audit, compliance & ethics committee meeting

Audit, Compliance & Ethics Committee Meeting

Teacher Retirement System of Texas 1000 Red River Street, Austin, Texas 78701-2698

July 2018

NOTE: The Board of Trustees (Board) of the Teacher Retirement System of Texas will not consider or act upon any item before the Audit, Compliance and Ethics Committee (Committee) at this meeting of the Committee. This meeting is not a regular meeting of the Board. However, because the full Audit, Compliance and Ethics Committee constitutes a quorum of the Board, the meeting of the Committee is also being posted as a meeting of the Board out of an abundance of caution.

TEACHER RETIREMENT SYSTEM OF TEXAS BOARD OF TRUSTEES

AND AUDIT, COMPLIANCE AND ETHICS COMMITTEE

(Mr. Moss, Chairman; Mr.Corpus; Dr. Gibson, Ms. Sissney, Mr. Nance, Committee Members)

All or part of the July 26, 2018, meeting of the TRS Audit, Compliance and Ethics Committee and Board of Trustees may be held by telephone or video conference call as authorized under Sections 551.130 and 551.127 of the Texas Government Code. The Board intends to have a quorum and the presiding officer physically present at the following location, which will be open to the public during the open portions of the meeting: 1000 Red River, Austin, Texas 78701 in the TRS East Building, 5th Floor, Boardroom.

AGENDA

July 26, 2018 – 3:00 p.m. TRS East Building, 5th Floor, Boardroom

1. Call roll of Committee members

2. Approve minutes of April 19, 2018 Audit, Compliance and Ethics Committee meeting – Committee Chair

3. Receive TRS Compliance reports – Heather Traeger 4. Receive Internal Audit reports

A. Quarterly TRS compliance testing (Agreed-Upon Procedures) – Kate Rhoden and Heather Traeger

B. TRS Investment Company of Texas (TRICOT) cost-benefit audit – Nick Ballard and Eric Lang

C. TRS-ActiveCare eligibility, enrollment, and billing system pre-implementation audit – Toma Miller and Katrina Daniel; Neill Masterson, EY

D. Vendor procurement audit – Anandhi Mani and LaTresa Stroud E. Employer data analysis testing (Agreed-Upon Procedures) – Lih-Jen Lan and Barbie

Pearson F. Prior audit and consulting recommendations - Amy Barrett

5. Discuss or consider Internal Audit and TRS Compliance administrative reports and matters

related to governance, risk management, internal control, compliance violations, fraud, regulatory reviews or investigations, fraud risk areas, audits for the annual internal audit plan, or auditors' ability to perform duties – Committee Chair, Amy Barrett and Heather Traeger

6. Discuss personnel matters concerning the Chief Audit Executive – Committee Chair and Janet Bray

1

TEACHER RETIREMENT SYSTEM OF TEXAS AUDIT, COMPLIANCE AND ETHICS COMMITTEE

MEETING MINUTES April 19, 2018

The Audit, Compliance and Ethics Committee of the Board of Trustees of the Teacher Retirement System of Texas met on April 19, 2018, in the boardroom located on the fifth floor of the TRS East Building offices at 1000 Red River Street, Austin, Texas.

Committee Members present: Dr. Greg Gibson, Acting Chair Mr. David Corpus Mr. James D. Nance Ms. Nanette Sissney Other Board Members present: Mr. John Elliott Mr. Jarvis V. Hollingsworth Ms. Dolores Ramirez Others present: Brian Guthrie, TRS Toma Miller, TRS Ken Welch, TRS Anandhi Mani, TRS Carolina de Onis, TRS Kate Rhoden, TRS Amy Barrett, TRS Rodrigo Dominguez, TRS Don Green, TRS Karen Marino, TRS Jerry Albright, TRS Keith Brown, TRS Board Advisor Barbie Pearson, TRS Ted Raab, TX AFT Heather Traeger, TRS Bill Barnes, TRTA Katherine Farrell, TRS Christine Bailey, TRS Scott Leith, TRS Barbara Forssell, TRS Jan Engler, TRS Lih-Jen Lan, TRS Nick Ballard, TRS Audit, Compliance, and Ethics Committee Acting Chair, Dr. Greg Gibson, called the meeting to order at 1:45 p.m.

1. Call roll of Committee members.

Ms. Farrell called the roll. A quorum was present, Mr. Moss was absent.

2

2. Consider the approval of the proposed minutes of the December 15, 2017 committee meeting – Acting Committee Chair Dr. Greg Gibson.

On a motion by Mr. Nance, seconded by Mr. Corpus, the proposed minutes for the December 15, 2017 Audit, Compliance, and Ethics Committee meeting were approved as presented.

3. Receive TRS Compliance reports – Heather Traeger Ms. Heather Traeger began her report noting the complaints received through the TRS hotline and State Auditors Office. She stated there were 12 total complaints. She said the majority of the complaints related to member questions regarding their benefits or health plans. Ms. Traeger reported there was one hotline complaint regarding an allegation related to controls and access of data at State Street Bank. She said the allegations were investigated and concluded that TRS data was not improperly used. She stated State Street’s processes and procedures were reviewed and that State Street has agreed to further tighten access procedures and processes, which would be discussed further in another audit report.

Ms. Traeger reported last quarter there were four 541C requests for conflict determinations from TRS vendors. She said two were related to prudent investment letters and the other two were related to the IMD salary survey by McLagan. She reported three were determined as not presenting a conflict and could proceed with services, and the fourth was being reviewed for reporting at a future date.

Ms. Traeger provided an update on the compliance charter. She noted this is a Legal & Compliance department document that was developed in response to the Funston audit recommendation to develop a compliance policy.

4. Receive Internal Audit reports A. Quarterly TRS compliance testing (Agreed-Upon Procedures) – Amy

Barrett, Nick Ballard, and Heather Traeger Mr. Nick Ballard stated they tested reports and activity through December 31, 2017 and tested the internal public markets quarterly performance incentive pay calculations through September 30, 2017. He said there were no exceptions to report. He stated one issue was identified in the emerging manager program. He said one private markets fund-to-fund manager excluded $1.1 billion in the assets under management (AUM) test. Mr. Ballard stated the rationale for excluding the assets was that they were included in non-discretionary accounts. He said had these investments been included in the AUM test the manager would have exceeded total AUM allowed under the investment policy statement. He reported IMD management agreed with the issue, and per their management response, effective immediately, they are working with both public and private markets fund-to-fund managers to ensure that any new investment in the emerging manager program discloses the discretionary and non-discretionary accounts. He said if a manager does exceed the threshold by including both discretionary and non-discretionary accounts then a waiver could be sought establishing why the manager is still a good fit for the emerging manager program. Ms. Heather Traeger reported there was one Investment Policy Statement (IPS) violation. She said the violation occurred after the audit had closed. She stated one of the managers purchased a

3

security on the TRS Restricted Securities List. Ms. Traeger said TRS notified the manager of the error, and the security was sold at the next available market open.

B. Incentive compensation for the plan year ending September 30, 2017 (Agreed-Upon Procedures) – Amy Barrett, Scott Leith, and Christine Bailey

Ms. Barrett said this project tested incentive pay calculations before the payments were made to ensure 100 percent accuracy. She stated the State Auditors will come back later on and conduct a complete audit of the incentive compensation calculation, including testing internal controls. Ms. Barrett reported that everything was paid out with 100 percent accuracy. She noted a couple of relatively minor items. One was the participant list compiled by Organizational Excellence (OE) had not been finalized and reviewed by the Investment Division (IMD). The other item concerned where the calculation workbook was maintained in SharePoint and the controls around limiting access and maintaining confidentiality. Ms. Christine Bailey stated due to the simultaneous processing of the participant list referenced by Ms. Barrett some items were not caught. She said moving forward they will lock down the list at the beginning of the fourth quarter ensuring that a double-check of the list is in place prior to reviewing the calculations. Mr. Scott Leith said that two individuals at IMD reviewed the calculations and needed limited access to a spreadsheet. He said the individuals’ access was greater than what was needed for them to accomplish their task. He reported they will limit the individuals’ Sharepoint’s permission.

C. Investment performance calculations audit – Kate Rhoden and Barbara Forssell

Ms. Kate Rhoden stated the audit included the operations of State Street and operations of TRS’ IMD department to make sure the review processes are in place and the system and data are protected. She stated that the controls at State Street and at IMD were tested and found that there is sufficient review in place. Ms. Rhoden reported that there were two opportunities for improvement. One relates to State Street data and the need to refresh daily instead of monthly. The other issue noted was terminating access to data by third-party providers in a timely manner. Ms. Barbara Forssell commented on the State Street data issue. She said that the data itself was correct, and there was never a problem with the data. She reported the daily data from the performance application had not been uploaded to the My State Street reporting portal. She said State Street has implemented changes to address this issue. Ms. Forssell also reported that they will enhance processes with State Street to ensure only appropriate and current third-party vendors have access.

D. Prior audit and consulting recommendations – Amy Barrett Ms. Barrett provided a status update on outstanding audit recommendations. She noted two items, one related to the TEAM program and the other related to implementing recommendations

4

from the HIPAA audit. She said management had requested more time to implement the HIPAA recommendations.

E. Employer Self-Audit Program – Amy Barrett

Ms. Barrett reported on the new employer self-audit program that was recently posted to TRS website under reporting entities.

5. Discuss or consider Internal Audit administrative reports and matters related to governance, risk management, internal control, compliance violations, fraud, regulatory reviews or investigations, fraud risk areas, audits for the annual internal audit plan, or auditors' ability to perform duties – Committee Chair, Amy Barrett, Heather Traeger

Ms. Barrett presented the Chief Audit Executive Goals mapped to the TRS strategic plan. She reported they were on track and did not anticipate any issues in terms in achieving the audit plan. She noted hosting the Association of Public Pension Fund Auditors’ semiannual conference in Austin. Without further discussion, the meeting adjourned at 2:35 p.m. APPROVED BY THE AUDIT, COMPLIANCE, AND ETHICS COMMITTEE OF THE BOARD OF TRUSTEES OF THE TEACHER RETIREMENT SYSTEM OF TEXAS ON THE 26th DAY OF July 2018.

______________________________ _________________ Christopher Moss Date Chair, Audit Committee Board of Trustees Teacher Retirement Systems of Texas

TAB 3

The information for this agenda item is confidential.

TAB 4A

Quarterly TRS Compliance TestingInternal Audit July 2018

TAB 4.1:A

Business Objectives1. All information required by Investment Policy Statement

(IPS) is reported to the TRS Board of Trustees

2. Investments made are within delegated limits and established selection criteria

3. Risk limits are followed for other investment programs and activities (IPS, Securities Lending Policy, wire transfers)

2

No issues were identified except for Restricted Securities trading violations. Chief Compliance Officer has reported on these issues to the ACE Committee in April and July 2018.

Business Objectives

Test Results

QUARTERLY INVESTMENT COMPLIANCE TESTING INVESTMENT POLICY STATEMENT (IPS), SECURITIES LENDING POLICY (SLP), AND WIRE TRANSFER PROCEDURES

CALENDAR QUARTER ENDED MARCH 31, 2018

Legend: Red - Significant to TRS Orange - Significant to Business Objectives Yellow - Other Reportable Exception Green - Positive Test Result/ No Exception

July 5, 2018 Project #18-302

1. Board Reports All required information is reported to the TRS Board of Trustees

2. Investment Selection and Approval Investments made are within delegated limits and established selection criteria

3. Other (IPS, SLP, wire transfers, other reporting) Risk limits are followed for other investment programs and activities

Programs are within risk limits and activities follow established policies and procedures

Compare Board reports to IPS requirements Trace sample information included in Board

reports to supporting documentation

All reporting requirements were met Documentation provided support for the

reports tested

Management Responses

Management Assertions

Test Results

Obtain evidence of IMD’s reporting of managers/funds added or removed

Check securities lending pool for compliance with investing guidelines

Verify wire transfers are authorized and supported

Obtain senior management disclosure about known compliance violations

Trace investments approved by the Internal Investment Committee (IIC) to supporting documentation

Compare approval limits of new investments with IPS limits

Obtain evidence that Placement Agent Questionnaires (PAQs) were received prior to funding investments approved

Business Objectives

Business Risks

Agreed-Upon Procedures

Board is not informed of key investment decisions and critical information

Risks exceed Board-established tolerances or management policies and procedures

All required information is reported to the Board

N/A

Approvals and fundings exceed delegated limits

Approvals and fundings are within delegated limits and made for qualified managers

Restricted securities were traded once in March 2018 and three times in June 2018 due to external managers combining the lists and an erroneous clearance of an internal trade.

Provide combined and segregated lists of restricted securities to external managers

Perform dual checks to clear internal trades

All investments tested were in compliance with approval limits

PAQs were obtained for all investments tested

N/A

TRS Internal Audit July 5, 2018 Quarterly TRS Compliance Testing Page 1

July 5, 2018 Carolina de Onis, TRS General Counsel Subject: Report on Independent Testing of TRS Compliance We have completed the Quarterly TRS Compliance Testing for the quarter ended March 31, 2018, as included in the Fiscal Year 2018 Audit Plan. The scope of this engagement included the requirements of the Investment Policy Statement (IPS), Securities Lending Policy (SLP), and Wire Transfer Procedures. We have also considered any compliance violations that came to our attention as of the report date. We performed the procedures that were agreed to by the TRS Legal and Compliance division. These procedures include tests that supplement the current compliance monitoring procedures performed by State Street and the Chief Compliance Officer. This agreed-upon procedures engagement was performed in accordance with generally accepted government auditing standards contained in the Government Auditing Standards issued by the Comptroller General of the United States. The sufficiency of the agreed-upon procedures performed is solely the responsibility of those parties specified in this report. Consequently, we make no representations regarding the sufficiency of the procedures described in Appendix A either for the purpose for which this report has been requested or for any other purpose.

Our testing procedures and results are included in Appendix A. We were not engaged to and did not conduct an examination, the objective of which would be the expression of an opinion. Accordingly, we do not express an opinion. Had we performed additional procedures, other matters might have come to our attention that would have been reported to you. This report is intended solely for information and use by TRS management, the Board of Trustees, and oversight agencies, and is not intended to be and should not be used by anyone other than those specified parties. However, this report is a matter of public record and its distribution is not limited.


