Internal Audit Report

Procurement Cycle: Efficiency/Effectiveness of Performance Monitoring, Data Reliability, and System Access

TxDOT Office of Internal Audit

Procurement Cycle: Perf. Monitoring/Data/Access TxDOT Office of Int. Audit – Limited Scope

July 18, 2014

Objective

To evaluate the efficiency and effectiveness related to performance monitoring, data reliability, and system access of the procurement cycle.

Based on the scope/coverage performed during the Planning phase of this engagement, the title and focus of the audit were changed to Procurement Cycle: Efficiency/Effectiveness of Performance Monitoring, Data Reliability, and System Access.

Opinion

Based on the audit scope areas reviewed, control mechanisms require improvement and only partially address risk factors and exposures considered significant relative to impacting reporting reliability, operational execution, and compliance. The organization's system of internal controls requires improvement in order to provide reasonable assurance that key goals and objectives will be achieved. Improvements are required to minimize existing process variation and control gap corrections that may result in potentially significant negative impacts to the organization including the achievement of the organization's business/control objectives.

Overall Engagement Assessment: Needs Improvement

Findings

| Finding | Title | Control Design | Operating Effectiveness | Rating |
|---|---|---|---|---|
| Finding 1 | Access Controls | x | x | Unsatisfactory |
| Finding 2 | Data Reliability, Reporting, and Efficiency | x | x | Unsatisfactory |
| Finding 3 | Segregation of Duties in the Automated Purchasing System | x | x | Needs Improvement |

Management concurs with the above findings and prepared management action plans to address deficiencies.

Control Environment

TxDOT’s Procurement Division (PRO) once operated under four geographical areas (North, South, East, and West) and provided administrative purchasing support to TxDOT’s 25 districts. PRO became centralized and all area staff began reporting to the statewide procurement director on September 1, 2013 to help ensure consistency across the branch offices.

Summary Results

Finding 1
Scope Area: IT Infrastructure & Data Reliability
Evidence: Former TxDOT employees still have access to the Automated Purchasing System (APS):

• 168 terminated employees had active user IDs in APS after termination date
  o 20 of 168 (12%) terminated employee IDs were used to access the system after the employees’ termination dates:
    ▪ 8 of 20 (40%) terminated employee user IDs were used to request/receive goods after the employees’ termination date. Three of these employee IDs produced 274 transactions ($1.2M of expenditures). This information was sent to TxDOT’s Office of Compliance Ethics and Investigations (OCEI) for further review and OCEI did not detect any fraud, waste, or abuse in those transactions.
• 177 of 1,243 (14%) employees had APS access that was no longer required for their current job roles and responsibilities

Finding 2
Scope Area: IT Infrastructure & Data Reliability; Reporting; Efficiency of Process
Evidence: Improvements are needed in the monitoring, utilization, and reporting reliability of Automated Purchasing System (APS) data:

• Performance Monitoring: Procurement does not track the time it takes to submit, approve, and obtain a good/service. For various requisitions initiated in the South, East, and Central field offices, some requisitions took over 30 days for each of the various process stages to occur (i.e., from initiation of requisition to submission, submission to approval, approval to PO issuance, and from PO issuance to receipt of goods/services). Several of these purchases included items such as parts/tools and office supplies
• Open Purchase Orders (PO’s): As of March 14, 2014, 925 of 2,151 (43%) PO’s were over 6 months old (100 of which were over 3 years old) in the APS system for all four field offices (North, South, East, West)
• Cancelled Requisitions: Data to monitor user-cancelled requisitions and requisition cycle time was not retained. Without this data, Procurement Division’s monitoring capability was limited
• Data Reliability:
  o 14,207 of 252,380 (6%) requisitions were identified where goods and services were received prior to requisition being initiated, submitted, and approved
  o For 50 of these requisitions, the promise delivery date entered by the APS user was between the years 2021 – 2127 due to manual entry errors

Finding 3
Scope Area: IT Infrastructure & Data Reliability
Evidence: Automated controls for segregation of duties are not functioning as intended in APS:

• From August 2012 through January 2014, there were 171 requisitions that had the same requisitioner, approver, or purchaser performing a combination of these functions. Fourteen of these requisitions involved the same APS user having multiple IDs (issued to them) and using the dual IDs to request and approve their own requisitions by utilizing the first ID to initiate the requisition and second ID to approve the requisition. This information was sent to TxDOT’s Office of Compliance Ethics and Investigations (OCEI) for further review and OCEI did not detect any fraud, waste, or abuse in those transactions.
  o The total amount approved and requested by the same user was almost $700,000

Audit Scope

The scope of the audit work focused on activities by the Procurement Division (PRO), as well as end users and approvers who request goods and services, approve requests, issue purchase orders, and receive goods and services. These activities were reviewed to assess the efficiency of the procurement process, evaluation of reporting and monitoring functions of PRO, and application of the general information technology controls environment. The testing population obtained for audit fieldwork included 323,650 requisitions initiated in the Automated Purchasing System (APS) from August 2012 through January 2014. Certain tests were performed on sample periods and types of purchases initiated.

The audit was performed by Jill Emery, Yania Munro, graduate students in the TxDOT and University of Texas at Austin internal audit program, and Karen Henry (Engagement Lead). The audit was conducted during the period from January 13, 2014 to March 24, 2014.

Methodology

The methodology(s) used to complete the objectives of this audit included:

• Reviewing TxDOT internal documents, including procurement policy and procedure manuals, organization charts, process maps, and management reports
• Reviewing state codes and manuals, including State of Texas Procurement manual, Texas Government Code, and Texas Administrative Code sections for purchase rules
• Inquiring, interviewing and observing personnel performing procurement functions
• Reviewing prior audit reports from TxDOT’s Office of Internal Audit, TxDOT’s Office of Compliance Ethics and Investigations, Texas State Auditor’s Office, and Texas Comptroller of Public Accounts
• Evaluating control design and operating effectiveness of the procurement system
• Conducting data analysis and sampling
• Identifying reporting functions utilized by other agencies in monitoring procurement for best practice(s)
• Reviewing communication and management philosophy of overall organizational tone
• Performing an overall risk assessment of the procurement function

These procedures were applied as necessary to perform the audit fieldwork.

Background

This report is prepared for the Texas Transportation Commission, TxDOT Administration and Management. The report presents the results of the Procurement Cycle: Efficiency/Effectiveness of Performance Monitoring, Data Reliability, and System Access Audit (formerly titled Procurement Policies and Procedures Audit) which was conducted as part of the Fiscal Year 2014 Audit Plan.

PRO is responsible for the purchase of all goods and services statewide and performs purchasing oversight for all purchasing actions by the TxDOT districts.

TxDOT’s procurement process follows the requirements of the State Purchasing Act and sources for department purchasing policies such as the Texas Constitution, the State Purchasing Act (Subtitle D, Title 10, Texas Government Code), and the Texas Comptroller of Public Accounts Purchasing Rules (34 TAC 20).

The agency procures goods and services through one of two primary purchasing methods, payment cards and purchase orders, generated through the Automated Purchasing System (APS). In order to evaluate the efficiency of the procurement process, as a part of the overall audit objective, the audit scope focused on purchases generated through APS (e.g., payment cards were not reviewed). There are currently approximately 3,000 users of APS including TxDOT employees who request or approve goods or services, purchasers, and warehouse and finance division personnel. The agency is in the process of transitioning to a new software system, PeopleSoft, for procurement with an anticipated roll out date of September 2014.

The annual volume for purchasing in Fiscal Year 2013 was over $1 Billion, which included over 130,000 purchase orders.

We conducted this performance audit in accordance with Generally Accepted Government Auditing Standards and in conformance with the International Standards for the Professional Practice of Internal Auditing. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. Recommendations to mitigate risks identified were provided to management during the engagement to assist in the formulation of the management action plans included in this report. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. The Office of Internal Audit transitioned to Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control – Integrated Framework version 2013 in December 2013.

A defined set of control objectives was utilized to focus on reporting, operational, and compliance goals for the identified scope areas. Our audit opinion is an assessment of the health of the overall control environment based on (1) the effectiveness of the enterprise risk management activities throughout the audit period and (2) the degree to which the defined control objectives were being met. Our audit opinion is not a guarantee against reporting misstatement and reliability, operational sub-optimization, or non-compliance, particularly in areas not included in the scope of this audit.

Detailed Findings and Management Action Plans (MAP)

Finding No. 1: Access Controls

Condition

Former TxDOT employees’ access to the Automated Purchasing System (APS) was not disabled, as required. Three of these employees’ credentials were used to access the system to request goods and services. Additionally, reasonableness of system access for APS users is not being monitored.

Effect/Potential Impact

Former employees can access APS and have the ability to purchase goods and services, which could result in misappropriation of TxDOT equipment, supplies, and resources.

Criteria

Title 1, Texas Administrative Code, Section 202.25(3)(B), requires a user’s access authorization to be modified or removed when the user’s employment or job responsibilities change. In addition, the TxDOT Purchasing Manual Chapter 1, Section 3 states that each region will have a Region Purchasing Manager (RPM) who will review and recommend approval for access to the Management Information System subsystems related to purchasing and inventory management (i.e. Automated Purchasing System (APS), MSMS, Minor Equipment System, and Equipment Operating System).

Supervisors in the districts and divisions have responsibility for requesting, reviewing and terminating access, as appropriate, for TxDOT computer and software systems’ access. The Procurement Division (PRO) has ownership, responsibility, and governance in ensuring compliance with purchasing procedures for all levels of purchasing within the department, which includes APS system oversight.

Cause

APS system termination and access change procedures have not been developed to ensure network and application/software access is terminated upon separation of an employee from TxDOT employment. Process and procedures have not been set up to regularly monitor the APS to ensure employee transfers, employee terminations, and reasonableness of system access is correct on an ongoing basis.

Evidence

Based on fieldwork performed:

• 168 terminated employees (obtained from a Human Resources terminated employee listing for the period of 2/14/2013 – 2/14/2014) still had APS access:
  o 20 of 168 (12%) terminated employees had active APS user IDs that were used to access the system after their termination date
    ▪ 8 of 20 (40%) terminated employee IDs were used to request/receive goods. Three of these employee IDs created 274 transactions ($1.2M in expenditures). The case was referred to TxDOT’s Office of Compliance Ethics and Investigations (OCEI) for further assessment on February 28, 2014. OCEI found no indications of fraud, waste, or abuse in those transactions.

• 1,243 user IDs (APS access listing as of January 2014) in 10 districts were reviewed to identify if access to APS was still appropriate (i.e., transfers etc.):
  o 177 of 1,243 (14%) employees had access that was no longer required for their current job roles and responsibilities

Management Action Plan (MAP):

MAP Owner: Glenn Hagler, Director, Procurement Division (PRO)

MAP 1.1:

PRO will coordinate a review process through Information Technology Division (ITD), aligned with the Information Security Manual, to notify the applicable Districts, Divisions, and Offices to review and validate the current employee access security profiles. PRO will coordinate with ITD the necessary changes to accomplish access changes/deletions and will support or deny any requests for security access exemption. PRO will work with ITD to make immediate corrective actions for needed changes identified by districts as part of the audit review. PRO will also report back to ITD in accordance with the requirements of the IT security manual.

Completion Date: September 15, 2014

MAP 1.2:

On an annual basis, PRO will coordinate a review process through ITD, which will be aligned with the Information Security Manual to notify the applicable Districts, Divisions, and Offices to review and validate the current employee access security profiles. PRO will support ITD on any questions resulting from the review, and PRO will support or deny any requests for security access exceptions resulting from the review.

Completion Date: October 15, 2014

MAP 1.3:

PRO will review the list of terminated employees from Human Resources Division against the procurement system access list to ensure terminated employees no longer have an active user ID in the system. ITD is currently in the process of identifying and removing APS access from terminated employees and employees with duplicate keys held by the same employee.

Completion Date: August 15, 2014
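
The reconciliation described in MAP 1.3 and in the Finding 1 evidence, as an added example that is not part of the audit report or TxDOT's own tooling: it compares an HR termination list with a system access list and an activity log, and grades each ID by how it was used after the termination date. The record layouts, IDs, dates, and action names are constructed assumptions, not the APS schema.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data; layouts and IDs are assumptions, not the APS schema.
HR_TERMINATIONS = {            # employee_id -> termination date
    "E100": date(2013, 3, 15),
    "E200": date(2013, 6, 30),
    "E300": date(2013, 9, 1),
    "E400": date(2013, 11, 20),
}
APS_ACCOUNTS = [               # (user_id, employee_id, is_active)
    ("U100", "E100", True),
    ("U200", "E200", True),
    ("U300", "E300", True),
    ("U400", "E400", False),   # disabled at separation: the expected state
    ("U500", "E500", True),    # current employee, not on the HR list
]
APS_ACTIVITY = [               # (user_id, action, activity date)
    ("U100", "LOGIN",   date(2013, 3, 15)),   # last working day, not "after"
    ("U200", "LOGIN",   date(2013, 7, 2)),
    ("U300", "LOGIN",   date(2013, 9, 10)),
    ("U300", "REQUEST", date(2013, 9, 10)),
    ("U300", "RECEIVE", date(2013, 9, 24)),
    ("U500", "REQUEST", date(2013, 9, 12)),
]
PURCHASING_ACTIONS = {"REQUEST", "RECEIVE"}
TIER_ORDER = {"used_for_purchasing": 0, "used_after_termination": 1,
              "active_not_used": 2}


def reconcile(terminations, accounts, activity):
    """Grade every account that belongs to a terminated employee.

    Tiers follow the audit's breakdown: ID still active, ID used after the
    termination date, ID used to request/receive goods after that date.
    """
    events = defaultdict(list)
    for user_id, action, when in activity:
        events[user_id].append((action, when))

    findings = []
    for user_id, employee_id, is_active in accounts:
        term_date = terminations.get(employee_id)
        if term_date is None:
            continue  # employee is not on the HR termination list
        # Strictly after: activity on the termination date itself is allowed.
        later = [(a, d) for a, d in events[user_id] if d > term_date]
        purchasing = [e for e in later if e[0] in PURCHASING_ACTIONS]
        if not is_active and not later:
            continue  # disabled and never used afterwards: control worked
        # A disabled ID with later activity is still reported: it was
        # switched off late, which a point-in-time access listing hides.
        if purchasing:
            tier = "used_for_purchasing"
        elif later:
            tier = "used_after_termination"
        else:
            tier = "active_not_used"
        findings.append({
            "user_id": user_id,
            "employee_id": employee_id,
            "terminated": term_date,
            "still_active": is_active,
            "tier": tier,
            "events_after": len(later),
            "purchasing_events_after": len(purchasing),
        })
    # Worst first, so review starts with the IDs that moved goods.
    return sorted(findings, key=lambda f: (TIER_ORDER[f["tier"]], f["user_id"]))


if __name__ == "__main__":
    for f in reconcile(HR_TERMINATIONS, APS_ACCOUNTS, APS_ACTIVITY):
        print(f["user_id"], f["tier"], f["events_after"])
```
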

Finding No. 2: Data Reliability, Reporting, and Efficiency

Condition

Procurement does not monitor certain elements that provide insight on how long it takes a requisitioner to request a good/service and receive it. Procurement does not track how many requisitions were cancelled, how long it took to obtain a requisition approval, or how long it took to receive the good/service. Information on how long a purchase order has been opened without fulfilment is also not tracked.

Procurement does monitor performance measures from the date requisitions are approved to the time purchase orders (PO’s) are created.

In addition, system generated reports rely on some data from the Automated Purchasing System (APS) that is unreliable due to data reliability controls not functioning as intended.

Effect/Potential Impact

• Monitoring duties may not be effective in facilitating issues with timely receipt of goods and services
• Data inaccuracies and unreliability impact reporting and monitoring by management, administration, and regulatory agencies to which incorrect or unintentional conclusions may be made
• Risk of purchasers rejecting requisitions to facilitate meeting performance measures or requisitions constantly cancelled due to lack of knowledge/education/training to initiate requests properly
• Potential inefficiencies in the procurement process may not be detected, causing lower performance and higher customer dissatisfaction and employee turnover

Criteria

Title 34, Texas Administrative Code, Section 20.108 and The State of Texas Procurement Manual 2.36 require agencies to report vendor performance for purchases of $25,000 or more to the Texas Comptroller of Public Accounts. Vendor performance should include the time it takes the vendor to deliver the good/service after the PO has been issued.

As an industry best practice, implementing an array of additional reporting and monitoring tools to increase the effectiveness of the procurement operating model may result in greater efficiencies. The reporting should include performance measures for the entire procurement cycle (e.g., from the time the requisition is created to receipt of good/service) to identify any issues with the users, purchasers, and vendors.

Data in the APS system should be accurate and reliable to facilitate use of the information for the intended purpose. Specifically, purchase orders that have been fulfilled or are no longer needed for business purposes should be closed to ensure the information in APS is an accurate reflection of TxDOT’s liabilities and items that have not been received.

Evidence

Performance Monitoring:

Procurement does not track the time it takes to submit, approve, produce, and obtain the good/service. From September 2012 to August 2013, 49,892 requisitions were initiated in the South, East, and Central field offices. In these offices, the time it took to submit, approve, produce a PO, and obtain the good/service for each requisition varied:

• 2,310 requisitions took over 30 days to obtain the good/service after the PO had been issued
• 80 requisitions took over 30 days for the requisitions to be approved after the requisition had been submitted for approval
• 20 requisitions took over 30 days to be submitted for manager approval
• 3,559 requisitions, that were processed through receipt of goods and services, were received over 30 days after the approval of the requisition

Several of these purchases included items such as parts/tools and office supplies.

Open Purchase Orders:

As of March 14, 2014, 925 of 2,151 (43%) PO’s (not including blanket PO’s) from the North, South, East, and West field offices were over 6 months old, including 100 POs that were over 3 years old. Auditors were not able to determine which POs still needed to be open because of a legitimate business need or if the goods were not received.

Cancelled Requisitions Monitoring:

Data to monitor user-cancelled requisitions was not retained. Without this data, Procurement Division’s monitoring capability was limited.

Data reliability:

252,380 requisitions, not including after-the-fact purchases (i.e. goods/services provided prior to PO issuance) initiated statewide, were processed through receipt of goods and services.

• 14,207 (6%) requisitions were identified where goods and services were received prior to requisition
  o 41 of these requisitions were over $25,000 each and therefore impact the vendor performance report required by the Texas Comptroller’s office. These 41 requisitions totaled over $3.5M
• 50 requisitions were identified wherein goods and services were received and the promise dates were between the years 2021 – 2127
• Deleted requisitions are removed from the system database, thereby eliminating an audit and documentation trail (i.e., sequence of user requisitions created)

Management Action Plan (MAP):

MAP Owner: Glenn Hagler, Director, Procurement Division (PRO)

MAP 2.1:

PRO concurs that purchasing system data should be analyzed from the submission of the request through the receipt of goods or services to help optimize efficiency and effectiveness of processes and procedures. PRO will produce, analyze, and monitor this data on a semi-annual and annual basis beginning in FY 2015 with the implementation of PeopleSoft.

MAP 2.2:

PRO concurs with the recommendation to monitor e-Pro requisitions that were cancelled by a purchaser once in the PeopleSoft environment to determine why e-Pro requisitions were cancelled. A query will be developed to analyze this type of data to look for trends and ensure that purchasers are complying with requirements to have lead worker approval before cancelling a request. PRO will produce, analyze and monitor this data on a semi-annual and annual basis beginning in FY 2015 with the implementation of PeopleSoft. No changes will occur in APS during the last few months of existence.

While PRO agrees to monitor the cancelled e-Pro requisitions, it does not consider it a high risk area and will work on developing the query once the PeopleSoft system is further in place. During this time, a manual control (e.g., review process) will be in place to address the business risk.

MAP 2.3:

PRO concurs with the recommendation for an informal and systematic data review on a periodic basis. A process will be developed to identify outliers and period-to-period changes in historic trends. PRO will work through the ERP division director requesting a system configuration for edit checks to enhance the accuracy of data entry for date required fields.

Completion Date: April 15, 2015

MAP 2.4:

PRO concurs purchase orders should be closed that have no business reason for being open. PRO will cleanse the open purchase order data in APS by advising the purchasing managers of the need to close purchase orders that are open for no business reason. In addition, PRO will require purchasers to run APS “open PO reports” to review for purchase orders that have been paid but have remaining balances and wherein terms of service have expired. Purchase managers will report (i.e., in a staff meeting) as to the completion effort for their branch. This effort will also serve as the preparation for data conversion, as only active purchase orders will be converted into PeopleSoft. PeopleSoft will offer an automated process that will close purchase orders that meet certain criteria liquidating any encumbered funds as well.

Completion Date: August 15, 2014

MAP 2.5:

PRO concurs with the recommendation to track requisitions that were deleted by the requisitioner. In the PeopleSoft system, e-Pro requisitions cannot be deleted, but rather they are cancelled. When cancelled, the requisitioner will be required to provide a reason for the cancellation. A query will be developed to analyze this type of data to look for trends and ensure the function is being completed by users with the appropriate security role. PRO will produce, analyze and monitor this data on a semi-annual and annual basis beginning in FY 2015 with the implementation of PeopleSoft. No changes will occur in APS during the last few months of existence.

Completion Date: April 15, 2015

Finding No. 3: Segregation of Duties in the Automated Purchasing System

Condition

Automated controls for segregation of duties are not functioning as intended in the Automated Purchasing System (APS). Employees that have access to request goods and services can also approve the requisition or the Purchase Order (PO), as well as receive goods and services in APS.

Effect/Potential Impact

Improper segregation of duties in a system can lead to susceptibility to fraud, errors, and purchasing of goods and services that may not be appropriate or intended for TxDOT purposes.

Criteria

Title 1, Texas Administrative Code, Section 202.20(8), requires agencies to ensure adequate controls and separation of duties for tasks that are susceptible to fraudulent or other unauthorized activity.

TxDOT’s policies and procedures require the requisition and PO approval actions to be separate duty functions and not be performed by the same person.

Industry best practices state that no one person should perform more than one of the following functions:

• Initiate a requisition
• Approve a requisition
• Prepare a purchase order
• Receive goods and services from vendor
• Approve access to purchase-related data files and systems

Evidence

Testing included reviewing 323,650 requisitions initiated from August 2012 through January 2014:

• 171 requisitions had the same requester, approver, or purchaser:
  o 87 requisitions where the requisitioner was the same person as the purchaser
  o 62 requisitions where the purchaser was the same person as the approver
  o 8 requisitions where the requisitioner was the same person as the last approver of the requisition
  o 14 requisitions where the requisitioner had multiple IDs to request and also approve the requests
    ▪ The total amount approved and requested by the same user is almost $700,000
    ▪ This information was sent to TxDOT’s Office of Compliance Ethics and Investigations (OCEI) for further assessment on May 7, 2014. OCEI found no indications of fraud, waste, or abuse.

Management Action Plan (MAP):

MAP Owner: Glenn Hagler, Director, Procurement Division (PRO)

MAP 3.1:

PRO concurs that until PeopleSoft is implemented, it should implement controls to ensure purchasers do not create/approve a PO that has been requested and approved by the same individual and a system fix is in progress by Information Technology Division (ITD).

MAP 3.2:

PRO concurs with the recommendation to ensure system automated controls are planned for implementation in PeopleSoft for the proper segregation of duties for requesting, approving, purchasing, receiving and payment as separate functions at all stages and for the system to prevent any one user from performing more than one function in these areas. PRO will continue to monitor Enterprise Resource Planning (ERP) project development to ensure the purchase order module is aligned with the Information Security Manual for proper segregation of duties for purchasing.

MAP 3.3:

PRO concurs that segregation of duties controls should be regularly monitored to ensure they are functioning as intended and following the completion of the annual review by ITD, PRO will request a list of exceptions for review and perform data analytics to ensure the data is aligned with security access criteria. This list of exceptions will be reviewed and analysis performed on an annual basis.

Completion Date: September 15, 2014

MAP 3.4:

PRO concurs that corrective actions should be taken to restrict the purchaser from requesting goods and services, and corrective actions are in process to systematically restrict a purchaser from requesting goods and services. All PRO employees are being reviewed for appropriate access to APS using the TxDOT Mainframe Application Access Report for its division employees. Help Desk tickets are being submitted to change or delete access as appropriate.

MAP 3.5:

PRO concurs that controls should be in place to prevent employees from obtaining and using more than one system ID to perform multiple functions and is working with ITD on a project to identify and remove APS access with duplicate keys held by the same employee.

Completion Date: August 15, 2014
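
The segregation-of-duties tests listed in the Finding 3 evidence, as an added example that is not part of the audit report or TxDOT's own analytics: each requisition is checked for one person holding two roles, after user IDs are resolved to the employee who holds them so that a second ID does not hide a self-approval. Field names, IDs, and amounts are constructed assumptions; the report counted the last approver, while this sketch checks every approver in the chain.

```python
from collections import Counter

# Constructed sample data; field names and IDs are assumptions, not APS records.
ID_OWNER = {"U10": "E1", "U11": "E1",      # one employee holding two IDs
            "U20": "E2", "U30": "E3", "U40": "E4"}
REQUISITIONS = [
    {"req": "R1", "requisitioner": "U20", "approvers": ["U30"],
     "purchaser": "U40", "amount": 500},          # roles fully separated
    {"req": "R2", "requisitioner": "U20", "approvers": ["U30"],
     "purchaser": "U20", "amount": 1200},         # requisitioner buys
    {"req": "R3", "requisitioner": "U20", "approvers": ["U30", "U40"],
     "purchaser": "U40", "amount": 800},          # purchaser approves
    {"req": "R4", "requisitioner": "U30", "approvers": ["U20", "U30"],
     "purchaser": "U40", "amount": 2500},         # approves own request
    {"req": "R5", "requisitioner": "U10", "approvers": ["U11"],
     "purchaser": "U40", "amount": 4100},         # approves via second ID
]
SELF_APPROVAL = {"self_approval_same_id", "self_approval_second_id"}


def check_requisition(req, id_owner):
    """Return the set of segregation-of-duties flags for one requisition."""
    def owner(user_id):
        # An ID missing from the map is treated as its own person.
        return id_owner.get(user_id, user_id)

    requisitioner = req["requisitioner"]
    purchaser = req["purchaser"]
    flags = set()
    if owner(requisitioner) == owner(purchaser):
        flags.add("requisitioner_is_purchaser")
    for approver in req["approvers"]:
        if owner(approver) == owner(purchaser):
            flags.add("purchaser_is_approver")
        if owner(approver) == owner(requisitioner):
            # Same person on both sides; record whether a second ID was used.
            if approver == requisitioner:
                flags.add("self_approval_same_id")
            else:
                flags.add("self_approval_second_id")
    return flags


def summarize(requisitions, id_owner):
    """Count flags and total the amount requested and approved by one person."""
    counts = Counter()
    flagged = []
    self_approved_total = 0
    for req in requisitions:
        flags = check_requisition(req, id_owner)
        if not flags:
            continue
        flagged.append(req["req"])
        counts.update(flags)
        if flags & SELF_APPROVAL:
            self_approved_total += req["amount"]
    return {"flagged": flagged, "counts": dict(counts),
            "self_approved_total": self_approved_total}


if __name__ == "__main__":
    report = summarize(REQUISITIONS, ID_OWNER)
    print(report["flagged"], report["counts"], report["self_approved_total"])
```

Run without the ID-to-employee map, the dual-ID requisition passes every comparison, which is why the check depends on an accurate record of who holds each ID.
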

Observations and Recommendations

Audit Observation (a): Procurement Process Efficiency

Areas for improvement (as part of the oversight function) and opportunities for gained efficiency in the procurement process have been identified to help resolve issues with the timely receipt of goods and services:

• National Institute of Governmental Purchasing (NIGP) codes are cumbersome for users

• User guides and the procurement training curriculum need improvement

• Clearly defined roles and responsibilities for users, approvers, and purchasers are not included in the procurement manual

• DDOs limit the number of users and the amount they can approve, which can cause inefficiencies with procuring goods and services in a timely manner

• Better communication between users and purchasers, to ensure expectations are communicated and to reduce delays in approving the Purchase Order, has not been fully established

• Both manual paper files and Electronic Data Management System (EDMS) scanned files are kept in one of the field offices visited. Manual paper files are duplicative, creating an opportunity for missing documentation: paper files awaiting EDMS scan may be forgotten or later purged, misfiled, or lost

• Provide notifications to the user when actions (e.g., approvals, cancellations, and changes) are made in APS for each requisition

• Not all sampled purchase orders were signed in accordance with Section 19 of the TxDOT Purchasing Manual. The unsigned purchase orders were not blanket POs

Effect/Potential Impact

Inefficiency of the procurement process, including but not limited to:

• Risk of mistakes due to duplicative information being retained

• Ordering unintended items, requiring additional resources and the spending of more taxpayer dollars

• Not complying with laws, state statutes, or TxDOT policies and procedures

Audit Recommendation

• Establish a method for obtaining/identifying NIGP codes that is less cumbersome to the users making requisitions in the system.

• Establish detailed and clear user guides, training, and education for users, approvers, and purchasers. User guides should be designed to help users of a system understand requirements, gain operational and functional knowledge, and see how to use the APS system precisely and pragmatically in a way that is easily understood. As a best practice, user guides should be developed in partnership with anticipated users of the system to capture details from the perspective of the users of the system, as well as the administrators and programmers.

• Consider including clear and concise defined roles and responsibilities for users, approvers, and purchasers in the TxDOT procurement manual to promote a clear understanding and identification of the responsibilities of all function areas (user/requester, approver, and purchaser) in the requisition and purchasing process.

• On a regular basis, monitor the appropriateness of the number of users, approvers, and dollar limit authorities by district/division to help facilitate efficiency in the requisition creation and approval process and identify root causes of inefficiencies.

• Eliminate the use of duplicative files and records in conjunction with the requirements of State law and TxDOT policy.

• Establish an automated notification to requisitioners, approvers, and purchasers to let them know the status of their requisition.

• Establish a periodic audit review of procurement files by management to ensure all required documentation exists, including that appropriate signatures were obtained. Checklists or other tools should be created to assist managers in fulfilling the requirement and ensure consistency in the review process.

Summary Results Based on Enterprise Risk Management Framework

[Figure: Audit Results Dashboard. Procurement Cycle: Efficiency/Effectiveness of Performance Monitoring, Data Reliability, and System Access. Rating assessment grid (Exemplary, Satisfactory, Needs Improvement, Unsatisfactory) placing findings against ERM components (Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring) and their control activities, for the scope areas evaluated: IT Infrastructure & Data Reliability, Reporting, and Efficiency of Process.]

Closing Comments

The results of this audit were discussed with the Statewide Procurement Division Director. We appreciate the assistance and cooperation received from personnel in the Procurement and Finance Divisions; Austin, Houston and San Antonio districts; Office of Compliance Ethics and Investigations; and Office of General Counsel during this audit.