PricewaterhouseCoopers LLP
To Windsor City Council
Our Services were performed and this Report was developed in accordance with our engagement letter dated April 18, 2013 and are subject to the terms and conditions included therein.
Our Services were performed in accordance with IIA Professional Practices Framework (“IIAPPF”). Accordingly, we are providing no opinion, attestation or other form of assurance with respect to our work and we did not verify or audit any information provided to us.
Our work was limited to the specific procedures and analysis described herein and was based only on the information made available through May 1, 2014. Accordingly, changes in circumstances after this date could affect the findings outlined in this Report.
This information has been prepared solely for the use and benefit of, and pursuant to a client relationship exclusively with the Corporation of the City of Windsor (“City”). PwC disclaims any contractual or other responsibility to others based on its use and, accordingly, this information may not be relied upon by anyone other than the City.
Windsor, Ontario
May 12, 2014
Table of Contents
Detailed Plan
1. Introduction
2. Key Updates to the Plan
3. Auditable Entities
4. Key Risk Themes
5. Risk Ratings
6. Risk Culture – Employee Survey
7. 2014-2016 Internal Audit Plan
Appendices
8. Appendix A: Methodology and Approach
9. Appendix B: Risk Definitions
10. Appendix C: Risk Profile
Introduction
This Internal Audit Plan has been updated to incorporate the following auditable entities:
• Committee of Adjustment;
• Ottawa Street Business Improvement Area; and
• Pillette Village Business Improvement Area.
In addition, 8 internal audit projects, including 4 ABC projects, are confirmed. The prior year’s risk assessment was validated with management during a risk validation and draft plan presentation held with the CLT, or designates.
This plan represents the proposed project coverage for the next 3 years for the annual cycle of June 1 through to May 30. The next slide provides an overview of the annual timeline proposed.
2014-15 timeline overview
[Timeline figure: months from May ’14 through June ’15. Milestones shown: approval of rolling 3 year plan for 2014/15; Q1 report to ECC; Q2 report to ECC *; Q3 report to ECC; Q4 report to ECC; approval of rolling 3 year plan for 2015/16.]
Legend:
• Planning, development and approval of 3 year plan
• Proposed timing of internal audit work
• Review and adjustment of 2014/15 audit plan
• Proposed City Council touch points. We commit to meeting with the City Council at least 4 times a year, but will arrange additional meetings if necessary for plan approvals, delivery of reports, and other key milestones. Quarterly reports will include observations to date, status of management actions, and internal audit performance dashboard.
* The Second Quarter Report to ECC is expected to be presented in January 2015 since there is no ECC meeting in the month of December.
Key Updates to the Plan
This Internal Audit Plan has been updated in consideration for the following:
1. No new risks have been identified since the last revised Internal Audit plan approved on February 24, 2014. Accordingly, sections of this Internal Audit plan which have not changed since February 2014 include Sections 4, 5, 6 and 9.
2. 4 City processes and 4 ABCs confirmed and included in the 2014/15 audit plan.
3. 4 new City projects identified and planned for year three of the Internal Audit Plan.
4. Updated approximate general calculation of coverage of our annual and 3 year plan efforts. These coverage estimates and market comparable have been included in the plan. IA effort coverage analysis has been updated to reflect the coverage of the entity as a result of the projects to be executed in the next year and next 3 years.
5. Handi-Transit is removed from the listing of auditable entities.
Auditable Entities
City of Windsor – Council and Strategic Planning
City of Windsor – Economic Development & Public Safety
City of Windsor – Social Development, Health, Recreation & Culture
City of Windsor – Environmental Protection & Transportation
City of Windsor – Public Engagement & Human Services
City of Windsor – Finance & Technology
Windsor Canada Utilities Ltd.
Enwin Utilities Ltd
Enwin Energy Ltd
Windsor Utilities Commission
Your Quick Gateway
Windsor Detroit Tunnel Corp.
Windsor Police Service
Windsor Public Library
Committee of Adjustment
Windsor Essex County Health Unit
Tourism Windsor Essex Pelee Island
Windsor Essex Community Housing Corporation
Huron Lodge Committee of Management
Essex Windsor Solid Waste Authority
Windsor Licensing Commission
Downtown Windsor Business Improvement Association
Erie Business Improvement Association
Ford City Business Improvement Association
Olde Riverside Business Improvement Association
Olde Sandwich Towne Business Improvement Association
Walkerville Business Improvement Association
Wyandotte Towne Centre Business Improvement Association
Windsor Essex County Economic Development Corp
Transit Windsor
Roseland Golf & Curling Club Ltd.
