2016 Internal Audit

Annual Report
Table of Contents
I. Compliance with Texas Government Code, Section 2102.015 3

II. Benefits Proportionality Audit Requirements for Higher Education Institutions 4

III. Internal Audit Plan for Fiscal Year 2016 5

IV. Consulting and Nonaudit Services Completed 8

V. External Quality Assurance Review 9

VI. Internal Audit Plan for Fiscal Year 2017 17

VII. External Audit Services Procured in Fiscal Year 2016 28

VIII. Reporting Suspected Fraud and Abuse 29

Note: The outline of the annual report as listed above is prescribed by the Texas State Auditors Office per the Texas Internal Auditing Act.
I. Compliance with House Bill 16
(Texas Government Code, Section 2102.015)

Requirements:
• Within 30 days of approval, an entity should post the following information on its Internet Web site:
– An approved fiscal year 2017 audit plan, as provided by Texas Government Code, Section 2102.008.
– A fiscal year 2016 internal audit annual report, as required by Texas Government Code, Section 2102.009.

• 2102.015.Required Updates
– Detailed summary of weaknesses, deficiencies, wrongdoings, or other concerns, if any raised by the audit plan or
annual report
– Summary of action taken by the agency to address concerns, if any, that are raised by the audit plan or annual report

Compliance:
The information required above will be included in this annual report and, once approved by the Alamo Colleges Board of
Trustees, will be posted to the Internal Audit page on the Alamo Colleges Web site at Alamo.edu.

3
II. Benefits Proportionality Audit Requirements
for Higher Education Institutions

Note: The requirements in this section of the annual report are not applicable for community
colleges

4
Internal Audit Plan for Fiscal Year 2016
# FY 2016 Audit Plan Projects Status Phase
1 Student Financial Aid  -
2 State and Compliance Reporting  -
3 Grants and Grant-Related Contracts Review In Progress Reporting
4 Admissions and Enrollment Review On-Hold Fieldwork
5 IT Network Security Review In Progress Fieldwork
6 HR Employment / Onboarding / Exiting On-Hold Fieldwork
7 Software Acquisition, Implementation & Management Deferred to ’17 -
8 Disbursement Audit Analytics (Continuous Audit) On-Hold Planning
9 Issue Follow-Up  -
Planned Process Reviews / Consulting Projects
10 Procure-to-Pay (Purchasing, Accounts Payable)  -
11 Emergency Management  -
12 Curriculum Coordination, International Programs, Bursar, Facilities, & ERM Deferred to ‘17 -
Investigations/Special Requests
13 Management Request  -
14 Ethics Hotline Complaint  -
15 Employee Complaint In Progress Reporting

5
 2016 Summary of Results
Project Description Results/Findings Remediation
Student Financial Review whether key • Recommendation to evaluate the process Management agreed to review
Aid Review compliance risks related to for reviewing “C” or Completed flag all “C“ flags immediately
Student Financial Aid were notifications in the system to ensure the following receiving the
addressed by external process is efficient and effective for application from the U.S.
auditors. prompt Direct Loan award processing. Department of Education.
State Reporting Review enrollment data • Internal controls related to Banner system Management will improve
Review validation processes, functionality and access needed internal controls and consider
timeliness, accuracy of improvement. establishing a data
reports, and Banner access. • Recommendation made to consider warehouse.
establishing a data warehouse.
Procure-to-Pay Review Procure-to-Pay • Adequate internal control design, yet Management agreed with the
Process Review processes, risks, and highly manual. key process maturity levels
(Consulting internal control design. • Well designed contract bid process; risk of and will evaluate
Engagement) circumventing process exists. recommendations.
Emergency Review emergency • Adequate emergency operation plans. Management agreed with the
Management management processes, • No formal review of vulnerabilities and key process maturity levels
Process Review risks, and internal control threats since 2012. and will evaluate
(Consulting design. • Risk of potential delay in timely notification recommendations.
Engagement) of incidents.

