Embed Size (px)
Citation preview
Agenda
Audit Committee
January 14, 20211 p.m.
Electronic Meeting
Quorum: 5
Page No.
A. Call to Order
B. Election of Chair
C. Election of Vice Chair
D. Disclosures of Interest
E. Presentations
E.1. KPMG Audit Planning Report
Kevin Travers, KPMG LLP
(See Item F.1)
E.2. Audit Services Branch Charter
Michelle Morris, Director of Audit Services
(See Item G.2)
E.3. Audit Services 2021 Risk Based Work Plan
Michelle Morris, Director of Audit Services
(See Item G.3)
F. Communications
F.1. KPMG Audit Planning Report 1
Kevin Travers, KPMG LLP dated November, 2020
Recommendation: Receive
G. Reports
G.1. Audit Services Branch Report 31
Report dated November 27, 2020 from the Director of AuditServices recommending that:
Council receive this report for information.1.
G.2. Audit Services Branch Charter 99
Report dated November 27, 2020 from the Director of AuditServices recommending that:
Regional Council approve the Audit Services BranchCharter (Attachment 1).
1.
G.3. 2021 Risk Based Work Plan 113
Report dated November 27, 2020 from the Director of AuditServices recommending that:
Regional Council approve the Audit Services Branch's2021 Risk-Based Work Plan (Attachment 1).
1.
H. Other Business
I. Private Session
None
J. Adjournment
Agenda - Audit Committee - January 14, 2021
The Regional Municipality of York
Audit Planning Report for the year ending December 31, 2020
Licensed Public Accountants
November 2020
kpmg.ca/audi t
1
Audit Planning Report
Table of contents
EXECUTIVE SUMMARY 1
COVID-19: EMBEDDING RESILIENCE & READINESS 2
GROUP AUDIT SCOPE 4
AUDIT RISKS 5
MATERIALITY 11
AUDIT QUALITY AND TRANSPARENCY 13
CURRENT DEVELOPMENTS – ACCOUNTING 15
NEW AUDIT STANDARDS 19
APPENDICES 20
APPENDIX 1: REQUIRED COMMUNICATIONS 21
APPENDIX 2: USE OF TECHNOLOGY IN THE AUDIT 22
APPENDIX 3: KPMG’S AUDIT APPROACH AND METHODOLOGY 23
APPENDIX 4: LEAN IN AUDIT™ 24
APPENDIX 5: AUDIT AND ASSURANCE INSIGHTS 25
2
Audit Planning Report
KPMG contacts The contacts at KPMG in connection with this report are:
Kevin Travers
Lead Audit Engagement Partner
Tel: 416-228-7004 [email protected]
Nicole Hately
Audit Senior Manager
Tel: 416-549-7908 [email protected]
3
Audit Planning Report P a g e | 1
Executive summary The purpose of this Audit Planning Report is to assist you, as a member of the Audit Committee, in your review of the audit planning for the consolidated financial statements (“financial statements”) of The Regional Municipality of York (the “Region”) as at and for the year ending December 31, 2020.
COVID-19
COVID-19 is undoubtedly having an impact on the Region’s business and the Region’s financial reporting. See pages 2-3 for audit considerations.
Group audit scope
Our group audit consists of the following components:
− 1 financially significant scoped in audit − 5 non-significant components, however these components are required to obtain
statutory financial statements under the Municipal act. See page 4.
Audit and business risks
Our audit is risk-focused. We will discuss these risks with you during the upcoming meeting. The audit of the Region’s consolidated financial statements is considered a group audit which includes several components. In planning our audit we have taken into account key areas of focus for financial reporting.
See pages 5 to 10.
Audit materiality
Materiality has been determined based on budgeted operating expenditures. We have determined materiality to be $68,000,000 (2019 - $66,000,000).
Materiality will be set at lower thresholds where necessary to meet local subsidiary financial statement audit requirements. See page 11.
Proposed fees
The Engagement letter includes the fees for all professional services provided to the Region and related entities. A copy of the engagement letter can be obtained from management.
Quality control
We have a robust and consistent system of quality control. We provide complete transparency on all services and follow Audit Committee approved protocols.
Current developments and audit trends
Please refer to pages 15 to 19 for relevant accounting and auditing changes relevant to the Region and relevant audit trends.
___________________________________________________________________________________________________________________________________________
This Audit Planning Report should not be used for any other purpose or by anyone other than the Audit Committee, Council, and Management of the Region. KPMG shall have no responsibility or liability for loss or damages or claims, if any, to or by any third party as this Audit Planning Report has not been prepared for, and is not intended for, and should not be used by, any third party or for any other purpose.
4
P a g e | 2
COVID-19: Embedding Resilience & Readiness COVID-19 is undoubtedly going to have an impact to the Region’s business and the Region’s financial reporting.
Potential financial reporting implications Potential implications on internal control over financial reporting
Refer to our COVID-19 Financial Reporting site: • Events or conditions that cast significant doubt regarding going concern • Impairment of non-financial assets (e.g., Tangible Capital Assets)
o Analysis of triggering events and impairment testing (e.g. cash flow forecasts and assumptions)
• Impairment of financial assets including investments • Fair value measurements • Employee benefits and employer obligations • Provisions and contingencies • Impact on funding received from federal and provincial government • Impact on programs and operations managed by the Region • Impact on capital projects managed by the Region • Subsequent events
• Reconsideration of financial reporting risks, including fraud risks, given possible new pressures on management or new opportunities to commit fraud given changes in Internal Control over Financial Reporting (ICFR) or to bias estimates.
• New or enhanced controls to respond to new financial reporting risks or elimination of on-site preventative controls.
• Consideration of changes in the individuals performing the control (e.g. re-directing the performance to head-office).
• Consideration of the appropriateness of segregation of duties because of a potential reduction in the number of employees.
• Revisions may be needed for internal audit visits planned. • Reconsideration of ICFR impacts related to broader IT access given
remote work arrangements.
Potential financial reporting implications related to disclosures Other potential considerations
Refer to our COVID-19 Financial Reporting site: • Events and conditions that cast significant doubt regarding going concern • New accounting policies • Significant management judgements in applying accounting policies • Major sources of estimation uncertainty that have significant risk • Liquidity risks
• Reporting material changes in ICFR • Cyber security risks (e.g., wire transfers schemes) • Possible delay in filing annual financial statements
5
P a g e | 3
COVID-19: Embedding Resilience & Readiness (Continued) Similarly, COVID-19 is a major consideration in the development of our audit plan for your 2020 financial statements
Potential audit implications
Planning and risk assessment:
• Understanding the expected impact on the relevant metrics for determining materiality (including the benchmark) and the implication of that in identifying the risks of material misstatement, responding to such risks and evaluating uncorrected misstatements.
• Understanding the potential financial reporting impacts, the changes in Region’s environment, and changes in the Region’s system of internal control, and their impact on our: o identified and assessed risks of material misstatement. o audit strategy, including the involvement of others (e.g., our internal
specialists or use of internal audit’s work or internal audit in a direct assistance capacity) and the nature, timing and extent of tests of controls and substantive procedures.
Executing:
• Remote auditing: o Increased use of other collaboration tools (Teams, Skype etc.) and the
need for written management acknowledgement for their use o Potential increased use of electronic evidence (and understanding the
Region’s processes to provide such evidence to us) • Timing of procedures may need to change:
o Tests of controls may need to be deferred (to allow the Region to put new or revised controls in operation and to be able to re-perform such controls).
6
P a g e | 4
Group audit scope
Type of work performed # of components Legend
Individually financially significant (scoped in):
The Regional Municipality of York (non-consolidated) 1
Not significant (note 1) 5
Procedures performed by Legend
Group team – KPMG Vaughan
Note 1. Not significant:
The following components are not significant for the purpose of issuing the auditors’ opinion on the group audit for the consolidated financial statements of The Regional Municipality of York. A separate audit opinion is issued for these non-significant components due to statutory requirements:
1. Housing York Inc. 2. YTN Telecom Network Inc. 3. York Region Rapid Transit Corporation 4. The Regional Municipality of York – Resident’s Trust Fund 5. The Regional Municipality of York – Sinking Fund
THEGROUPAUDIT
7
P a g e | 5
Audit risks Professional requirements Why is it significant?
Fraud risk from revenue recognition This is a presumed fraud risk. The primary risk of fraudulent revenue recognition resides with manual journal entries for revenue transactions not in the normal course of business.
Our audit approach
Our audit methodology incorporates the required procedures in professional standards to address this risk.
Our audit approach will consist of evaluating the design and implementation of selected relevant controls. We test journal entries that meet specific criteria. These criteria are designed during the planning phase of the audit and are based on areas and accounts that are susceptible to manipulation through management override and we design search filters that allow us to identify any unusual journal entries.
As part of our audit approach to address the inherent risk of error in revenue recognition, KPMG substantively tests revenues (both recognized and amounts held as deferred at year end).
8
P a g e | 6
Audit risks (continued) Professional requirements Why is it significant?
Fraud risk from management override of controls This is a presumed fraud risk. We have not identified any specific additional risks of management override relating to this audit.
Our audit approach
As the risk is not rebuttable, our audit methodology incorporates the required procedures in professional standards to address this risk. These procedures include testing of journal entries and other adjustments, performing a retrospective review of estimates and evaluating the business rationale of significant unusual transactions.
We will take a risk-based approach tailored to the Region when designing substantive procedures and selecting specific transactions for testing. We will consider the potential impact of COVID-19 when identifying areas which may be subject to additional risk whether due to fraud or error in this regard.
9
P a g e | 7
Audit risks (continued) Other areas of focus Why are we focusing here?
Cash and Investments Material account balances and disclosures. Valuation of investments and concerns over decline in fair value due to COVID-19 global pandemic.
Tangible Capital Assets Risk of material misstatement related to the existence, accuracy and presentation of tangible capital assets.
Our audit approach
Cash and Investments COVID-19 Implications: − To assess if there is a loss in value of a portfolio investment and whether such a decline is other than temporary. Perform audit procedures to assess whether a write-
down is necessary Substantive audit procedures: − Review year-end bank and investment reconciliations and substantive testing of significant reconciling items − Substantive test of details over additions and disposals of investments − Obtain confirmations from third parties − Review of financial statement note disclosure in accordance with Public Sector Accounting Standards (PSAS)
Tangible Capital Assets − Substantive test of details over additions (including contributed tangible capital assets) and disposals − Review amortization policy and useful life for the tangible capital assets and assess if the useful life as an estimate is reasonable − Review construction in progress to ensure amounts are properly transferred to correct capital asset classes and amortization expense commences on a timely basis − Review of financial statement note disclosure in accordance with PSAS − Perform required procedures to assess the potential risks with respect to impairment of assets as a result of the ongoing global pandemic, which is not expected to be a
significant risk for the Region’s audit
10
P a g e | 8
Audit risks (continued) Other areas of focus Why are we focusing here?
Revenue and Accounts Receivable
Risk of material misstatement related to designated revenue and accuracy of timing of revenue recognition.
Deferred Revenue – general and obligatory reserve funds Risk of material misstatement due to management assessment and judgment involved.
Our audit approach
Revenue and Accounts Receivable:
− Recalculate tax revenue using approved tax rates and assessment − Obtain confirmations from lower tier municipalities − Vouch, on a sample basis, revenue transactions to supporting documentation − Substantively test significant account receivable balances and assess analytical trends − Assess the valuation of receivables
Deferred Revenue – general and obligatory reserve funds: − Substantively test deferred capital grants, security deposits and other deferred revenue to supporting documents − Substantively test development charge collections and expenditures to supporting documents − Perform analysis on projects with budget overruns − Inquire with management if there were any breaks given to the developers due to COVID-19 and perform audit procedures on the financial reporting impact if relevant
11
P a g e | 9
Audit risks (continued) Other areas of focus Why are we focusing here?
Salaries and Benefits Risk of material misstatement related to accuracy and occurrence of expenses.
Accounts Payable, Accrued Liabilities and Expenses Risk of material misstatement related to completeness of liabilities.
Employee Future Benefits (EFBs) Risk of material misstatement related to accuracy and valuation of the estimate involved in employee future benefits.
Our audit approach
Salaries and Benefits:
− Perform control testing over payroll cycle − Vouch a sample of employees’ salary and benefit expense to payroll information
Accounts Payable, Accrued Liabilities and Expenses:
− Search for unrecorded liabilities − Examine significant accrued liabilities for existence, accuracy and completeness − Perform substantive test of details on selected non-payroll expenditures
Employee Future Benefits: − Reliance on actuaries (management specialist) engaged by the Region; update our understanding of the activities over the quality of information used, the assumptions
made, the qualifications, competence and objectivity of the preparer of the estimate, and the historical accuracy of the estimates − Communicate with actuaries and test data provided to the actuaries, if applicable. − Perform audit procedures on method, data and assumptions used by actuary and management in calculation of the EFB liability for reasonableness − Review financial statement disclosures in accordance with PSAS − We will perform audit procedures to address the new CAS 540, Auditing Accounting Estimates and related disclosure requirements related to the estimates involved
12
P a g e | 10
Audit risks (continued) Other areas of focus Why are we focusing here?
Consolidation (Region and all components) To ensure the completeness and accuracy of the consolidated information.
Contingencies Risk of material misstatement related to completeness of contingencies and corresponding disclosures.
Gross Long-term Liabilities and Debt Recoverable from Local Municipalities Material account balances and disclosures.
Reserve Funds Material account balance and disclosures.
Our audit approach
Consolidation (Region and all components):
− Review process of consolidation and perform audit procedures on the consolidation process − Audit the eliminating entries as prepared by management for accuracy and completeness
Contractual Obligations and Contingent Liabilities:
− Discuss contingent liabilities with appropriate personnel and obtain a confirmation of all claims and possible claims
Gross Long-term Liabilities and Debt Recoverable from Area Municipalities: − Substantively test long-term liability additions and principal repayments to supporting documents − Obtain confirmations from lower tier municipalities − Audit procedures related to the accounting treatment and the related disclosures in accordance with PSAS
Reserve Funds − Substantively test inflows and outflows on the reserve fund continuity schedule − Perform a substantive analytic on interest earned on the reserve funds
13
P a g e | 11
Materiality
Materiality determination Comments Group amount
Materiality Determined to plan and perform the audit and to evaluate the effects of identified misstatements on the audit and of any uncorrected misstatements on the financial statements.
The corresponding amount for the prior year’s audit was $66 million.
$68 million
Benchmark Based on budgeted full accrual PSAS expenditures.
This benchmark is consistent with the prior year.
$2,394.8 million
% of Benchmark The corresponding percentage for the prior year’s audit was 3% 3%
Audit Misstatement Posting Threshold (AMPT)
Threshold used to accumulate misstatements identified during the audit. The corresponding amount for the previous year’s audit was $3 million.
$3 million
.
Materiality is used to scope the audit, identify risks of material misstatements and evaluate the level at which we think misstatements will reasonably influence users of the financial statements. It considers both quantitative and qualitative factors.
To respond to aggregation risk, we design our procedures to detect misstatements at a lower level of materiality.
We will report to the Audit Committee:
Corrected audit misstatements
Uncorrected audit misstatements
14
P a g e | 12
Audit Quality Matters
15
Audit Planning Report P a g e | 13
Audit quality and transparency KPMG maintains a system of quality control designed to reflect our drive and determination to deliver independent, unbiased advice and opinions, and also meet the requirements of Canadian professional standards. Quality control is fundamental to our business and is the responsibility of every partner and employee. The following diagram summarizes the key elements of our quality control system.
What do we mean by audit quality?
Audit Quality (AQ) is at the core of everything we do at KPMG.
We believe that it is not just about reaching the right opinion, but how we reach that opinion.
We define ‘audit quality’ as being the outcome when audits are:
− Executed consistently, in line with the requirements and intent of applicable professional standards within a strong system of quality controls, and
− All of our related activities are undertaken in an environment of the utmost level of objectivity, independence, ethics, and integrity.
Our AQ Framework summarises how we deliver AQ. Visit our Audit Quality Resources page for more information including access to our Audit Quality and Transparency report.
Audit Quality Framework
Governance and leadership
Code of conduct, ethics
and independence
Associating with the right
clients
Performing audits in line with our AQ
definition
Appropriately qualified team,
including specialists
Smart audit tools and
technology
Methodology aligned with professional
standards
Honest and candid
communication Transparency
Industry expertise and
technical excellence
16
Audit Planning Report P a g e | 14
Key deliverables and milestones
Interim fieldwork
Closing meeting with
Commissioner of Finance and Regional Treasurer, and
issuance of audit report on financial statements
October and November November and December March and April April May or June
Audit planning report and planning meeting with
management
Year-end fieldwork
Audit findings discussions with Audit Committee
17
Audit Planning Report P a g e | 15
Current Developments – Accounting Title Details Link
Public Sector Update – connection series
Public Sector Accounting Standards are evolving – Get a comprehensive update on the latest developments from our PSAB professionals. Learn about current changes to the standards, active projects and exposure drafts, and other items.
Contact your KPMG team representative to sign up for these webinars.
Public Sector Minute Link
The following are upcoming changes that are effective in the current year or will be effective in future periods as they pertain to Public Sector Accounting Standards. We have provided an overview of what these standards are and what they mean to your financial reporting so that you may evaluate any impact to your future financial statements.
Standard Summary and implications
Asset Retirement Obligations
(applicable for the year ending December 31, 2023 with option for retrospective application effective December 31, 2022)
– A new standard, PS3280 Asset Retirement Obligations, has been approved that is effective for fiscal years beginning on or after April 1, 2022 (the Region’s 2023 year-end).
– The new standard addresses the recognition, measurement, presentation and disclosure of legal obligations associated with retirement of tangible capital assets in productive use. Retirement costs would be recognized as an integral cost of owning and operating tangible capital assets. PSAB currently contains no specific guidance in this area.