Pillette Village Business Improvement Association
Ottawa Street Business Improvement Association
Essex Region Conservation Authority
Legend: Included in scope of current IA plan; Non-participating ABCs
Risk Themes
External Risks: Political; Economic factors; Socio-Cultural; Legislative; Pandemic/Hazards; Terrorism; Funding; Public relations/expectations; Technology; Public safety; Vandalism
Internal Risks:
• Strategic: Governance; Planning & resource allocation; Public relations; Public policy; Reputation; Third party performance; Infrastructure; Environmental; Conflicting Priorities; Transparency
• Operational: Service delivery; Material resources; Information for decision making; Security & privacy; Technology cost; Technology enablement; Technology experience; Asset protection; Value creation/enhancement; Departmental coordination; Operational oversight
• Organizational: Structure/culture; Accountability; Scalability; Human resources; Succession planning/capacity; Labour relations
• Financial: Capital structure; Treasury/liquidity; Accounting & reporting; Fraud & corruption; Loss/theft of assets; Funding oversight
• Legal/Compliance: Compliance; Environmental; Public policy; Litigation
Change Risks:
• Strategic: Major initiatives; Sourcing/cessation
• Operational: Program delivery; Implementation/transition; Benefits realization/sustainability
• Organizational: Readiness
• Financial: Cost/time
• Legal/Compliance: Alignment
The following risk universe groups risks identified during our risk assessment based on risk type, as follows: External, Internal and Change related risks. The impact and likelihood of these risks were assessed by management using the risk ratings in section 5 during a survey and subsequent workshop. Definitions for each risk are included in Appendix B.
Key Risk Themes
We summarized and grouped risks identified during our risk assessment based on risk type, as follows: External, Internal and Change related risks. Red items indicate a high risk, yellow a medium risk and green a low risk (none identified by management). We did not validate the risks identified or assign a weighting of the severity of the risks mentioned at this juncture. Likelihood of these risks occurring and the potential impact on the City are assessed in the Risk Profile presented in Section 10.
[Figure: the same risk universe as under Risk Themes (External, Internal and Change risks, with the Internal and Change risks split into Strategic, Operational, Organizational, Financial and Legal/Compliance), colour-coded by risk rating.]
Risk Ratings - Approach
Ratings were used to prioritize the identified risks as well as rank the internal audits designed to address the risks. In assigning a risk rating for the inherent risks identified, two factors – likelihood and impact – were considered before considering the effectiveness of the existing control environment. The likelihood rating represents the probability that an event or risk could occur. The likelihood of the risk occurring before the effect of risk mitigation actions and the strength of internal controls was based on the definitions in the chart below.
The impact rating represents the City's exposure from a financial, regulatory or reputation perspective should the event or risk occur. The average of two impacts was considered – corporate impact and citizen impact. The impact of the risk on the corporation and citizen responsibilities before the effect of risk mitigation actions and the strengths of internal controls was based on the definitions below:
Risk Ratings - Approach
Based on the results of the interviews, our review of prior risk assessments, knowledge of the industry risks and knowledge of the City's business, the impact of each identified risk was categorized as “higher”, “medium” or “lower” as defined in the chart below on the right.
Based on the assessment of likelihood and impact, an overall risk rating was assigned. This assessment was made prior to consideration of the strength of internal controls, risk monitoring activities, or processes surrounding the risk area. Overall Risk Assessment ratings help prioritize the risks. Higher risk areas require more immediate attention by the City – either in the form of internal audit projects, management attention or other risk monitoring activities. This approach is outlined on the next page.
Risk Ratings - Approach
Higher Risk
• Almost certain & medium impact
• Almost certain & high impact
• Likely & high impact
Moderate Risk
• Almost certain & low impact
• Likely & medium impact
• Not likely & high impact
Low Risk
• Likely & low impact
• Not likely & low impact
• Not likely & medium impact
[Figure: risk matrix with Likelihood (Not Likely, Likely, Almost Certain) on the vertical axis and Impact (Low, Medium, High) on the horizontal axis.]
Risk Ratings - Results
1. Political
2. Legislative & regulatory
3. Funding
4. Public reaction/expectation
5. Socio-Cultural
6. Economic factors
7. Terrorism
8. Vandalism
9. Pandemics/Hazards
10. Technology
11. Public Safety
12. Governance
13. Planning & resource allocation
14. Public relations
15. Public policy
16. Reputation
17. Third party performance
18. Environmental
19. Conflicting priorities/demands
20. Transparency
21. Infrastructure
22. Service delivery
23. Material resources
24. Information for decision making
25. Security and privacy
26. Technology enablement
27. Technology cost
28. Technology experience
29. Inter-Departmental coordination
30. Asset protection
31. Value creation/enhancement
32. Structure/culture
33. Human resources
34. Succession planning/capacity
35. Labour relations
36. Accountability
37. Scalability
38. Capital structure
39. Treasury/liquidity
40. Accounting and reporting
41. Fraud & corruption
42. Loss/theft of assets
43. Compliance
44. Environmental
45. Public policy
46. Litigation
47. Major initiatives
48. Sourcing/Cessation
49. Program delivery
50. Implementation/Transition
51. Benefits realization/sustainability
52. Readiness
53. Time/Cost
54. Alignment
55. Funding oversight
56. Operational oversight
[Figure: risk profile plotting risks 1 to 56 as numbered circles on the matrix of Likelihood (Not Likely, Likely, Almost Certain) against Impact (Low, Medium, High).]
Filled circles indicate where an internal audit project is proposed to evaluate and validate risk management activities.
Filled circles indicate where an internal audit project addressed the risk in a previous year.
Transparent circles indicate broad, inherent risks. These risks should be closely monitored by the management and re-evaluated on a periodic basis to determine whether it is appropriate and feasible to include them in the subsequent year’s Internal Audit plan.
Further detail on Internal Audit projects can be found in the Risk Profile in Section 10.