6
 2016 Summary of Corrective Action
Issue Count Closed Open Issues
New
Project Report Date as of through as of % Closed
Issues
9/1/2015 8/31/2016 9/27/2016

Payroll and Related Business Processes

Follow-up Review 1/15/2014 62 0 61 1 98%

PAC Natatorium Operations Follow-up Review 7/9/2014 3 - 2 1 67%

Institutional Advancement Donation Processes
and Controls Review 12/11/2014 9 - 6 3 67%

Campus Continuing Education Review 7/20/2015 7 - 1 6 14%

Student Grade Processes and Controls Review 7/20/2015 6 - 3 3 50%
Student Financial Aid Review 11/3/2015 - 1 - 1 0%
State Reporting Review 3/23/2016 - 4 2 2 50%
Total 87 5 75 17 82%

7
IV. Consulting and Nonaudit Services
Completed
• Three consulting, investigative or nonaudit engagements were performed in 2016
• Procure-to-Pay Process Review
• Emergency Management Process Review
• Hotline case – Review of college department timekeeping process
• Consulting services provided to management included:
• Review of executive PCard, direct pay expenses, and supporting documentation

8
V. External Quality Assurance Review
(Next review scheduled for fiscal year 2018)

9
Quality Assurance and
Improvement Program
(QAIP)

10
 FY 2016 Accomplishments
• Updated the internal audit methodology and procedures
• Risk-based approach (enterprise risk assessments performed in-house)
• Developed process for consulting review
• Streamlined audit follow-up process
• Updated manuals supporting compliance with the Standards and the Board-approved
Internal Audit Protocols
• Restructured salary levels for Internal Audit staff to align with the competitive
marketplace
• Overhauled and streamlined job descriptions for Internal Audit staff positions
• Enhanced employee development and continuing professional education
opportunities
• Expanded support for Internal Audit staff to obtain additional professional
certifications

11
FY 2016 Accomplishments (continued)
• Results:
• 25 percent increase in the number of projects completed versus FY 2015
• FY 2016 metrics compared to the average of FY 2012-2015:
• Reduced the average hours per full scope project by 61 percent
• Reduced the average length of full scope audit reports by 79 percent
• Reduced the average number of recommendations by 82 percent
• Increased the total number of projects completed from the average of 3 to 5
• Average audit process owner satisfaction rating – 5.0 of 5.0
• Reduced the number of open management corrective action plans from 92
to 17 (82 percent reduction)
• Increased the percentage of staff holding professional certifications from 66
percent to 100 percent

12
FY 2016 Accomplishments (continued)
Average Hours Per Full Scope Audit Total Projects Completed
2,000 16
14
1,500 12
10
1,000 8
6
500 4
2
- 0
2012 2013 2014 2015 2016 2012 2013 2014 2015 2016

Average Hours Planned Hours Total Projects Completed Planned Projects

Internal Audit Reports - Full Scope Audits FY 2016 Project Allocation

30 30 Consulting
11%
25 25
Investigations
20 20 8%
15 15
IT
10 10 9%
Operational
5 5
63%
Compliance
- - 9%
2012 2013 2014 2015 2016

Issues Recommendations # pages in Report

13
Balanced Scorecard
PROCESS

Enterprise Risk Assessment - 

Audit Plan - 
Board/Mgmt Input - 
Audit Manuals - 

PROGRESS PEOPLE

% Plan Completed - 40 %
IIA Standards Staff Experience - Average of 15 years
# Unplanned Projects - 3 (241 hrs)
Govt. Auditing Standards Training Hours / Auditor - 36 hrs
% Time Spent on Consulting/
Department Goals % Staff Certified - 100%
Management Assistance - 4%

PROJECTS

Full Scope Project Hours Avg. - 459

Audit Cycle Time - 5 months
Project Survey Average - 5 of 5
Open Issues Aging - 18% Overdue

14
FY 2016 Priorities
• Internal Audit Projects
• Consulting – increase overall percentage of time spent on consulting /
management assistance projects
• IT Audit – perform two full scope IT audits

• Internal Audit Administration

• Recruiting – Hire additional Internal auditors as approved by the Board of
Trustees
• Issue Monitoring
• Clean up backlog of outstanding issues
• Establish a process to automate the management of corrective action responses
• Audit Cycle Time – reduce the overall audit cycle time
• Streamline engagement planning process
• Reduce audit report cycle times

15
FY 2017 Priorities
• Internal Audit Projects
• IT Audits – increase IT audit coverage with increased bench strength
• Consulting – increase consulting/management assistance through audit
projects and process reviews
• Audit Analytics – develop a data analytics program for continuous auditing

• Internal Audit Administration

• Recruiting – Hire three new Internal Auditors to fill current staff vacancies,
with one new hire having extensive IT auditing experience
• Increase IT auditing bench strength in Internal Audit through the hiring of
an additional Senior IT Auditor
• Audit Cycle Time – reduce the overall audit cycle time
• Streamline planning process
• Reduce audit report cycle times

16
VI. Internal Audit Plan for Fiscal Year 2017
Audit Planning
Cycle AC Approval
Risk
Assessment

Stakeholder Stakeholder External

Input Input
Draft Annual Benchmarking/
Audit Plan Best Practices
in Internal Audit
Stakeholder
Input

Assessment of
Internal Audit Update
Resources Universe of
(Staff Skill Audit Subjects
Sets, Budget, (UAS)
etc.)