– The ARO standard would require the public sector entity to record a liability related to future costs of any legal obligations to be incurred upon retirement of any controlled tangible capital assets (“TCA”). The amount of the initial liability would be added to the historical cost of the asset and amortized over its useful life.
– As a result of the new standard, the public sector entity would have to: o consider how the additional liability will impact net debt, as a new liability will be recognized with no corresponding increase in a
financial asset; o carefully review legal agreements, senior government directives and legislation in relation to all controlled TCA to determine if any
legal obligations exist with respect to asset retirements; o begin considering the potential effects on the organization as soon as possible to coordinate with resources outside the finance
department to identify AROs and obtain information to estimate the value of potential AROs to avoid unexpected issues.
Revenue – A new standard, PS3400 Revenues, has been approved that is effective for fiscal years beginning on or after April 1, 2023 (the Region’s 2024 year-end).
– The new standard establishes a single framework to categorize revenues to enhance the consistency of revenue recognition and its measurement.
18
Audit Planning Report P a g e | 16
Standard Summary and implications
– The standard notes that in the case of revenues arising from an exchange, a public sector entity must ensure the recognition of revenue aligns with the satisfaction of related performance obligations.
– The standard notes that unilateral revenues arise when no performance obligations are present, and recognition occurs when there is authority to record the revenue and an event has happened that gives the public sector entity the right to the revenue.
Financial Instruments and Foreign Currency Translation
– New accounting standards, PS3450 Financial Instruments, PS2601 Foreign Currency Translation, PS1201 Financial Statement Presentation and PS3041 Portfolio Investments have been approved by PSAB and are effective for years commencing on or after April 1, 2022 (the Region’s 2023 year-end).
– Equity instruments quoted in an active market and free-standing derivatives are to be carried at fair value. All other financial instruments, including bonds, can be carried at cost or fair value depending on the government’s choice and this choice must be made on initial recognition of the financial instrument and is irrevocable.
– Hedge accounting is not permitted. – A new statement, the Statement of Re-measurement Gains and Losses, will be included in the financial statements. Unrealized gains and
losses incurred on fair value accounted financial instruments will be presented in this statement. Realized gains and losses will continue to be presented in the statement of operations.
– Based on stakeholder feedback received, PSAB is considering certain scope amendments to PS 3450 Financial Instruments. An exposure draft with the amendments is expected to be issued in 2020. The proposed amendments are expected to include the accounting treatment of bond repurchases, scope exclusions for certain activities by the federal government, and improvements to the transitional provisions.
International Strategy – At its May 5, 2020 meeting, PSAB voted to adapt IPSAS principles when developing future standards. This decision has been years in the making, including extensive consultation with Canadian stakeholders, as part of the Board’s International Strategy project.
– In PSAB’s 2017-2021 Strategic Plan, the Board signaled its intent to review its approach towards International Public Accounting Standards (IPSAS). IPSAS has matured over the last decade and are a high quality and comprehensive set of accounting standards. With other jurisdictions comparable to Canada adopting or adapting IPSAS, PSAB has decided it was time to review Canada’s current approach towards IPSAS.
– While PSAB has made the decision, more planning and work will be done to support stakeholders in this change. The Board itself will also continue to work on implementing this change into its due process, which will require further discussion and work in the coming year. A basis for conclusions was issued in September 2020 that outlines how PSAB came to this important decision.
– The implementation date of this decision is April 1, 2021 (the Region’s 2022 year-end). All standards projects initiated on or after this date will use the principles of IPSAS in the development of the PSAS standard, if a similar IPSAS already exists. In cases where similar IPSAS does not exist, PSAS standards would continue to be developed as they are today.
Employee Future Benefit Obligation
– PSAB has initiated a review of sections PS3250 Retirement Benefits and PS3255 Post-Employment Benefits, Compensated Absences and Termination Benefits. Given the complexity of issues involved and potential implications of any changes that may arise from this review, the project will be undertaken in phases. Phase I will address specific issues related to measurement of employment benefits. Phase II will address accounting for plans with risk sharing features, multi-employer defined benefit plans and sick leave benefits.
– Three Invitations to Comment were issued and have closed. The first Invitation to Comment sought guidance on whether the deferral provisions in existing public sector standards remain appropriate and justified and the appropriateness of accounting for various components of changes in the value of the accrued benefit obligation and plan assets. The second Invitation to Comment sought guidance
19
Audit Planning Report P a g e | 17
Standard Summary and implications
on the present value measurement of accrued benefit obligations. A third Invitation to Comment sought guidance on non-traditional pension plans.
– The ultimate objective of this project is to issue a new employment benefits section to replace existing guidance.
Public Private Partnerships (“P3”)
– A taskforce was established in 2016 as a result of increasing use of public private partnerships for the delivery of services and provision of assets. The objective is to develop a public sector accounting standard specific to pubic private partnerships.
– A Statement of Principles (“SOP”) was issued in August 2017 which proposes new requirements for recognizing, measuring and classifying infrastructure procured through a public private partnership. An Exposure Draft of the new standard was issued in November 2019.
– Public private partnership infrastructure is recognized as an asset when the public sector entity acquires control of the infrastructure. A liability is recognized when the asset is recognized and may be a financial liability, a performance obligation or a combination of both.
– An infrastructure asset acquired in an exchange transaction is recorded at cost which is equal to its fair value on the measurement date. The liability is measured at the cost of the infrastructure asset initially.
– Subsequently, the infrastructure asset is amortized in a rational and systematic manner over its useful life. – Subsequent measurement of the financial liability would reflect the payments made by the public sector entity to settle the liability as well
as the finance charge passed on to the public sector entity through the public private partnership agreement. – Subsequent measurement of the performance obligation: revenues are recognized and the liability reduced in accordance with the
substance of the public private partnership agreement.
Concepts Underlying Financial Performance
– PSAB is in the process of reviewing the conceptual framework that provides the core concepts and objectives underlying Canadian public sector accounting standards.
– PSAB is developing two exposure drafts (one for a revised conceptual framework and one for a revised reporting model) with two accompanying basis for conclusions documents and resulting consequential amendments. PSAB expects to issue the two exposure drafts and accompanying documents in 2020.
– A Statement of Concepts (“SOC”) and Statement of Principles (“SOP”) were issued for comment in May 2018. – The SOC proposes a revised, ten-chapter conceptual framework intended to replace PS 1000 Financial Statement Concepts and PS 1100
Financial Statement Objectives. The revised conceptual framework would be defined and elaborate on the characteristics of public sector entities and their financial reporting objectives. Additional information would be provided about financial statement objectives, qualitative characteristics and elements. General recognition and measurement criteria, and presentation concepts would be introduced.
– The SOP includes principles intended to replace PS 1201 Financial Statement Presentation. The SOP proposes: o Removal of the net debt indicator, except for on the statement of net debt where it would be calculated exclusive of financial assets
and liabilities that are externally restricted and/or not available to settle the liabilities or financial assets. o Changes to common terminology used in the financial statements, including re-naming accumulated surplus (deficit) to net assets
(liabilities). o Restructuring the statement of financial position to present non-financial assets before liabilities. o Removal of the statement of remeasurement gains (losses) with the information instead included on a new statement called the
statement of changes in net assets (liabilities). This new statement would present the changes in each component of net assets (liabilities).
20
Audit Planning Report P a g e | 18
Standard Summary and implications
o A new provision whereby an entity can use an amended budget in certain circumstances. – Inclusion of disclosures related to risks and uncertainties that could affect the entity’s financial position.
2019 – 2020 Annual Improvements
– PSAB adopted an annual improvements process to make minor improvements to the CPA Canada Public Sector Accounting (PSA) Handbook or Statements of Recommended Practices (other guidance).
– The annual improvement process: o clarifies standards or other guidance; or o corrects relatively minor unintended consequences, conflicts or oversights.
– Major or narrow scope amendments to the standards or other guidance are not included in the annual improvement process.
Purchased Intangibles – As a result of stakeholder feedback received, PSAB will revisit validity of the prohibition against recognizing purchased intangibles in public sector financial statements and will consider a narrow scope amendment.
– Input received in response to the 2018 conceptual framework and reporting model documents for comment supported PSAB relocating the recognition prohibitions from the conceptual framework to the standards level. This is a bigger issued for Indigenous governments. PSAB is looking into the question of why purchased intangibles acquired through an exchange transaction cannot be recognized in public sector financial statements as they are measurable at the price in the transaction.
21
Audit Planning Report P a g e | 19
New audit standards New auditing standards that are effective for the current year are as follows:
Standard Key observations Reference
CAS 540, Auditing Accounting Estimates and Related Disclosures
Effective for audits of Entities with year-ends on or after December 15, 2020
Expected impact on the audit:
— more emphasis on the need for exercising professional skepticism — more granular risk assessment to address each of the components in an estimate (method, data,
assumptions) — more granular audit response designed to specifically address each of the components in an estimate
(method, data, assumptions) — more focus on how we respond to levels of estimation uncertainty — more emphasis on auditing disclosures related to accounting estimates — more detailed written representations required from management
CPA Canada Client Briefing
22
Appendices Content Appendix 1: Required communications
Appendix 2: Key Audit Matters
Appendix 3: Use of technology in the audit
Appendix 4: KPMG’s audit approach and methodology
Appendix 5: Lean in Audit™
Appendix 6: Audit and Assurance Insights
23
Audit Planning Report P a g e | 21
Appendix 1: Required communications Report Engagement terms
Audit planning report – as attached
Unless you inform us otherwise, we understand that you acknowledge and agree to the terms of the engagement set out in the engagement letter.
A copy of the engagement letter and any subsequent amendments has been provided to the management.
Reports to the Audit Committee Representations of management
At the completion of the audit, we will provide our findings report to the Audit Committee.
We will obtain from management certain representations at the completion of the audit.
Matters pertaining to independence Internal control deficiencies
At the completion of our audit, we will confirm our independence to the Audit Committee.
Other control deficiencies, identified during the audit, that do not rise to the level of a significant deficiency will be communicated to management.
Required inquiries Audit Quality
Professional standards require that during the planning of our audit we obtain your views on the identification and assessment of risks of material misstatement, whether due to fraud or error, your oversight over such risk assessment, identification of suspected, alleged or actual fraudulent behaviour, and any significant unusual transactions during the period.
The following links are external audit quality reports for referral by the Audit Committee: • CPAB Audit Quality Insights Report: 2019 Annual Inspections Results • CPAB Audit Quality Insights Report: 2019 Fall Inspection Results >
24
Audit Planning Report P a g e | 22
Appendix 2: Use of technology in the audit
Clara is KPMG’s integrated, smart global audit platform that allows our teams globally to work simultaneously on audit documentation while sharing real time information. Clara also leverages advanced technology in the execution of various audit procedures, for overall risk assessment and for performing substantive audit procedures over 100% of selected transactions through the use of robotic process automation (KPMG “Bots”). KPMG’s use of technology provides for:
1. a higher quality audit – looking at 100% of selected data
2. a more efficient audit as we are focussed on the transactions that are considered higher risk and
3. an audit that provides insights into your business through the use of technology in your audit with our extensive industry knowledge.
We are also actively piloting Artificial Intelligence (“AI”) tools which will be used in future audits.
We will be discussing the use and implementation of these tools with the Entity over the course of our audit. These tools will be adopted and applied to the Entity’s audit using a phased approach over the coming years. We will keep you apprised of our progress on a continuous basis.
1. INITIATING YOUR AUDIT — KPMG Clara Client
Collaboration — Dynamic Risk
Assessment
2. PLANNING & AUDIT RISK ASSESSMENT — KPMG Clara Advanced
Capabilities — KPMG AI
3. PROCESS UNDERSTANDING — Business Process Mining — Lean in Audit
4. RESPONDING TO IDENTIFIED RISKS — Robotic process
automation
5. REPORTING — Visualization
reporting
Our five-phased audit approach
KPMG Clara
1
2
3 4
5
25
Audit Planning Report P a g e | 23
Appendix 3: KPMG’s audit approach and methodology
Collaboration in the audit A dedicated KPMG Audit home page gives you real-time access to information, insights and alerts from your engagement team.
Deep industry insights Bringing intelligence and clarity to complex issues, regulations and standards.
Issue identification Continuous updates on audit progress, risks and findings before issues become events.
Analysis of complete populations Powerful analysis to quickly screen, sort and filter 100% of your journal entries based on high-risk attributes.
Data-driven risk assessment Automated identification of transactions with unexpected or unusual account combinations – helping focus on higher risk transactions and outliers.
Reporting Interactive reporting of unusual patterns and trends with the ability to drill down to individual transactions.
26
Audit Planning Report P a g e | 24
Appendix 4: Lean in Audit™ An innovative approach leading to enhanced value and quality How it works
Our innovative audit approach, Lean in Audit, further improves audit value and productivity to help deliver real insight to you. Lean in Audit is process oriented, directly engaging organizational stakeholders and employing hands-on tools, such as walkthroughs and flowcharts of actual financial processes.
By embedding Lean techniques into our core audit delivery process, our teams are able to enhance their understanding of the business processes and control environment within your organization – allowing us to provide actionable quality and productivity improvement observations.
Any insights gathered through the course of the audit will be available to both engagement teams and management. For example, we may identify control gaps and potential process improvement areas, while management has the opportunity to apply such insights to streamline processes, inform business decisions, improve compliance, lower costs, increase productivity, strengthen customer service and satisfaction and drive overall performance.
We will be discussing the use of this of tool with management over the coming months to understand management’s assessment and appetite for the use of this tool for current and future periods.
Lean in Audit employs three key Lean techniques:
1. Lean training
Provide basic Lean training and equip our teams with a new Lean mindset to improve quality, value and productivity.
2. Interactive workshops
Perform interactive workshops to conduct walkthroughs of selected financial processes providing end-to-end transparency and understanding of process and control quality and effectiveness.
3. Insight reporting
Quick and pragmatic insight report including immediate quick win actions and prioritized opportunities to realize benefit.
27
Audit Planning Report P a g e | 25
Appendix 5: Audit and Assurance Insights
Our latest thinking on the issues that matter most to Audit Committees, Boards and Management.
Featured insight Summary Reference
Audit & Assurance Insights Curated thought leadership, research and insights from subject matter experts across KPMG in Canada Learn more
The business implications of coronavirus (COVID 19)
Resources to help you understand your exposure to COVID-19, and more importantly, position your business to be resilient in the face of this and the next global threat. Learn more
Financial reporting and audit considerations: The impact of COVID-19 on financial reporting and audit processes. Learn more
Accelerate 2019/20 Perspective on the key issues driving the Audit Committee agenda Learn more
Momentum A quarterly Canadian newsletter which provides a snapshot of KPMG's latest thought leadership, audit and assurance insights and information on upcoming and past audit events – keeping management and board members abreast on current issues and emerging challenges within audit.
Sign-up now
Current Developments Series of quarterly publications for Canadian businesses including Spotlight on IFRS, Canadian Securities & Auditing Matters and US Learn more
Board Leadership Centre Leading insights to help board members maximize boardroom opportunities. Learn more
Return to the Workplace
As all levels of government begin to take steps toward re-opening the country and restarting our economy, planning for the return to a physical workplace is quickly becoming a top priority for many organizations. With the guidelines for the pandemic continuing to evolve daily, there are many considerations, stages and factors employers need to assess in order to properly develop a robust action plan which can ensure the health and safety of their workforce.
Link to report
28
kpmg.ca/audit
KPMG LLP, an Audit, Tax and Advisory firm (kpmg.ca) and a Canadian limited liability partnership established under the laws of Ontario, is the Canadian member firm of KPMG International Cooperative (“KPMG International”).
KPMG member firms around the world have 174,000 professionals, in 155 countries.
The independent member firms of the KPMG network are affiliated with KPMG International, a Swiss entity. Each KPMG firm is a legally distinct and separate entity, and describes itself as such.
© 2020 KPMG LLP, a Canadian limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with
KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
29
30
1
The Regional Municipality of York
Audit Committee
January 14, 2021
Report of the Director, Audit Services
Audit Services Branch Report
1. Recommendations
Council receive this report for information.
2. Summary
This report provides an update on the activities of the Audit Services Branch since the last
Audit Committee meeting held on June 10, 2020.
3. Background
The Audit Services Branch provides independent, objective assurance and consulting services
designed to add value and improve York Region’s operations. Audit Committee meets twice
yearly and receives the Audit Services Branch activities in the fulfilment of their oversight
responsibilities on the Region’s systems of internal control and the audit process.
4. Analysis
Audit Plan Execution
The Audit Services Branch Four-Year Audit Plan was approved by the Audit Committee on
January 9, 2019. As reported to Audit Committee on June 10, 2020 the Four-Year Audit
Plan has been impacted by the Regional declared emergency caused by the COVID-19
pandemic. As such, the Audit Services Branch has taken the opportunity to revise the Four-
Year Audit Plan from a four-year to a one-year basis. This change allows for flexibility in
planning to address new and emerging risks, in-year requests and is aligned with the
International Standards for the Professional Practice of Internal Auditing. The proposed
Risk-Based Work Plan for 2021 will be presented for approval under a separate report.
Audit Services continues to conduct audits where feasible, provide consulting and
investigation services upon request, follow up on outstanding audit recommendations and
maintain the quality assurance and improvement program that covers all aspects of the
internal audit activity.
31
Audit Services Branch Report 2
Management was provided the opportunity to defer providing an update on the status of
outstanding audit recommendations at this time given the organizational response to the
emergency caused by the COVID-19 pandemic.
A summary of the Audit Services Branch activities since the June 10, 2020 Audit Committee
is outlined in Attachment 1.