* * * * * We express our appreciation to management and key personnel of the Investment Management Division, Investment Accounting, and Legal and Compliance for their cooperation and professionalism shown to us during this quarterly testing. Amy Barrett, CIA, CPA, CISA Nick Ballard, CFA, CPA Chief Audit Executive Director of Investment Audit Kate Rhoden, CPA, CIA Investment Audit Manager


APPENDIX A

AGREED-UPON PROCEDURES AND RESULTS

STEP #

OBJ. #

TEST PURPOSE TEST DESCRIPTION TEST RESULT MANAGEMENT RESPONSE

1 1 IPS Article 1.7a - 1.7o – Obtain evidence that requirements tested were reported to Board of Trustees. Quarterly: investment performance, policy compliance monitoring, asset class exposures, external investments under consideration, external investment activities, liquidity positions, and consultant engagements. Semi-annual: outstanding derivatives, risk limits, leverage, transparency reports, Placement Agent Disclosures. Annual: reports include staffing, Private Markets strategy review, and Governing Boards participation.

Obtain information required to be reported to Board of Trustees and compare to reporting requirements per Investment Policy Statement (IPS)

Information required to be reported to Board of Trustees complied with IPS requirements.

No response required


STEP #

OBJ. #


2 2 IPS Article 1.3c – Obtain evidence of existence of IMD’s prudent underwriting objectives for advisor’s due diligence.

Select sample of Private Market investments approved during testing period, obtain evidence of existence of advisor's report stating investment opportunity meets prudent underwriting standards and merits inclusion within respective portfolios.

For selected Private Markets approved investments for the quarter, confirmed that the prudence letter from the advisor was included in the Internal Investment Committee (IIC) materials.


3 2 IPS Article 1.8d – Obtain evidence that TRS complied with Chapter 2270 of the Government Code relating to prohibitions on investments in Sudan and Iran, respectively.

Ensure that responsible staff have updated Sudan/Iran restricted lists

Obtain evidence that TRS complied with the following requirements: (a) to notify the Comptroller’s Office regarding holdings of restricted company securities; (b) to divest holdings; and (c) to file annual report of Sudan/Iran and companies that boycott Israel investment activity to the Legislature and the Attorney General

Annual report of Sudan/Iran investment activity was not filed with the Legislature and the Attorney General. However, December 1, 2017, Attorney General opinion to the Bond Counsel appears to support the decision not to file the report.


4 2 IPS Article 12 – Obtain evidence of existence of placement agent questionnaire for each new investment selected for testing and test for inclusion in summary report to the Board.

For each investment selected for testing, verify that IMD obtained responses to the questionnaire. Obtain evidence that IMD compiled responses to the questionnaires and reported all results to the Board at least semi-annually.

Each investment tested had a completed questionnaire.


5 2 IPS Appendix B – Obtain evidence that investments approved are within policy limits.

Select sample of approved investments, obtain tear sheet for each, and observe the approved amounts are within authorized limits a) Initial allocation – .50% b) Additional or follow-on – 1% c) Total Manager Limits – 3% d) Total limit each manager organization – 6%

Obtain documentation from IMD staff that supports the calculations of the authorized limits

Inquire if any “Special Investment Opportunities” were made for the quarter

For the sample investments tested, no manager or partner organization exceeded the authorized limits and documentation existed for IMD staff calculations of authorized limits. There were no Special Investment Opportunities.



STEP #

OBJ. #


6 2 IPS Appendix G – Obtain evidence that participation in external advisory committees or boards meet the requirement of the IPS by requesting a sample of limited partnership agreements (LPA’s).

For tested investments where TRS employees serve on advisory committees, obtain evidence that: TRS employees do not serve in positions with

general liability to third parties Agreement is in writing and addresses

limitations on capacity and fiduciary duties The external entity’s insurance/indemnification

will be primary relative to TRS Compensation and reimbursement of expenses

must be paid directly to TRS

For the sample of investments tested, confirmed that tested requirements relating to advisory committee participation were met.


7 3 Quarterly Compliance Certification – Obtain evidence that all known compliance violations have been reported.

Confirm with the Chief Compliance Officer that compliance certifications have been received from IMD management, Legal Investment staff, and the CIO regarding any known compliance violations occurring during the testing period.

Obtained confirmation from the Chief Compliance Officer. No compliance exceptions were identified as a result of the quarterly compliance certification.

However, we were notified by Compliance of four instances of trades of restricted securities:

1. A security on the Restricted Securities List was traded by an external manager in March 2018. 2. Two securities on the Restricted Securities List were traded by two external managers in June 2018. 3. An internal trade of a security on the Restricted Securities List was erroneously cleared in June 2018.

1 and 2. Investment Compliance is considering sending external managers restricted securities listing (i) in one merged list and (ii) disaggregated lists. 3. Any overrides of restricted securities trades will be reviewed by two members of the Investment Compliance team.

8 3 Wire Transfers – Obtain evidence that TRS Investment Accounting’s record of processed investment funding was complete.

Obtain wire transfer reports for testing period, select a sample of wire transfers, and trace each to supporting documentation to check amount and appropriate manager authorizations.

All wire transfers tested were properly authorized and amounts were supported.



STEP #

OBJ. #


9 3 Securities Lending Policy – Obtain evidence that IMD reviews the securities lending program and performance of lender

Obtain evidence from the monthly securities lending program performance reviews conducted by the TRS Asset Allocation team and the Securities Lending Agent that investments in the securities lending program comply with the following policy requirements: Sec 4.2.3. The FMV of the portfolio shall not decline by more than 0.0035 percent per 1 basis point change in interest rates

Sec 4.3. Maximum market value of TRS securities on loan at any one time shall not exceed 30% of the market value of the total TRS portfolio.

Testing of the interest rate sensitivity of the cash collateral investment pool indicated that the portfolio fair market value would not decline by more than .0035 percent per a 1 basis point change in interest rates.

During the quarter, the market value of TRS securities on loan did not exceed 30% of the market value of the total TRS portfolio.


Note: Testing procedures for the Investment Policy Statement (IPS), Securities Lending Policy (SLP) and Wire Transfer Procedures are for the activities for the quarter ending March 31, 2018. Instances of non-compliance that Internal Audit became aware of are reported as of the report date.

TAB 4B

TRICOT Cost-Benefit AuditInternal Audit July 2018

TAB 4.2:B

Business Objectives and Risks

Source more investment opportunities for TRS and identify fee saving opportunities.

Inaccurate reporting of investment opportunities

Investing in low quality investments

Inaccurate reporting of TRICOT performance

2

Business Objective

Business Risks

Conclusion

3

Validate the cost-benefit of TRICOT for fiscal years 2017 and 2016 and determine whether internal controls are working effectively to achieve the business objectives.

Management controls are operating effectively to achieve the business objective.

No significant issues.

Results

Audit Objective

Positive Results

4

TRICOT-Sourced Investment Opportunities

For fiscal years 2017 and 2016, the TRICOT team saw 127 UK and European investment opportunities, and executed 15 investments

35

21

5 63

36

18

2 0 10

10

20

30

40

50

Real Assets Private Equity SpecialOpportunities

Energy andNatural Resources

Public Equity

FY 2017 FY 2016

Positive Results

Executed Investments Generating Positive Value

$1.1 billion of commitments generated $124 million in gains, exceeding TRICOT audited expenses of $3.8 million.

5

The table includes $179 million in committed capital for one principal investment and four sidecar fund investments that were sourced prior to the TRICOT office opening. These assets are managed as TRICOT investments as of 9/1/2015.

Gains include realized and unrealized value.

TRICOT Net Investment GainsFY 2017 FY 2016 Total

Capital Committed $746,856,558 $408,046,873 $1,154,903,431

Investment Gains $114,409,713 $9,974,545 $124,384,258

TRICOT Audited Expenses ($1,953,376) ($1,882,714) ($3,836,090)

Net Investment Gains $112,456,337 $8,091,831 $120,548,168

Positive Results

Projected Fee Savings

Fee savings for TRICOT-sourced investments in fiscal year 2017 and 2016 is estimated to be $36,800,000.

Investment Partner Feedback - Positive

Better communication, faster due diligence response time, and increased TRS knowledge of UK and European markets

6

Fee savings are estimated using an assumed five-year holding period for executed investments.

Additional Results

7

Formal Process for Tracking TRICOT Performance DevelopedDuring the audit, management enhanced procedures for tracking and calculating TRICOT performance.

The procedures include:

• Criteria for designating an investment as sourced through TRICOT, including the appropriate timeframe to report TRICOT-sourced investments.

• Methodology for calculating TRICOT performance metrics.

Management Response

We agree with the results of the audit and will continue to enhance systems and documented processes to track and calculate TRICOT performance.

TRICOT COST-BENEFIT AUDIT June 29, 2018

TRS Internal Audit Department

Project #18-306

Legend of Results: Red - Significant to TRS Orange - Significant to Business Objectives Yellow - Other Reportable Issue Green - Positive Finding or No Issue

Investment opportunities tracking Regularly occurring meetings between TRS

and TRICOT staff Investment assessment methodology TRS approval required General Partner feedback Senior managers visit TRICOT and biennial

staff rotation from TRS to TRICOT

Investment documentation included in tracking tools

State Street Bank investment data Foreign exchange rates from external

sources Private Markets management assumptions

(e.g. holding period, target returns, comparable funds)

TRICOT audited financial reports Financial records Payroll and tax services

Deal flow tracking Investment approvals External investment manager feedback

In FY 2017 and 2016, TRICOT received 127 investments and executed 15 investments.

During the audit, management enhanced documented procedures for tracking TRICOT investments.

Investment documentation included in tracking tools

SSB investment data Foreign exchange rates from external

sources Private Markets management assumptions

(e.g. holding period, target returns, comparable funds)

TRICOT audited financial reports Financial records

Projected fee savings for investments sourced through TRICOT in FY 2017 and 2016 is estimated to be $36.8 million.

During the audit, management developed documented procedures for calculating TRICOT performance.

Business Objectives

Business Risks

Management Controls

Results

Recommended Actions




Inaccurate reporting of investment opportunities

Investing in low quality investments Not developing stronger relationships with

UK and European investment managers

Inaccurate reporting of investments Unreasonable assumptions made for fee

savings calculations Inaccurate allocation of TRICOT-related

costs

None

Controls Tested

Source more investment opportunities for TRS

Identify fee saving opportunities

None

TRS Internal Audit June 29, 2018 Audit of TRICOT Cost-Benefit Page 1

June 29, 2018 Audit, Compliance, and Ethics Committee, Board of Trustees Brian Guthrie, Executive Director

EXECUTIVE SUMMARY We have completed the audit of Teacher Retirement Investment Company of Texas Ltd. (TRICOT) Cost-Benefit, as included in the Fiscal Year 2018 Audit Plan. The business objectives related to the TRICOT office are to source more investment opportunities and to identify fee saving opportunities. Based on our audit results, we determined that management controls are operating effectively to achieve business objectives. We did not identify any significant issues. We found that investments sourced through TRICOT generated investment gains1 and estimated fee savings that exceeded the office’s annual operating expenses in fiscal years 2017 and 2016, as illustrated in the table below.

We also spoke with management at two TRS investment partners. Their feedback indicated that TRICOT has resulted in better communication, shorter TRS due diligence response time, and increased TRS knowledge of UK and European markets. During the audit, management developed documented procedures for calculating TRICOT performance metrics and enhanced documented procedures for tracking investment opportunities received and executed by TRICOT.

1 Investment gains and losses may be impacted by market conditions.

TRICOT Performance SummaryDollar Amounts in '000s

FY 2017 FY 2016 Total

Investment Opportunities 70 57 127

Investments Executed 9 6 15

Capital Committed $746,856 $408,047 $1,154,903

Investment Gains (Losses) $114,410 $9,974 $124,384

Audited Expenses ($1,953) ($1,883) ($3,836)

Net Investment Gains (Losses) $112,457 $8,091 $120,548

Estimated Fee Savings $24,300 $12,500 $36,800


Results of our procedures are presented in more detail in the Results and Recommendations section. The audit objective, scope, methodology and conclusion are described in Appendix A.

BACKGROUND The Teacher Retirement Investment Company of Texas Ltd., (TRICOT) was incorporated on August 28, 2015 in the United Kingdom (UK) as a wholly-owned subsidiary of the Teacher Retirement System of Texas (TRS) Pension Trust Fund. The TRICOT office opened on November 1, 2015. TRS investment management established TRICOT to increase the number of investment opportunities for the TRS portfolio, with a focus on private equity, real assets, and co-investments. The presence in London is designed to strengthen TRS’s overall knowledge of markets in the UK and Europe. The office is staffed by five team members (three TRS secondees2 and two contractors). The team at TRICOT includes one investment manager, three associates/analysts, and one office assistant. The TRICOT team coordinates with TRS Austin office staff through weekly meetings and more frequent collaboration as necessary. TRICOT does not have authority to execute investment contracts on behalf of TRS or to provide investment advice or investment management services to any third party (Appendix B – Intercompany Agreement between TRICOT and TRS). TRICOT personnel are authorized to analyze investment opportunities for possible portfolio fit and perform due diligence in coordination with TRS personnel. TRICOT’s fiscal year end is August 31. The total costs to maintain the TRICOT office is $1,953,376 for fiscal year 2017 and $1,882,714 for fiscal year 2016. TRICOT’s operating expenses include salaries and benefits for three seconded TRS employees, fees for two contractors, professional fees for service providers, consumable supplies, and allocated costs for work performed by TRS’s support staff (e.g. legal, accounting, and information technology).