17
2016 Annual Risk Assessment

18
Risk Assessment Overview
How to Use Risk Assessment Results
Management Internal Audit Board of Trustees
• Ensure that processes/internal • Prioritize audit subjects to • Understand significant risks to
controls are in place to mitigate create annual Audit Plan the organization
significant risks • Consult with Management on • Hold management accountable
• Evaluate whether current risk mitigation and internal for mitigation of significant risks
policies adequately address controls
significant risks

19
 Alamo Colleges Audit Universe
Entity Level = Alamo Colleges
Auditable Entity Level
NE Lakeview NW Vista Palo Alto San Antonio St. Philip’s DSO
Auditable Function / Audit Unit
Governance

Governance
District-Wide Support Services
Finance HR IT Administration Operations Inst. Gov.
• General Acctg. • Benefits & • IT Operations • Facilities • Economic & WF • Ethics & Compliance
• Financial Rptng. Compensation • Info. Security • Procurement Development • Strategic Planning
• Budget Mgmt. • Training & • System Development • Risk Mgmt & Sfty. • Academic Success • Enterprise Risk
• Financial Aid Development • System and Database • Campus Police • Student Success Management (ERM)
• Treasury • Employment Support • Instit. Research • Auxiliary Locations • Legal Affairs
• Payroll • Network & • Strategic Initiatives & - WFCOE
• AP/Disbursements Infrastructure Support Perf. Excellence - CTTC
• Fixed Assets • IT Governance • Records Mgmt. - WTEC
• Bursar • Communications & - Kerrville/Floresville
• Grants/Contracts Public Relations

Individual Colleges
NE Lakeview NW Vista Palo Alto San Antonio St. Philip’s
• Academic Programs • Academic Programs • Academic Programs • Academic Programs • Academic Programs
• Student Services • Student Services • Student Services • Student Services • Student Services
• College Services • College Services • College Services • College Services • College Services

20
Audit Subjects by Risk Grouping
Highest Moderate-High Moderate Low
Grants/Grant-Related Contracts State Reporting Contract Administration Facilities Management
Information Security IT Systems/Database Support IT Operations Business Office / Bursar
IT Network & Infrastructure Support IT Strategy & Organization Strategic Planning Business Outreach
HR- Compensation & Benefits Payroll Curriculum Coordination Developmental Education
Admissions and Enrollment Employment Accounting, A/P, Budget Community Partnerships
Institutional Governance – ERM Purchasing Campus Police Off-Site Locations
SACS Accreditation / Reaffirmation District Institutional Research Facilities - Construction Management Treasury
College IT and Technical Services Student Advising High School Programs Facilities – Tobin Lofts
College Admissions International Programs Workforce Development Student Leadership Institute
College Enrollment Management Enterprise Risk Management Dept. & Safety Communications & Public Relations Inventory Control
College Grant Management Emergency Management Academic Partnerships
Center for Student Information (CSI) Student and Program Development
Student Financial Aid HR Training & Development
Alamo Colleges Online IT Systems Development
Continuing Education Alamo Colleges Foundation
College Contract Management Records Management
College Institutional Research College Student Records Management

21
2017 Proposed Internal Audit Plan

22
 Internal Audit Resources
District Director of
Internal Audit

Total Approved
Headcount = 5
Senior IT Auditor Senior Internal Auditor Senior Internal Auditor
Lead Senior IT Auditor
(Vacant) (Vacant) (Vacant)

Academic Year
Total Hours* 8,320
* Based on Less Audit Director’s Time (2,080)
11/1/16, 1/1/17,
and 3/1/17 start Net Internal Audit Staff Time 6,240
dates for three
new auditors Holidays/Vacation/Sick (808)
Training (400)
Staff General Admin (average of 10%) (624)
Total Time Available for Audits, Investigations, & Consulting Engagements 4,408

23
 FY 2017 Proposed Internal Audit Plan
Total Budgeted
Project Type Description
Hours Expense
1 IT Network Security Review (FY 2016 Rollover) Evaluate the IT network security program 200

2 Admissions and Enrollment Review (FY 2016 Rollover) Review admissions and enrollment processes 300

3 HR Employment / Onboarding / Exiting (FY 2016 Rollover) Review hiring and onboarding processes 300

4 Software Acquisition, Implementation , and Mgmt. (FY 2016 Rollover) Review of SDLC and software management processes 400