Audit Reports Issued
The following Audit Reports have been issued since June 10, 2020:
Corporate Services – Human Resources Workplace Health, Safety and Wellness
Audit (Attachment 2)
Finance – Information and Technology Cellular Audit (Attachment 3)
September 2020 Outstanding Audit Recommendations Follow-Up Report
(Attachment 4)
Audit Services Branch supports Vision 2051 and the 2019 to 2023 Strategic Plan
The Audit Services Branch, through its service offerings including assurance, consulting and
investigation services, assists the Region in achieving its goals and community results areas
in Vision 2051 under Open and Responsive Governance and in the 2019 to 2023 Strategic
Plan under Good Government. The internal audit activity is designed to add value and
improve an organization’s operations through a systematic and disciplined approach to
evaluate and improve the effectiveness of risk management, controls and processes.
5. Financial
Audit Services continues to manage its workload within the allocated budget.
6. Local Impact
The Audit Services Branch provides auditing services to seven of the local municipalities
through a Memorandum of Understanding on a cost recovery basis.
32
Audit Services Branch Report 3
7. Conclusion
Audit Services will continue to conduct audits where feasible, provide consulting and
investigation services upon request, follow up on outstanding audit recommendations and
maintain the quality assurance and improvement program. An update of Audit Services
activities will be brought forward to the next Audit Committee meeting scheduled for June
2021.
For more information on this report, please contact Michelle Morris, Director, Audit Services
1-877-464-9675 ext.71205. Accessible formats or communication supports are available
upon request.
Recommended by: Michelle Morris
Director, Audit Services
November 27, 2020
Attachments (4)
eDOCS #12040435
33
34
ATTACHMENT 1
York Region
Audit Services Branch Activities
Project Name Status
Audit Projects
1. Environmental Services – Forestry Contract Management Audit Complete
2. Community and Health Services – Paramedic Services – Fleet Management
Complete
3. Corporate Services – Human Resources – Health, Safety and Wellness Audit
Complete
4. Finance – Information and Technology – Cellular Audit Complete
5. Finance – Expenses Reporting and Reimbursement In progress
6. Transportation – York Region Transit – Mobility Plus Contract Management Audit
In progress
7. Outstanding Audit Recommendations Follow-Up Report to March 31, 2020
Complete
8. Outstanding Audit Recommendations Follow-Up Report to September 30, 2020
Complete
9. Transportation – Roads Permit Audit Deferred
10. Transportation – Capital Asset Maintenance Deferred
11. Finance – Information Technology – Network Security Audit Deferred
12. Finance – Payment Card Industry Compliance Deferred
Other Activities
13. Forensic Investigation Services Ongoing
14. Advisory and Consulting Services Ongoing
15. Controls Monitoring Program Ongoing
16. Quality Assurance and Improvement Initiatives Ongoing
17. Audit Services under the Memorandum of Understanding for seven of the local municipalities
Ongoing
18. Audit Services Vendor Prequalification Deferred
19. Redeployment Activities – On request Ongoing
20. Education and Outreach – Fraud Awareness Campaign (virtually) Complete
21. Risk-Based Work Plan 2021 Complete
35
36
ATTACHMENT 2
Internal Audit Report
Workplace Health, Safety and Wellness – Human Resources, Corporate Services
May 2020
37
Health, Safety & Wellness Audit Report May 2020
Internal Audit Report Page 1
TABLE OF CONTENTS
Section Page No.
1.0 MANAGEMENT SUMMARY ...................................................................................................................... 2
2.0 INTRODUCTION ........................................................................................................................................... 2
4.1 INCIDENT TRACKING ............................................................................................................................. 5 4.2 DETAILED TESTING – INSPECTIONS & COMMITTEE MEETINGS ............................................................. 5 4.3 ON-SITE OBSERVATION – INSPECTIONS ................................................................................................. 7 4.4 TRAINING .............................................................................................................................................. 8 4.5 HEALTH & SAFETY INFORMATION - INTRANET ..................................................................................... 9
38
Internal Audit Report Page 2
1.0 Management Summary
Audit Services has completed an audit of the Workplace Health, Safety and Wellness area, which
is under the Human Resources branch of the Corporate Services department. The objectives of
the review were to ensure: controls exist and are adequate to support the Occupational Health and
Safety Act R.S.O. 1990 (OHSA) requirements and manage the health and safety programs at the
Region; compliance with the OHSA requirements and internal policies and procedures; and
systems are used effectively and efficiently to support the departments objectives.
The audit scope included interviews with appropriate personnel, a review of the legislative
requirements and internal policies/systems, detailed testing of various health and safety
compliance requirements for the 2019 fiscal year, and on-site observations of monthly
inspections.
Our audit was conducted in accordance with the International Standards for the Professional
Practice of Internal Auditing.
Based on the work Audit Services performed, we concluded that overall the Workplace Health,
Safety and Wellness area is being well managed and controls are designed to support the
Region’s compliance with the OHSA requirements and internal policies. Opportunities for
control and process improvements have been noted and discussed in the body of this report.
These opportunities include enhanced tracking and management of “incidents” and “hazards”
within the Parklane software, additional training for Joint Health and Safety Committee (JHSC)
members on compliance requirements for monthly inspections, and increased awareness and
oversight on staff compliance with regulatory and mandatory training requirements.
It should also be noted that there were key areas identified during the audit where controls were
strong and working effectivity as designed. These areas include the Region’s 2019 documented
Health and Safety policy statement, adherence to the JHSC structure requirements, documented
standards exist and are being followed for reporting and tracking incidents, a robust workplace
harassment and discrimination program, and continuous improvement initiatives including the
“Safe Start” and “Mindful Approach” programs to help ensure the health and safety of all staff.
Should the reader have any questions or require a more detailed understanding of the risk
assessment and sampling decisions made during this audit, please contact the Director, Audit
Services.
Audit Services would like to thank Workplace Health, Safety and Wellness staff and management
for their co-operation and assistance provided during the audit.
2.0 Introduction
The Occupational Health and Safety Act (OHSA) is Ontario's legislation for workplace health
and safety. Other contributing legislation includes the Workplace Safety and Insurance Act
(WSIA) Part II of which deals with the prevention of occupational injury and disease.
39
Internal Audit Report Page 3
York Region’s Health, Safety and Wellness area is responsible for managing the safety, health
and well-being of every staff and has committed to creating a healthy workplace through the
integration of leadership, organizational culture and health and safety practices.
The Human Resources branch is the internal service responsible for the administration of
workplace health, safety and wellness programs at the Region. Responsibilities include helping
staff that develop an illness or are injured return to work in a safe manner, ensuring the workplace
is a safe place and providing education and training on health and safety topics. Human
Resources provide advisory services relating to health and safety to all departments within the
Region and develop the tools and direction to help ensure compliance with legislation.
The Region has thirty (30) JHSC’s in line with the size of our workforce and all locations. The
JHSC’s consists of management and worker representatives that have specific responsibilities and
together they are responsible for providing leadership in improving health and safety conditions
in the workplace by adhering to the OHSA and its regulations as well as internal policies.
The Minister of Labour governs health and safety and is responsible for enforcing the OHSA in
Ontario. Inspectors are the enforcement arm of the Ministry of Labour and their role includes the
following: inspection of workplaces, issuing orders where non-compliance is found and
investigations of accidents and work refusals.
3.0 Objectives and Scope
AUDIT OBJECTIVES The objectives of this engagement are:
To provide assurance on the adequacy and effectiveness of controls in place to support the
Occupational Health and Safety Act (OHSA) requirements and manage workplace health and
safety programs at the Region.
To evaluate compliance with relevant legislation (OHSA), regulations and internal policies
and procedures.
To ensure systems/software that support the Health and Safety program are designed to
provide adequate oversight and reporting on metrics.
AUDIT SCOPE
The audit objectives were accomplished through:
1. Interviews with appropriate personnel involved in workplace health, safety and wellness
programs.
2. A review of legislation and internal policies and procedures that support workplace health,
safety and wellness programs.
3. A review of health and safety documentation produced, collected and distributed.
4. A review of program objectives and industry best practices.
40
Internal Audit Report Page 4
5. Detailed testing and on-site observation of various health, safety and wellness programs for
compliance with legislation and internal policies and procedures, for the period November 1,
2018 to December 31, 2019.
41
Internal Audit Report Page 5
4.0 Detailed Observations
4.1 Incident Tracking
Observation
Corrective action completion date for incidents is not currently entered into the Parklane
software. The Parklane software is where all health and safety incidents are entered for tracking
and reporting. An incident is defined as “an occurrence, condition, or situation arising in the
course of work that resulted in or could have resulted in injuries, illnesses, and damage to health,
or fatalities.”
Based on discussions with the Lead, Health and Safety and a review of the Parklane system, the
completion date for corrective actions taken to resolve and/or prevent future issues is not actually
recorded in the Parklane software once all required action has been taken. The health and safety
group is involved with reviewing the incidents and they take trends to the JHSC meetings:
however, there is no clear way to report on the timeliness and completeness of addressing the
incident or to analyze long term trends. Tracking when an incident has been fully addressed may
help reduce the risk of the incident not being resolved sufficiently to prevent similar injuries from
occurring.
Recommendation
Management should update the process for incident reporting and tracking to ensure the
completion date of corrective actions is entered into the Parklane software.
Management Response
HR Health & Safety will explore methods to enter actions, responsibility, plan date and
completion date of incident corrective actions.
York Region’s Employee Incident/Injury process document will be updated to indicate new
corrective action tasks and management will be trained on new responsibilities.
Completion Date: Q3 2021
4.2 Detailed Testing – Inspections & Committee Meetings
Observation
The OHSA requires the JHSC’s to meet at least once every three months and that all workplaces
are inspected by the committee members at least once a month.
42
Internal Audit Report Page 6
Audit selected a random sample of ten (10) Regional locations and reviewed the quarterly JHSC
meeting minutes and monthly inspection reports for the period November 2018 to December
2019. The following observations were noted during the review:
Two (2) out of the ten (10) (20 percent) sample locations selected were missing evidence
of the quarterly JHSC meetings and three (3) out of the ten (10) (30 percent) sample
locations were missing evidence of the on-site monthly health and safety inspection
reports. Missing or incomplete OHSA requirements may increase the risk of non-
compliance orders and/or pose a risk to employee safety.
Digital copies of JHSC inspections and meeting minutes are not consistently maintained
in a centralized location. Based on discussions with health and safety committee
members and the Health and Safety Specialists, hard copies of the inspection reports are
posted on-site and digital copies emailed to the manager and specialist only if there are
concerns noted. Without a centralized location to house the regulatory compliance
results, there may be a risk of incomplete or missing items that may to go undetected.
Hazards identified during monthly inspections are not formally tracked and monitored for
resolution. The inspection reports are emailed to the manager of the area and the Health
and Safety Specialist; however, there is no formal follow up process for hazards
identified. Based on discussions with staff during the onsite visits, there have been
instances where issues have been reported multiple times with no resolution. Without a
formal follow up process, there may be a risk that an issue maybe unresolved.
Multiple versions of the inspection checklist template are in use and do not include a
checkoff column for the inspector to mark as complete for each area. Implementing a
standard checklist with a check mark requirement for each area may help ensure
consistency and completeness of inspections.
Recommendation
1. Management should consider centralizing the records management for monthly inspection
reports/results and committee meeting minutes to ensure completeness. Consideration should
be given to formally tracking hazards identified during the monthly inspections to allow for
an increase in oversight in addressing concerns.
2. Management should review the various inspection template checklists in use and ensure the
most current is communicated to all appropriate members. In addition, the template could be
updated to include a column for the inspector to initial each item reviewed to ensure
completeness. Once updated, the current checklist should be distributed to all locations
performing inspections.
Management Response
A database will be implemented by the HR Health & Safety team for centralizing the records
management for JHSC committee meeting minutes and monthly inspection reports/results.
The current JHSC inspection checklist available on the JHSC Portal page will be reviewed and
updated. Once updated, the current checklist will be distributed to all locations performing
inspections. The HR Health & Specialists will support customization of the inspections checklist
43
Internal Audit Report Page 7
for relevant groups where sector specific hazards apply. A column will be added on the checklist
for the inspector to verify that items noted on the previous inspection have been addressed.
Completion date: Q3 2021
4.3 On-site Observation – Inspections
Observation
Monthly health and safety inspections were not in full compliance with the OHSA requirements.
Audit Services selected a random sample of five (5) locations to attend and observe the monthly
health and safety inspection.
Please note, due to the timing of the scheduled inspections and the start of the Covid-19 public
health crisis, Audit Staff were only able to attend two (2) out of the five (5) on-site inspections.
The following concerns were observed during the on-site inspections;
The fire extinguishers and first aid kits were not inspected at both locations as required
under the OHSA.
The external inspection of the building was not completed at one of the locations as
required under the OHSA.
Non-compliance with the OHSA regulatory requirements for monthly inspections may result in
orders issued and/or pose a risk to employee safety.
Recommendation
Management should implement the following:
Education and communication with JHSC members to ensure they are aware of the
OHSA requirements and compliance areas covered within their inspections.
Increased oversight by Health and Safety Specialists to ensure committee members are
meeting the OHSA requirements for inspections.
Management Response
HR Health & Safety will create a self-learning JHSC workplace inspection training resource and
will engage the Corporate Health and Safety Advisory Committee (CHASAC) to assist in
educating JHSC members who complete workplace inspections.
The HR Health & Safety Specialists will attend two (2) JHSC inspections for each JHSC in 2021
in order to provide oversight of OHSA requirements for inspections. To become familiar with the
workplace inspection process, area management will also be invited to attend the when the H&S
Specialist is present.
Completion Date: Q4 2021
44
Internal Audit Report Page 8
4.4 Training
Observation
Training requirements are not always being met in accordance with legislation and Regional
requirements. York Region staff are required to complete specific Regional required mandatory
training and OHSA regulatory training. Exception reporting is produced annually within the
Learning Management System and is communicated to Directors.
Audit Staff reviewed regulatory and mandatory training compliance for a random sample of thirty
(30) staff across the Region for the 2019 year and noted the following observations in Table 1
below:
Table 1
Training Type Not Completed % Not Completed
WHMIS Full Course Regulatory 9 30%
Health & Safety
Awareness
Regulatory 9 30%
WHMIS Annual
Refresher
Mandatory 12 40%
Non-compliance with training requirements may result in fines and/or a risk to employee safety.
In addition to the sample selected, the Region wide “Required and Mandatory Learning Report
for 2019” prepared by Human Resources was reviewed and noted that the 2019 annual WHMIS
refresher course had the lowest percentage completion rate of all mandatory training at 71
percent. Non-compliance with mandatory health and safety training may pose a risk to employee
safety.
Recommendation
1. Management should reaffirm with staff their responsibility for completing training,
monitoring compliance and follow up as necessary.
2. Management should consider distributing exception reporting more frequently and directly to
staff and supervisors before escalating to the Director level annually.
3. Management should consider implementing a threshold for the length of time to complete
overdue training requirements and advise individuals to complete training before escalation to
the Executive Director of Human Resources.
Management Response
HR Health & Safety will engage Business Services, Communications to develop a
communication plan to reaffirm with staff their responsibility regarding mandatory Health and
Safety training course completion. The communications will highlight the ability to complete
courses online.
45
Internal Audit Report Page 9
HR Health & Safety will liaise with departmental Learning and Development teams to ensure that
training exception reports are distributed to supervisors and staff at least bi-annually.
HR Health & Safety will seek Senior Management endorsement to indicate specific required
completion timelines for all regulatory health and safety courses currently outlined in the
‘required courses’ information on the Portal. Overdue thresholds will be included the training
exception reports sent to supervisors.
Completion Date: Q4 2021
4.5 Health & Safety Information - Intranet
Observation:
Audit Staff reviewed the health, safety and wellness information found on the Region’s intranet
site that is used to keep employees informed under the Human Resources area and noted the
following observations:
The “Employee Health Resources” portal page can be laid out in a more organized manner.
The format of documents appears inconsistent and the information provided in the linked
documents does not always provide clear or complete directions. Improving the organization
of information contained on the portal page may help improve employee awareness and
compliance with health and safety policies/procedures.
The policies that appear under the “Employee Health Related Policies” section are outdated.
As such, there is a risk that information contained in one or more of those policies is not
consistent with the OHSA, which was last updated in December 2017.
The extent of health and safety information and resources provided varies across the Region’s
employee portal. There is a greater level of health and safety related information found
within other areas on the Region’s intranet site compared to that found within the Human
Resources Health, Safety & Wellness page. Examples of these other areas include the Health
& Wellness tab under the Paramedic Services Resources section and the Safety tab under the
“My Life & Career” drop down menu on the home site. Decentralized information may lead
to inconsistent messaging, duplication of information, and be difficult for staff to navigate.
Recommendation:
1. Management should review the “Employee Health Resources” portal page and update to
ensure information is presented in an organized and consistent manner. Policies should
be reviewed and updated accordingly to ensure they are clear, accurate, complete and
current.
2. Management should determine the frequency with which policies should be reviewed and
updated going forward to ensure current regulations and compliance requirements are
accurately reflected in a timely manner.
46
Internal Audit Report Page 10
3. Management should review the current landscape for health and safety information
available on the portal and ensure health and safety information is presented in a clear,
consistent and coordinated manner. Consideration should be given to link the
information under the “My Life & Career” safety section to the Human Resources Health
Safety & Wellness portal page.
Management Response:
The My Life and Career and the associated tabs is where all workplace safety information is to be
housed. The Corporate Services – Human Resources – Health and Safety will be updated.
Duplicate information by other departments will be flagged and removed or redirected to the tabs
on My Life and Career page.
Management will review Health and Safety policies annually and will update information as
necessary to ensure current regulations and compliance requirements are accurately reflected.
Completion Date: Q2 2021
47
Internal Audit Report Page 11
Original signed by Original signed by
Dino Basso
Commissioner, Corporate Services
Sharon Kennedy
Executive Director, Human Resources
Original signed by
Michelle Morris
Director, Audit Services
48
ATTACHMENT 3
Internal Audit Report
Finance - Information Technology Cellular Audit Report
June 2020
49
Finance - IT Cellular Audit June 2020
Internal Audit Report Page 1
TABLE OF CONTENTS Section Page No.