2 Secondee Definition – A person who is transferred temporarily to alternative employment, or seconded.


BUSINESS OBJECTIVES, RISKS, AND CONTROLS

For the audit of TRICOT, we obtained information about the following two business objectives, as well as the related risks and the controls management established to mitigate these risks:

Business Objectives

Source more investment opportunities

Identify fee saving opportunities that exceed TRICOT operational costs

Business Risks

Inaccurate reporting of deal flow Investing in low quality deals Not developing stronger

relationships with investors

Inaccurate reporting of investments Unreasonable assumptions made for

fee savings calculations Inaccurate allocation of TRICOT-

related costs

Management Controls

Tracking deal flow Meetings between TRS Austin and

TRICOT staff Assess investments using the

“Texas Way” methodology Investments reviewed by TRS

Private Markets team and approved by the Internal Investment Committee

General partner communication and feedback

Senior managers visit TRICOT and biennial staff rotation from TRS to TRICOT

Input of executed deal documents and information into tracking tools

State Street Bank records for investment data

Foreign exchange rate data from external sources

Private Markets management assumptions for calculation of fee savings (e.g. holding period, target returns, comparable funds)

TRICOT audited financial reports Financial records maintained by

TRS accounting staff Payroll and tax services provided by

consultants

Controls Tested

Tracking deal flow Investments reviewed by TRS

Private Markets team and approved by the Internal Investment Committee

General partner communication and feedback

Input of executed deal documents and information into tracking tools

State Street Bank records for investment data

Foreign exchange rate data from external sources

Private Markets management assumptions for calculation of fee savings (e.g. holding period, target returns, comparable funds)

TRICOT audited financial reports Financial records maintained by

TRS accounting staff


RESULTS AND RECOMMENDATIONS OVERALL RESULTS Based on the audit test results, we determined that management controls are operating effectively to achieve the business objectives. No significant issues were identified. Positive test results are described below. POSITIVE RESULTS A. European investment opportunities since TRICOT’s inception

For fiscal years 2017 and 2016, the TRICOT team saw 127 investment opportunities, and executed 15 investments.

B. Executed investments generating gains

The total capital committed for investments sourced through TRICOT in fiscal years 2017 and 2016 is $1,154,903,430.

35

21

5 6 3

36

18

2 0 10

10

20

30

40

50

Real Assets Private Equity SpecialOpportunities

Energy andNatural Resources

Public Equity

TRICOT Investment Opportunities

FY 2017 FY 2016

$746,856

$408,047

$0

$200,000

$400,000

$600,000

$800,000

FY 2017 FY 2016

Capital Committed to TRICOT-Sourced InvestmentsDollar Amounts in '000s

Capital Committed


For fiscal years 2017 and 2016, executed investments sourced through TRICOT generated total investment gains of $124,384,258, exceeding total operating expenses of $3,836,090 by $120,548,168.

C. Estimated fee savings

Estimated fee savings for investments sourced through TRICOT are $36,800,000 in fiscal years 2017 and 2016. This estimate is calculated by comparing the lower fees charged for TRICOT-sourced principal and sidecar fund investments to the fees that would have been charged if the investments were executed in funds with comparable strategies and typical management fees and carried interest terms.

D. General partner feedback positive

Based on feedback obtained from two European-based investment manager partners, the benefits of the TRICOT office include:

Quicker response time when working on investment due diligence versus other non-Europe based limited partners.

Greater depth of knowledge of the European investment environment.

$114,410

$9,974 $1,953 $1,883 $0

$50,000

$100,000

$150,000

FY 2017 FY 2016

Gains and (Losses) for TRICOT-Sourced Investmentsand TRICOT Annual Expenses

Dollar Amounts in '000s

Investment Gains and (Losses) Expenses Per Audited AFR


SIGNIFICANT RESULTS3 No significant issues and recommendations were identified. OTHER REPORTABLE RESULTS 1. Procedures to calculate TRICOT performance metrics and to track TRICOT-sourced

investments received and executed have been strengthened

During the audit, management developed documented procedures to track performance metrics for TRICOT. The procedures include methodology for calculating:

Investment commitments and investment gains and losses. Estimated fee savings. The methodology defines the assumed investment holding

period for TRICOT-sourced investments; identifies criteria for selecting comparable funds for TRICOT-sourced investments; and clarifies certain calculation inputs (e.g. the calculation will include inputs that trace to investment legal documents; and the calculation will include investment target gross returns when available through due diligence materials and target net returns otherwise).

Incremental costs4 to operate TRICOT.

Additionally, management enhanced current private markets documented procedures to ensure that all investment opportunities sourced by TRICOT staff are recorded accurately in investment tracking tools. These enhancements state that:

Investments will be designated as TRICOT investments if the opportunity was sourced through TRICOT and the investment is in TRICOT’s target areas (e.g. UK and Europe).

Investment opportunities sourced through TRICOT will be reported in the year that the investment was received or the year that the investment was executed.

Recommendation

Management has enhanced or developed documented processes for monitoring TRICOT performance metrics prior to audit completion. There are no outstanding recommendations for this audit.

Management Responses We agree with the results of the audit and will continue to enhance systems and documented processes to track TRICOT investments and calculate TRICOT performance metrics.

3 A significant result is defined as a control weakness that is likely to create a high risk of not meeting business objectives if not corrected. 4 Incremental Costs – the additional costs incurred by TRS to operate TRICOT.


* * * * * We appreciate TRICOT and TRS Investment Division management and staff for their cooperation, courtesy, and professionalism extended to us during this audit. We also appreciate support provided by TRS Financial Division management and staff. Amy Barrett, CIA, CPA, CISA Nick Ballard, CFA, CPA Chief Audit Executive Director of Investment Audit Rodrigo Dominguez Investment Auditor


APPENDIX A

AUDIT OBJECTIVE, SCOPE, METHODOLOGY, AND CONCLUSION We conducted this performance audit in accordance with generally accepted government auditing standards contained in the Government Auditing Standards issued by the Comptroller General of the United States and the International Standards for the Professional Practice of Internal Auditing issued by the Institute of Internal Auditors, Inc. These standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our audit findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. AUDIT OBJECTIVE The audit objective was to validate the cost-benefit of TRICOT for fiscal years 2017 and 2016 and to determine whether internal controls are in place and are working effectively to achieve the business objectives stated below and mitigate significant risks to meeting those objectives.

To source more investment opportunities for TRS To identify investment fee saving opportunities for TRS

SCOPE The scope of the audit included TRICOT expenses and investment sourcing activities for fiscal years 2016 (September 1, 2015 to August 31, 2016) and 2017 (September 1, 2016 to August 31, 2017). METHODOLOGY Our methodology included obtaining information on management’s business objectives and risks, and focused on key processes and monitoring controls that management has established to address significant risks. To meet the audit objectives, we specifically performed the following procedures:

Reconcile deal flow and executed investments information to TRS Investment Management Division investment tracking tools (e.g. State Street Bank, Tamale, eFront).

Test TRICOT activity for principal investments and sidecar investment vehicles that were executed before September 1, 2017.

Trace TRICOT principal investments to approvals from TRS Internal Investment Committee.

Trace TRICOT sidecar fund investments to approvals documented in TRS Opt Out forms.

Trace foreign exchange rates used to convert non-US Dollar denominated TRICOT investments to external foreign exchange rate providers.

Assess management assumptions for calculating TRICOT investment estimated fee savings.


Trace TRICOT expenses to audited financial statements. Trace unavoidable TRICOT expenses to TRS accounting records. Obtain State Street TRICOT Monthly Summary Report. Trace to TRICOT investment

committed amounts and reconciliation of TRICOT investments’ beginning and ending values.

CONCLUSION Based on our audit results, we determined that management controls related to the calculation and tracking of TRICOT performance metrics are operating effectively to achieve the business objective. We did not identify any significant issues. We found that for fiscal years 2017 and 2016 executed investments sourced through TRICOT generated estimated fee savings and investment gains that exceeded the office’s annual operating expenses. We also found that feedback from external managers indicates that their relationship with TRS has been strengthened through TRICOT. During the audit, management developed documented procedures for calculating TRICOT performance metrics and enhanced documented procedures for tracking investment opportunities sourced by TRICOT staff.


APPENDIX B

Intercompany Agreement - TRICOT’s Services to TRS

September 2015 (Renewed in 2016 and 2017)

London, UK services to be provided by TRICOT to TRS

1. TRICOT will use its best efforts to increase TRS’s private investment opportunities in the United Kingdom and Europe. The office may also represent TRS in Asia and Africa as assigned.

2. TRICOT may use TRS secondees and contractors to perform the services, including networking activities with respect to investment firms and managers in the UK and Europe who are deemed to be potential sources of the best investment opportunities for TRS.

3. TRICOT will analyze prospective investment opportunities to determine whether they satisfy TRS investment criteria and objectives.

4. TRICOT will perform due diligence on prospective investment opportunities and prepare and submit written investment referrals and reports to TRS for further consideration.

5. TRICOT will, at TRS’s expense, lease office space in London for its operations sufficient to provide the services under this Agreement.

6. TRICOT will acquire such goods and services as may be necessary for its operations under this Agreement, subject to the agreed annual budget.

7. Unless TRS does so directly, TRICOT will, at TRS’s expense, lease corporate housing to be provided for the TRS secondees assigned to TRICOT.

8. TRICOT will supervise contract workers assigned to TRICOT at the request of TRS in connection with particular vendors of TRS.

9. For convenience, TRICOT will register with HM (Her Majesty’s) Revenue & Customs as nominal employer for purposes of online reporting required for PAYE (pay-as-you-earn) withholding with respect to the TRS secondees.

10. TRICOT will cooperate with TRS with respect to funding arrangements for the TRICOT’s operating bank accounts in the UK.

11. TRICOT will perform additional duties as assigned in accordance with this agreement and applicable law.


APPENDIX C TRICOT Performance Tables

Table 1: TRICOT Investment Opportunities Received and Executed

Investment Opportunities(Based on date received)


Real Assets 35 36 71

Private Equity 21 18 39

Special Opportunities 5 2 7

Energy and Natural Resources 6 0 6

Public Equity 3 1 4

Total Deals Seen 70 57 127

Investments Executed(Based date investment vehicle closed)


Real Assets 7 3 10

Private Equity 2 3 5

Special Opportunities 0 0 0

Energy and Natural Resources 0 0 0

Public Equity 0 0 0

Total Investments Executed 9 6 15

Table 2: TRICOT Investment ActivityFiscal year 2017 and 2016 closed investments


Total Committed Capital $746,856,558 $408,046,873 $1,154,903,431

Investment Gains and Losses5 114,409,713 9,974,545 124,384,258

Expenses per Audited TRICOT AFR (1,953,376) (1,882,714) (3,836,090)

TRICOT Net Gains and Losses $112,456,337 $8,091,831 $120,548,168

5 The table includes $179 mi l l ion in committed capita l for one principal investment and four s idecar fund

investments that were sourced prior to the TRICOT office opening. These assets are managed as TRICOT

investments as of 9/1/2015.


APPENDIX C TRICOT Performance Tables - Continued

Table 3: TRICOT Estimated Fee Savings

Assuming 5-year Investment Holding Period Fiscal year 2017 and 2016 approved investments

5-year holding period estimate FY 2017 FY 20166 Total

Management Fee Savings 6,500,000 3,900,000 10,400,000

Carry Fee Savings 17,800,000 8,600,000 26,400,000

Total Estimated Fee Savings $24,300,000 $12,500,000 $36,800,000

Table 4: TRICOT-Sourced Investments Beginning and Ending Values

FY 2017 FY 2016

Beginning Value7 498,423,762 96,221,476

Contributions 325,095,286 452,466,796

(Distributions) (16,385,065) (60,239,056)

Investment Gains and Losses8 114,409,713 9,974,545

Ending Value $921,543,696 $498,423,762

Table 5: TRICOT Incremental CostsFiscal year 2017 and 2016


Expenses per Audited TRICOT AFR 1,953,376 1,882,714 3,836,090

TRS Unavoidable Costs9 (565,365) (459,556) (1,024,921)

Incremental Expenses of TRICOT $1,388,011 $1,423,158 $2,811,169

9Unavoidable Costs are expenses that TRS would have incurred without TRICOT.

8Investment Gains and Losses include real ized and unreal ized va lues .

6FY 2016 includes estimated fee savings from a $101 mi l l ion principal investment commitment that was sourced

prior to the TRICOT office opening. As of 9/1/2015, this investment was managed as a TRICOT investment.

7 The table includes $179 mi l l ion in committed capita l for one principal investment and four s idecar fund

investments that were sourced prior to the TRICOT office opening. These assets are managed as TRICOT

investments as of 9/1/2015.

TAB 4C

TRS-ActiveCare bswift Pre-Implementation AuditInternal Audit July 2018

TAB 4.3:C

Audit Team

2

TRS Internal AuditInside Knowledge

Consulting FirmOutside Perspective

Co-Sourced Audit

Audit Objective & Risk Assessment

Assess whether adequate operating and management controls are being conceived, developed, and implemented by bswift to ensure accurate administration of TRS-ActiveCare eligibility, enrollment, and billing activities.

3

What could go wrong? What would have the biggest impacts? Where have we seen problems in the past?

TRS-ActiveCare participants being unable to access health care benefits

Ineligible enrollments and additional costs to the TRS-ActiveCare plan

Inaccurate billing for participating districts

Unauthorized access to protected health information

Audit Objective

Business Risks

Audit Scope

Assessment of highest risks in six key areas:

Change management process

IT Security procedures and processes

System design and compliance with TRS-ActiveCare administration rules

Data migration and conversion process

Development of Electronic data interchange (EDI) for file transfers between bswift, external carriers, third-party administrators (TPAs), and TRS

District billing

4

32

7

12 0

4 4

0 0

7

11

23

4

13 3

17

01 0

5

00

2

4

6

8

10

12

14

16

18

Low Medium Significant HighC

OU

NT

OF

RIS

K R

ATI

NG

RISK RATING

Risk Rating Results of 6 Key AreasChange management process

Data Migration & conversion

IT Security

System Design

Electronic data Interchange (EDI)

Billing

Process and Methodology

• Conduct interviews to gain a basic understanding of implementation process, monitoring activities, and testing being performedAetna and bswift staff welcomed the audit and were very responsive and

cooperative throughout

Leadership team attended interviews, very involved and able to answer all of our questions

• Review bwsift process documentation, policies, and procedures for six key areasDocumentation was well organized and easy to understand

• Conduct tests and data analysisProvided quick response to any questions or needed follow-up

5

Data Analytics Testing Performed• Data Analytics

100% comparison of WellSystems file to data extract from bswift application for the month of April Completeness – did all participants from the WellSystems file make it into bswift?

Accuracy – did the key data fields convert accurately?