Risk Culture – Employee Survey
A key component of our Enterprise Risk Assessment was to understand management's view of the risks and the risk culture at City of Windsor. To meet this objective we surveyed 25 non-executive level managers, all of whom were City Department personnel and did not include ABC management (with a response rate of 84%), to further understand their view on risks facing City of Windsor to ensure there is a consistent understanding across management of what is important. It should be noted that this survey was initially performed in June 2013 and no changes have been noted subsequent to June 2013. Overall, the survey provided comfort that both executive management and middle management share similar views on risk.
In addition, we asked very specific questions regarding the risk culture at City of Windsor. The table on the following page summarizes the results of the risk culture portion of the survey.
Certain observations can be made from the results of the risk culture survey. We have summarized these observations below.
Some positive themes of the City of Windsor culture that the survey highlighted include:
• Employees have comfort that they can safely communicate issues to senior leadership
• Employees have contentment with guidance and direction provided by leadership
• Understanding of perceived risk that employees can take on behalf of City of Windsor
• Concurrence of adequate controls around information security and overall business processes
Themes where the City of Windsor should pay attention to increase perceived culture include:
• Impact of turnover and the ability to adequately achieve set objectives
• Investment in the long term
• Inadequacy of technology and communication infrastructure in maximizing job effectiveness
• Inefficient and ineffective communication between units
• Inconsistent compensation standards
2014-2016 Internal Audit Plan
An overall Internal Audit strategy for the City was determined in light of the business strategy as well as the current controls maturity, the overall inherent risks, the ranking of the risks, the perceived adequacy of controls and any control initiatives underway. In developing our plan, consideration was given to the nature of the risk and the ability of Internal Audit to add value beyond work that is already being performed by management.
All successful internal audit functions go through several stages of evolution based on the organization's need. The model to the right shows a continuum of focus based on stakeholder expectations and the maturity factors discussed above. There is no single model for Internal Audit; rather, its function is derived from the current needs of the organization and its design should be to meet the risk management priorities of the business and stakeholders' needs and expectations.
Our stakeholder discussions have indicated the desire for the City Internal Audit to initially focus on a more value protection mode, with an evolution to a more balanced focus over time. Our proposed 2014-2016 Internal Audit plan takes this into account with a move over time towards the dotted line on the illustration above, but with a constant consideration of financial control risk.
2014-2016 Internal Audit Plan
The proposed Internal Audit plan is the final step of the Risk Assessment and can be found on the subsequent pages of this report. Internal Audit should focus its annual audit plan principally on activities, processes or areas of the City that are perceived to present the greatest risk to the achievement of the City's strategic or business objectives or where controls or other mitigating control practices may not be as effective as desired. The proposed 3 year audit plan beginning June 2014 attempts to cover a portion of most of the identified risks that are rated “higher” on the risk assessment matrix.
In addition, to gain coverage over the auditable entities not yet included in the risk assessment – the 26 agencies, boards and commissions (ABCs) – there will be roughly 4 projects for the ABCs per year to attain a portion of coverage of each ABC over 7 years. Another round of ABC risk assessment is expected to occur prior to year 3 of the plan.
We propose Internal Audit will adopt a continuous risk assessment process whereby internal audit areas and corresponding risk profiles will be revisited as the City's business changes. This will result in ongoing risk discussions with members of management and adjustments to the Internal Audit plan as needed. The frequent risk discussions will allow for timely identification of changes in the risk environment and closer alignment of Internal Audit projects with these risks and the changing business needs.
The following table outlines the proposed internal audit projects:
2014/15 Internal Audit Project Summary
Annually Recurring Projects
Internal Audit Area | Description
Planning
Risk Assessment and Annual Plan Development | Identify value drivers, facilitate or leverage management’s corporate risk and control self assessment and draft a 3 year rotational internal audit plan.
Management and reporting
Status & Performance Reporting | Provide quarterly reports to Council, CLT and SMT on internal audit performance and project status. Monthly status and liaison reporting/coordination.
Attendance at Key City Meetings | Attendance at or review of selected Council, CLT and SMT meetings/sessions to provide information or enhance internal audit’s risk and operations awareness.
Recurring projects
Prior Findings Follow-Up | Follow up on management’s resolution of prior findings on a quarterly basis.
Inbound Call Investigation | Receive, log and apply call resolution decision framework and provide status reporting to CLT and Council.
Unallocated | Effort reserved in accordance with recommended practices to address ad hoc queries in the year.
Legend: Previous Year Projects; Projects within 3-year plan; Projects beyond 3 years; Recurring Projects
2014-2016 Internal Audit Project Summary
Rotational Projects – City Departments
Internal Audit Area 2013/14 2014/15 2015/16 2016/17
Provide governance and strategic leadership to the Corporation and ensure policies of the Municipality are implemented X
Purchasing, payables, tendering, procurement and third party management integrated with a hotline call follow up X
Manage information security X
Recommend annual operating and capital budgets X
Succession planning and management X
Manage infrastructure X
Manage changes to information systems X
Manage capital structure X
Manage the daily operations of service delivery X
Fraud Risk Management X
Governance of information technology to support the business objectives and strategies X
Protecting the Environment X
Oversight of major City projects and initiatives X
Property billing and tax collection services X
Legal & Risk Management Services X
Further description of the 2014/15 projects and the risks they are aligned with is included on pages 33-34.