1.0 MANAGEMENT SUMMARY ............................................................................................................ 2
2.0 INTRODUCTION .............................................................................................................................. 2
3.0 OBJECTIVES AND SCOPE ............................................................................................................... 3
4.0 DETAILED OBSERVATIONS AND RECOMMENDATIONS .......................................................... 4
4.1 POLICIES REQUIRE UPDATED REVIEW .................................................................................... 4 4.2 POLICIES REGARDING EMPLOYEE REIMBURSEMENT FOR PERSONAL CHARGES INCURRED ON
CELLULAR DEVICES REQUIRE CLARIFICATION ....................................................................... 5 4.3 EMPLOYEE SIGN-OFF NOT REQUIRED WHEN PROVIDED A REGION ISSUED CELLULAR DEVICE6 4.4 INFORMATION COMMUNICATED TO EMPLOYEES REQUIRES CLARIFICATION ON
EXPECTATIONS REGARDING ROAMING CHARGES ................................................................... 7 4.5 THERE IS NO FORMAL OFF-BOARDING PROCESS FOR DECOMMISSIONING CELLULAR DEVICES8 4.6 EMPLOYEES ARE NOT REQUIRED TO USE A CASE WITH THEIR REGION ISSUED CELLULAR
DEVICE ................................................................................................................................. 10
50
Finance - IT Cellular Audit June 2020
Internal Audit Report Page 2
1.0 Management Summary
Audit Services has completed an audit of Information Technology Cellular in Finance.
The audit was conducted in accordance with the Institute of Internal Auditors International
Standards for the Professional Practice of Internal Auditing.
The scope of the audit included a review of the Region’s policies that govern the process of
issuing, administrating and decommissioning cellular devices to provide secure and reliable
communication for staff. Additionally, detailed data analysis on all 2019 cellular related orders
from the Region’s main service provider, Rogers was conducted.
Testing was conducted at a sufficient level of detail to allow us to evaluate compliance with
contract terms and applicable policies / procedures.
Overall, the results of our detailed testing indicate that the cellular process operates in a manner
that helps to ensure devices are administered and used in accordance with policies and
procedures, and the billing process is in accordance with contract terms and conditions.
Opportunities for internal control improvements were noted and discussed with appropriate
management. These improvements relate to Region policy updates, the process for off-boarding
and decommissioning cellular devices, and various aspects of device administration.
It should also be noted that there were key processes identified during the audit where controls
were strong and working as designed. This includes the process for inventory management of
older devices to save the Region money on new device purchases and repair costs between the
cellular devices refresh periods, mobile device management and security initiatives, and the
process of issuing new devices to employees.
Should the reader have any questions or require a more detailed understanding of the risk
assessment and sampling decisions made during this audit, please contact the Director, Audit
Services.
Audit Services would like to thank Information Technology staff for their co-operation and
assistance provided during the audit.
2.0 Introduction
As part of our Regional Council Approved Audit Plan, the Audit Services branch performed a
Cellular Audit. The Audit Plan, approved by the Audit Committee, is developed by Audit
Services using a risk assessment methodology that helps to define the different risks associated
with the various processes at the Region. It is one tool that Audit Services uses in assessing
where best to allocate audit resources.
The IT Services branch administers the process for cellular devices used by Regional staff. This
process includes assigning devices to staff, managing billing and payments, managing device
51
Finance - IT Cellular Audit June 2020
Internal Audit Report Page 3
repairs, and off-boarding devices when no longer required. In 2019, excluding police, the Region
spent approximately $2.4 million on cellular.
Audit Services reviewed all Region policies related to cellular devices and the processes and
procedures in place to ensure administration of cellular devices in performed in compliance with
related policies.
3.0 Objectives and Scope
The main objectives of this engagement were to:
Review the internal controls regarding cellular communications at the Region to ensure
administration of devices and services is controlled.
Review Corporate and Departmental policies to ensure they are in alignment.
Ensure accurate billing based on contract terms and conditions.
The audit objectives were accomplished through:
1. A review of the Region’s policies and processes regarding the issuing and
decommissioning of cellular devices.
2. A review of contract terms for existing cellular services.
3. A review of the cellular billing process to ensure accuracy of billings.
4. A detailed analysis on all 2019 cellular billing data received from Rogers.
5. Interviews with appropriate personnel.
6. Review of other related documentation.
52
Finance - IT Cellular Audit June 2020
Internal Audit Report Page 4
4.0 Detailed Observations and Recommendations
4.1 Policies require updated review
Observation
As part of the audit, Audit reviewed all policies relating to cellular at the Region. During this
review, it was noted that the:
Responsible Use of IT policy was originally approved on November 14, 2016 and had
not been reviewed or updated since.
Privacy Policy was last updated on June 21, 2012.
Use of Social Media Policy was last updated on December 17, 2014.
Technology Acquisition Policy was last updated on November 14, 2016.
Voicemail Policy was last updated on April 30, 2014.
Outdated policies may not reflect the current operating environment and allow the Region to
mitigate risk.
Recommendation Management should review the identified policies to ensure they remain relevant and accurate.
Due to the inherent environment of rapid change regarding technology, management should
consider providing a timeframe requirement for review within the policies themselves, to ensure
they regularly remain up to date, applicable and accurate.
Management Response
Two of the identified policies, ‘Responsible Use of Technology’ and ‘Technology Acquisition’,
are maintained by IT Services. As part of the current review, IT Services will be:
Updating Responsible Use of Technology to reflect any new and emerging requirements
and to strengthen ties to related corporate policies
Rescinding Technology Acquisition as a policy and confirming requirements are
reflected within general procurement procedures.
The remaining policies are maintained by branches in departments outside of Finance,
specifically Office of the Regional Clerk (Privacy Policy), Corporate Communications (Use of
Social Media Policy) and the Office of the CAO (Voicemail Policy). For these policies, IT
Services will reach out to the responsible branch with the recommendations in this audit and offer
support during their reviews.
53
Finance - IT Cellular Audit June 2020
Internal Audit Report Page 5
The Corporate Policy Development Framework establishes an annual review requirement for
corporate policies. IT Services will implement this requirement moving forward.
Target completion: Q4 2020
4.2 Policies regarding employee reimbursement for personal charges incurred on
cellular devices require clarification
Observation
None of the Region’s policies related to cellular outlines the expectation for employees to
reimburse the Region for personal charges incurred on their cellular device, or for their managers
to seek reimbursement for these charges.
The Code of Conduct states, “Personal use of Regional property must never result in direct
expenses being paid for by the Region”.
Determined through discussion with management, the most common and substantial charges
incurred for personal use are roaming charges. The Responsible Use of Regional Technology
Policy states,
“Intent to travel with Technology Systems and Resources outside of Canada and the
United States must be reported to Information Technology Services a minimum of 10
business days prior to departure”, and
The Responsibilities of Directors / Managers / Supervisors section outlines that they
“Enforce the requirements of this policy” and “take appropriate corrective actions against
policy violations”, however, does not define appropriate correction actions.
Without clarification of employee and manager expectations through policy, there is no consistent
process for seeking reimbursement of charges resulting from personal use across the Region
which may lead to inequities amongst employees.
Recommendation
Management should determine the appropriate corrective actions regarding reimbursement of
personal charges incurred on a Regional cellular device.
Management should update the Responsible Use of Regional Technology Policy to ensure
employees are aware of their expectations regarding reimbursement for personal use charges, and
management across the Region can consistently apply the appropriate corrective actions.
Management Response The Controllership Office has issued ‘Guidelines for Reimbursement of Costs’ which establishes
a process to reimburse the Region for personal expenses and improper use of Regional property,
including cellular/ mobile devices. The Responsible Use policy will be updated to reference these
guidelines.
Current roaming plans are activated only by request and include a limited amount of voice and
data, which can result in substantial fees if the user neglects to request a plan or exceeds the
limits. IT Services anticipates these issues will be resolved through the new cellular contracts
54
Finance - IT Cellular Audit June 2020
Internal Audit Report Page 6
expected to be begin in January 2021 (pending Council approval). The new contracts include
roaming plans that are automatically activated when the device enters a different country and
charge a daily ‘flat fee’ rate for unlimited voice and data.
Staff will continue to be required to obtain pre-approval to travel with their device, specifically
from their direct supervisor/ manager for daily roaming charges and from IT Services for a
destination security check. IT Services will review the Responsible Use policy’s expectations for
travelling with Region-issued devices and work with corporate partners to include these
expectations in the vacation request process. These expectations will also be included in the sign-
off document (Recommendation 4.3).
Target completion: Q4 2021.
4.3 Employee sign-off not required when provided a Region Issued cellular device
Observation
Through discussion with management, Audit determined that employees are not required to sign-
off that they have received and understand their responsibilities related to the cellular device that
they have been issued. Although the process control for issuing a device requires the approval of
a Manager, they would be unaware as to whether the employee has received and is aware of all
required information.
During the last refresh of cellular devices at the Region, management has informed Audit that all
employees issued a device were provided the Smartphone and Cell Phone Quick Reference Guide
that covers plan details, high level technical information, and clear direction to related policies
and procedures. The guide was received and reviewed by Audit and it was noted that it does not
provide guidance to employees on maintaining their own personal information.
Management has informed Audit that the guide continues to be distributed with the issue of new
devices and between the refresh periods.
Without proper employee sign-off to confirm their understanding of roles and responsibilities
related to the device, there is the risk that employees do not follow the requirements of applicable
policies as such the Region may incur additional security and privacy risks, as well as costs, as a
result.
Recommendation Management should consider that Regional employees issued a cellular device are required to
sign-off on receipt and understand the contents of the Smartphone and Cell Phone Quick
Reference Guide that outlines the plan details, roles and responsibilities and other related policies
and procedures to the cellular device. The contents of the guide should also reflect the
employee’s responsibility for their own personal information.
Management Response
IT Services agrees that a sign-off procedure on receipt of all technology devices is beneficial to
confirm that staff understand the device specifics and their responsibilities related to the device.
55
Finance - IT Cellular Audit June 2020
Internal Audit Report Page 7
IT Services will review options for obtaining these sign offs with corporate stakeholders to ensure
the new process can be effectively implemented and supported over the long term.
The Quick Reference Guide will be reviewed to include additional information regarding
reimbursement expectations and responsibility for personal information.
Target completion: Q4 2021.
4.4 Information communicated to employees requires clarification on expectations regarding roaming charges
Observation
Audit observed that the information provided to employees through the Smartphone and Cell
Phone Quick Reference Guide and My Portal (the Region’s intranet site) does not explicitly state
the employee requirement to put on a roaming plan, as well as any repercussions or expectations
of repayment for not applying a plan.
The Region provides information on My Portal regarding roaming details and rates as well as the
available form to apply a roaming plan to their device. In addition, My Portal provides tips for
reducing roaming charges and data security.
It was noted during the review that the Region will be adopting a new plan during the next refresh
planned for Q4 2020. The new plan includes more limits regarding roaming to avoid substantial
charges. However, there are certain countries that are outside the limits, as well as cruise ships,
where it is possible that an employee may incur substantial charges in addition to the cost of a
roaming plan.
Recommendation Management should consider clarifying the employee’s expectations on My Portal and in the
Smartphone and Cell Phone Quick Reference Guide regarding application of a roaming plan
when necessary and repayment for failing to do so.
The expectations provided through My Portal and the Smartphone and Cell Phone Quick
Reference Guide should remain consistent with updated policies and procedures across the
Region.
Management Response Expectations for travelling with any Region-issued device and reimbursement of unapproved
roaming fees will be clarified on My Portal and in the Smartphone and Cell Phone Quick
Reference Guide and included as part of the new sign off process.
IT Services will review the existing cellular content information to ensure that the messaging for
staff is up-to-date, consistent and understandable across all communication materials.
Additionally, departments will be consulted on the best way to integrate ‘travelling with devices’
information into their vacation request processes.
Target completion: Q4 2021.
56
Finance - IT Cellular Audit June 2020
Internal Audit Report Page 8
4.5 There is no formal off-boarding process for decommissioning cellular devices
Observation
Through discussion with management, Audit determined that there is no formal off-boarding
process for the decommissioning of cellular devices at the Region.
The Acquisition of New Technology Policy provides a requirement to consult with the IT
Services Branch prior to the acquisition of new and additional Technology Systems and
Resources. However, this policy does not provide a requirement to consult with IT when off-
boarding and decommissioning devices.
When an employee no longer requires a cellular device, there is no process to ensure that
management notifies IT or returns the device. This creates the opportunity for devices to be
misplaced. Further, secured information may not be properly disposed of before reassignment in
accordance with related policies.
The Information Management Policy states:
“All personal information is collected, shared, used, retained, disclosed and disposed of
in accordance with legislative and regulatory requirements of the Code of Conduct”, and
“Controls are developed to prevent the improper, intentional and unintentional
destruction and disclosure of information.”
The Privacy Policy States, as part of the accountability for privacy:
“All personal information will be collected, used, retained, disclosed and disposed of in
accordance with the applicable legislation”
“Personal information will not be collected unless necessary… Personal information is
used only as outlined in the notice and is not retained for longer than necessary”, and
“Personal information will be disposed of in compliance with records and information
management policy in a secure manner that prevents loss, misuse, theft or unauthorized
access.”
The existing “Checklist for Exiting Employees” instructs the collection of handheld devices, as
well that the employee wireless account “can be placed on a temporary disconnect plan,
cancelled, or assigned”. There is no mention of a requirement to notify IT.
Failing to inform IT that a device is no longer in use does not provide IT with the opportunity to
securely wipe all information from the device in accordance with Regional policies.
Recommendation
Management should implement a formal off-boarding process to ensure that IT is notified when a
cellular device is no longer in use by an employee.
As part of this process, management should consider providing the off-boarding Manager with a
checklist for decommissioning cellular devices. Part of this checklist should be the requirement
to contact IT to ensure devices can be assessed for damage and sensitive information is securely
wiped prior to disposal or reassignment.
57
Finance - IT Cellular Audit June 2020
Internal Audit Report Page 9
Management Response IT Services will review and update off-boarding processes for all technology devices (i.e.,
smartphones, laptops, iPads, etc.) with Human Resources, and work with stakeholders to ensure
changes are communicated effectively and devices are properly wiped. The Responsible Use
policy will also be updated to reflect expectations regarding proper asset management of devices,
with additional checklists to assist with the decommissioning process.
Target completion: Q1 2021
4.6 Departments are not required to review active accounts on a regular basis
Observation
Audit confirmed that IT uploads the information for active accounts on a monthly basis into the
PeopleSoft system that is accessible to departments for management review. However, it was
noted that it is at the discretion of the individual department as to whether they review this
information and the frequency in which they do so.
Only through the IT led refresh process every three years, where departments are required to
review the information of active accounts and confirm with IT whether to cancel or continue the
phone circuit for that device.
It was noted that the phone circuit is tied to an individual in a certain position. If an employee
leaves that position for any reason, the employee’s name remains to the account until the device
is reassigned, or the phone circuit is cancelled during departmental review. Therefore, it would
be common that accounts are tied to employee names that are no longer in the position.
An account that remains active on a device that is no longer in use may result in unnecessary
charges incurred by the Region.
Recommendation Management should consider a process in which individual departments review active cellphone
accounts in their area and determine whether to cancel or continue the phone circuit for that
device on a more frequent basis, rather than only during the required review at the 3-year refresh.
Management Response ITS will work with stakeholders in each department to assess the feasibility of more frequent
review of active accounts and implement if the expected cost savings outweigh the increased
administration.
Target completion: Q1 2021
58
Finance - IT Cellular Audit June 2020
Internal Audit Report Page 10
4.7 Employees are not required to use a case with their Region issued cellular device
Observation
Audit performed an analysis on all 2019 orders through Rogers, the Region’s primary service
provider for cellular. Of the 77 new phone purchases made in 2019, 48 (62 percent) were ordered
with a case. It was determined that $43,333 was spent across 167 repair instances to Region
cellular devices.
Through discussion with management, it was confirmed that when an employee receives a new
cellular device, they are not required to order a Region approved case. There is also no
requirement that a case be used at all with their device.
If an employee decides to use a case, they have the option to purchase a case with their device
through the Region or purchase a case on their own and submit the expense for reimbursement.
It was also confirmed that when phone accessories are ordered through the Region’s contract with
Rogers, the Region receives a 50 percent discount on the accessory.
Inadequate protection for cellular devices may result in additional repair costs to the Region.
Also, if an employee purchases an accessory and submits the costs for reimbursement, the Region
would not obtain the benefit of a 50 percent discount.
Recommendation For existing cellular devices, management should consider communicating to employees that it is
their expectation to use a case with their cellular device.
For newly issued cellular devices, management should consider requiring employees to order a
pre-approved case. This would ensure adequate protection for the asset which will likely reduce
repair costs incurred by the Region. Additionally, the Region would benefit from 50% percent
cost savings on accessory purchases made through our service contract.
Management Response
The expectation to use a phone case will be added to all cellular communication materials.
IT Services will review the cases currently available at a discount and determine a preferred case
for each device. ITS will consult with stakeholders regarding reimbursement options when
permitting staff to purchase their own (e.g., limiting the reimbursed amount to the value of the
preferred case).
Target completion: Q1 2021
59
Finance - IT Cellular Audit June 2020
Internal Audit Report Page 11
Michelle Morris
Director Audit Services
Laura Mirabella
Commissioner of Finance
Richard Leest
Director, Information Technology Services
60
Attachment 4
Outstanding Audit Recommendations Follow-Up
Audit Report
January 2021
61
Outstanding Audit Recommendations Follow-Up Report
January 2021
Internal Audit Report Page 2
TABLE OF CONTENTS
Section Page No.