6

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

100% 100% 100% 99.96% 99.99% 100% 99.9998% 100% 100%

0% 0% 0% 0.04% 0.01% 0% 0.0002% 0% 0%

bswift & WellSystems Record Matching Result(Total records 498,451)

% of Matched % of unmatched

Billing Testing Performed

• Billing Review100% comparison of enrollment information on 3 district TPA files to the bills generated by bswift in the month of June

All covered individuals on the TPA file are included on the bill with accurate plan and tier

All individuals on the bill were included on the TPA file

Any exceptions were identified on discrepancy reports for the districts

7

185employees

220employees 165

employees

10*

0

50

100

150

200

250

Correct

* All 10 of the discrepancies identified during testing were captured by the bswift system and identified on discrepancy reports for the district Benefit Administrators to review

Total Audit Results

8

25%(3)

67%(8)

18%(1)

IT System Design Data Cleansing

No Significant Findings

12 Opportunities for Strengthening Controls Identified

All have been agreed to and addressed by bswift

TAB 4D

Vendor Procurement AuditInternal Audit July 2018

TAB 4.4:D

2

• Determine if procurements follow TRS Laws & Rules, Contract Administration Policy and the State Contract Administration Guide (collectively referred to as Procurement Guidance) for the Health and Insurance Benefits (HIB) division and the Investment Management Division (IMD) contracts

• Determine if a Business Associate Agreement (BAA) is formed for all contracts that are associated with Protected Health Information (PHI). Our scope was contracts related to the Health and Insurance Benefits (HIB) division and Health Insurance Line-of-Business (HILOB), the new health insurance system

Introduction

AuditObjectives

3

Procurement Guidance was followed for the group health benefit plan contracts in our audit sample and BAAs were in place for those contracts. However, overall we determined that management controls related to vendor procurement need improvement to reduce significant risk of not meeting business objectives.

Audit Results

Results

4

1. Procurement guidance is not consistently used throughout the contracting process

2. Fifteen contract workers had authorized access to PHI, but the eight contracts associated with their employers did not have an executed BAA

Audit Results

Significant Findings

5

3. Omissions were found in the TRS Contract Administration Policy (CAP) where referenced procedural guidance is needed

4. Procurement and Contracts (P&C) is not consistently following internal procedures throughout the contracting process

5. P&C dependency on the use of a rigid, outdated, legacy Budget and Expense Vouchering System (BEVO) and staff turnover in critical functions have exacerbated work process inefficiencies

Audit Results

Other Findings

6

P&C Should be Involved During Procurement

To ensure P&C is involved during the procurement process, there needs to be increased communication between P&C and the Business Unit. In order to help with that communication, P&C will be more proactive, develop additional written processes and develop agency training.

The following actions have been implemented:

• Executive Management has sent reinforcing messages to the Executive Council and Leadership Team on the importance of following policy and involving P&C early in the procurement process

• P&C increased communication between P&C and Business Units by setting up quarterly meetings with P&C, Legal and Business Units

• P&C has made their intranet page more visible to staff

• P&C has developed a new exemption justification procedure with increased oversight from the P&C Director

• Developed a method to identify and track procurements that were not procured per procurement policy

7

Involving P&C - Continued

In addition, the following actions are proposed:

• Develop the following items by December 31, 2018:

Job Aids

Quick Reference Guides

Step-by-Step User Manuals

• Develop a Procurement Training Program by March 1, 2019 that will include:

Mandatory Contract Sponsor training

Annual classroom style procurement training

Brown Bag sessions on various topics

• Conduct a survey to identify potential areas for improvements in the procurement process

8

Executing Required BAAs

The following actions have been completed:

• Obtained a BAA from all the companies of the contract workers that were identified in the audit that required a BAA

• Developed and sent questionnaire to Contract Sponsors to ensure all current contracts have a BAA, if required

Additional actions include:

• Developing a Risk Assessment questionnaire by December 31, 2018 to be completed by Contract Sponsors prior to a procurement to determine if a BAA is required

• By September 1, 2019 a BAA work group will create procedures on how to implement a BAA per Health Insurance Portability and Accountability Act (HIPAA) rules and regulations

9

Revising Procurement Polices and Procedures

The following actions have been completed:

• Revised TRS Contract Administration Policy (CAP) to address most of the identified omissions within the audit

• Created a work group to start reviewing current agency-wide procurement policies and identify TRS long-term policy and procedural changes to address all audit recommendations as a whole

The goal would be to have the revised policies and new procedures completed by September 1, 2019.

10

P&C Did Not Follow Internal Policies

The following actions have been completed to ensure P&C staff follow internal policies:• P&C Director is meeting weekly with individual staff members and monthly as a

team• Developed an internal review of P&C work for anything that is $25,000 or more

Additional action items that are to be completed by December 31, 2018 are:

• P&C is currently reviewing and revising internal processes• P&C is currently and will continue to conduct monthly team meetings to go over

internal processes• P&C review of contracts that are $25,000 or more is currently being conducted,

however, additional resources are needed to help ensure additional reviews are conducted

11

Legacy Procurement System

P&C will complete the following actions:

P&C is currently working on creating a Request for Information (RFI) for a contract management solution that should be posted by July 31, 2018

After P&C receives and reviews the responses from the RFI, they will conduct a Request For Offer (RFO) by December 31, 2018 to purchase a contract management solution

12

Additional Actions

The following are additional actions we are taking that were not identified in the audit:

Created an Executive Management Quarterly Procurement Report

Reviewing and updating Historically Underutilized Business (HUB) policies and procedures

Developing additional guidelines for TRS ProCard Program so that it can be expanded to more users at TRS allowing P&C staff to focus on higher risk procurements

Added a Program Specialist to the Procurement Team to help develop policies and training

Asking for an additional Contract Specialist and Purchaser to help implement new policies and procedures

13

What the future holds?

• Follow-up audit of implementation of audit recommendations in FY20

• Audit of contract management process including contract monitoring (after Contract Sponsor Training) in FY20

• Review and revise procurement policies every 5 years or after applicable legislative mandates

• Follow-up survey on implementation

• Continue with ongoing training and guidance

• It will be important that the proper tone from the top and from the business units support procurement enhancements

14

Questions?

VENDOR PROCUREMENT AUDIT June 2018


Project # 18-201

Legend of Results: Red - Significant to TRS Orange - Significant to Business Objectives Yellow - Other Reportable Issue Green - Positive Finding or No Issue

Business Objectives

Business Risks

Management Controls

Results

Recommended Actions


Business Associate Agreement (BAA) in place for all contracts associated with Protected Health Information (PHI)

Management agrees with the recommendations and agrees to do the following: • Coordinate with departments to develop detailed procedures

unique to the procurement needs of business units • Incorporate effective guidance to TRS Contract Administrative

Policy to address omissions • Follow procedures to ensure that contract files are complete • Address shortcomings of the current legacy system & CAPPS

Management agrees with the recommendations and agrees to do the following: • Implement formal process for sign off by

Contract Sponsor, the Privacy Officer and IT Security on the question of vendor access to PHI

• Confirm any changes in contract scope of work necessitating a BAA

• Substandard products and services • Unfavorable pricing or contract terms • Penalties for non-compliance with laws • Internal or external fraud or collusion • Heavy workload & competing priorities • Contracts not tracked • Duplicate or incorrect invoicing, paying for services not

received

• Vendor that has access to PHI without a BAA in contract file

• Unauthorized access or release of member PHI

• Federal audit with severe penalties for each incident of non-compliance

• Documented process & procedures • Automated process & tracking system • Secondary review & segregation of duties • Legal Services reviews • Authorizations & audit trails • Authorized system access • Vendor oversight & monitoring • Cross training & succession planning

• Cross-functional participation in BAA determination

• Procurement checklist • Documented processes and procedures • Minimum necessary access to PHI

Procurement Guidance was followed for tested group health benefit plan contracts

15 Non-TRS workers had authorized access to PHI but the eight associated employer contracts did not have a BAA

• Coordinate with departments to develop detailed procedures unique to the procurement needs of business units

• Incorporate effective guidance in TRS CAP to address omissions

• Follow procedures to ensure that contract files are complete • Address shortcomings of current legacy system and

Centralized Accounting & Payroll/Personnel (CAPPS) implementation

• Implement a formal process for sign off by Contract Sponsor, the Privacy Officer and IT Security regarding vendor access to PHI

• During scheduled procurement planning meetings, confirm changes in contract scope necessitating a BAA

All of the above management controls Controls Tested

All of the above management controls except vendor oversight & monitoring and cross training & succession planning

Procurements follow TRS Laws & Rules, Contract Administration Policy and the State Contract Administration Guide (Procurement Guidance)

• Omissions in TRS Contract Administration Policy (CAP) where referenced procedural guidance needed

• Inconsistent application of internal procedures throughout the contracting process

• Use of a rigid, outdated legacy system

Departments not consistently using Procurement Guidance throughout the contracting process

BAAs were in place for group health benefit plan contracts

TRS Internal Audit June 26, 2018 Vendor Procurement Audit Page 1 of 18

June 26, 2018 Audit, Compliance and Ethics Committee, Board of Trustees Brian Guthrie, Executive Director

EXECUTIVE SUMMARY The Vendor Procurement audit has been completed as included in the Fiscal Year 2018 Audit Plan. Business objectives related to the Procurement and Contracts (P&C) department are as follows:

Procurements follow Teacher Retirement System of Texas (TRS) Laws & Rules,

Contract Administration Policy (TRS CAP) and the State Contract Administration Guide (collectively referred to as Procurement Guidance)

Business Associate Agreements (BAA) are in place for all contracts associated with Protected Health Information (PHI)

Procurement Guidance was followed for the group health benefit plan contracts in our audit sample and BAAs were in place for those contracts. However, overall we determined that management controls related to vendor procurement need improvement to reduce the significant risk of not meeting business objectives. Specifically, we identified significant issues related to key procurement practices linked to (1) departments not consistently using Procurement Guidance, and (2) 15 contract workers (non-TRS workers) having access to PHI without their eight respective employers having a BAA with TRS. Other reportable issues identified related to omissions in the TRS CAP, inconsistent application of internal procedures, and use of a rigid, outdated legacy system. Management should implement the following enhancements to effectively achieve business objectives: Coordinate with departments to develop detailed procedures unique to the procurement

needs of business units Develop formal processes for sign off by the Contract Sponsor, the Privacy Officer,

and IT Security regarding vendor access to PHI Confirm changes in contract scope necessitating a BAA during scheduled procurement

planning meetings Incorporate effective guidance in TRS CAP to address omissions Follow procedures to ensure contract files are complete Address shortcomings of current legacy system and Centralized Accounting &

Payroll/Personnel (CAPPS) implementation


Overall, by not following Procurement Guidance, TRS may not ensure consistency in its documented competitive bid process and demonstrate best value for TRS. Results of audit procedures performed are presented in more detail in the Results and Recommendations section. The audit objective, scope, methodology and conclusion are described in Appendix A. Audit issues that are mapped to a representation of a maturity model for the procurement process are shown in Appendix B.


BACKGROUND Public procurement is the process of obtaining an item or service at the best value including price, quality, and other considerations that meet the needs of a government entity. The TRS CAP which provides guidelines for procurement, incorporates the importance of open and competitive contracting, acting with integrity and honesty, pursuing best value, and encouraging continuous improvement and innovation while maintaining transparency, accountability, and fiscal responsibility in our procurement and contracting processes. TRS’ emphasis on these elements is important because the Texas Government Code Section 825.103(d) gives TRS exclusive authority in purchasing goods and services exempting the retirement system from certain state procurement and contract reporting law. In recent years, Senate Bill 201 (SB 20) brought about mandatory reporting requirements for healthcare benefit administration contracts that affected the TRS Health and Insurance Benefits (HIB) contracts. TRS is also considered a ‘covered entity’ and under federal law, the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule allows covered entities to disclose PHI to an entity in its role as a business associate to help the covered entity carry out its health care functions. P&C plays a role in meeting the accompanying requirement to have a BAA with the business associate during contract formation. Federal and State reporting requirements are unique to certain TRS business units, creating the need for unique procurement and contract processes and procedures. These reporting requirements require TRS’ interpretation as to which requirements apply and how they will be incorporated in an authoritative procurement and contracting policy. With TRS’ upcoming implementation of the Comptroller’s Centralized Accounting and Payroll/Personnel System (CAPPS), TRS expects contract postings to the Legislative Budget Board (LBB) will be automated. Consequently, to assist withstanding the scrutiny by interest groups and stakeholders, TRS procurement challenges are:

Necessity for established policy and procedures Execution of those procedures Consistent documentation and recordkeeping

A procurement function that is responsive by ensuring that communication lines are open and that a user perspective is incorporated into all processes can meet these challenges. Since TRS has grown to a government entity with approximately 900 workers (includes non-TRS workers), P&C plays a vital role in working with individual business units to determine procedures that serve unique needs while obtaining best value and meeting both federal and state requirements. 1 Senate Bill 20 relating to state agency contracting, was introduced in the 84th (R) Legislative Session, effective September 1, 2015.


BUSINESS OBJECTIVES, RISKS, AND CONTROLS For the audit of Vendor Procurement, information was obtained about the following two business objectives, as well as the related risks and the controls management established to mitigate these risks:

Business Objectives

Procurements follow TRS Laws & Rules, Contract Administration Policy and the State Contract Administration Guide

Business Associate Agreement (BAA) for all contracts associated with Protected Health Information (PHI)

Business Risks

• Substandard products and services • Unfavorable pricing or contract terms • Penalties for non-compliance with

laws • Internal or external fraud or collusion • Heavy workload and competing

priorities • Contracts not tracked • Duplicate or incorrect invoicing,

paying for services not received

• Vendor that has access to PHI without a BAA in contract file

• Unauthorized access or release of member PHI

• Federal audit with severe penalties for each incident of non-compliance

Management Controls

• Documented process and procedures • Automated process and tracking

system • Secondary review and segregation of

duties • Legal Services reviews • Authorizations and audit trails • Authorized system access • Vendor oversight and monitoring • Cross training and succession

planning

• Cross-functional participation in BAA determination

• Procurement checklist • Documented processes and procedures

• Minimum necessary access to PHI

Controls Tested All of the above management controls except vendor oversight & monitoring and cross training & succession planning

All of the above management controls


RESULTS AND RECOMMENDATIONS OVERALL RESULTS Procurement Guidance2 was followed for the tested group health benefit plan contracts and BAAs were in place for those contracts. However, overall we determined that management controls related to vendor procurement need improvement to reduce the significant risk of not meeting business objectives. Specifically, we identified significant issues related to key procurement practices linked to (1) departments not consistently using Procurement Guidance, and (2) 15 non-TRS workers having access to PHI without their eight respective employers having a BAA with TRS. Other reportable issues were identified related to omissions in the TRS CAP, inconsistent application of internal procedures and use of a rigid, outdated legacy system. POSITIVE RESULTS During the audit we observed the following positive actions by P&C:

Meeting with the various business units to: Discuss existing contracts Create a departmental procurement plan for the current and next budget year Provide education on the use of the automated system for the contract closeout

process Consider contracts with vendors with access to PHI for the need of a BAA Informally review procurement policies and procedures as a training

opportunity Educating business units on communication strategies with vendors, such as having

a procurement plan discussed with P&C prior to negotiations with the vendor to obtain the best value for TRS.