2014-2016 Internal Audit Project Summary
Rotational Projects – Agencies, Boards & Commissions/Hotline Investigation
Internal Audit Area 2013/14 2014/15 2015/16 2016/17 2017/18 2018/19 2019/20
Transit Windsor X
Your Quick Gateway X
Windsor Detroit Tunnel Corporation X
Essex Windsor Solid Waste Authority X
Windsor Public Library X
Windsor Essex Community Housing Corporation X
Huron Lodge X
Windsor Utilities Commission X
Enwin Utilities Ltd X
Enwin Energy Ltd/Windsor Canada Utilities Ltd. X
Further description of the 2014/15 projects and the risks they are aligned with is included on page 35.
2014-2016 Internal Audit Project Summary
Rotational Projects – Agencies, Boards & Commissions/Hotline Investigation
Internal Audit Area 2013/14 2014/15 2015/16 2016/17 2017/18 2018/19 2019/20
Windsor Police Service X
Roseland Golf & Curling Club X
Windsor Essex County Economic Development Corp X
Tourism Windsor Essex Pelee Island X
Committee of Adjustment X
Windsor Licensing Commission X
Downtown Windsor Business Improvement Association X
Erie Business Improvement Association X
Ford City Business Improvement Area X
Olde Riverside Business Improvement Area X
Olde Sandwich Towne Business Improvement Area X
Ottawa Street Business Improvement Area X
Pillette Village Business Improvement Area X
Walkerville Business Improvement Area X
Wyandotte Towne Centre Business Improvement Association X
Further description of the 2014/15 projects and the risks they are aligned with is included on page 35.
ABC Audit Approach
In many instances the issues and risks of both the City and the ABCs are similar in their inherent nature. Given the finite resources to be applied in assessing the appropriate risk management and internal practice across 35 different auditable entities, Internal Audit is recommending a structured approach to incorporating ABCs into the Internal Audit Plan.
For each ABC, Internal Audit proposed to conduct one of 3 potential types of reviews:
1. Expanded Review of Specified Objectives
2. Targeted Review of Specified Objectives
3. Selected Review of High Risk Area
The Expanded and Targeted Review of Specified Objectives will focus on predetermined key City business objectives where the ABCs have a direct impact. The type of project (Expanded/Targeted) will be aligned to the nature, size and relationship of the ABC to the City. We have outlined the key areas for both the Expanded and Targeted Review of Specified Objectives in the following table:
ABC Audit Approach con’t
Topic | Targeted Review of Specified Objectives | Expanded Review of Specified Objectives
City Reporting relationship & agreement X X
Compliance with city reporting relationship X X
Tone at the top X X
Policy framework and evidence of compliance X X
Regular reporting to City X X
Shared services X
Integrity of management information X X
Succession planning X
Funding/budget process X
Fraud risk management protocols X X
Cash management process X X
Media monitoring and escalation X X
IT governance X
Change management X
Information and data security X
Select Reviews of High Risk Areas will be Internal Audit projects tailored to High Risk areas that warrant attention due to the nature of the risk or where the project effort level is expected to result in an improved risk posture for the City as a corporation.
Internal Audit Coverage Summary for 3 Year Plan
The coverage factors in the following table represent the highest potential coverage. Actual coverage obtained may be less than the stated values because projects may only address high risk processes and/or key controls.
Area | Annual Coverage Factor will be less than | 3 Year Cycle Coverage factor will be less than
Corporate Process Coverage: | 1.5% | 5%
High Risks Considered* | 10% | 36%
ABC entity touch points: | 15% | 46%
ABC coverage: | Indeterminable | Indeterminable
* It is important to note that a common target for Internal Audit coverage in a 3-5 year plan is to address 80-100% of the high risk considerations plus emerging issues and management and professional standards requirements.
2014/15 Internal Audit Project Summary
Internal Audit Activity Allocation (Hours)
Planning 250
1. Risk Assessment and Annual Plan Development 250
Management and reporting 350
2. Status & Performance Reporting 120
3. Attendance at Key City Meetings 230
Projects (11) 1,900
4. Prior Findings Follow-Up 120
5. Inbound Call Investigation 80
6. Recommend annual operating and capital budgets 250
7. Succession planning and management 175
8. Manage infrastructure 175
9. Manage changes to information systems 250
10. Windsor Detroit Tunnel Corporation 230
11. Essex Windsor Solid Waste Authority 190
12. Windsor Public Library 190
13. Windsor Essex Community Housing Corporation 190
14. Unallocated 50
Total 2,500
2014/15 Internal Audit Project Description
Internal Audit Area | Description/Related Risks
Manage infrastructure | Evaluate the process and controls in effect surrounding the planning and implementation of replacing and restoring infrastructure.
Risks: Legislative and regulatory, Funding, Public Relations and expectations, Vandalism, Public Safety, Reputation, Conflicting priorities/demands, Infrastructure, Service delivery, Technology Enablement, Technology cost, Asset protection, Capital structure, Treasury/liquidity, Loss/theft of assets,
Manage changes to information systems | Evaluate the process and controls in effect when planning and implementing information systems.
Risks: Information for decision making, Security and privacy, Technology enablement, Technology cost, Technology experience, Asset protection, Implementation/transition
2014/15 Internal Audit Project Description
Internal Audit Area | Description/Related Risks
Recommend annual operating and capital budgets | Evaluate the process and controls in effect when planning and developing budgets.