1.0 MANAGEMENT SUMMARY ...................................................................................................................... 3
2.0 INTRODUCTION ........................................................................................................................................... 3
3.0 OBJECTIVES AND SCOPE ......................................................................................................................... 4
4.0 DETAILED OBSERVATIONS AND RECOMMENDATIONS ................................................................ 4
4.1 STATISTICS AND DETAILS OF OUTSTANDING AUDIT RECOMMENDATIONS FOLLOWED UP .................... 4
62
Outstanding Audit Recommendations Follow-Up Report
January 2021
Internal Audit Report Page 3
1.0 Management Summary
Audit Services has completed a follow-up of outstanding audit recommendations as at
September 30, 2020. These recommendations are comprised of:
1. Audit recommendations that were noted as ‘not yet completed’ in our previous
Outstanding Audit Recommendations Follow-Up Audit Report dated June 2020.
2. Any new audit report recommendations presented at the June 2020 meeting of the
York Region Audit Committee.
Management was provided the option to defer the current update to the next audit follow-
up given the ongoing health crisis. Of the 13 audit reports currently on the list for follow-
up, three have been deferred to the next audit follow-up date, which will be completed in
March 2021 for the June 2021 Audit Committee.
There were 76 audit recommendations originally issued through the 13 audit reports
currently on our list for follow-up. In the ten audit reports for which management
responses were not deferred, there were 62 audit recommendations originally issued.
Management has implemented 77% of these recommendations. In the last term of Council,
this has ranged between 60% and 90% and varies based on timing of reports being issued.
For a detailed summary of audit reports followed up and recommendations issued,
completed and outstanding, please refer to section 4.0. Additional detail is available
upon request from the Director, Audit Services.
Our follow-up was conducted in accordance with the Institute of Internal Auditors
International Standards for the Professional Practice of Internal Auditing Standard 2500
– Monitoring Progress:
The chief audit executive must establish and maintain a system to monitor the
disposition of results communicated to management.
2500.A1 – The chief audit executive must establish a follow-up process to
monitor and ensure that management actions have been effectively
implemented or that senior management has accepted the risk of not
taking action.
2.0 Introduction
On a semi-annual basis, Audit Services updates the Region’s Audit Committee and the
Chief Administrative Officer (CAO) on the status of issued audit recommendations. To
provide this update, Audit Services contacts Commissioners and Directors to confirm the
status of the issued recommendations relating to their area. In some cases, the status is
further validated directly by Audit Services through discussion and/or detailed testing.
This is an integral part of our audit process that allows us to confirm that the
opportunities for improvement outlined in audit reports have been implemented.
63
Outstanding Audit Recommendations Follow-Up Report
January 2021
Internal Audit Report Page 4
The Audit Services Branch performed a follow-up of outstanding audit recommendations
as at September 30, 2020. These recommendations included those noted as outstanding
in our Outstanding Audit Recommendations Follow-Up Report dated June 2020, and all
new recommendations issued in audit reports reported to Audit Committee in their last
meeting in June 2020.
Department heads were emailed requests containing:
1. A request to provide a status update and a confirmation of the original due date
for implementation of the recommendation, or a new anticipated implementation
date if necessary.
2. A summary of outstanding audit recommendations for their area. The
Commissioner and Director responsible for the implementation of the
recommendations are also requested to sign off on the updated document.
3. As requested by Audit Committee in November 2008, departments having an
audit recommendation that remains outstanding more than one year past the
original due date must provide Audit Committee with a separate memo as to why
the recommendation has not been implemented. Management action plans that
detail what is being done to implement the recommendation(s) are to be included.
Audit reports presented at the January 2021 meeting of the York Region Audit
Committee will be followed up at the next Audit Committee meeting.
3.0 Objectives and Scope
The objective for this engagement was:
To provide feedback to the Region’s Audit Committee and CAO as to the
disposition of issued audit recommendations.
The audit scope to accomplish this objective was:
All outstanding audit recommendations issued prior to and including those
presented at the June 2020 meeting of the York Region Audit Committee.
4.0 Detailed Observations and Recommendations
4.1 Statistics and Details of Outstanding Audit Recommendations Followed Up
Table A provides a summary of the number of management responses received
and the number of audit recommendations that remain open as at September 30,
2020.
64
Outstanding Audit Recommendations Follow-Up Report
January 2021
Internal Audit Report Page 5
Table B provides details of audit recommendations that were followed up for this
review, as well as management responses as at September 30, 2020.
65
Outstanding Audit Recommendations Follow-Up Report
January 2021
Internal Audit Report Page 6
TABLE A – Summary of Outstanding Audit Recommendations Follow-Up as at September 30, 2020
Audit Report
Date Reported to Audit
Committee
Number of recommendations
in Audit Report Completed for 3/31/20
Completed for 09/30/20
Not yet complete as at 09/30/20
(%) Complete as at 09/30/20
ENV – Operations Maintenance and Monitoring
Feb-16 11 10 1 - 100%
FN – Accounts Payable & Procurement Jun-16 6 5 0 1 83%
TRN – Fleet Services Jun- 18 7 5 0 2 71%
CS – Compensation and HRMS Jun-18 6 3 0 3 50%
CS – Health & Safety on Property Services Capital Projects
Jan-19 6 5 0 1 83%
FN – Treasury Investment Jun-19 4 2 2 - 100%
ENV – Warranty Admin Jan-20 6 2 4 - 100%
TRN – Traffic Signal & Illumination Maintenance
Jan-20 5 1 1 3 40%
HYI – Contract Management Jan-20 4 - 2 2 50%
ENV – Forestry Jun-20 7 - 5 2 71%
Total – responses received 62 33 15 14 77%
CHS – Ontario Works [Note a] Jun-19 5 2 1
[Note b]
2 60%
CHS – Sexual Health [Note a] Jan -20 5 - - 5 100%
CHS – Paramedic Fleet Services [Note a] Jun-20 4 - 1 3 25%
Total – responses deferred 14 2 2 10 29%
Grand Total 76 35 17 24 68%
Note a: Management elected to defer update to the next follow-up date in March 2021 for Audit Committee presentation in June 2021.
66
Outstanding Audit Recommendations Follow-Up Report January 2021
Internal Audit Report Page 7
Note b: Deferral option waived by Finance Department for its portion of the audit recommendation. TABLE B – Summary of Outstanding Audit Recommendations as at September 30, 2020
Audit Report Recommendation Management response
Original
due date
Current
due date
Environmental
Services –
Operations
Maintenance &
Monitoring
4.1
OMM work with IAM to resolve the noted asset
inventory discrepancies.
OMM continue updating the protocol used to
identify assets needed to be entered into
MAXIMO from an asset maintenance perspective.
Complete. All on site Asset Tagging was
completed as of Q2 2020.
Complete.
Q4 2019
N/A
N/A
N/A
4.2
OMM continue with the implementation of an
input screen to help in updating the MAXIMO
inventory base whenever it changes.
OMM should also perform a full inventory of all
their MAXIMO assets to establish a baseline of
actual assets within each facility.
OMM should develop and implement annual
inventory verification routines that spot check an
acceptable level of asset inventory using ‘book to
floor’ and ‘floor to book’ asset verification.
Complete.
N/A
N/A
4.3
Spare parts inventory program create detailed
plans and process flows to help ensure that
Complete.
N/A N/A
67
Outstanding Audit Recommendations Follow-Up Report January 2021
Internal Audit Report Page 8
Audit Report Recommendation Management response
Original
due date
Current
due date
management controls over the inventory are
sufficient.
4.4
The backlog listing should be reviewed:
1. To determine which codes are required and
who may require them.
2. Reiterate to all MAXIMO users the proper
protocols for entering a Level code, with
particular attention to Level 5 codes.
3. Reiterate to all MAXIMO users the
importance of descriptions to help schedule
work order assignment to mechanics and
electricians.
4. Reiterate to all MAXIMO users the
importance of timely resolution of the work –
order in MAXIMO.
5. Determine the required work necessary to
complete this work order.
Complete. N/A
N/A
4.5
OMM management should reconsider the value
being provided by the tablets. The connectivity
fee should be terminated immediately. The 36
tablets noted could be reassigned where they will
be used or sold to recover any residual value.
Complete.
N/A N/A
4.6 Complete. N/A N/A
68
Outstanding Audit Recommendations Follow-Up Report January 2021
Internal Audit Report Page 9
Audit Report Recommendation Management response
Original
due date
Current
due date
For some types of work orders, predominantly
level 1 thru 4, a triage system should be piloted to
determine if tradespersons could be more
effectively and efficiently dispatched to perform
their work.
4.7
OMM management should continue constructing
and finalizing an input page to be used by
tradespersons in the field.
Complete.
N/A N/A
4.8
Consultants contracted to provide complete and
accurate asset information should be held
accountable for incomplete and erroneous asset
information.
Explore the possibility to recoup the cost of
having to review and correct any new asset
information entered by consultants.
Complete.
N/A
N/A
4.9
OMM management ensures that any future
contracts issued for tender follows the Surety
Bond Policy and associated procedures.
Complete. N/A N/A
4.10 Complete. N/A N/A
69
Outstanding Audit Recommendations Follow-Up Report January 2021
Internal Audit Report Page 10
Audit Report Recommendation Management response
Original
due date
Current
due date
A current, blanket COI should be collected by
Finance – Insurance & Risk for the contractor
executing the diesel generator maintenance.
4.11
OMM management should arrange for
preventative maintenance to be performed on the
portable diesel generators as per the contract with
the contractor responsible for this work.
Missing documentation should be investigated
and collected to help ensure that all equipment is
being maintained as per the standards followed.
Complete.
N/A
N/A
Finance – A/P &
Procurement
4.1
Consider implementing a stamp for departments
to use for invoice approval / general ledger
coding.
Reiterate to staff the requirement for segregation
of duties between purchase commitment and
payment authority.
Complete.
N/A
N/A
4.2
Tender Bid Request Form is updated to clarify the
requirement for advertising in the DCN.
Consider implementation of an electronic
procurement filing system to reduce likelihood of
Complete. N/A N/A
70
Outstanding Audit Recommendations Follow-Up Report January 2021
Internal Audit Report Page 11
Audit Report Recommendation Management response
Original
due date
Current
due date
misplacing key documents, and, create a more
consistent standard file set-up.
4.3
A formal process be developed to ensure
compliance with the policy of annual reviews of
designated authorities.
Department heads perform annual review of the
designated approval authorities and report results
to Finance for updates.
Complete.
N/A N/A
4.4
Compare all NSA forms to purchasing course
training records. Where the course has not been
attended, a deadline established for attendance. If
not attended, the NSA form should be revoked.
NSA form should include the requirement for
attendance to the purchasing training course and
employee statement that the course was attended
or scheduled attendance.
Complete. N/A N/A
4.5
Authorization of Payment of Goods and Services
Policy is updated to clarify approval limits for
Project Managers, include the segregation of
duties between purchase commitment and
payment approval.
Complete.
N/A
N/A
71
Outstanding Audit Recommendations Follow-Up Report January 2021
Internal Audit Report Page 12
Audit Report Recommendation Management response
Original
due date
Current
due date
Purchasing Tool Kit be updated to clearly identify
the requirement for a purchase order for purchases
above a specified dollar limit.
Due to continuing pressures on the
organization from the COVID-19 pandemic,
we have recommended to the CAO that
implementation be deferred to Q3 2021, so the
new Bylaw will not take effect until Jul 1,
2021 at earliest. A new protocol – “Payment
for Goods and Services by Purchase Order”
will take effect at the same time that the Bylaw
takes effect.
Q1 2020
Q3 2021
4.6
Perform a thorough review of the purchase orders
identified as having errors and omissions and
correct them in the system.
Perform an annual review of unused purchase
orders beyond a certain age to identify instances
where invoices are being processed without being
applied to a purchase order or directly to a general
ledger account.
Complete. N/A N/A
Transportation
Services – Fleet
Services
4.1
Management should develop and communicate a
comprehensive Operator’s Safety Manual. The
Manual should address York Region
requirements, defensive driving and equipment
operation, vehicle collision and incident
responsibilities, general operating procedures, and
updated fueling procedures.
The Corporate Fleet and Driver Safety Policy
incorporates provisions for the application of
tires and replaces TRN and ENV Fleet
Vehicles Policy. Policy has been socialized
and is currently under submission for review
and approval by the Commissioner and CAO.
On target for Q1 2021 sign-off.
Q4 2019
Q1 2021
72
Outstanding Audit Recommendations Follow-Up Report January 2021
Internal Audit Report Page 13
Audit Report Recommendation Management response
Original
due date
Current
due date
Management should consider rescinding the
outdated Use of Transportation Services and
Environmental Services Fleet Vehicles Policy and
clarify employee expectations regarding personal
use of fleet vehicles in the Manual.
A policy regarding the application of tires to fleet
vehicles should be developed and communicated
to staff.
Additionally, the Manual should be
communicated to contractors, who may use
Region equipment and fueling stations during
their operations.
The Fleet Operators Safety Manual has been
created as a living document and available
through Fleet Services.
Completed, application of tires to fleet vehicles
included in new Corporate Fleet and Driver
Safety Policy.
4.2
Management should implement a formal process
to ensure all specifications developed for bid
documents are administered through the Fleet
Services to ensure compliance with the
Purchasing Bylaw.
The process should ensure compliance to the
Region Records Retention Bylaw. Each file
should include a cover page summarizing the
product or service being tendered and a list of
personnel involved in the development and
evaluation of specifications. Also included in the
file should be all documentation received from the
requesting department and all correspondence
Complete.
N/A
N/A
73
Outstanding Audit Recommendations Follow-Up Report January 2021
Internal Audit Report Page 14
Audit Report Recommendation Management response
Original
due date
Current
due date
regarding changes to specifications throughout the
process.
All specifications development files should be
maintained at a centralized location within Fleet
Services.
4.3
Management should re-communicate to staff their
requirement to decommission fleet equipment
when unsafe conditions are identified, until
appropriate repairs are complete.
Management should create a Driver Trainer
position in the next budget process.
Complete.
N/A
N/A
4.4
Management should consider providing Fleet
Services with access to vehicle GPS to assist in
maintenance scheduling. Coordinating servicing
based on usage and location assists in reducing
unnecessary travel of the vehicle, labour hours,
and the amount of time the vehicle is unavailable
for use due to servicing.
Complete.
N/A N/A
4.5
A formal process should be developed requiring
the semi-annual or perpetual review of inventory
stock. The Fleet Manager should identify slow
moving and obsolete inventory, which can be
Complete.
N/A N/A
74
Outstanding Audit Recommendations Follow-Up Report January 2021
Internal Audit Report Page 15
Audit Report Recommendation Management response
Original
due date
Current
due date
forwarded to the Director, Roads and Traffic
Operations.
The Director may discuss with Finance and any
other appropriate departments before providing
approval to the Fleet Manager to move ahead with
the auction or disposal of inventory, in accordance
with the Corporate Disposal of Surplus Assets
Policy
4.6
Policy should require Fleet Services to be
involved in any purchase of fleet assets under
their jurisdiction, regardless of department. This
process would ensure that the Region does not
purchase equipment it does not require, and Fleet
Services is aware of all existing assets to properly
schedule preventative maintenance.
Additionally, Fleet Services should participate in
the budgeting process for vehicles and equipment
to assist in ensuring the accuracy of actual versus
budgeted costs.
The Fleet Optimization Policy has been
socialized and is currently under submission
for review and approval by the Commissioner
and CAO. On target for Q1 2021 sign-off.
The Fleet Operators Safety Manual has been
created as a living document and is available
through Fleet Services.
Q4 2019
Q1 2021
4.7
Management should implement a formal process
requiring use of the existing checklists for the
commissioning and decommissioning of assets,
including a training and orientation requirement
as part of the commissioning process.
Complete.
N/A
N/A
75
Outstanding Audit Recommendations Follow-Up Report January 2021
Internal Audit Report Page 16
Audit Report Recommendation Management response
Original
due date
Current
due date
The existing checklists should be reviewed to
consolidate steps and require sign-off by
responsible personnel.
Additionally, supporting documentation
(including vehicle assets approval information)
requirements should be clearly defined and each
file should be stored in a centralized location in
accordance with the Records Retention Bylaw.
Corporate Services
– Compensation and
HRMS
4.1
Management should review the existing
compensation related policies and update or create
where necessary.
Management should also develop and formally
document procedures for key processes to support
the policies once completed.
On target for approvals and delayed for
communications and launch due to COVID:
• Policy and procedure documents draft
completed, reviewed by Legal
• Commissioner review on Nov 20, 2020
• CAO review and approval expected in
December
• Expected launch in Q1 2021
Q2 2020
Q1 2021
4.2
Management should review the current Job
Evaluation policy and procedures and update to
reflect actual practice.
On target for approvals and delayed for
communications and launch due to COVID:
As described in 4.1, this policy and procedure
is incorporated into the broader non-union
compensation policy.
The purpose of the Non-Union Appeals
Committee has been revisited for the interim as
the job evaluation process is being revitalized -
Q2 2019
Q1 2021
76
Outstanding Audit Recommendations Follow-Up Report January 2021
Internal Audit Report Page 17
Audit Report Recommendation Management response
Original
due date
Current
due date
Management should also consider implementing a
formal Job Evaluation Committee for non-union
jobs and/or a formal appeals process to ensure the
process remains as fair and transparent as
possible.
Once policies/procedures have been updated,
management should ensure information is
communicated with staff and available on the
Region intranet.
currently the Committee is providing support
as a Business Advisory Group and change
champions for the revised job evaluation
process.
Complete.
On target for approvals and delayed for
communications and launch due to COVID:
As described in 4.1, this policy and procedure
is incorporated into the broader non-union
compensation policy.
N/A
Q4 2020
N/A
Q1 2021
4.3
Management should consider developing and
implementing a standard Job Evaluation checklist
to ensure consistency in file documentation and
that all supporting documents, including the JIF
and Evaluation Record Sheet, are included in the
evaluation files.