Proactively tracking non-compliant transactions such as when an invoice is

received for payment that does not have a corresponding Purchase Order or executed contract.

Communicating to executive management through a formal presentation on P&C

needs and next steps to bring attention to TRS procurement culture.

Actively sharing Historically Underutilized Businesses (HUB) events to promote more HUB procurements in TRS to increase HUB purchases.

2 Teacher Retirement System of Texas (TRS) Laws & Rules, Contract Administration Policy (TRS CAP) and the State Contract Administration Guide (collectively referred to as Procurement Guidance)


Working with Investment Management Division (IMD) to update contract records in preparation for CAPPS. As a result, IMD is working with the Information Technology (IT) Division to develop an automated IMD Contract Management system to better track contracts.

SIGNIFICANT RESULTS3 1. Procurement Guidance is not consistently used throughout the contracting

process

TRS CAP advises that P&C and business units work together well ahead and throughout the procurement and contracting process to ensure compliance with state and federal laws, and to achieve the best outcome for TRS. However, audit tests identified the following instances where departments were not consistently using Procurement Guidance throughout the contracting process. a. Documentation existed to show that the selected vendor was qualified but there was

no vendor evaluation documentation in the contract file that indicated why the particular vendor was chosen over another. There was also no documentation to support how many vendors responded to the solicitation.

b. Non-competitively bid contracts with no term limits or not-to-exceed amounts did not include a justification form. Therefore, only the annual contract cost was considered as the contracts were executed with no term limit. Contracts without a not-to-exceed dollar amount would never meet the justification threshold. Without a total contract cost, P&C cannot ensure the necessary documentation is in place and state reporting requirements are met.

c. Although the TRS CAP is not specific about when to include P&C in the contracting process, a department used their consultant/outside vendors without including P&C to develop their solicitation and contracts documents and did not use approved TRS solicitation templates.

d. A new contract was created using an outside consultant, rather than following Procurement Guidance to create an amendment to an existing contract when the vendor was purchased by another company.

These process inconsistencies occurred because TRS business units find going through their own procurement process meets their unique contracting needs without considering engaging P&C. Therefore, P&C is not always able to ensure documentation and state reporting requirements are met.

3 A significant result is defined as a control weakness that is likely to create a high risk of not meeting business objectives if not corrected.


Overall, the concern in not using Procurement Guidance is that TRS cannot ensure consistency in its documented competitive bid process and may not be able to demonstrate best value for TRS. Departments also have a perception that if P&C is included, the process would be unduly lengthy. Transactional testing on active contracts having payouts during 2017 showed a zero to four month procurement cycle from the date of the requisition to contract award date. Due to system limitations in identifying the type of procurement, the test was not exclusively done on competitive solicitations. However, complex solicitations in the audit test sample showed a five to 13 month procurement cycle from the date of requisition to the contract award date with most solicitations taking ten months. Based on this analysis, the true procurement cycle can be assumed to be six to nine months in duration, somewhere between the two extremes seen here. Therefore, having an agreed procurement plan with P&C in advance is important to expedite the process. A procurement function that is responsive by ensuring that communication lines are open and that a user perspective is incorporated into all processes can meet these challenges.

Recommendation

P&C should coordinate with business units to develop procurement plans, timelines, and detailed procedures tailored to the procurement needs of the business units. Procedures should address:

(1) Maintenance of RFP/RFQ responses meeting minimum submission

requirements and evaluation activity

(2) Specified value and term limit of contract to allow identifying those contracts that would meet the threshold for justification and state reporting

(3) P&C involvement in developing procurement solicitation documents to meet

state reporting/documentation requirements even when outside vendors/consultants are used



Management agrees with the recommendation and has completed the following actions:

Executive Management has sent reinforcing messages to the Executive Council and Leadership Team members on the importance of following policy and involving P&C early in all procurements

Increased communication between P&C and Business Units by setting up quarterly meeting with P&C, Legal and Business Units

P&C has relocated their intranet page so that it is more visible to staff and easier to find

P&C has developed a new exemption justification policy with more oversight from P&C Director

Developed a method to identify and track procurements that were not procured per procurement policy

In addition to the above actions, the following additional actions are proposed:

Develop a Procurement Training Program by December 31, 2018 that will include:

o Mandatory Contract Sponsor training o Annual classroom style procurement training o Brown Bag sessions on various topics

Develop the following items by March 1, 2019:

o Job Aides o Quick Reference Guides o Step-by-Step User Manuals

2. 15 non-TRS workers having authorized access to PHI without their eight

respective employers having a BAA with TRS

TRS is considered a ‘covered entity’ and under federal law, the HIPAA Privacy Rule allows covered entities to disclose PHI to an entity in its role as a business associate to help the covered entity carry out its health care functions. A prior audit report, HIPAA Gap Evaluation Audit (May 2017), included recommendations to ensure that BAAs are executed for all TRS contracts associated with business associates that require access to PHI. Management is currently in the process of implementing this recommendation. However, there is not a process in place where all involved parties participate to formally determine the need for a BAA before P&C signs off on the Purchase Order/Contract Checklist (PAC 491). Audit tests identified 15 non-TRS workers


having authorized access to PHI without their eight respective employers having a BAA with TRS. When completing the question on the Purchase Order/Contract Checklist (PAC 491) for the HIPAA requirement for a BAA, P&C should ensure responses from the Contract Sponsor, the Privacy Officer, and IT Security Officer confirming the type of access a vendor requires.

Recommendation

P&C should consider a formal process that includes a routed checklist that can be approved by the Contract Sponsor, Privacy Officer and IT Security Officer regarding vendor access to PHI. This checklist should provide the means to train staff on identifying PHI to assess the requirement for a BAA. During scheduled procurement planning meetings, P&C should require business units to confirm any changes in the contract scope that would necessitate a vendor having access to PHI; and therefore, become a business associate requiring an executed BAA. With the assistance of Legal Services, P&C should ensure that the contracts associated with the eight vendors identified through audit testing have an associated BAA.


Management agrees with the recommendation and has completed the following actions:

Contacted companies of the contract workers that were identified in the audit to require a BAA and have obtained a BAA from all but one company. We are still negotiating the final terms and should finalize the last BAA by the end of July.

Developed a questionnaire to ensure all current contracts have a BAA, if required.

Additional actions include:

Developing a risk assessment questionnaire that will be completed prior to a procurement to determine if a BAA is required, to be implemented by December 31, 2018.

Developing a BAA work group to create guidance and procedures for implementing a BAA per the HIPAA rules with a finalized policy by September 1, 2019.


OTHER REPORTABLE RESULTS 3. Omissions were found in the TRS CAP where referenced procedural guidance is

needed

TRS business units do not find the TRS CAP to be a comprehensive tool that meets their needs due to omissions in the policy. An authoritative policy with established guidelines and consistency in record keeping, documentation and execution of procedures would assist TRS in withstanding scrutiny by stakeholders and interest groups. Audit tests identified the following omissions in the TRS CAP where referenced procedural guidance is needed: a. No formal procedures exist defining roles and responsibilities that also serves as a

training manual for Contract Sponsors, P&C, Legal Services and IT Security in ensuring compliance with the HIPAA BAA requirements.

b. TRS CAP does not include procedures on how to administer the board approved contracts including how to record evidence of vetting of vendors and guidelines for blackout periods for allowing vendors to appear before the Board.

c. SB 204 compliance in the TRS CAP does not connect the multiple TRS processes that ensure compliance with SB 20 requirements such as obtaining the Non-Disclosure Agreements (NDA) for conflicts of interest and ensuring enhanced monitoring of healthcare claims that are conducted via outside audits.

d. In having a justification threshold for non-competitive Commission Credit procurements above the $100,000 threshold; the TRS CAP does not address documenting how best value was obtained.

e. Contracts in existence before the policy effective date of January 2016 that are nearing renewal are not required to follow established contracting guidelines such as completing a Purchase Exemption Justification Form (PAC 100).

f. Cross-reference to the guidance for completing the Purchase Exemption Justification Form (PAC 100) along with specifying that the contract value should be considered for the life of contract versus the cost for one year, is not in the current TRS CAP.

4 Senate Bill 20 relating to state agency contracting, was introduced in the 84th (R) Legislative Session, effective September 1, 2015.


g. TRS CAP does not clearly define who should be responsible for verifying respondent’s minimum qualifications and who should be verifying minimum submission requirements on responses to solicitation.

h. The roles and responsibilities for departments and P&C when outside vendors are used for the solicitation and contract process are not defined in the TRS CAP.

i. TRS CAP states that during contract coordination, P&C and business units should work together throughout the procurement and contracting process. However, within the roles and responsibilities for Contract Sponsor there is no mention of including P&C, other than for renewals and amendments.

Recommendation An authoritative and complete policy helps ensure a more prevalent use of P&C, who serve as a safeguard for compliance with the TRS CAP, federal laws, and state law reporting requirements. Procedures supporting TRS procurement and contracting policy need to:

(1) Define roles and responsibilities for Contract Sponsors, P&C, Legal Services and IT Security in ensuring compliance with the HIPAA BAA requirements in formal procedures that also serve as a training manual.

(2) Define how to handle board authorization to contract with a vendor, with clear steps as to how to record evidence of vetting of vendors and specifying strict guidelines for adherence to blackout periods for allowing vendors to appear before the Board.

(3) Incorporate written procedures to support the multiple processes that ensure compliance with SB 20 requirements. Procedures should connect the processes such as obtaining the Non-Disclosure Agreement (NDA) for conflicts of interest and healthcare claims audits reported to the Audit, Compliance and Ethics Committee.

(4) Address documenting how best value was obtained, irrespective of the justification threshold for non-competitive Commission Credit procurements.

(5) Require contracts in existence before January 2016 that are nearing renewal, to follow established contracting guidelines such as completing a Purchase Exemption Justification Form (PAC 100).

(6) Cross-reference to the guidance for completing the Purchase Exemption Justification Form (PAC 100), particularly the contract value needed for life of contract versus cost for one year.

(7) Define who should be responsible for verifying respondent’s minimum qualifications and who should be verifying minimum submission requirements.

(8) Define the roles and responsibilities for departments and P&C when outside vendors are used for the solicitation and contract process.

(9) Include consistent procedures related to coordination with P&C well ahead and throughout the procurement and contracting process.


Management Responses Management agrees with the recommendation and completed the following actions: Revised the Contract Administration Policy to address most of the identified omissions

to address current processes. Created a work group to start reviewing current agency-wide procurement policies,

such as Contract Administration Policy, Board Procurement Policy, Historically Underutilized Business (HUB) Manual, and the ProCard Manual, to identify any possible TRS long term policy and procedural changes and to address all audit recommendations as a whole. The goal would be to have the revised policy and new procedures completed by September 1, 2019.

4. P&C is not consistently following internal procedures throughout the contracting

process P&C is not consistently following internal procedures to ensure that contract files are adequately documented and scanned as required. Audit tests identified the following instances where internal procedures were not followed:

a. The Purchase Order/Contract Checklist (PAC 491) is used to ensure the

completeness of contract documents and state reporting guidelines. One out of nine contracts did not have a completed checklist. The contract was for services of $2 million executed in 2017.

b. The current contract files are maintained on an imaging system which requires

documents to be scanned. Documents are not always consistently coded and some were not timely scanned into the system. The assessment of procurement and contract process consistency is difficult without having complete scanned files.

In ensuring completeness of contract files, P&C provides safeguards in complying with laws and policy. These safeguards would be lost if such internal procedures are not followed, resulting in reputational risk and possible legislative oversight for non-compliance. Recommendation P&C should ensure that contract files are consistently documented with a completed Purchase Order/Contract Checklist (PAC 491) to ensure the completeness of contract documents and adherence to state reporting guidelines. Documents in the contract files should be timely recorded and uniformly coded by document type, to enable assessment of whether a consistent process was followed to obtain best value.


Management Responses Management agrees with the recommendation and has completed the following actions:

P&C Director is meeting weekly with individual staff members and monthly as a team

Developed an internal review of P&C work for procurements of $25,000 or more Additional action items that are to be completed by December 31, 2018 are:

P&C is currently reviewing and revising internal processes P&C is currently and will continue to conduct monthly team meetings to go over

internal processes An internal review by P&C of contracts that are $25,000 or more is currently being

conducted. However, additional resources are needed to help ensure ongoing reviews are conducted.

5. P&C dependency on the use of a rigid, outdated, legacy Budget and Expense

Vouchering System (BEVO) and staff turnover in critical functions, have exacerbated work process inefficiencies

TRS procurement and contract needs are varied and vast. Depending on a legacy system that is not effective in recording contract characteristics and key milestones inhibits P&C’s ability to effectively carry out procurement functions. Requirements for manual entry into the system make it more difficult for staff to carry out their job duties. Even with the upcoming implementation of the State Comptroller’s Centralized Accounting and Payroll/Personnel System (CAPPS), there are still some procurement functions that may need to be addressed. The following are shortcomings from the use of the BEVO system that were identified during audit testing:

a. TRS currently uses the Contract Administration Tracking System (CATS) which

has differences in renewal terms from the actual terms in the contract, particularly the remaining number of renewals prior to expiration. Use of this system results in unnecessary solicitations when renewals may be available. A more robust Contract Management Software would help the P&C team to manage TRS’ large budget and contracts.

b. BEVO does not have an accurate capture of all of TRS contracts. There are

differences in the recorded number of contracts, funding sources and identification of vendors between the IMD book of record and BEVO.

c. BEVO does not have data validation checks for date entries such as contract award dates that may be in the future.


d. BEVO reports cannot classify or differentiate between competitively sourced, non-competitive, statewide, sole source or contracts formed due to special circumstances.

