and communicate career paths for staff within the department and link to

the departmental succession plan

f. Implement a staff recognition program that recognizes excellent work of others and

encourages high achievement

( Continue on next slide)




4 TRS Goal 4:

Attract, retain, and

develop highly competent

staff

Update the internal audit

strategy and activities

Develop managers and staff

Implement an auditor

recognition program

Enhance leadership skills

(Continued)

Implement personal development goals:

a. Serve on the Association of Public Pension Fund Auditors (APPFA) board, lead the

ERS audit quality assessment review, participate in the advisory committee for the

State Agency Internal Audit Forum’s (SAIAF) Internal Audit Leadership Development

Program (IALDP), and encourage staff to take leadership positions in professional

organizations.

b. Study frameworks for organization performance excellence through online

resources, training participation, and discussion with other organizations who have

implemented them. Consider adopting a framework for the Internal Audit

Department and gathering information in conjunction with TRS Strategic Planning

staff to identify elements which might be beneficial for TRS to incorporate.

c. Learn more about staff, peers, and audit clients through asking open-ended “power”

questions and applying emotional intelligence techniques.

d. Practice active listening and summarizing meeting discussions to ensure input of

participants is understood and incorporated.

e. Continue personal recovery through regular physical therapy, exercise, and

mindfulness techniques.



Jan Engler is one of the recipients of TRS Golden Apple Award for FY 2016. She is the

first TRS employee to receive this award twice. She received her first award in FY 2006.

The TRS Employer Audit team consisting of Jan Engler, Dinah Arce, Art Mata, and Cari Casey, have continued participation in presentations hosted by the Texas Association of School Business Officials (TASBO) at Sugarland, Allen, and Austin. The presentations include topics such as identifying upcoming changes in reporting requirements, audit testing scope and methodology, common errors in reporting, and TRS employer website information and resources.

Hugh Ohn, Lih-Jen Lan, and Amy Barrett attended the Association of Public Pension Fund Auditor (APPFA) Conference.

Toma Miller attended a four-day Healthcare Information Technology Training course.

Anandhi Mani and Rodrigo Dominguez attended the Investment Training and Consulting Institute Inc. (ITCI) – Understanding and Audit Investment Activities, 2016 Fall Series.

Art Mata, Cari Casey, and Anandhi Mani attended the Public Pension Financial Forum (P2F2) Conference.

Internal Audit Staff Quarterly Accomplishments


Jan Engler (center) is one of the recipients of TRS Golden Apple Award for FY 2016. She is the first TRS employee to receive this award twice. She received her first award in FY 2006.

The TRS Employer Audit team consisting of Jan Engler, Cari Casey, Dinah Arce, and Art Mata, have continued participation in presentations hosted by the Texas Association of School Business Officials (TASBO) at Sugarland, Allen, and Austin.