Complete.
N/A N/A
4.4
Management should continue to investigate
alternative options to Microsoft Excel for
managing and tracking key compensation
programs to better help streamline processes and
Complete. Q2 2019
N/A
77
Outstanding Audit Recommendations Follow-Up Report January 2021
Internal Audit Report Page 18
Audit Report Recommendation Management response
Original
due date
Current
due date
reduce the room for errors inherent with using
Excel.
4.5
Access for compensation rate changes and adding
new employees should be reviewed and removed
where not required as part of the employee’s job
function.
Management should develop a policy and process
for requesting and granting HRMS access and for
reviewing access when there is an internal
transfer. A form could be developed that links to
defined user roles when requesting access.
Transfers should include a check for existing
access to determine if still required.
Management should develop and implement
defined user roles/groupings within HRMS that
should be tied to job code/functions. The existing
access within HRMS should be reviewed and
converted once the roles are clearly defined and
developed.
Complete.
N/A
N/A
4.6
Management should review the above survey
results and could consider the following:
Increasing the maximum increase per pay
grade for acting assignments and internal
On target for approvals and delayed for
communications and launch due to COVID:
Q4 2020
Q1 2021
78
Outstanding Audit Recommendations Follow-Up Report January 2021
Internal Audit Report Page 19
Audit Report Recommendation Management response
Original
due date
Current
due date
promotions to better align with industry best
practices. Alternatively, a policy could be
developed where increases above the 3.5%
increase per grade would be permitted at the
hiring Director’s discretion.
A job evaluation maintenance review
schedule.
Develop and implement a formal Retention
& Attraction Policy for “hot skills”, which
includes regular reviews and updates when
required.
Review and update, if required, the current
municipal comparator list to ensure it
includes the most accurate and representative
comparator municipalities.
As previously stated in issue 4.1 and 4.2,
management should review and update all
existing compensation related policies and
procedures and implement a job evaluation
committee and/or a formal appeals process
for evaluation results.
Incorporated into non-union salary policy and
guidelines completed Q4 2020, approval for
policy expected in 2020 with target launch and
implementation in Q1 2021
On target: Can only implement once
concurrent projects to reduce evaluation
volumes are complete.
On target for approvals and delayed for
communications and launch due to COVID:
Market Pay practices incorporated into non-
union salary policy and guidelines completed
Q4 2020 for approval and implementation in
2021.
Complete.
See 4.1 and 4.2
Q4 2019
Q4 2020
N/A
Q4 2020
Q1 2021
Q1 2021
N/A
Q1 2021
79
Outstanding Audit Recommendations Follow-Up Report January 2021
Internal Audit Report Page 20
Audit Report Recommendation Management response
Original
due date
Current
due date
Corporate Services
– Health & Safety
on Property Services
Capital Projects
4.1
Property Services should continue identifying and
implementing workable solutions to create a
capital project filing structure for project
documentation.
Complete. N/A N/A
4.2
For non-emergency capital projects, management
should reiterate the requirement to collect health
& safety documentation.
For emergency purchases a process should be
established that would allow for a quicker
collection of the necessary health & safety
documents as listed in the Policy and Guideline so
as to help minimize the risk of accidents
happening.
The Contractor Safety Specialist should be
notified of projects as per the Policy and
Guideline.
Complete. N/A N/A
4.3
Based on the collection of documents testing
results, management should consider a refresher
course (HS0076 - Contractor Safety Construction
Projects) that may be useful to reaffirm the health
& safety documentation needing to be collected
and why the Region collects them.
Complete. N/A N/A
80
Outstanding Audit Recommendations Follow-Up Report January 2021
Internal Audit Report Page 21
Audit Report Recommendation Management response
Original
due date
Current
due date
4.4
The SOP for the Construction Safety Audit
Process should be updated to reflect current
practises in place.
Complete.
N/A N/A
4.5
Management should consider the incorporation of
tablet based software to capture the construction
safety audits performed by the Region. This data
can then be used for management reporting and
planning purposes.
Complete.
N/A N/A
4.6
The Policy and Guideline should be updated to
reflect current corporate processes and document
collection requirements. Once management
approval has been obtained, the updated policy
should be posted on the intranet with the
necessary hyperlink to the updated guide. All
affected staff should be made aware of the update.
This will help to ensure corporate process and
documentation requirements continue being met.
Draft Health and Safety Guideline for
Employees Involved in Construction Projects
is complete. The review by key stakeholders is
forthcoming but may be delayed due to
COVID-19.
Upon finalization, a request to rescind the
Contractor Safety for Construction Projects
policy will be submitted, whereby the new
guideline will replace the policy.
Q1 2019
Q1 2022
81
Outstanding Audit Recommendations Follow-Up Report January 2021
Internal Audit Report Page 22
Audit Report Recommendation Management response
Original
due date
Current
due date
Community &
Health Services –
Ontario Works
DEFERRAL
(CHS)
4.1
Management should ensure that all OW
locations understand and comply with the
Region’s Petty Cash Funds policy and related
procedures, including performance of
reconciliations on a quarterly basis at a
minimum.
The owner of the Region’s Petty Cash Funds
policy should consolidate the Procedures for
Petty Cash Funds and the Petty Cash
Instruction Guide to create a single,
comprehensive procedures document on
which the owner, creation date, and last
revised date are indicated. The consolidated
procedures document should also clearly
identify the Regional policy to which it
relates.
Complete.
Response from FIN: Complete. A
comprehensive Procedures for Petty Cash
document has been created and shared on
myPortal for Regional petty cash users and
owners.
Further, updates to the Petty Cash Funds
policy (November 2016) were drafted to align
with the new procedures. The policy will be
posted on myPortal once CAO approval is
received.
N/A
Q3 2020
N/A
N/A
4.2
Management should:
Ensure that Participation Agreement reviews
are up to date for all active Ontario Works
clients, in accordance with Provincial
directives. In those instances where the
legislation permits a review over the phone,
ensure that the details of the review are
clearly recorded in the client file and in the
appropriate field(s) in SAMS.
Deferred.
Q4 2019
Q4 2019
82
Outstanding Audit Recommendations Follow-Up Report January 2021
Internal Audit Report Page 23
Audit Report Recommendation Management response
Original
due date
Current
due date
Implement a Participation Agreement review
scheduling system across all Ontario Works
office locations. Investigate the opportunity
to use the Vaughan location’s system as a
model for a uniform solution across all
locations.
4.3
Management should update the current Lost or
Stolen Entitlement Policy to address recovery of
overpayments to clients, reimbursement to third
parties where stopped cheques were cashed, and
timing of replacement cheques. The updated
policy should be communicated to all relevant
staff to ensure consistent application among the
Region’s OW office locations.
Deferred.
Q4 2019
Q4 2019
4.4
Management should provide OW case workers
with training related to legislated document
collection and retention requirements and:
ensure that case workers do not take and/or
file copies of documents that are to be
visually verified only;
ensure that required documents are not
duplicated in client files.
Complete.
N/A N/A
4.5
Management should develop and implement
measures such as enhanced training to ensure that
Complete. N/A N/A
83
Outstanding Audit Recommendations Follow-Up Report January 2021
Internal Audit Report Page 24
Audit Report Recommendation Management response
Original
due date
Current
due date
data entry in SAMS is complete, timely, and
consistent across all Ontario Works locations in
York Region.
Finance – Treasury
Investment
4.1
Management should review the value of the
Investment Policy requirement to include
estimated ratios. If deemed appropriate,
management should ensure that the Annual
Investment Report includes an estimated ratio of
the total long-term and short-term securities
compared to the total investments, and the
description of any year-over-year changes.
If management determines that the requirement to
include estimated ratios in the Annual Investment
Report is no longer necessary, the Investment
Policy should be updated to reflect that decision.
Management should also ensure that the Report
includes a statement by the Commissioner of
Finance and Treasurer as to whether or not all
investments were made in accordance with the
investment policies and goals adopted by the
Corporation, as required by the Investment Policy.
Complete. N/A N/A
4.2
Management should update the Investment Policy
to identify and clearly state the responsibilities of
Complete. The recommended changes were
included in an update to the Region’s
Investment Policy that was subsequently
Q2 2020
N/A
84
Outstanding Audit Recommendations Follow-Up Report January 2021
Internal Audit Report Page 25
Audit Report Recommendation Management response
Original
due date
Current
due date
obtaining adequate insurance coverage based on
the current organizational structure.
approved by Council at its meeting on October
23, 2020.
4.3
Management should update the Investment Policy
to reflect the requirement to use only IIROC (or
equivalent) approved dealers to perform
investment transactions, or perform a pre-
qualification process of financial institutions.
Complete. The recommended changes were
included in an update to the Region’s
Investment Policy That was subsequently
approved by Council at its meeting on October
23, 2020.
Q2 2020
N/A
4.4
Management should require the written name of
the approver underneath the signature, making it
easy to identify the individual who approved the
transaction.
Management should ensure that all bank
confirmations are attached to the associated
transaction when maintaining documentation.
Complete.
N/A N/A
CHS – Sexual
Health
DEFERRAL
4.1
Ensure that all quality control reviews are
completed with evidence maintained.
Develop a standardized peer review form and
update policy to require retention of the forms.
Consider implementing a requirement to
communicate peer review results with the
Program Manager.
Deferred.
Deferred.
Deferred.
Q4 2019
Q1 2020
Q1 2020
85
Outstanding Audit Recommendations Follow-Up Report January 2021
Internal Audit Report Page 26
Audit Report Recommendation Management response
Original
due date
Current
due date
4.2
Develop and implement and centralized tracking
system for incident reporting.
Deferred.
Q1 2020
4.3
Determine the frequency and need for the
community needs assessment. Consider updating
the needs assessment every 4 years in line with
term of Council.
Ensure the information included in the needs
assessment is current and relevant.
Ensure all information contained in the needs
assessment is directly tied to and supported by the
survey results.
Consider the use of an external resource to
prepare the needs assessment, or at a minimum
review the assessment prepared internally.
Deferred.
Deferred.
Deferred.
Deferred.
Q4 2020
Q4 2020
Q4 2020
Q4 2020
4.4
Implement an appropriate segregation of duties
for the sales, cash handling, and reporting
functions.
Ensure that all clients receive a payment receipt as
proof of purchase, including those who pay with
cash. Receipts should be produced in duplicate,
Deferred.
Deferred.
Q4 2019
Q4 2019
86
Outstanding Audit Recommendations Follow-Up Report January 2021
Internal Audit Report Page 27
Audit Report Recommendation Management response
Original
due date
Current
due date
with one copy to the client and one copy for the
Region’s records.
Ensure that all reconciliations are provided to
management for review and signoff prior to
submission of month end transaction reports to
Finance.
Ensure that supporting documentation for cash
sales is included in the month end submission to
Finance.
Ensure that the reconciled Hampson report is
included with the month end reports to Finance.
Ensure that management approval is evident on
the month end reports submitted to Finance.
Develop and implement a policy and
corresponding procedures to ensure that instances
of non-payment by clients are handled
consistently across all clinics, including a
mechanism to track and report all occurrences and
periodic review by management.
Deferred.
Deferred.
Deferred.
Deferred.
Deferred.
Q4 2019
Q4 2019
Q4 2019
Q4 2019
Q1 2020
4.5
Strengthen oversight and enforcement measures
to ensure that all mandatory training is completed
and tracked annually as required.
Deferred.
Q4 2019
87
Outstanding Audit Recommendations Follow-Up Report January 2021
Internal Audit Report Page 28
Audit Report Recommendation Management response
Original
due date
Current
due date
ENV – Warranty
Admin
4.1
Management should ensure that during the next
update to Project Server, Consultant email
addresses are able to be set up to receive warranty
related reminders and notifications set up by the
project team.
Complete. The automatic generation of
reminders related to the warranty period has
been included in the upgrade to Project Online.
These reminders include Consultants, as well
as internal project teams. This new
functionality was launched with Project Online
in September 2020.
Q3 2020
N/A
4.2
Management should develop a formal reporting
template for use during the Final Warranty
Inspection. This document should include a
checklist of warrantable items that have been
inspected that satisfies the requirements of the
CRM.
Additionally, this document should identify all
personnel in attendance at the Final Warranty
Inspection and include sign-off.
Complete. The Warranty Inspection Template
has been established to summarize inspection
outcomes by specification division and
includes inspection attendees. The Warranty
Tracking Tool in Project Online has been
established to action and assign outcomes.
Q4 2020
N/A
4.3
Management should consider updating the CRM
to require a formal inspection of warrantable
items during the warranty period at a defined
frequency.
Complete. N/A N/A
88
Outstanding Audit Recommendations Follow-Up Report January 2021
Internal Audit Report Page 29
Audit Report Recommendation Management response
Original
due date
Current
due date
4.4
For projects that were procured prior to the
implementation of CRM and currently under
warranty, or entering their warranty period,
Management should consider using the
Deficiencies under Warranty Reporting Form.
Complete. Digitization of the Deficiencies
Under Warranty Reporting Form was included
in the Project Online upgrade.
Q3 2020
N/A
4.5
Management should ensure that the responsibility
for recording warranty expiration date into
MAXIMO is clearly defined in the CRM ensuring
that work orders under warranty are identified.
Complete. OMM’s Work Management System
Coordinators are responsible for recording
warranty expiration information in Maximo.
The process has been documented in the latest
release of the CRM.
Q4 2020
N/A
4.6
Management should consider contractually
defining an extended warranty period for critical
pieces of process equipment.
Complete.
N/A N/A
Transportation –
Traffic Signals &
Illuminations
Maintenance
4.1
The contractor should be required to call into the
Region’s Roads and Traffic Operations Centre to
record arrival and departure times for high and
low priority work.
Contractor notification, arrival and departure
times to and from work sites should be reviewed
as a vendor performance management tool.
Management benchmarks for acceptable response
times are stipulated in the contract.
A dedicated telephone line for Contractor
reporting of arrival and departure times to the
Roads and Traffic Operations Centre is
underway. Completion of the installation is on
target and will be operational prior to year-end.
Q4 2020
Q4 2020
89
Outstanding Audit Recommendations Follow-Up Report January 2021
Internal Audit Report Page 30
Audit Report Recommendation Management response
Original
due date
Current
due date
Management should investigate management
reporting for this function under CityWorks.
4.2
A formal reconciliation of CMC, INS, FBI and
Luminaire Patrols should be performed at the end
of every maintenance period.
Management should ensure that all FBI records
are collected and clarify the acceptable repair
codes for each of these routine inspections with
the contractor.
Management should ensure that all RPC testing
occurs as required by the Region’s Traffic Signal
and Illumination Maintenance Contract best
practices.
Management should also investigate automating
the scheduling of this testing in CityWorks.
Complete. CityWorks reporting function
implemented and operational.
Complete.
Complete. Work Orders have been completed.
Complete. Management have investigated
automated scheduling of planned work orders
for inspection and testing in Cityworks.
Cityworks does have the capability to schedule
work orders, however, further integration with
the Region’s new asset database (TSO viewer)
is needed. Management will further explore the
feasibility of integrating this feature in 2021.
Q3 2020
N/A
Q4 2020
Q4 2020
N/A
N/A
N/A
N/A
90
Outstanding Audit Recommendations Follow-Up Report January 2021
Internal Audit Report Page 31
Audit Report Recommendation Management response
Original
due date
Current
due date
4.3
TSO management should determine if the
collection of private driver information by the
contractor is necessary. If so, management
should, through discussion with the Corporate
Services - Access & Privacy Office, consider
supplying the contractor with a notice from the
Region re the authority of the Region to collect
the information.
If not necessary, management should formally
communicate to the contractor to refrain from
collecting personal information from drivers of
non-commercial vehicles.
Collection of driver information from a
commercial vehicle would still be valid.
Complete.
N/A N/A
4.4
TSO Management should determine a reasonable
number of spare parts to keep, considering that
the older model controller cabinets are being
replaced every year and there is a decreasing
number of older cabinets in service. Once that
number is determined, management should ensure
the contractor disposes of any excess parts.
Quantities of spare parts to be retained
identified to Contractor. Disposal of excess
parts on target for year-end.
Q4 2020
Q4 2020
4.5
Management should investigate the use of
electronic devises (tablets, smartphones) to
On track for completion by Q4 2022.
Q4 2022
Q4 2022
91
Outstanding Audit Recommendations Follow-Up Report January 2021
Internal Audit Report Page 32
Audit Report Recommendation Management response
Original
due date
Current
due date
automate and replace the current manual steps
required in TOPS. To help ensure all data
collected is complete and accurate, drop down
menus also can be incorporated to match problem
codes to repair codes.
HYI – Contract
Management
4.1
Management should develop and formalize
policies and procedures within the HYI contract
management area. Roles and responsibilities
should be clearly defined and communicated to all
staff.
Delayed to Q1 2021 due to COVID-19.
Q3 2020
Q1 2021
4.2
Management should formalize a plan to ensure all
active contractors have current insurance on file
and implement a policy for on-going
tracking/managing of upcoming expiries.
Complete.
Q4 2020 N/A
4.3
Management should consider using the
maintenance tracking functionality of their current
Yardi system to better manage building
maintenance and contractor service delivery
commitments. At a minimum, management
should ensure the current tracking sheet is
reviewed and updated where necessary to allow
for better tracking of compliance requirements.
Complete.
N/A N/A
92
Outstanding Audit Recommendations Follow-Up Report January 2021
Internal Audit Report Page 33
Audit Report Recommendation Management response
Original
due date
Current
due date
Management should formally track the elevator
contracts to ensure all warranty service periods
are managed for compliance and coverage.
Management should follow up on the missing fire
safety sign offs and remind staff of their
responsibilities for completing all fire safety
checks. Additional training and/or review of fire
code requirements should also be considered.