P&C can benefit from having a system that provides recording and monitoring contracting activities to allow effective oversight to achieve TRS fiduciary responsibilities in getting best value for TRS members.

Recommendation P&C should work with management to overcome the following shortcomings of the current automated legacy system, particularly the processes that will not be addressed in the CAPPS implementation in August 2018:

(1) The need for a contract management system to handle a large budget and contracts such as the process for tracking contract renewals.

(2) Ensure that the finance book of record is accurate as to funding source, identity of vendor, and completeness of contracts compared with an individual department’s book of record.

(3) Ensure that the contract administration system is able to classify or differentiate between competitively sourced, non-competitive, statewide, and sole-sourced contracts to monitor compliance with state laws and TRS CAP.

Management Responses Management agrees with the recommendation and proposes the following actions:

P&C is currently working on creating a Request for Information (RFI) for a

contract management solution that should be posted by July 31,2018

After P&C receives and reviews the responses from the RFI, P&C will conduct a Request For Offer (RFO) by December 31, 2018 to purchase a contract management solution.

* * * * *

Internal Audit appreciates P&C management and staff for their cooperation, courtesy, and professionalism extended during this audit. Internal Audit also appreciates the support provided by management and staff in Legal Services, Health and Insurance Benefits, Investment Management Division, Information Technology Division and Organizational Excellence. Amy Barrett, CIA, CPA, CISA Anandhi Mani, CIA, CPA, FCCA (UK) Chief Audit Executive Senior Internal Auditor Carol Casey Jan Engler, CIA, CISA, CFE Internal Audit Consultant Director of Benefit Audit Services


APPENDIX A AUDIT OBJECTIVE, SCOPE, METHODOLOGY, AND CONCLUSION This performance audit was conducted in accordance with generally accepted government auditing standards contained in the Government Auditing Standards issued by the Comptroller General of the United States and the International Standards for the Professional Practice of Internal Auditing issued by the Institute of Internal Auditors, Inc. These standards require that the audit is planned and performed to obtain sufficient, appropriate evidence to provide a reasonable basis for the audit’s findings and conclusions based on the audit objectives. The evidence obtained provided a reasonable basis for the audit findings and conclusions based on the audit objectives. AUDIT OBJECTIVE The audit objective was to determine whether internal controls are in place and are working effectively to achieve the business objectives stated below and mitigate significant risks to meeting those objectives.

Determine if procurements follow TRS Laws & Rules, Contract Administration Policy and the State Contract Administration Guide (collectively referred to as Procurement Guidance)

Determine if a BAA is formed for all contracts that are associated with PHI SCOPE The scope of the first audit objective included current contracts spanning fiscal year 2016 and 2017 transactions for Health and Insurance Benefits (HIB) department and the Investment Management Division (IMD). The scope for the second audit objective covered contracts related to the Health and Insurance Benefits (HIB) department and Healthcare Line-of-Business (HILOB), the new health insurance system. METHODOLOGY The audit methodology included obtaining information on management’s business objectives and risks, and focused on key processes and monitoring controls that management has established to address significant risks. To meet the audit objectives, the following procedures were specifically performed:

Ascertained procurement method by doing a search by contract number for solicitation document in General Accounting Imaging System (GAC). Identified type of procurement such as Request for Proposal (RFP) and Request for


Qualifications (RFQ). Where there is no competitive bid method, searched for a "Purchase Exemption Justification" and checked completeness of :

contract value date signed appropriate responses to sections on the form authorization as per TRS CAP matrix assessment overall as to whether a competitive procurement could have

been done Searched for scanned "PO/Contract Checklist" in imaging system by Contract

number, when found verified: sections were filled out as applicable date and signature of person completing and then signature of person

reviewing (3 signatures are required including P&C Contract Administration Manager when >$100,000 and the Director of Procurement when >$5 million for healthcare contracts)

Searched for TRS HIB contracts posting on LBB at http://contracts.lbb.state.tx.us/Introduction.aspx. Verified posting and note posting details. Where not visible, observed the record of posting of contracts in person by viewing P&C’s Contract Administration Manager’s LBB login screen.

Searched for scanned "Business Associate Agreement" in imaging system for contracts in sample by contract number:

ensured the parties were as per contract signature as required by Vendor and Executive Director

Searched for scanned earliest dated "State Voucher" in imaging system for contracts in sample by contract number to verify date was after the contract start date

Assessed the duration of procurement cycle from posting to Electronic State Business Daily (ESBD) to Contract Start Date for competitive bids

Checked if competitively solicited contract or exemption filed, if not, assessed if it was a renewal or amendment

Board approval minutes were viewed in imaging system. For the contracts that did not have an approval, checked with TRS Board Authorized Contracts list as well as Policy

Traced the Health and Insurance Benefits (HIB) and Health Insurance Line-of-Business (HILOB) list of contracts to the HIPAA audit (May 2017) list

For the contracts not on the HIPAA audit list, followed up to ascertain if vendor has access to PHI and a BAA was required

For non-TRS workers found to have access to PHI but no executed BAA, contacted Organizational Excellence (Human Resources) to confirm their HIPAA training

Compared the records between IMD QuickBase list of non-asset management contracts and BEVO to validate the completeness of contracts both for vendor identity, value and accuracy of funding source

Reviewed statewide contracts with TIBH Industries and Department of Information Resources (DIR) to determine if a BAA was executed


Traced non-TRS workers to the Health Insurance System (HEIN) access list and checked contract files on imaging system and SharePoint site for BAA document

Tested contract transactional data from BEVO for invoices before contract date and calculated duration from requisition date to contract award date

CONCLUSION Procurement Guidance was followed for the tested group health benefit plan contracts and BAAs were in place for those contracts. However, overall we determined that management controls related to vendor procurement need improvement to reduce the significant risk of not meeting business objectives. Specifically, we identified significant issues related to key procurement practices linked to (1) departments not consistently using Procurement Guidance, and (2) 15 non-TRS workers having access to PHI without their eight respective employers having a BAA with TRS. Other reportable issues were identified related to omissions in the TRS CAP, inconsistent application of internal procedures and use of a rigid, outdated legacy system.


APPENDIX B AUDIT ISSUES MAPPED TO STATE CONTRACT MANAGEMENT BEST PRACTICES MATRIX

To measure the ability for continuous improvement of TRS procurement processes, the audit issues 1-5 are mapped to applicable areas based on the best practice matrix from the State Contract Management Guide showing progression from initial to best practice. Note issues map to multiple areas where applicable.

COMPONENT

INITIAL

REPEATABLE BEST PRACTICE

Processes

2

• No standard processes for contracting or compliance management (BAA)

4

• Contract processes are defined at the division level, but are sporadically followed

• Contracting process standardized agency-wide

• No contract or solicitation document templates. Every contract or solicitation document looks different

1

• Contract templates utilized sporadically or limited availability of templates

• Formal templates utilized for all solicitations and contracts

1

• Contract Managers not involved from “cradle to grave”

• Contract managers assigned after award is made

• Contract managers are involved in writing solicitation, negotiating contract, managing contract and contract closeout

• Contract Management Guide is ignored or not consulted

3

• Contract Management Guide is used sporadically to address specific questions or concerns

• The Contract Management Guide serves as a roadmap to guide the contracting process

• No structured business planning process to determine sourcing and re-bid strategy

• Limited planning to determine solicitation efforts, re-bid strategies

• Active, formal business planning process

1

• No contract processes that overlap with existing project management practices are defined

• Contract processes that overlap with existing project management practices are defined, but are sporadically followed

• Standardized agency-wide contracting process is comprehensively integrated with existing standardized agency-wide project management practices

Organization

• No coordination between divisions involved in the procurement and contracting process

• Sporadic coordination between contract manager, legal, procurement, etc.

• Coordination and input from all relevant divisions to minimize risk and maximize compliance

Technology

• No contract repository or very basic automated folders for contract storage

5

• Contracts repository supported at division level by basic storage system with little to no reporting capabilities

• Contract automation system that is searchable and allows for the uploading, monitoring and automated reporting of contracts

• Manual compliance reviews

5 • Limited ability to track compliance

• Independent and formal mechanisms in place to track compliance for contract managers

• Developing high level reports with quality contract information is nonexistent or is very labor intensive

5

• High level reports have to be manually created from contract status reports or contract repository

• Amendments can be approved, uploaded, and tracked online

Vendor Relations

3

• Improper or excessive communication with vendors immediately preceding and during an active solicitation phase

• Communication with vendors during the solicitation phase

• Properly routed communication with potential vendors (i.e., through the purchaser) during the active solicitation phase

Legal

• Statutorily mandated terms and conditions are not present

2

• Some statutorily mandated terms and conditions are not present or regularly updated

• All statutorily mandated terms and conditions are present and regularly reviewed and updated by relevant staff

TAB 4E

Employer Data Analysis Project Internal Audit July 2018

TAB 4.5:E

Objectives

Facilitate complete, accurate, and timely submission of employer census data

Perform data analysis and test selected validation rules on employer data from September to December 2017 in TRUST system for data accuracy, completeness, and reasonableness

2

Business Objective

Agreed-Upon Procedure (AUP) Objective

Business Risks and AUP Procedures – Part I

Test 18 of 703 validation rules in TRUST

Recalculate contributions in 11 areas: Member contribution TRS-Care contribution (Member, Employer, and Federal) TRS-Care Surcharge Fed fund/private grant contribution Statutory minimum contribution New member contribution Non-OASDI contribution Community junior college contribution Non-education / general funds contribution

3

Business Risks Incorrect calculation of contribution or surcharges


Test Results – Part I

4

#Contributions Recalculation and Validation Rules

Tested

Discrepancies NotedEmployer

Counts

Member Records

Identified

Net Amount

Over / (Under) Paid

1 Member contributions 1 2 ($56)

2

TRS-Care contribution - Member:

Member not eligible but paid

Member eligible but not paid

Members covered by other group insurance (ERS,

A&M, or UT) but paid TRS-Care contribution

Recalculation of contribution amount

Eligible members with zero compensation amount

19

4

3

0

0

177

12

13

0

0

$2,721

($153)

$156

0

0

3

TRS-Care contribution - Employer:

Member covered by other group insurance but

employer paid TRS-Care contribution

Calculation of contribution amount discrepancies

3

5

13

14

$180

($188)

Test Results – Part I (... continued)

5


Tested

Discrepancies NotedEmployers

Count

Member Records

Identified

Net Amount

Over / (Under) Paid

4TRS-Care contribution – Federal:

Non-eligible member but paid Federal TRS-Care

contribution

9 46 $534

5TRS-Care Surcharge:

Retirees with concurrent employments. The fixed

amount of TRS-Care surcharge is $535

19 42 ($10,560)

6 Federal Fund / Private Grant Contribution 0 0 0

7 Statutory minimum contribution 1 2 ($97)

8Employer’s new member contribution

Recalculation of contribution amount 0 0 0

Test Results – Part I (... continued)

6


Tested

Discrepancies NotedEmployers

Count

Member Records

Identified

Net Amount

Over / (Under) Paid

9Employer’s non-OASDI member contribution

Recalculation of contribution amount

Non-eligible member but RE paid contribution

1

15

3

161

($57)

$4,645

10Junior College Contribution

Recalculation of junior college contribution 2 10 $1,182

11Non-Education / General Funds Contribution

Recalculation of senior college contribution 1 1 ($26)

Business Risks and AUP Procedures – Part II

7

Business Risks

Incomplete employer population Incorrect census data submitted by employers Validity checks overridden or incorrectly programmed in TRUST

Compare population with Texas Education Agency (TEA) school listing Validate social security number (SSN) of new members in TRUST Validate data fields Check data reasonableness of selected data fields:

Birthdate, Gender, and Age fields Total compensation Total hours worked Comparisons of termination date and contract end date; and

employment start date and contract start date


Test Results – Part II

8

# AUP Procedures PerformedDiscrepancy

Count

1 Compare population with Texas Education Agency (TEA) school listing:

6 schools in TRUST system but not in TEA

17 schools in TEA but not in TRUST system

23

2Validate social security number (SSN) of new members in TRUST 0

3Validate data fields and check reasonableness of selected data fields for the entire TRUST population:

Birthdate field is blank 22

Monthly total hours worked are 700 hours or more 16

4Check reasonableness of selected data fields for 106 selected employers:

36 Termination Date is earlier than Contract End Date

8 Contract Start Date earlier than Employment Start Date

44

Management Response

Management Response

After review, Benefit Accounting discovered these findings are related to migrated data and system defects/issues. Some system issues have already been addressed in TRUST, which would prevent future posting of incorrect data. Other system issues are scheduled to be fixed in future maintenance cycles.

For findings that the reporting entity partners will need to correct, Benefit Accounting plans to communicate the information no later than the end of August.