Risks: Funding, Public Relations and expectations, Economic factors, Governance, Planning and resource allocation, Public policy, Reputation, Conflicting priorities/demands, Transparency, Service delivery, Information for decision making, Capital structure, Treasury/liquidity, Major initiatives, Sourcing/cessation, Time/cost
Succession planning and management | Evaluate the process and controls in effect to identify, manage, monitor and mitigate succession planning risks or single points of failure.
Risks: Succession planning/capacity, Service delivery, Program delivery, Governance, Structure/culture, Human Resources
ABC Audit Approach con’t
Topic | Targeted Review of Specified Objectives | Expanded Review of Specified Objectives
Windsor Detroit Tunnel Corporation X
Essex Windsor Solid Waste Authority X X
Windsor Public Library X X
Windsor Essex Community Housing Corporation X X
Risks for targeted reviews: Operational oversight, Funding oversight, Program delivery, Governance, Structure/culture, Legislative & regulatory, Public reaction/expectation, Governance, Planning & resource allocation, Reputation, Service Delivery, material resources, Information for decision making, Security and privacy, Inter-departmental co-ordination, Asset protection, Value creation, Structure/culture, Labour relations, Accountability, Scalability, Treasury/liquidity, Fraud & corruption, Loss/theft of assets, Compliance, Sourcing/cessation, Program delivery, Benefits realization/sustainability, Compliance, Transition/implementation
Risks for expanded reviews: Operational oversight, Funding oversight, Succession planning/capacity, Service delivery, Program delivery, Governance, Structure/culture, Human Resources, Legislative & regulatory, Public reaction/expectation, Governance, Planning & resource allocation, Reputation, Third party performance, Service Delivery, material resources, Information for decision making, Security and privacy, Inter-departmental co-ordination, Asset protection, Value creation, Structure/culture, Labour relations, Accountability, Scalability, Treasury/liquidity, Fraud & corruption, Loss/theft of assets, Compliance, Sourcing/cessation, Program delivery, Benefits realization/sustainability, Compliance, Transition/implementation
Methodology and Approach
Our risk assessment methodology involved an identification of the strategy, goals and objectives of the City and the related risks that could potentially impair the achievement of those objectives. A key objective of this risk assessment is to align the Internal Audit plan with the most critical risks facing the City. The key activities performed initially in June 2013 and subsequently in May 2014 are as follows:
June 2013:
• Reviewed relevant information regarding the City including financial statements and other internal reports and information.
• Interviews of approximately 25 executive management team members and 30 ABC management team members were conducted. These representatives were from all departments and agencies, boards and commissions.
• Administered a comprehensive risk survey to a cross section of approximately 17 management team members.
• Performed a value driver analysis to gain understanding of key company strategy and the value creating processwith highest impact on achieving that strategy.
• Summarized the risks identified to capture the most significant risk categories.
• Analyzed and rated the risks to assess the likelihood of each identified risk occurring and its potential impact.
• Performed a high-level assessment of the control environment surrounding the identified risks.
• Reviewed our inventory ("Audit Universe") of key risks, business processes, activities, applications and business units, which are potentially subject to audit, and updated the Audit Universe, if necessary.
Methodology and Approach con’d
May 2014:
• Internal Audit met with CLT members to validate prior years internal audit planning risk assessment andidentified any significant changes in risk positioning , new risks and areas of management concern. Nosignificant changes were identified.
• Recommended to senior leadership through this report, a three year Internal Audit plan to address theidentified risks subject to audit and to cover other areas within the Audit Universe on a multi-year, rotationalbasis.
From our review and the interviews, surveys and workshop with members of the SMT and CLT team we developed aRisk Profile (included on page 18) using a color-coded scheme to assess the severity of the risks related to the Citymost significant value creating processes. The matrix provides a framework for directing internal audit resources to theareas of higher risk and for estimating the level of Internal Audit resources required to monitor the risks. It includes anassessment of the severity of the risks (based on likelihood and impact [Corporate and Citizen]) and the effectiveness orperceived maturity of the controls in place to mitigate the risks (a controls assessment). The risks included in the matrixwere either those mentioned by our interview and survey participants (some risks more frequently than others) oridentified in other risk projects by management. They have not been corroborated through testing or the gathering ofother evidence. It is likely that the matrix does not include all the risks the City faces, but the risks noted appear toinclude the most widely recognized. These initial assessments are subject to review and adjustment by CorporateLeadership and the City Council.
Additionally, in developing our audit plan for 2014/15, we also considered whether or not the risks linked to these keyprocesses were good candidates for current Internal Audit activity. In some cases, the risks identified are inherent in thebusiness and, therefore, it may be impractical, ineffective or inefficient to allocate Internal Audit resources to audit therisks. In these cases, these risks should be addressed by another risk monitoring function or management may considerdeveloping internal controls or processes to address these risks.
Risk Definitions
Domain Risk Definition
External
Political: The risk that political unrest, changes in office bearers, future elections (local, provincial and federal) impair or significantly change/redirect the City’s mandate, operations or funding models.
Legislative & regulatory: Changes or conflicts in legislation, the regulatory environment and laws or conflicts in legislation impair or significantly change/redirect the City’s mandate, operations or funding models.
Funding: The risk that changes in funding models and allocations occur, resulting in an unplanned reduction in service or an inability to react in a timely manner.