Management should ensure all contracts are on
site and accessible for reference to ensure service
delivery commitments, etc. are properly tracked
and managed.
4.4
Management should implement the integrated
purchase order module for contracts along with
the work orders to centralize the purchasing
function and better manage contract status and on-
going commitments. A centralized purchase order
system would allow for better tracking of
commitments, clear communication of work to be
completed and cost, and ease of processing
invoices for payment.
Completion expected early, by the end of Q4
2020
Q4 2021
Q4 2021
Environmental
Services - Forestry
4.1
Management should create and finalize the
Standard Operating Procedures document.
On track – Work is underway to update
existing and create new standard operating
procedures as required. External expertise has
Q4 2021
Q4 2021
93
Outstanding Audit Recommendations Follow-Up Report January 2021
Internal Audit Report Page 34
Audit Report Recommendation Management response
Original
due date
Current
due date
Management should review the existing policies
and procedures that exist but have not been
updated or approved as far back as 2010, as well
as other various standards and guidelines, and
consider their inclusion in the Standard Operating
Procedures document.
Due to the inexperience and turnover of student
employees, we recommend reviewing the Juvenile
Tree Maintenance Field Guide for approval and
sign-off to be communicated with students.
been retained to assist with updating and
creating select procedures.
4.2
Management should consider performing regular
audits using the GPS analysis on the Contractor to
help ensure that the Contractor is spending
sufficient time on route to properly perform
watering. Management should include any audit
results as a standing item with the Contractor at
monthly meetings to formally document any
performance issues.
Management should review and update the
existing watering forms to include more detail
regarding the work performed by the Contractor.
The Region should ensure that these forms are
collected from the Contractor and maintained.
Complete. All contractor watering is being
audited on a regular basis using GPS analysis
and field inspections. Results are being
documented and communicated with
contractors as part of regular contract update
meetings. Contract meeting agenda template
has now been updated to include this item.
Complete. Watering audit forms have been
reviewed for all contracts and updated where
required to include additional detailed
information.
Q4 2020
N/A
94
Outstanding Audit Recommendations Follow-Up Report January 2021
Internal Audit Report Page 35
Audit Report Recommendation Management response
Original
due date
Current
due date
Management should also formally document and
track the soil moisture inspections performed and
their results.
Complete. Results of soil moisture audits have
been documented with these revised watering
audit forms.
4.3
Management should ensure that Contractors are
fulfilling their contractual requirement to provide
electronic notifications of work to the Region
within one working day notice and a minimum of
16 hours prior to commencing work each day (or
other, depending on the contract).
Complete. Requirements for electronic
notification have been reviewed for contracts
scheduled for tender in 2020/2021 and where
appropriate revised to reflect the nature of the
work. Compliance with contractual
requirements continues to be monitored for
existing contracts and contractors are
complying with the requirements.
Q4 2020
N/A
4.4
Management should document and maintain
evidence that the Contractor was provided all
mandatory training as required by the contract.
For all contracts with training requirements, the
Region should collect and maintain the
corresponding training records regularly as
evidence that training was provided.
Management should also ensure that train-the-
trainer courses are provided to the Contractor as
required by the contract, and that the Contractor
ensures their staff training is up to date as per
Region standards.
Complete. Contract training course sign-in
sheet template has been created and will be
implemented on all contracts containing
training requirements going forward.
Contractors completing training in house are
required to submit proof of training by
submitting a completed sing-in sheet to the
Region. These requirements have been
communicated to all Forestry staff responsible
for administration of contracts.
Q1 2021
N/A
95
Outstanding Audit Recommendations Follow-Up Report January 2021
Internal Audit Report Page 36
Audit Report Recommendation Management response
Original
due date
Current
due date
4.5
Management should implement formal deficiency
tracking across all contracts. Deficiency tracking
includes logging all deficiency items, their status,
and the length of time for satisfactory resolution.
This document should also ensure that we are
capturing all the necessary information for
contractor performance evaluation, if any,
required by the corresponding contract.
Management should consider the existing
deficiency tracking document maintained for the
mature tree maintenance contract as a template for
tracking deficiencies across other contracts.
On track – A review of all existing contract
deficiency tracking within the division has
been completed. Minimum requirements for
deficiency tracking across all contracts are
being developed in the form of a standard
operating procedure.
Q2 2021
Q2 2021
4.6
Management should collect and review the crew
qualifications for the mature tree maintenance
Contractor.
Management should also ensure that for all
contracts, as part of the contractor audit process,
documentation confirming qualifications is
obtained regularly and reviewed against contract
requirements to ensure the contractor and all their
crew is qualified to perform work on behalf of the
Region.
Complete. A review of all existing division
contracts was completed to identify any
missing documentation. All documentation
confirming qualifications has been collected.
Contractor meeting agenda templates have
been revised to include this item and the
revised templates have been communicated to
all Forestry staff responsible for administration
of contracts.
Q4 2020
N/A
96
Outstanding Audit Recommendations Follow-Up Report January 2021
Internal Audit Report Page 37
Audit Report Recommendation Management response
Original
due date
Current
due date
4.7
Management should include a periodic review of
contractor disposal logs and designated dumping
site information in the contractor audit process for
contracts which involve tree maintenance and
disposal.
This review should ensure that the contractor
disposes of material from trees in regulated areas
and quarantined zones in accordance with
Canadian Food Inspection Agency (CFIA)
regulations.
Complete. For contracts involving tree
maintenance and disposal, the disposal of
wood material has been reviewed and
confirmed in compliance with Canadian Food
Inspection Agency regulations.
Q2 2021
N/A
Community and
Health Services –
Paramedic Services
Fleet Management
DEFERRED
4.1
Redesign the Preventative Maintenance sheet
template to better align with the original
equipment manufacturer’s routine maintenance
schedule descriptions.
Ensure that all Preventative Maintenance sheets
are dated by the vendor when completed.
Complete. N/A N/A
4.2
Investigate opportunities to integrate the M5 and
QRS systems to eliminate the need for manual
transfer of data.
Deferred.
Note 1
4.3
Consider engaging an external consultant, or
dedicating internal resources, to perform a needs
assessment and determine which priorities must
Deferred.
Note 1
97
Outstanding Audit Recommendations Follow-Up Report January 2021
Internal Audit Report Page 38
Audit Report Recommendation Management response
Original
due date
Current
due date
be met with respect to facilities, staffing, and
vehicle inventory to accommodate legislated
requirements and ensure continued compliance
with Provincial mandates in a cost-effective
manner.
4.4
The Risk Management branch should take the
appropriate steps necessary to ensure that all
current vendor contracts have valid certificates of
insurance in the Region’s COI database.
Deferred.
Q2 2022
Note 1: As noted in the Paramedic Services Fleet Management audit report, due to the coronavirus pandemic and the related impact on Community
and Health Services (CHS) resources, Audit Services and CHS agreed to discuss implementation timelines at a later date. Once established, these
timelines will be communicated to Audit Committee.
98
1
The Regional Municipality of York
Audit Committee
January 14, 2021
Report of the Director, Audit Services
Audit Services Branch Charter
1. Recommendations
Regional Council approve the Audit Services Branch Charter (Attachment 1).
2. Summary
An Audit Services Charter is a governance document that establishes the Audit Services
Branch’s position within the Region and defines its overall purpose, authority and
responsibility. The adoption of an Audit Services Charter explicitly sets out the standards
under which the Audit Services Branch will perform its responsibilities.
As required by the International Standards for the Professional Practice of Internal Auditing
(Standards), the Audit Services Charter must be approved by the Audit Committee. The
Audit Committee has an existing Audit Committee Charter which defines its authority, roles,
and responsibilities. It was last updated at the June 7, 2017 Audit Committee meeting and
approved by Regional Council on June 29, 2017.
3. Background
Audit Committee Charter and the Audit Services Branch Charter
The Audit Committee Charter sets out the purpose, authority, roles and responsibilities in
regard to the Audit Committee’s fulfilment of its oversight role over the financial reporting
process, the system of internal controls of the Region, the internal audit process, and the
Region’s process for monitoring compliance with laws and regulations and the Code of
Conduct. The Audit Committee Charter is attached for reference as Attachment 2.
The Audit Services Branch’s authority and responsibilities are included in section 5.3 of the
Audit Committee Charter; however, an Audit Services Branch Charter has not been
developed and approved by the Audit Committee outlining the Audit Services Branch position
within the Region and its scope, authority, roles, responsibilities and its conformance with the
Standards. Both charters are important components of organizational governance.
99
Audit Services Branch Charter 2
4. Analysis
The Audit Services Branch Charter provides the details on how the Audit Services Branch will conform to the International Standards for the Professional Practice of Internal Auditing
The Audit Committee is responsible to review the effectiveness of the Audit Services Branch,
including its compliance to the International Standards for the Professional Practice of
Internal Auditing (Standards). The Audit Services Branch Charter formally establishes this
compliance in detail by:
Setting the purpose and mission of the Audit Services Branch
Identifying and describing for Regional Council and staff the detailed standards under
which the Audit Services Branch is expected to perform their responsibilities
Helping to ensure the Audit Services Branch has authority and access to fulfill its
duties
More clearly defining the Audit Services Branch’s independence, objectivity and
scope of activities and responsibilities
Formally recognizing a quality assurance and improvement program that helps
Regional Council maintain confidence in the effectiveness of the work performed by
the Audit Services Branch
Audit Services initiative supports the Strategic Plan
The Audit Services Branch, through both audit and consulting engagements, assists the
Region in achieving operational excellence and fiscal responsibility, which are two of the
action areas in Vision 2051 under Open and Responsive Governance. The audit and
consulting assignments assist management in ensuring processes are efficient, effective and
economical.
5. Financial
Audit Services Branch will manage its workload within the Audit Services budget.
6. Local Impact
In addition to providing audit and consulting services to the Region, the Audit Services
Branch also provides services to seven of the local municipalities through a Memorandum of
Understanding, on a cost recovery basis.
100
Audit Services Branch Charter 3
7. Conclusion
The Audit Services Branch Charter is a governance document that improves and strengthens
the Audit Services Branch position within the Region and defines its scope, authority, roles,
responsibilities and conformance with the Standards. The Charter supports the Strategic
Plan priority of Good Government to deliver trusted and efficient services.
For more information on this report, please contact Michelle Morris, Director, Audit Services
at 1-877-464-9675 ext. 71205. Accessible formats or communication supports are available
upon request.
Recommended by: Michelle Morris
Director, Audit Services
November 27, 2020
Attachments (2)
eDOCS #12058623
101
102
ATTACHMENT 1
The Regional Municipality of York
Audit Services Branch Charter
September 2020
103
Audit Services Branch Charter September 2020
Page 2 of 6
Purpose and Mission As part of Audit Committee’s responsibilities, the purpose of the Regional Municipality of York (York Region) Audit Services Branch is to provide independent, objective assurance and consulting services designed to add value and improve York Region’s operations. The mission of Audit Services is to enhance and protect organizational value by employing a risk-based approach to provide objective assurance, advice, and insight. The Audit Services Branch helps York Region accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management, and control processes. Standards for the Professional Practice of Internal Auditing The Audit Services Branch will govern itself by adherence to the mandatory elements of:
The Institute of Internal Auditors' (IIA) International Professional Practices Framework, including the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the International Standards for the Professional Practice of Internal Auditing, and the Definition of Internal Auditing.
York Region’s Code of Conduct. The chief audit executive (Director, Audit Services) will report routinely to York Region’s Audit Committee regarding the Audit Services Branch’s conformance to the IIA Code of Ethics and the IIA Standards. Authority The chief audit executive will report functionally to the York Region Audit Committee and administratively (i.e. day-to-day operations) to the Chief Administrative Officer. To establish, maintain, and help ensure that York Region’s Audit Services Branch has sufficient authority to fulfill its duties, the York Region Audit Committee will:
• Review and recommend for Regional Council’s approval the Audit Services Branch Charter on a periodic basis and/ or when changes are made.
• Review and recommend for Regional Council’s approval the risk-based Audit Services Branch Annual Audit Plan.
• Receive communications from the chief audit executive on the Audit Services Branch’s performance relative to its plan and other matters.
• Review and concur in the appointment, replacement or removal of the chief audit executive. • Make appropriate inquiries of management and the chief audit executive to determine whether
there are inappropriate scope or resource limitations. The chief audit executive will have unrestricted access to, and communicate and interact directly with, the York Region Audit Committee, including in private meetings without management present where necessary.
104
Audit Services Branch Charter September 2020
Page 3 of 6
The York Region Audit Committee authorizes the Audit Services Branch to: • Have full, free, and unrestricted access to all functions, records, property, and personnel pertinent
to carrying out any engagement, subject to accountability for confidentiality and safeguarding of records and information.
• Allocate resources, set frequencies, select subjects, determine scope of work, apply techniques required to accomplish audit objectives, and issue reports.
• Obtain assistance from the necessary personnel of York Region, as well as other specialized services from within or outside York Region, in order to complete the engagement.
• Make changes to the approved risk-based work plan as needed. Independence and Objectivity The chief audit executive (and staff) will ensure that the Audit Services Branch remains free from all conditions that threaten the ability of internal auditors to carry out their responsibilities in an unbiased manner, including matters of audit selection, scope, procedures, frequency, timing, and report content. If the chief audit executive determines that independence or objectivity may be impaired in fact or appearance, the details of impairment will be disclosed to appropriate parties. Internal auditors will maintain an unbiased mental attitude that allows them to perform engagements objectively and in such a manner that they believe in their work product, that no quality compromises are made, and that they do not subordinate their judgment on audit matters to others. Internal auditors will have no direct operational responsibility or authority over any of the activities audited. Accordingly, internal auditors will not implement internal controls, develop procedures, install systems, prepare records, or engage in any other activity that may impair their judgment, including:
• Assessing specific operations for which they had responsibility within the previous year. • Performing any operational duties for York Region or its affiliates. • Initiating or approving transactions external to the Audit Services Branch. • Directing the activities of any York Region employee not employed by the Audit Services Branch,
except to the extent that such employees have been appropriately assigned to auditing teams or to otherwise assist internal auditors.
Notwithstanding the previous paragraph, in case of a Regional emergency, to the extent that redeployment of staff may be necessary to support critical functions, Audit Services Branch staff may be required to perform otherwise non-audit related duties. Where the chief audit executive has or is expected to have roles and/or responsibilities that fall outside of internal auditing, safeguards will be established to limit impairments to independence or objectivity. Auditors will:
• Disclose any impairment of independence or objectivity, in fact or appearance, to appropriate parties.
• Exhibit professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined.
• Make balanced assessments of all available and relevant facts and circumstances. • Take necessary precautions to avoid being unduly influenced by their own interests or by others in
forming judgments. The chief audit executive will confirm to the York Region Audit Committee, at least annually, the organizational independence of the Audit Services Branch.
105
Audit Services Branch Charter September 2020
Page 4 of 6
The chief audit executive will disclose to the York Region Audit Committee any interference and related implications in determining the scope of internal auditing, performing work, and/or communicating results. Scope of Internal Audit Activities The scope of internal audit activities encompasses, but is not limited to, objective examinations of evidence for the purpose of providing independent assessments to the York Region Audit Committee, management, and outside parties on the adequacy and effectiveness of governance, risk management, and control processes for York Region. The scope includes York Region and any wholly owned subsidiary of the Regional Municipality of York but does not include York Regional Police. Audit Services assessments include evaluating whether:
• Risks relating to the achievement of York Region’s strategic objectives and business objectives are appropriately identified and managed.
• The actions of York Region’s officers, directors, employees, and contractors are in compliance with York Region’s policies, procedures, and applicable laws, regulations, and governance standards.
• The results of operations or programs are consistent with established goals and objectives. • Operations and programs are being carried out effectively and efficiently. • Established processes and systems enable compliance with the policies, procedures, laws, and
regulations that could significantly impact York Region. • Information and the means used to identify, measure, analyze, classify, and report such information
are reliable and have integrity. • Resources and assets are acquired economically, used efficiently, and protected adequately.
The chief audit executive will report periodically to senior management and the York Region Audit Committee regarding:
• The Audit Services Branch purpose, authority, and responsibility. • The Audit Services Branch plan and performance relative to its plan. • The Audit Services Branch conformance with The IIA’s Code of Ethics and Standards, and action
plans to address any significant conformance issues. • Significant risk exposures and control issues, including fraud risks, governance issues, and other
matters requiring the attention of, or requested by, the York Region Audit Committee. • Results of audit engagements or other activities. • Resource requirements. • Any response to risk by management that may be unacceptable to York Region.
The chief audit executive also coordinates activities, where possible, and considers relying upon the work of other internal and external assurance and consulting service providers as needed. The Audit Services Branch may perform advisory and related client service activities, the nature and scope of which will be agreed with the client, provided the Audit Services Branch does not assume management responsibility. Opportunities for improving the efficiency of governance, risk management, and control processes may be identified during engagements. These opportunities will be communicated to the appropriate level of management.
106
Audit Services Branch Charter September 2020
Page 5 of 6
Responsibility The chief audit executive has the responsibility to:
• Submit, at least annually, to senior management and the York Region Audit Committee a one-year risk-based audit plan for review and approval.
• Communicate to senior management and the York Region Audit Committee the impact of resource limitations on the audit plan.
• Review and adjust the audit plan, as necessary, in response to changes in York Region’s business, risks, operations, programs, systems, and controls.
• Communicate and seek approval of senior management and the York Region Audit Committee any significant interim changes to the audit plan.
• Ensure each engagement of the audit plan is executed, including the establishment of objectives and scope, the assignment of appropriate and adequately supervised resources, the documentation of work programs and testing results, and the communication of engagement results with applicable conclusions and recommendations to appropriate parties.
• Follow up on engagement findings and corrective actions, and report periodically to senior management and the York Region Audit Committee.