9

EMPLOYER DATA ANALYSIS AUP PROJECT TRUST Reports (September - December 2017)


July 9, 2018 Project #18-103

Incorrect calculation of contribution or surcharges

Validation rules are built into TRUST and calculations for contribution and surcharges are correct

Legend of Results: Red - Significant to TRS Orange - Significant to Business Objectives

Yellow - Other Reportable Issue Green - Positive Finding or No Issue

Business Objectives

Management Assertions

Results

Facilitate complete, accurate, and timely submission of employer census data

Incorrect census data submitted by employers

Incomplete employer population Validity checks overridden or incorrectly

programmed in TRUST

Business Risks


Validity checks are built into TRUST and functioning as designed

Agreed-upon Procedures

Test 18 of 703 validation rules in TRUST Recalculate contributions: o Member contribution o TRS-Care contribution (Member,

Employer, and Federal) o TRS-Care Surcharge o Fed fund / private grant contribution o Statutory minimum contribution o New member contribution o Non-OASDI contribution o Community junior college contribution o Non-education / general funds

contribution

Validate social security number (SSN) of new members in TRUST

Compare population with Texas Education Agency (TEA) school listing

Validate data fields Check data reasonableness of selected

data fields: o Birthdate, Gender, and Age fields o Total compensation o Total hours worked o Comparisons of termination date and

contract end date; and employment start date and contract start date

Test of selected 106 employers (8%) and analyzed more than 1.2 million payroll records from September to December 2017:

Key discrepancies noted in validation rules testing and recalculation of contributions are as follows: o Member contribution (2) o TRS-Care contribution: member (202);

employers (27); and Federal (46) o TRS-Care surcharges (42) o Statutory minimum contribution (2) o Employer’s non-OASDI member

contribution (164)

No incorrect SSN noted Discrepancies noted in the following: o Comparison with TEA school listing (23

discrepancies)

For entire TRUST population - o Blank birthdate field (22) o Monthly total hours worked 700 or more

hours (16)

For 106 selected employers o Contract start, and end dates;

termination, and employment dates (44)

After review, Benefit Accounting discovered these findings are related to migrated data and system defects/issues. Some system issues have already been addressed in TRUST, which would prevent future posting of incorrect data. Other system issues are scheduled to be fixed in future maintenance cycles. For findings that the reporting entity partners will need to correct, Benefit Accounting plans to communicate the information no later than the end of August.

TRS Internal Audit July 9, 2018 Employer Data Analysis Page 1

July 9, 2018 Barbie Pearson, Chief Benefit Officer Subject: Report on Independent Testing of Employer Data Analysis Project We have completed Employer Data Analysis project, for the period of September to December 2017, as included in the Fiscal Year 2018 Audit Plan. We performed the procedures agreed to by you. One hundred and six (106) employers (8% of population) were selected to perform the data analysis that includes building school profile, data completeness check, testing of reasonableness, and recalculation of contributions. More than 1.2 million records for September to December 2017 were analyzed during this project. The detailed procedures and results of our testing and data analysis are explained in Appendix A. This agreed-upon procedures engagement was performed in accordance with generally accepted government auditing standards contained in the Government Auditing Standards issued by the Comptroller General of the United States. The sufficiency of the agreed-upon procedures performed is solely the responsibility of those parties specified in this report. Consequently, we make no representations regarding the sufficiency of the procedures described in Appendix A either for the purpose for which this report has been requested or for any other purpose. We were not engaged to and did not conduct an examination, the objective of which would be the expression of an opinion. Accordingly, we do not express an opinion. Had we performed additional procedures, other matters might have come to our attention that would have been reported to you. This report is intended solely for information and use by TRS management, the Board of Trustees, and oversight agencies, and is not intended to be and should not be used by anyone other than those specified parties. However, this report is a matter of public record and its distribution is not limited, except as protected by statute.


* * * * * We express our appreciation to management and key personnel of Benefit Services and Information Technology divisions for their cooperation and professionalism shown to us during the project. Amy Barrett, CIA, CPA, CISA Mary Presley Chief Audit Executive Internal Audit IT Consultant Lih-Jen Lan, CPA, CIA, CISA, CISSP Senior IT Audit Manager


APPENDIX A

AGREED-UPON PROCEDURES AND RESULTS

Part I – Data Analysis and Validation Rules Testing of Selected 106 Employers

Population and Total Records Tested Testing Period

106 employers (about 8 % of total 1,329)

( Top 10 ISD + Top 10 Higher Ed + 86 SAO selected employers

More than 1.2 million of

payroll records

September to December 2017

1. Contribution Calculation and Validation

Test Purpose Overall Test Description Validate and

Calculate Contributions

Perform recalculation of selected contributions for both active members and retirees of 106 employers using TRUST business validation rules. (Tested 18 of 703 validation rules.)

Contribution Description

Test Description (Validation Rule #) Test Results Management Response

a Member Contribution

#388 - Calculate Member Contribution amounts. Member contribution report amount is not within 5₵ of the calculated amount (member contribution percentage * (Eligible TRS Gross Compensation + Performance Gross Pay).

Discrepancies noted: Two members in

one employer with net underpayment of $56

This is related to system defects/issues. Some system issues have already been addressed which would prevent future posting of incorrect data. Other system issues are scheduled to be fixed in future maintenance cycles.

b TRS-Care Contribution - Member

#355 - Select any member who is not eligible for TRS Membership but paid of TRS-Care Contribution.

Discrepancies noted: 177 records in 19

employers with net overpayment of $2,721

#421 - Select any member who is eligible for TRS membership but not paid of Member TRS-Care Contribution.


employers with net underpayment of $153

#425 - Select any member who is covered by a group insurance plan from ERS, A&M, or UT but member paid of RE TRS-Care Contribution.


employers with net overpayment of $156




b TRS-Care Contribution - Member

#389 - Calculate Member TRS-Care contribution amount. Member TRS-Care contribution amount is not within 5₵ of the calculated amount (member TRS-Care insurance contribution percentage * (Total Eligible TRS Gross Compensation + Total Performance Gross Pay).

No exceptions noted N/A

#422 - Select any member who is eligible for TRS membership but both eligible compensation and performance pay are “0”.

No exceptions noted

c TRS-Care Contribution - Employer

#426 - Select any member who is entitled to Group Benefit Coverage under ERS/UT/A&M but paid of RE TRS-Care Contribution.



Same as items a. and b. above, this is related to system defects/issues. Some system issues have already been addressed which would prevent future posting of incorrect data. Other system issues are scheduled to be fixed in future maintenance cycles.

#390 - Calculate RE TRS-Care Contribution amount. RE TRS-Care contribution amount is not within 5₵ of the calculated amount (RE TRS-Care insurance contribution percentage * (Total Eligible TRS Gross Compensation + Total Performance Gross Pay).


employers with net underpayment of $188

d TRS-Care Contribution - Federal

# 439 - Select any member who is not eligible for TRS membership but paid of Federal TRS-Care contribution.



e TRS-Care Surcharge

#224 - Select any retiree who has concurrent employments and has been reported by more than one RE at the same reporting period. Test the total TRS-Care Surcharge, which should be $535.


employers with net underpayment of $10,560

This issue is related to an existing defect that will be resolved in a future maintenance release.

f Federal Fund / Private Grant Contribution

#391 - Calculate Federal Fund/Private Grant contribution amount. Test net Federal Fund/Private Contribution report amount is not within 5₵ of the calculated amount (current Fed fund-private grant percentage) x Total Eligible Compensation Paid from Federal Funds / Private Grants).



1 OASDI - Old age, survivors, and disability insurance. For payroll purpose, it means a tax deducted from wages or

salary.



g Statutory Minimum Contribution

#547 - Calculate Statutory Minimum Contribution. Test Statutory Min contribution is not within 5₵ of the calculated amount (((Net TRS Eligible Compensation + Net Performance Pay) – Total Net Adjusted Statutory Minimum Compensation) * .068 Statutory Minimum Contribution Percentage) or (((Net TRS Eligible Compensation + Net Performance Pay) - Net Federal Funds/Private Grants) * 6.8% Statutory Minimum Contribution Percentage).

Discrepancies noted: Two members in



h Employer’s New Member Contribution

#393 - Calculate RE New Member Contribution. Test RE New Member contribution amount is not within 5₵ of the calculated amount (RE new member contribution percentage x (Total Eligible TRS Gross Compensation + Total Performance Pay Gross)).


i

Employer’s Non-OASDI1 Member Contribution

#397 - Calculate RE New Member Contribution. Test RE New Member contribution amount is not within 5₵ of the calculated amount (Current RE Payment for Non-OASDI Percentage * Total Adjusted Statutory Minimum Compensation)

Discrepancies noted: Three members in



#442 - Select and test any member who is not eligible for TRS membership but paid of RE Non-OASDI member contribution.

Discrepancies noted: 161 records in 15 employers with net overpayment of $4,645


2 Validation Rule #s 399, 400, and 401 apply to colleges only. Testing was applied to Top 10 Higher Education

institutions only



j2 Non-Educational / General Funds Contribution

#399 – Senior college’s contribution amount verification

Discrepancies noted: One discrepancy

noted with underpayment amount of $26

This is related to how the system was previously determining the New Member period. Except for 2 specific scenarios, this issue has been resolved. Benefit Accounting will implement additional processes to verify employer contributions.

k

Community Junior College Contribution

#400 - Calculate Community Junior College Contribution amount. Test Community Junior College Contribution is not within 5₵ of the calculated amount ((Current State Contribution Rate x ((Total Eligible TRS Gross Compensation ÷ 2) minus Total Eligible Comp paid from Federal Funds minus Total Eligible Comp paid from Education/General Local Funds))) and Position is Professional/Administrative or Teacher or Full-time Librarian.

Discrepancies noted: 10 members in two

employers with net overpayment of $1,182

This is related to a missed validation to prevent the institution from reporting Community Junior College contribution when the TRS membership flag is N. Requirement update has been logged.

#401 - Calculate Community Junior College Contribution amount. Test Community Junior College Contribution is not within 5₵ of the calculated amount (Current State Contribution Rate x (Total Eligible TRS Gross Compensation minus Total Eligible Comp paid from Federal Funds minus Total Eligible Comp paid from Education/General Local Funds)) and Position is Support Staff or Bus Driver or Full-time Nurse/Counselor or Peace Officer or Support Staff-Food Service Worker.


3 ED - Employee Demographic Report 4 ER – Employment after Retirement Report 5 RP – Regular Payroll Report

2. Data Analysis of Selected 106 Reporting Entities

No Test Purpose Test Description Test Results Management Response

a Build and provide Big School Data View/Profile

Select top 10 Independent School Districts (ISD) and top 10 Higher Education Institutes based on eligible compensation amount. Build profiles on ED3, ER4 and RP5 data.

Informational only – Two sets of school

profiles were built with ED, ER, and RP information.

N/A

b Reasonableness, Validity Check, and Data Quality

For 106 reporting entities, select ED, ER and RP data from September 1, 2017 to December 31, 2017. Verify critical or required data fields for reasonableness and completeness.

Discrepancies noted: 36 Termination Date

earlier than Contract End Date

8 Contract Start Date earlier than Employment Start Date

This issue is related to an existing defect that will be resolved in a future maintenance release. A database update was made recently to reconcile and correct the current data.


Part II – Data Analysis across the TRUST system

No Test Purpose Test Description Test Results Management Response

1. Completeness of School Population Identify any

schools in Texas Education Agency (TEA) but not in TRUST or in TRUST but not in TEA

Compare TEA AskTed website school list with TRS TRUST system. Build cross-walk between TEA ID and TRUST RE No. Set the process as continuous monitoring to run annually.

a. 6 schools in TRUST system but not in TEA

b. 17 schools in TEA but not in TRUST system.

The process has been set to run annually

No true exceptions: 6 schools will be

inactivated in TRUST. 17 schools are reported

either by the parent institution or not eligible for TRS.

2. Social Security Number (SSN) Validation Validate new

members social security numbers

Select new members who started on or after September 1, 2017 and use Social Security Administration Area Code, Group Code, and TRS business rules to validate new members’ social security numbers.


3. Data Analysis of Entire Population a Data Validity

Check Select entire population data for September to December 2017 in the TRUST system for active members. Test birthdate, gender, and age data fields.

Discrepancies noted: 22 members with

blank birth dates

This is related to data migration and system issues. In some instances, this is also an employee training issue as some DOB were deleted internally but not re-entered.

b Reasonableness Checks

Select entire population data for September to December 2017 in the TRUST system and tested reasonableness of age data and monthly total hours worked greater than 700 hours.

Discrepancies noted: 16 members showed

monthly total hours worked 700 or more hours

TRUST programmed for the maximum allowable hours in the month. Need to revisit validations for reasonableness.

c Statistical Data Analysis

From entire population, select top 20 salaries, eligible compensation, monthly hours worked from ED, ER, and RP reports from September 1, 2017 to December 31, 2107.

Informational only - Information provided to Benefit Reporting Team

N/A

TAB 4F

Status of Prior Audit & Consulting RecommendationsInternal Audit July 2018

TAB 4.6:F

TRS Internal Audit Summary of Audit Recommendations Status

As of June 2018

July 2018 Board Audit, Compliance and Ethics Committee Meeting 1

Project Recommendation Status Issue Type Estimated Date

Revised / Actual Date

17-305 Commission Credit (soft dollar) Audit

Strengthen monitoring of contractual allowance balances to ensure no available amounts are lost Implemented Significant

to Business 12/2017 12/2017

17-306 Funston Evaluation of TRS Real Assets Investment Program

Board should consider adopting a stand-alone Compliance Policy in order to place Board emphasis on the importance of compliance and greater clarity to the respective roles and responsibilities throughout TRS respecting this area.

Implemented Other Reportable 12/2017 4/2018

Real Assets should undertake a cost/benefit analysis of the potential for active direct real estate investing. Implemented Other

Reportable 12/2017 6/2018

17-503 Audit of Trust Expenses Allocation

Develop and implement a written, comprehensive, and approved cost allocation policy that emphasizes the fiduciary duty in the equitable allocation of fund expenses; and that includes definitions, defined roles and responsibilities, and the basis for each allocated cost

In Progress Other Reportable 8/2018

Develop procedures to implement the new comprehensive cost allocation policy that include documented approvals to be obtained for methodologies used and final year-end calculations


Develop procedures to implement the new comprehensive cost allocation policy that include materiality thresholds for determining whether a year-end adjusting journal entry is required to ensure equitable fund allocations


Significant to Business Objectives

Other Reportable

Past original estimated completion date, and No management action plan or No progress on management action plan

Past original estimated completion date Progress on management action plan

Original estimated completion date has not changed Progress on management action plan

Satisfactory implementation of management action plan or Acceptance of risk by management

Implementation of management action plan pending Internal Audit validation

Past first revised estimated completion date No management action plan or No progress on management action plan

Past first revised estimated completion date Progress on management action plan

Within original or first revised estimated completion date Progress on management action plan

Satisfactory implementation of management action plan or Acceptance of risk by management


As of June 2018


Project Recommendation Status Issue Type Estimated Date

Revised / Actual Date

17-503 Audit of Trust Expenses Allocation (continue…)

Develop procedures to implement the new comprehensive cost allocation policy that include defined roles and processes for the initial and periodic assessment of new capital projects to determine the appropriate method of finance


Develop procedures to implement the new comprehensive cost allocation policy that include a routinely reviewed and approved schedule of direct and indirect costs by TRS department


Develop procedures to implement the new comprehensive cost allocation policy that include defined roles for department managers in the determination and approval of rates used for facilities costs


Develop procedures to implement the new comprehensive cost allocation policy that include defined roles for department managers in the determination of rates used to allocate indirect costs and in the confirmation that the rates reflect current conditions


SAO Audits of FY 2014 - 2017 Comprehensive Annual Financial Report

Strengthen controls over census data Implemented Significant 8/2016 06/2018


As of June 2018


Status of Reporting Entity Audit Recommendations

Note: The Benefit Accounting Reporting Team has resolved the issue with the school. Fixes to system defects have been implemented on 6/28/2018 and inputs into the TRUST system are pending.