Public reaction/expectation: The risk that services, policies and administrative directives do not meet citizen needs or require undue attention and resource deployment.
Socio-Cultural: Unemployment, migration of workers, socio-cultural needs, demographics and citizen/business expectations change and adapt requiring redirection in public policy, funding and management attention.
Economic factors: Changes in inflation, foreign exchange fluctuations, interest rates, employment rates, business startup/creation/departure impact current and future revenue streams and public needs.
Terrorism: Intentional acts of terror occur resulting in the need for emergency services or increased services and funding from City sources.
Vandalism: Intentional acts of vandalism occur resulting in the need for emergency services or increased services and funding from City sources.
Pandemics/Hazards: The risk that a health or natural occurrence beyond management’s control impacts normal operations and support services to municipal stakeholders. Factors to consider include:
• Depletion of natural resources
• Environmental degradation
• Spillage
• Pollution
• Flooding/freezing/storm
• Epidemics
Technology: The risk that municipal adoption, avoidance or use of technology does not appropriately align with advancements in technology and public/stakeholder expectations or with potential value creation.
Public Safety: The risk that public safety is impaired due to a failure of public services.
Internal – Strategic
Governance: The risk that governance mechanisms fail to enable a culture of awareness, consistent values and reputational protection/enhancement.
Planning & resource allocation: Planning and resource allocation and decisions results in unnecessary expenditure, impairment of value, misalignment of resources with priorities and is not adaptable to change.
Public relations: Inappropriate or erroneous disclosure of information is made to the media/public resulting in unnecessary resource allocation, costs, public scrutiny and/or legal action.
Public policy: Public policy objectives are not aligned with municipal stakeholder needs or fail to be attained resulting in a failure of mandates and unnecessary costs.
Reputation: Media, public perception, policy, resource allocation and/or funding issues result in impaired reputation decreasing public and business profile, operational ability and future revenue sources or increasing operating costs.
Third party performance: Third party providers failure to perform to the agreed to service levels, do not render the service in time, do render the correct service or deliver inadequate/poor service resulting in lost revenues, increased operational costs, lost time, public scrutiny, increased oversight or reputation risk. This risk also includes the misalignment of public service needs and private sector profits.
Environmental: Operational actions result in environmental exposures issues and non-compliance with policies and expectations.
Conflicting priorities/demands: The risk that differing priorities and demands between citizen, council, administration as well as federal and provincial bodies creates a stalemate, inability to act, lost resources, service delays.
Transparency: The risk that citizen, federal, provincial and business partner expectations with regards to transparency are not met, understood or attained.
Infrastructure: The risk that infrastructure is not available, able to be maintained or suitable for current and operational needs.
Internal – Operational
Service delivery: The risk that service delivery to citizens and businesses is not efficient and effective or is lacking in quality. The risk that services delivered do not provide value to those to whom they are delivered.
Material resources: Material resources needed to enable operations are not available, costly to attain, cannot be acquired in a timely manner, or are wasted.
Information for decision making: Information for decision making not being available, accurate, stable, relevant or lacking integrity resulting in faulty, erroneous and wrong decisions. Factors to consider include:
• Availability of information
• Stability of information
• Integrity of information
• Relevance of information
• Retention
• Safeguarding
Security and privacy: Information is improperly accessed, modified or disclosed resulting in impaired reputation, increased oversight and operational costs or legal action.
Technology enablement: Enabling technology is not available, reliable or integrated, or is ineffective or obsolescent.
Technology cost: Enabling technology solutions and infrastructure are not cost effective.
Technology experience: Technology is not enabling operations or is impairing the citizen/business experience.
Inter-Departmental coordination: Coordination between departments does not occur in a timely or effective manner resulting in service delivery issues, increased costs and impaired reputation.
Asset protection: Value preservation is lost, not known or missed resulting in a reduction in available capital, funding losses or unnecessary expenditures.
Value creation/enhancement: Value creation/enhancement opportunities are not known, missed or under exploited resulting in a reduction in available capital, potential revenue losses or unnecessary expenditures.
Operations oversight: The risk that the Corporation does not sufficiently and appropriately monitor the operational decisions made by its ABCs.
Internal – Organizational
Structure/culture: Corporate culture and control environment fail to enable strategic objectives, corporate values or use of resources. Factors to consider include:
• communication channels and effectiveness
• cultural integration
• ethics and values
• goal alignment
• management style
• tone at the top
• organizational structure
Human resources: The risks that relate to the human resources of the City. Factors to include:
• Integrity and honesty
• Recruitment
• Skills and competence
• Employee wellness
• Employee relations
• Retention
• Occupational health and safety
Succession planning/capacity: Management resources could fail to meet strategic and operational requirements due to limited capacity, departures and retirements with limited to no backup or alternative plans resulting in a loss of key competencies and skills.
Labour relations: Labour relations actions or inaction results in service delivery failure, increased costs or increased scrutiny.
Accountability: Corporate and individual accountability is unclear, not understood or ignored resulting in a failure to achieve corporate objectives, efficient operations or an unnecessary loss of time.
Scalability: Organizational structures, policies and operating models impair the ability to fluidly react to changing municipal demands and resourcing needs.
Internal – Financial
Capital structure: The capital structure solutions impair investment requirements, public policy attainment or alignment with legislative requirements.