• Evaluate the potential for the occurrence of fraud and how the organization manages fraud risk. • Lead or support the investigation of suspected fraudulent activities reported to Audit Services. • Conduct consulting engagements as requested where the scope is defined by management or the
Audit Committee. • Ensure the principles of integrity, objectivity, confidentiality, and competency are applied and
upheld. • Ensure the Audit Services Branch collectively possesses or obtains the knowledge, skills, and other
competencies needed to meet the requirements of the Audit Services Charter. • Ensure trends and emerging issues that could impact York Region are considered and
communicated to senior management and the York Region Audit Committee as appropriate. • Ensure emerging trends and successful practices in internal auditing are considered. • Establish and ensure adherence to policies and procedures designed to guide the Audit Services
Branch. • Ensure adherence to York Region’s relevant policies and procedures, unless such policies and
procedures conflict with the Audit Services Charter. Any such conflicts will be resolved or otherwise communicated to senior management and the York Region Audit Committee.
• Ensure conformance of the Audit Services Branch with the Standards, except where conformance would violate legal or regulatory requirements. When the Standards cannot be conformed too, a qualification with the appropriate disclosure(s) to highlight the nonconformance will be issued.
Quality Assurance and Improvement Program The Audit Services Branch will maintain a quality assurance and improvement program that covers all aspects of the Audit Services Branch. The program will include an evaluation of the Audit Services Branch’s conformance with the Standards and an evaluation of whether internal auditors apply The IIA’s Code of Ethics. The program will also assess the efficiency and effectiveness of the Audit Services Branch and identify opportunities for improvement. The chief audit executive will communicate to senior management and the York Region Audit Committee
on the Audit Services Branch quality assurance and improvement program, including results of internal
107
Audit Services Branch Charter September 2020
Page 6 of 6
assessments (both ongoing and periodic) and external assessments conducted at least once every five
years by a qualified, independent assessor or assessment team from outside York Region.
108
The Regional Municipality of York
Audit Committee Charter 1. PURPOSE
To assist Regional Council in fulfilling its oversight responsibilities for the financial
reporting process, the system of internal control, the audit process, and the Region’s process
for monitoring compliance with laws and regulations and the Code of Conduct.
2. AUTHORITY
The Audit Committee has authority to conduct or authorize investigations into any matters
within its scope of responsibility. It is empowered to:
Appoint, compensate, and oversee the work of any registered public accounting firm
employed by the organization.
Resolve any disagreements between management and the auditor regarding financial
reporting.
Pre-approve all auditing and non-audit services.
Retain independent counsel, accountants, or others to advise the Committee or assist
in the conduct of an investigation.
Seek any information it requires from employees—all of whom are directed to
cooperate with the Committee's requests—or external parties.
Meet with the Region’s Management team, external auditors, or outside counsel, as
necessary.
3. COMPOSITION
The Audit Committee will consist of The Regional Chair (ex-officio) and at least three and
no more than ten members of Regional Council. The Regional Chair will recommend to
Regional Council the Committee members and Regional Council will appoint the members to
the Audit Committee. The Audit Committee will elect from among its members a Chair and
Vice-Chair.
4. MEETINGS
The Audit Committee will meet at least two times a year, with authority to convene
additional meetings, as circumstances require. The Committee will invite members of
management, auditors or others to attend meetings and provide pertinent information, as
necessary. Meeting agendas will be prepared and provided in advance to members, along
with appropriate briefing materials. Minutes will be prepared.
5. RESPONSIBILITIES
The Committee will carry out the following responsibilities:
ATTACHMENT 2
109
5.1 Financial Statements
Review significant accounting and reporting issues, including complex or unusual
transactions and highly judgmental areas, and recent professional and regulatory
pronouncements, and understand their impact on the financial statements.
Review with management and the external auditors the results of the audit,
including any difficulties encountered.
Review the annual financial statements, and consider whether they are complete,
consistent with information known to Committee members, and reflect
appropriate accounting principles.
Recommend to Regional Council the approval of the annual financial statements.
Review with management and the external auditors all matters required to be
communicated to the Committee under Generally Accepted Auditing Standards.
5.2 Internal Control
Consider the effectiveness of the Region’s internal control system, including
information technology security and control.
Understand the scope of internal and external auditors' review of internal control
over financial reporting, and obtain reports on significant findings and
recommendations, together with management's responses and the timing of the
disposition of significant findings.
5.3 Audit Services Branch
Review with management and the Director, Audit Services, the charter, plans,
activities, staffing, and organizational structure of the Audit Services Branch.
Ensure there are no unjustified restrictions or limitations, and review and concur
in the appointment, replacement, or dismissal of the Director, Audit Services.
Review the effectiveness of the Audit Services Branch, including compliance with
The Institute of Internal Auditors' Standards for the Professional Practice of
Internal Auditing.
5.4 External Audit
Review the external auditors' proposed audit scope and approach, including co-
ordination of audit effort with Audit Services.
Review the performance of the external auditors and recommend to Regional
Council the appointment or discharge of the auditors.
Review and confirm the independence of the external auditors by obtaining
statements from the auditors on relationships between the auditors and the Region,
including non-audit services, and discussing the relationships with the auditors.
5.5 Compliance
Review the effectiveness of the system for monitoring compliance with laws and
regulations and the results of management's investigation and follow-up
(including disciplinary action) of any instances of non-compliance.
Review the findings of any examinations by regulatory agencies, and any auditor
observations.
Review the process for communicating the Code of Conduct to Regional
personnel, and for monitoring compliance therewith.
110
Obtain regular updates from management and the Region’s legal counsel
regarding compliance matters.
5.6 Reporting Responsibilities
Regularly report to Regional Council about Audit Committee activities, issues,
and related recommendations.
Provide an open avenue of communication between Audit Services, the external
auditors, and Regional Council.
Review any other reports the Region issues that relate to Audit Committee
responsibilities.
5.7 Adequacy of Region’s Resources
Review the nature of evolving or developing businesses managed by the Region,
including those changes occasioned by business or process redesign.
As new businesses and ventures are embarked on by the Region, the Committee
would carry out a review in order to gain comfort that all appropriate processes
have been put in place to evaluate feasibility of the new business, and to ensure
proper resources, both human and financial, have been provided.
5.8 Other Responsibilities
Perform other activities related to this Charter as requested by Regional Council.
Institute and oversee special investigations as needed.
Review and assess the adequacy of the Audit Committee Charter during the term
of Council, requesting Regional Council approval for proposed changes, and
ensure appropriate disclosure as may be required by law or regulation.
111
112
1
The Regional Municipality of York
Audit Committee
January 14, 2021
Report of the Director, Audit Services
2021 Risk Based Work Plan
1. Recommendations
Regional Council approve the Audit Services Branch’s 2021 Risk-Based Work Plan
(Attachment 1).
2. Summary
This report provides Audit Services’ 2021 Risk-Based Work Plan for Council’s
approval (Attachment 1). The Work Plan is flexible and dynamic to allow for changes
in response to the Region’s changing priorities.
As reported to Audit Committee on June 10, 2020, the Four-Year Audit Plan has been
impacted by the Regional declared emergency caused by the COVID-19 pandemic.
As such, the Audit Services Branch has taken this opportunity to revise the Four-Year
Audit Plan from a four-year to a one-year basis.
This report informs Council of the risk assessment methodology used by the Region’s
Director, Audit Services to conduct a Region wide risk assessment. This risk
assessment is one component for developing the 2021 Risk-Based Work Plan.
Audit Services confirms their ability to independently and objectively carry out the
audits identified in the 2021 Risk-Based Work Plan. Through the budget process,
Audit Services has been allocated sufficient resources to deliver the workplan.
3. Background
The Region’s Audit Services Branch follows the International Standards for the Professional
Practice of Internal Auditing (“Standards”) as defined by the International Institute of Internal
Auditors. The Standards states that: “the chief audit executive must establish a risk-based
plan to determine priorities of the internal audit activity, consistent with the organization’s
goals”. The Standards require that “the internal audit activity’s plan of engagements must be
based on a documented risk assessment, undertaken at least annually.”
113
2
The Region’s risk landscape has been fundamentally altered by the ongoing pandemic.
Audit Services has re-evaluated its existing 2019-2022 work plan and has prepared a one-
year risk-based work plan for 2021 for Audit Committee’s approval.
The Standards require that the Director, Audit Services confirm to the board, at least
annually, the organizational independence of the internal audit activity. Organizational
independence requires the audit function to be free of interference in determining the scope
of internal auditing, performing audit work, and communicating audit results.
The Audit Services Branch, through its service offerings including assurance, consulting and
investigation services, assists the Region in achieving its goals and community results areas
in Vision 2051 under Open and Responsive Governance and in the 2019 to 2023 Strategic
Plan under Good Government. The internal audit activity is designed to add value and
improve an organization’s operations through a systematic and disciplined approach to
evaluate and improve the effectiveness of risk management, controls and processes.
4. Analysis
Risk Assessment
Audit Services identified five areas of risk that were assessed, which are summarized in
Table 1 below.
Table 1
Risk Categories
Risk
Categories Description of Risk
Strategic Risks that may prevent the achievement of business outcomes and
objectives. Exposure to loss resulting from a lack of response to the
changing business environment, adverse business decisions, and/ or
improper implementation of decisions.
Operational The risk of loss from people, systems, internal procedures or events which
have the potential for the organization to deviate from its objectives and
outcomes. Day-to-day risks typically managed by mid-level management
and staff.
Reputational Risk associated with negative publicity, perceived or real, regarding
Regional business practices, actions or inactions which could cause a
decline in the public’s trust and confidence.
114
3
Risk
Categories Description of Risk
Compliance The risks associated with non-compliance with laws, legislation, regulation
or policy. Non-compliance may be due to the complexity of the legislation
and various regulatory requirements across multiple business lines.
Financial Risk that the organization may not have adequate cash flow to sustain
financial obligations.
Audit Services conducted over 60 interviews with Directors, Managers and General
Managers to discuss each of the risk categories as they related to their areas of
responsibility. Audit Services developed a series of statements and questions related to each
of the five risk categories. Through these discussions, management assessed the extent to
which they agreed or disagreed with the questions and statements posed. Audit Services
assigned a numeric value associated with the answers that management provided and
calculated the overall relative risk associated with each risk area. These values were used to
calculate the overall risk ranking for each division.
The Region’s audit universe is comprised of 57 distinct branches or functional units. An audit
universe represents all areas that could be subject to internal audit activities within the
Region. The Region’s audit universe excludes York Regional Police as they are governed by
the York Regional Police Services Board. Table 2 below summarizes the distribution of
results of the risk ranking of the audit universe.
Table 2
Risk Prioritization Summary
Risk Level Number of Units Percentage (%)
Very High 3 5.2
High 15 26.3
Medium 27 47.4
Low/Medium 12 21.1
Total 57 100.0
The 2021 Risk-Based Work Plan focuses Audit Services’ resources on the units identified as
Very High and High risk.
115
4
Audit Plan
In developing the 2021 Risk-Based Work Plan (Attachment 1), Audit Services incorporated
information from different sources as outlined in Chart 1 below.
Chart 1
Risk Prioritization Summary
Audit Services prepared the 2021 Risk-Based Work Plan, assigning resources to the highest
risk areas. The Work Plan is flexible and dynamic in order to respond to the Region’s
changing priorities. The Work Plan includes time for management requests and
investigations, which are inherently unpredictable and occur throughout the year. The Work
Plan also includes time for educational programs, outreach and process improvement
initiatives as well as time to follow-up on outstanding audit recommendations and controls
monitoring.
5. Financial
Audit Services Branch will manage its workload within the Audit Services budget. Through
the budget process, Audit Services has been allocated sufficient resources to deliver the
workplan.
2021 Risk-Based
Work Plan
2020 Risk Assessment
2019-2022 Risk-Based Work Plan
Previous Audits and
Results
Auditor Knowledge
and Environmental
Scan
Senior Management
Input
116
5
6. Local Impact
The Audit Services Branch continues to provide audit services to seven of the local
municipalities through an Audit Services Memorandum of Understanding, on a cost recovery
basis. A similar exercise of risk assessment and audit planning is conducted at the local
municipalities.
Both the development services audit and the water billing audit will include involvement from
the local municipalities. Depending on the start dates of these audits, work may continue
into the 2022 year.
7. Conclusion
The Audit Services Branch’s 2021 Risk-Based Work Plan was developed using a risk
assessment methodology to determine how to best allocate audit and consulting resources
across the Region to the areas of highest risk.
For more information on this report, please contact Michelle Morris, Director Audit Services
at 1-877-464-9675 ext. 71205. Accessible formats or communication supports are available
upon request.
Recommended by: Michelle Morris
Director, Audit Services
November 27, 2020
Attachments (1)
eDOCS #12070016
117
118
Attachment 1 - Audit Services Branch 2021 Risk-Based Work Plan
Alignment with
2019 to 2023
Strategic Plan
Area of Focus Department/Branch Project
Last Time
Audited Risk and Rationale for Audit
Economic Vitality Transportation Services -
Transit Operations
Bus Operations
Contracts
2016 There are a significant number of
high value contracts in place. There
are new contracts in place since the
last time Audit Services audited this
area. Assurance should be provided
to ensure that contracts are being
managed and oversighted
appropriately.
Finance - Treasury
Office
Development
Charges
2012 Second only to taxes, DC Collections
represents the largest revenue
sources for municipalities for the
purposes of infrastructure
development as a result of growth.
York collects revenues from the local
municipalities. There is an
opportunity to review the
effectiveness and efficiencies of
processes in place to manage DC
Collections.
Good Government Legal Services - Court
Services
Revenue
Management
2010 Court Services provides front counter
services to the public to pay tickets.
Assurance should be provided that
Court Services has effective controls
in place for cash handling.
Finance - Strategy &
Transformation
Payroll Audit 2018 This area processes pay for over 4,000
salaried and hourly employees on a bi-
weekly basis. Further, Payroll
collects and stores private and
sensitive employee data in order to
accurately pay individuals. There is
a risk that information collected
maybe compromised and that pay to
staff may be inaccurate.
Corporate Services -
Regional Clerk
Phase 1 -
Handling of
Private
Information
N/A The Regional Clerk is the Privacy
Officer for the Region as delegated by
Council and is responsible for the
policy and processes for the collection
and protection of private information.
Various programs and services
collect, store and access private and
confidential client information in the
delivery of services. There are
opportunities to phase various audits,
based on risk, for service areas that
handle confidential information in
order to assess the adequacy of
controls in place to protect
information. Without effective
controls, client information may be
breached both by internal and
external parties.
119
Attachment 1 - Audit Services Branch 2021 Risk-Based Work Plan
Alignment with
2019 to 2023
Strategic Plan
Area of Focus Department/Branch Project
Last Time
Audited Risk and Rationale for Audit
Corporate Services -
Human Resources
Hiring Practices N/A As an equitable and fair employer,
the Region follows applicable
legislation and internally developed
policies and procedures to help ensure
employees are hired in an open, fair
and timely manner. Without
adequate controls over the hiring
process, there is a risk that practices
do not ensure that the right people
are hired at the right time.
Finance - Controllership
Office & Deputy
Treasurer
PCI Compliance N/A Various branches within the Region
handle credit card information for
payments by customers. The
Payment Card Industry Security
Standards Council (PCI SSC) sets
standards for handling credit card
information. Assurance should be
provided to ensure that the Region is
in compliance with PCI SSC.
Finance - Procurement
Office
Advisory Services 2017 The Procurement Office currently has
several initiatives to modernize the
Region's procurement function. A
new Procurement bylaw is also in
progress. The impact of responding to
COVID-19 has also impacted the
procurement function. There is an
opportunity to review proposed
changes to the Procurement bylaw
from a controls perspective and
provide value-added advice to the
Procurement team.
Corporate Services -
Property Services
Construction Act N/A Ontario recently passed various
amendments to the Construction Act.
Assurance should be provided that
Property Services has processes in
place to ensure the Region remains in
compliance with the Construction
Act.
Finance - Information
Technology Services
Cyber Security 2007 As identified in the 2019-2022 work
plan, cyber security risk continues to
be a risk faced by all organizations
but due to the transparency of public
sector organizations, may be more
acute. Information Technology
Services continue to manage attacks
against the Region and their
employees. Assurance should be
provided that controls in place are
effective and efficient at reducing
network security issues.
120
Attachment 1 - Audit Services Branch 2021 Risk-Based Work Plan
Alignment with
2019 to 2023
Strategic Plan
Area of Focus Department/Branch Project
Last Time
Audited Risk and Rationale for Audit
Sustainable
Environment
Environmental Services -
Environmental
Promotion & Protection
Waste
management
agreements
between Region
and the local
municipalities
N/A Contamination of blue box materials
has been a significant challenge.
There is additional cost in processing
contaminated blue box materials.
Assurance should be provided to
ensure there are appropriate
processes in place to manage blue box
materials collection agreements with
the local municipalities.
Environmental Services -
Operations Maintenance
& Monitoring
SCADA Audit N/A The Supervisory Control and Data
Acquisition (SCADA) system collects
and analyzes real-time data of the
Regional water plants and pumping
stations to ensure that York Region is
in compliance with Ontario Drinking
Water Regulations. Without effective
controls to manage the security of the
system, unauthorized users may gain
access to the system. There is an
opportunity to review security
controls in concert with the network
security audit noted above. Both
audits will require the support of
external professional services.
Environmental Services -
Infrastructure Asset
Management
Water Billing
Audit
2014 The Region bills significant amounts
to the local municipalities for water
services. Assurance should be
provided over the efficiency and
effectiveness of the Region's water
billing processes and collections
including the systems used to create
bills, distribution of water bills and
customer service metrics.
Note 1 - Certain branches within the Community and Health Services Department ranked as high risk, but given the
current pandemic response, Audit Services will not be performing audits but will focusing on providing advisory services as
necessary in 2021.
121