Statuses:

Under Legal Services Review – TRS Benefits team has requested Legal Services review before taking any further action In Progress – TRS Benefits team is working with RE on corrections/adjustments Closed – TRS Benefits team has resolved all RE audit findings No Audit Findings – the audit resulted in no audit findings

Audit Project # Audit Report Date Reporting Entity (RE) Status

1 17-401b 8/31/2017 Dallas ISD In Progress (See note below)

Chief Audit Executive Goals for FY 2018 *

Goal 1

Sustain a Financially SoundPension System

Goal 3

Facilitate Access to Competitive,Reliable, Health Care Benefits

1

Goal 2

Continuously Improve Our Benefit Delivery

-- Planned-- Complete -- In Progress

July 2018 Board Audit, Compliance and Ethics Committee Meeting

Provide assurance on performance calculations

Provide assurance on private equity fees

Test compliance with investment policies

Coordinate CAFR and TRICOT financial audits

Provide assurance on TRICOT cost benefit Coordinate TEAM program

assessment vendor activities

Review key TEAM Phase I controls and participate in TEAM activities

Test benefit annuity payments

Analyze full payroll data and provide assurance on employer reports

Consult on benefit disbursements

Test implementation of select TRS-Care legislative changes

Provide assurance on TRS procurement

Provide assurance on TRS-ActiveCare billing, procurement and administrative fees

Follow-up on outstanding HIPAA audit recommendations

• Goals have been updated to reflect board-approved changes to annual audit plan

Chief Audit Executive Goals for FY 2018

Goal 4

Align Technology to Achieve the TRS Mission

Goal 4

Align People to Achievethe TRS Mission

Goal 4

Align Processes to Achieve the TRS Mission

2July 2018 Board Audit, Compliance & Ethics Committee Meeting

Test executive incentive compensation

Test investment incentive compensation

Participate in the management continuity program and nominate staff for leadership program

Develop new auditor training modules and revisit career paths

Consult on board reporting timeliness

Measure and trend internal audit activities and present on audit value add

Re-engineer reporting entity audit processes

Implement department records management changes

Participate in Executive Council & Risk Oversight Committees

Participate in hotline triage team

Participate in TRS rules review related to reporting entities

Communicate on reporting entity audit issues found

Follow up on innovation top 10

Advise on the CAPPS project

Review info security tests and risk assessments

Observe disaster recovery and business continuity tests

Internal Audit Goals and Performance Measures Fiscal Year 2018 – 3rd Quarter Ending May 2018


Target Performance Annual Target

Cumulative Score Activity / Comment Status

Goal 1: Facilitate Audit Committee Governance

1. 80% or more of audit and agreed-upon procedures projects are completed in the fiscal year (80% allows for flexibility due to changes in TRS business practices and special requests)

80% 62% Activity through June 2018 On Task

2. 70% or more of total available department hours (excluding uncontrollable leave) are spent for internal audit staff on direct assurance, consulting, and advisory services

70% 76% On Task

3. 100% of internal audit processes are in accordance with internal auditing standards as reported in the annual quality assurance and improvement (QAIP) report

100% N/A QAIP to be completed in September 2018 N/A

4. 80% (4.0/5.0) or higher score received for audit project client surveys in overall satisfaction 80% 92% Score based on nine responses

from five projects. On Task

5. 76% (3.8/5.0) or higher score on staff 360 evaluations in accountability, critical thinking, and initiative 76% 79%

Score based on staff 360 evaluations completed in October 2017

Achieved

6. 90% (4.5/5.0) or higher score received for CAE 360 evaluation in “Leads the Agency” (aka Firm Leadership) and “Leads the Team” (aka Managerial Leadership)

90% N/A CAE 360 evaluation cancelled N/A

7. 80% (4.0/5.0) or higher score received for audit project client surveys regarding communication of the audit purpose, results, and reports

80% 90% Score based on nine responses from five projects On Task

8. 80% (4.0/5.0) or higher score on staff 360 evaluations in the area of verbal and written communication and collaborative audit perspective

80% 81% Score based on staff 360 evaluations completed in October 2017

Achieved

9. 100% of relevant current “Tone at the Top” articles uploaded to Diligent 100% 75% Score based on 25% per

quarter. On Task

10. One speaker on the topic of the benefits of an effective audit function presents at the February board meeting 1 1

Jim Pelletier from the IIA presented at the February 2018 board meeting

Achieved





Goal 2: Support TRS Initiatives

1. 86% (4.3/5.0) or higher score for CAE 360 evaluation in contribution goals 86% N/A CAE 360 evaluation cancelled N/A

2. 80% (4.0/5.0) or higher score received for audit project client surveys in TEAM-related projects, when applicable 80% N/A No formal projects scheduled N/A

3. 80% (4.0/5.0) or higher score on staff 360 evaluations in the area of organizational awareness 80% 81%


Achieved

4. 83% (5.0/6.0) or higher score for departmental organizational health on the annual Workplace Dynamics Survey 83% N/A Survey results to be reported in

September 2018 N/A

Goal 3: Enhance Internal Audit Staff Competence and Expertise

1. 80% (4.0/5.0) or higher score received for audit project client surveys regarding the usefulness of audit recommendations in improving business processes and controls

80% 94% Score based on nine responses from five projects On Task

2. 80% (4.0/5.0) or higher score on staff 360 evaluations in the area of audit acumen 80% 79%


Not Achieved

3. 92% (4.6/5.0) or higher score for CAE 360 evaluation in “Leads the Self” (aka Technical Leadership) 92% NA CAE 360 evaluation cancelled N/A

4. 100% of audit staff complete annual training plans and obtain a minimum of 40 hours of continuing education credits 100% 100% Staff expected to complete 40

hours/each towards year end On Task

5. 100% of audit staff maintain professional certifications or actively pursue certifications and related eligibility requirements

100% 100% Staff expected to maintain or pursue professional certifications during year

On Task

6. 100% of audit staff participate in professional organizations 100% 100% On Task





7. 100% of audit staff acknowledge an understanding of their career path 100% 92%

March 2018 survey results indicate that one staff member is uncertain of his/her career path

Below Target

8. 92% or more of audit staff remain in internal audit or TRS (excluding retirements and transfers) 92% 93% One staff member left TRS in FY

2018 On Task

Legend: Target Status

Target not achieved Below target but expect to achieve On task to achieve Achieved target

Fiscal Year 2018 Audit Plan Status As of June 2018


Title and Project # Type Status

Executive and Finance

Board Reporting Process and Materials Review Consulting Complete

General Accounting Change in Management Audit Audit Cancel

Capital Improvement Planning Process Consulting Defer

Coordination for State Auditor’s Office (SAO) Comprehensive Annual Financial Report (CAFR) Audit for Fiscal Year 2017

Advisory Complete

Teacher Retirement Investment Company of Texas (TRICOT) Financial Audit Coordination (Grant Thornton) Advisory Complete

Executive Incentive Pay Testing Agreed-Upon Procedures

New Financial System – CAPPS Implementation Meeting Participation Advisory Ongoing

Committee and Workgroup Meetings Participation Advisory Ongoing

TRS Investment Company of Texas (TRICOT) Cost-Benefit Audit Audit Complete

Special Requests and Emerging Issues (IT Governance – outsourced project) Consulting In progress

TEAM Program

TEAM Independent Program Assessment (IPA) Vendor Support Advisory Ongoing

TEAM Committees, Projects and Controls Assessment Participation Advisory Ongoing

Pension Benefits

Annuity Payment Testing for SAO CAFR Audit of FY 2017 Audit Complete

Annual Benefits Testing Agreed-Upon Procedures In Progress

Employer Data Analysis Testing Agreed-Upon Procedures Complete

Employer Audits Audit In Progress

TRS Reporting Entity Website Audit Information and Communication Activities Advisory Complete

Benefit Disbursement Review Consulting In Progress

Fiscal Year 2018 Audit Plan Status As of June 2018


Health Care

TRS-Care Legislative Change Management Review Consulting Complete

TRS-ActiveCare Eligibility, Enrollment, and Billing Process Pre-implementation Audit Audit Complete

Vendor Procurement Audit Audit Complete

Health Care Administrative Expenses Audit Audit Defer

Health Care Vendor Update Meetings Attendance Advisory Ongoing

Information Technology

Disaster Recovery, Network Penetration Tests, Security Risk Assessment Review Advisory

Investment Management

Private Equity Management Fees and Carried Interest Desk Audits Audit In Progress

Performance Calculations Audit Audit Complete

Quarterly Investment and Ethics Policies Compliance Testing Agreed-Upon Procedures 3rd Quarter Complete

Annual Testing of Investment Incentive Pay Plan Agreed-Upon Procedures Complete

Investment Committees Attendance Advisory Ongoing

Internal Audit Department

Annual Internal Audit Report Administrative Complete

Data Analysis Process Buildout Administrative

Quarterly Audit Recommendations Follow-up Administrative Ongoing

Internal Quality Assurance Review Administrative In Progress

Fiscal Year 2019 Audit Plan Administrative In Progress

Employer Audit Process Re-engineering Administrative Complete

Internal Audit Staff Training Initiative Administrative In Progress

Audit Committee Meetings Preparation Administrative Ongoing


Internal Audit Advisory Services1 Fiscal Year 2018 – 3rd Quarter

BENEFIT SERVICES

Participated in the TEAM Program o Enterprise Projects Oversight Committee (EPOC) o Organizational Change Management Advisory Group (OCM) o Monthly meetings with TEAM Program Manager and vendor personnel o Independent Program Assessment (IPA) Vendor Coordination

Facilitated discussions on observations around TRUST access controls and segregation of duties controls

HEALTH INSURANCE BENEFITS (HIB)

Attended the Health Plan Administrator (HPA) and Pharmacy Benefit Manager (PBM) Vendor Quarterly Update Meetings

Participated in discussions with Legal and Compliance regarding outstanding audit recommendations regarding privacy and breach issues from HIPAA Gap Assessment Project

INVESTMENT MANAGEMENT DIVISION (IMD)

Attended Internal Investment Committee (IIC) meetings Participated in quarterly Proxy Voting Committee meeting Participated in monthly Securities Lending monitoring calls

FINANCIAL SERVICES

Liaison for the State Auditor’s Office (SAO) Fiscal Year 2018 Comprehensive Annual Financial Report (CAFR) Audit and associated Census Data and Allocation Schedule Audits

Participated in project team meetings for Centralized Accounting and Payroll/Personnel System (CAPPS)

Participated in workgroup discussions related to obtaining and monitoring of Business Associate Agreements associated with the procurement process

Participated in a workgroup discussions relating to review of current agency-wide procurement guidance documents

EXECUTIVE

Facilitated SAO’s Quarterly Update Meetings Participated in the Risk Oversight Committee Participated in Health and Safety Committee Quarterly Meetings Participated in monthly collaboration meetings with Enterprise Risk Management (ERM)

management Participated in the Records Management Cross-functional Workgroup

INFORMATION TECHNOLOGY (IT)

Tracking outstanding audit recommendations from HIPAA Gap Assessment Project and Audit of On/Off Boarding Processes of Non-TRS Workers

Liaison for an outsourced consulting project on IT Governance Participated in the Information Security Advisory Team (ISAT) meetings

1 Advisory Services (non-audit services) - The scope of work performed does not constitute an audit under Generally Accepted Government Auditing Standards (GAGAS).


Promotions and Certifications

Kate Rhoden obtained the Certified Internal Auditor (CIA) designation in May

Mary Presley passed the Certified Information Systems Auditor (CISA) exam in June

Professional Organization Activities and Conferences

Internal Audit (IA) Department hosted the semi-annual Association of Public Pension Plan Auditors (APPFA) conference. Brian Guthrie welcomed participants and TRS staff made many presentations about their areas including Barbie Pearson, Frank Williams, Heather Traeger, Jay LeBlanc, Anandhi Mani, Rodrigo Dominguez, Simin Pang, and Lih-Jen Lan. Art Mata and Karen Marino coordinated the logistics.

Internal Audit hosted a training class of Private Equity Accounting and Fee Validation to which employees from other TRS departments and other local public pension plans attended

Internal Audit hosted a training class of State Agency Internal Audit Forum (SAIAF) External Peer Review to which TRS internal auditors and auditors from other state agencies attended.

Kate Rhoden finished her Presidency Year with the Austin CPA Chapter and continues her service on the Board of Texas Society of CPAs and the Accounting Advisory Committee of the Austin Community College (ACC). She spoke to ACC students on accounting/auditing profession and importance of certifications.

Nick Ballard appointed to Vice President of the Association of Public Pension Fund Auditors (APPFA). APPFA’s purposes include encouraging cooperation among public pension fund auditors, providing professional development on pension related topics, and promoting and maintaining high professional standards for internal auditors of public retirement systems.

Internal Audit Training Initiative Art Mata held Employer Audit information sessions for the Department

Kate Rhoden led training sessions for the Department on Public Speaking, Coaching, and Workpaper Elements

Anandhi Mani led a training session for the Department on the Audit Lifecycle

Mary Presley held a couple of demonstration sessions on navigating member information in the new TRUST system

Simin Pang held an ACL (data analysis software tool) training to demonstration her data analysis work in investment performance calculation project

Internal Audit Staff Accomplishments

TAB 6

The information for this agenda item is confidential.