Treasury/liquidity: Inadequate cash flow due to improper management, investment, collection, planning or wasteful spending.
Accounting and reporting: Impairment in financial statements or public reporting integrity.
Fraud & corruption: The risk of occurrence of illegal or improper acts by employees resulting in a loss of the City’s assets or resources.
Loss/theft of assets: Loss of financial value and/or resource to execute operations due to either theft or loss of a City asset.
Funds oversight: The risk that the Corporation does not sufficiently and appropriately monitor the manner in which its ABCs utilize the funds they are allocated.
Internal – Legal/Compliance
Compliance: Failure to maintain an awareness of compliance requirements, monitor compliance, enforce compliance, implement and maintain enabling mechanisms resulting in consequences of non-compliance – reputation, funding, fines, penalties, etc.
Environmental: Environmental policy does not align with municipal and actual needs or public policy or that actions taken are contrary to those policies and needs resulting in increased costs, reputation impairment, loss of resources and increased scrutiny.
Public policy: Failure to maintain awareness and compliance with provincial or federal public policy requirements results in increased costs, reputation impairment, loss of resources and increased scrutiny.
Litigation: Risks that the City may suffer loss due to litigation and lawsuits against it. Losses may emanate from:
• Claims by employees, the public, service providers and other third parties
• Failure by the City to exercise certain rights to its advantage
Change Risks
Major initiatives: The risk that major initiatives are not aligned with strategic objectives or municipal need, that they are not identified and acted on in a timely manner or that they result in excessive cost and time overruns or ongoing sustainment expenditure beyond expectations.
Sourcing/Cessation: The risk that services and solutions are not effectively identified for sourcing or cessation as part of operational analysis resulting in increased cost, lost opportunity and unnecessary expenditures.
Program delivery: The risk that program delivery is ineffective, results in failed projects, cost and time overruns or recurring scope/cost/timing changes which can result in increased costs, reputation impairment and increased scrutiny.
Implementation/Transition: The risk that although program delivery is successful there is a failure to implement the end result as a sustainable solution that realizes the original business case results due to poor change management, adoption, ease of use or transition failure from project to ongoing process/program.
Benefits realization/sustainability: The risk that major initiatives and sourcing activities do not realize the original benefits expected or exceed sustainable operations expectations. This includes the risk that when sourcing services or asset custody to external parties there are competing profit and service interests that the City is accountable for.
Readiness: Operational readiness to adopt, implement and sustain change and transformation impairs the effective deployment of transformation resulting in failure, increased costs and reputational impairment.
Time/Cost: Time/costs of changes and transformation exceed original business case, cost/benefit expectations and ongoing sustainment expectations resulting in increased expenditures and a loss of efficiency.
Alignment: Changes and transformational activities do result in failures in compliance or result in legal elements that are offside of existing requirements.
Risk Profile
Impact: L M H
Likelihood: NL L AC
Risk Risk Score Impact Likelihood Proposed IA Project 2013/14 2014/15 2015/16 2016/17
Political H M L None in the next 3 years
Legislative & Regulatory H M L Provide governance and strategic leadership to the Corporation and ensure policies of the Municipality are implemented X
Manage information security X
Manage third party performance X
Manage infrastructure X
Manage the daily operations of service delivery X
Oversight of Major City Initiatives X
Protecting the Environment X
Legal and Risk Management Services X
Funding H H L Provide governance and strategic leadership to the Corporation and ensure policies of the Municipality are implemented X
Recommend annual operating and capital budgets X
Sourcing and major initiatives X
Manage infrastructure X
Manage capital structure X
Oversight of Major City Initiatives X
Property billing and tax collection X
Public Relations and Expectations H H L Recommend annual operating and capital budgets X
Manage information security X
Manage third party performance X
Manage infrastructure X
Manage capital structure X
Fraud Risk Management X
Oversight of Major City Initiatives X
Socio-Cultural M M L None in the next 3 years
Economic Factors H M L Recommend annual operating and capital budgets X
Manage capital structure X
Oversight of Major City Initiatives X
Property billing and tax collection X
Terrorism M H NL Manage information security X
Vandalism H L AC Manage infrastructure X
Pandemic/Hazards H H L Manage information security X
Protecting the Environment X
Legal and Risk Management Services X
Technology M M L Governance of information technology to support the business objectives and strategies X
Oversight of Major City Initiatives X
Public Safety M M L Manage infrastructure X
Oversight of Major City Initiatives X
Governance H M/H L Provide governance and strategic leadership to the Corporation and ensure policies of the Municipality are implemented X
Recommend annual operating and capital budgets X
Succession planning and management X
Manage information security X
Manage third party performance X
Manage capital structure X
Fraud Risk Management X
Governance of information technology to support the business objectives and strategies X
Planning & resource allocation H M/H L Provide governance and strategic leadership to the Corporation and ensure policies of the Municipality are implemented X
Recommend annual operating and capital budgets X
Succession planning and management X
Manage third party performance X
Sourcing and major initiatives X
Manage capital structure X
Governance of information technology to support the business objectives and strategies X
Public Relations M M L None in the next 3 years
Public Policy M M L Recommend annual operating and capital budgets X
Manage capital structure X
Reputation M M L Provide governance and strategic leadership to the Corporation and ensure policies of the Municipality are implemented X
Recommend annual operating and capital budgets X
Manage information security X
Manage third party performance X