5 Enterprise Risk Management and Safety Review of Risk Management and Safety processes 400

6 Grant Review – Health Profession Opportunity Grant (HPOG) Program Review program controls and processes effectiveness 400
Review

7 Institutional Research – Internal Reporting (Performance Management) Review reporting accuracy/data integrity 500

8 Curriculum Coordination Review curriculum design, controls, and processes 500

9 Process Reviews/Consulting Document risks/controls for five processes 750

10 Disbursement Audit Analytics (Continuous Audit) Data analysis to identify cost recovery/avoidance 300

11 Investigations/Special Requests Investigations and requests as necessary 358

Total 4,408 TBD

24
 FY 2017 Proposed Process Reviews
Total
Project Type
Hours

1 Business Office (Bursar) * 150

2 Facilities Management * 150
3 International Programs * 150
4 Student Transcript Processing 150
5 Employee Expense Reporting and PCards 150
Total 750

* Carryover from the FY 2016 Process Review List

Note: The purpose of the Process Reviews is to document key processes along with relevant risks and controls, and to provide
input related to potential improvements to internal control design and/or process efficiencies and effectiveness.

25
 Alternate/Potential FY 2017/18 Projects
Project Type Description

IT Vendor Management Audit * Review controls to prevent software licensing infractions

Procurement and Contract Management * Assess effectiveness of controls to support contracting activities

Independent Contract Workers (Joint Employee Liability Risks) Review practices for handling independent contract workers to ensure
the institution is not exposed to joint employer liability risks

Time and Attendance Reporting Determine system is operating effectively and internal controls have
been implemented

Workforce Classification (Exempt vs. Non-Exempt) Evaluate workforce classification processes to ensure the institution is
not misclassifying employees

IT Data Security Audit Network audit of sensitive data (student records, PII, CC, SSN, etc.)

Continuing Education Operations Review Assess effectiveness of processes and controls including
implementation of the LERN Report recommendations

* Carryover from the FY 2016 Alternate/Potential List

26
 Audit Plan Coverage 2016 Actual 2017 Plan

Highest Moderate-High Moderate Low

Grants/Grant-Related Contracts State Reporting Contract Administration Management Facilities
Information Security IT Systems/Database Support IT Operations Business Office / Bursar
IT Network & Infrastructure Support IT Strategy & Organization Strategic Planning Business Outreach
HR- Compensation & Benefits Payroll Curriculum Coordination Developmental Education
Admissions and Enrollment Employment Accounting, A/P, Budget Community Partnerships
Institutional Governance – ERM Purchasing Campus Police Off-Site Locations
SACS Accreditation / Reaffirmation District Institutional Research Facilities - Construction Management Treasury
College IT and Technical Services Student Advising High School Programs Facilities – Tobin Lofts
College Admissions International Programs Workforce Development Student Leadership Institute
College Enrollment Management Enterprise Risk Management Dept. & Safety Communications & Public Relations Inventory Control
College Grant Management Emergency Management Academic Partnerships
Center for Student Information (CSI) Student and Program Development
Student Financial Aid HR Training & Development
Alamo Colleges Online IT Systems Development
Continuing Education Alamo Colleges Foundation
College Contract Management Records Management
College Institutional Research College Student Records Mgmt.

27
VII. External Audit Services Procured in Fiscal
Year 2016
External audit services procured by Internal Audit:
• Non-IT Audit Support – Weaver
• IT Audit Support - Weaver

External audit services procured by Finance & Administration:

• Financial Statement Audit – Grant Thornton
• A-133 Single Audit - Grant Thornton

28
VIII. Reporting Suspected Fraud and Abuse
In accordance with section 7.09 of the Texas General Appropriations Act, a link in the footer of the home page for the Alamo
Colleges external website referencing “Fraud Hotline” takes users to the Ethics site which includes instructions on how to report
fraud, waste and abuse to the State Auditor’s Office as follows:

Any person who suspects fraud or financial impropriety at Alamo Colleges should report their suspicions immediately to any
supervisor, the Chancellor or designee, the Board Chairperson, the College District Ethics Hotline, local law enforcement,
Internal Audit or the State Auditor’s Office Hotline.

If you suspect fraud, waste, or abuse, and would like to file an anonymous complaint, please report the matter to one of the
following:

Alamo Colleges Ethics Hotline

1-844-302-0425
www.alamo.edu.ethicspoint.com
or
State Auditor’s Office Hotline
1-800-TX-AUDIT (1-800-892-8348)
http://sao.fraud.state.tx.us

29