Manage infrastructure X
Manage the daily operations of service delivery X
Fraud Risk Management X
Third Party Performance H M AC Manage information security X
Manage third party performance X
Sourcing and major initiatives X
Manage the daily operations of service delivery X
Environmental H M/H L Manage third party performance X
Protecting the Environment X
Conflicting Priorities/demands M M L Provide governance and strategic leadership to the Corporation and ensure policies of the Municipality are implemented X
Recommend annual operating and capital budgets X
Succession planning and management X
Manage infrastructure X
Transparency M M L Provide governance and strategic leadership to the Corporation and ensure policies of the Municipality are implemented X
Recommend annual operating and capital budgets X
Sourcing and major initiatives X
Infrastructure H H AC Provide governance and strategic leadership to the Corporation and ensure policies of the Municipality are implemented X
Manage information security X
Manage infrastructure X
Service Delivery H H AC Recommend annual operating and capital budgets X
Succession planning and management X
Manage information security X
Manage third party performance X
Sourcing and major initiatives X
Manage infrastructure X
Manage the daily operations of service delivery X
Governance of information technology to support the business objectives and strategies X
Material Resources H M/H L Manage third party performance X
Oversight of major initiatives X
Information for decision making M M L Provide governance and strategic leadership to the Corporation and ensure policies of the Municipality are implemented X
Recommend annual operating and capital budgets X
Manage information security X
Manage third party performance X
Manage changes to information systems X
Governance of information technology to support the business objectives and strategies X
Security and Privacy M M L Manage information security
Manage third party performance
Manage changes to information systems
Fraud Risk Management
Governance of information technology to support the business objectives and strategies
X
X
X
X
Technology Enablement M M L Manage infrastructure X
Manage changes to information systems X
Governance of information technology to support the business objectives and strategies X
Technology Cost M M L Manage infrastructure (2014/15) X
Manage changes to information systems (2014/15) X
Governance of information technology to support the business objectives and strategies (2015/16) X
Technology Experience M M L Manage information security X
Manage infrastructure X
Manage changes to information systems X
Governance of information technology to support the business objectives and strategies X
Interdepartmental Coordination M M L Provide governance and strategic leadership to the Corporation and ensure policies of the Municipality are implemented X
Manage third party performance X
Governance of information technology to support the business objectives and strategies X
Asset Protection M M L Manage information security X
Manage third party performance X
Manage infrastructure X
Manage changes to information systems X
Fraud Risk Management X
Value Creation/Enhancement M M L Manage third party performance X
Structure/Culture H M L Provide governance and strategic leadership to the Corporation and ensure policies of the Municipality are implemented X
Manage third party performance X
Sourcing and major initiatives X
Human Resources H M L Succession planning and management X
Oversight of major City Initiatives X
Succession Planning/Capacity H M AC Succession planning and management X
Labor Relations H M/H L Succession planning and management X
Manage third party performance X
Sourcing and major initiatives X
Accountability M M L Provide governance and strategic leadership to the Corporation and ensure policies of the Municipality are implemented X
Manage information security X
Manage third party performance X
Manage the daily operations of service delivery X
Fraud Risk Management X
Scalability M M L Succession planning and management X
Manage third party performance X
Capital Structure H H AC Recommend annual operating and capital budgets X
Manage infrastructure X
Manage capital structure X
Treasury/Liquidity H M/H L Recommend annual operating and capital budgets X
Manage third party performance X
Manage infrastructure X
Manage capital structure X
Property Billing and Collection Services X
Accounting and Reporting M M L None in the next 3 years
Fraud and Corruption H H AC Manage information security X
Manage third party performance X
Fraud Risk Management X
Loss/Theft of Assets M M L Manage information security X
Manage third party performance X
Manage infrastructure X
Fraud Risk Management X
Compliance M M L Provide governance and strategic leadership to the Corporation and ensure policies of the Municipality are implemented X
Manage information security X
Manage third party performance X
Sourcing and major initiatives X
Environmental M M L Protecting the Environment X
Public Policy M M L None in the next 3 years
Litigation H H L Fraud Risk Management X
Major Initiatives H H AC Recommend annual operating and capital budgets X
Major initiatives X
Sourcing/Cessation H H AC Recommend annual operating and capital budgets X
Manage third party performance X
Sourcing and major initiatives X
Program Delivery M M L Succession planning and management X
Governance of information technology to support the business objectives and strategies X
Implementation/Transition M M L Succession planning and management X
Manage information security X
Manage changes to information systems X
Governance of information technology to support the business objectives and strategies X
Benefits Realization/Sustainability M M L Succession planning and management X
Manage third party performance X
Fraud Risk Management X
Governance of information technology to support the business objectives and strategies X
Readiness M M L Succession planning and management X
Governance of information technology to support the business objectives and strategies X
Time/Cost M M L Recommend annual operating and capital budgets X
Governance of information technology to support the business objectives and strategies X
Alignment M M L Governance of information technology to support the business objectives and strategies X
Funding oversight M M L ABC projects to be executed over the next 7 years
Operational oversight M M L ABC projects to be executed over the next 7 years
© 2014 PricewaterhouseCoopers LLP. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers LLP, an Ontario limited liability partnership, which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.