2021-2022 Management Audit
Entity-level Controls Review
January 17, 2023

EXECUTIVE SUMMARY

OVERVIEW
Metropolitan St Louis Sewer District (MSD) management, along with the Internal Audit Department, identified the need to review entity-level controls. Metropolitan St Louis Sewer District's Internal Audit Department partnered with UHY Advisors to review the program. The review covered the processes in place during the period January 2021 to April 2022. Entity-level controls are important because they help ensure that management directives pertaining to the company are implemented and functioning as intended. UHY's philosophy uses the COSO Internal Control Framework combined with our own project methodology to provide our clients quality audits and great customer service throughout the audit process.

OBJECTIVE
The objective of the entity-level controls review was to: i) assess the efficiency and effectiveness of internal controls that adapt to business changes and operating environments and mitigate risks to an acceptable level; ii) determine if all components of internal controls are present and operating; iii) determine if there were gaps or deficiencies requiring mitigating actions. In an effort to continually improve MSD operations, UHY looked for opportunities for improvement that can be applied to MSD and provided examples when possible.

SCOPE
Areas in scope: The scope was to review entity-level controls to identify whether they were in place and operating effectively, and whether staff along with leadership were aware of and performing the controls.
The following components were reviewed:
● Control Environment: integrity and ethical values, commitment to competence, management's philosophy and operating style, organizational structure, assignment of authority, human resource policies and procedures
● Risk Assessment: company-wide objectives, activity-level objectives, risk identification and management, and managing change
● Information and Communication: information availability, reliability of IT systems, and communication
● Monitoring: ongoing monitoring, reporting deficiencies and separate evaluations

PROCEDURES PERFORMED
We executed the testing agreed within the Audit Program/Risk and Control Matrix, which included the following:
● Interviewed eight Directors and six Trustees from March to May (Appendix C)
● Analyzed documentation to determine the adequacy of the design and effectiveness of the internal controls, monitoring and management oversight
● Conducted an anonymous survey of approximately 20% of the employees
● Determined the impact of any errors (deficiency, significant deficiency or material weakness)
● Reviewed documentation, including policies, procedures, job aids and standards
● Documented test work in workpapers
● Prepared a report clearly and concisely communicating results

CONCLUSION AND RISK RATINGS
Metropolitan St Louis Sewer District has a very collaborative leadership team. Open discussions take place regularly, some involving challenging conversations. Leadership is open to change and to improvement opportunities that strengthen controls and put formal documentation in place. As a result of the review, several issues were noted that require attention and mitigation plans. The key items include the whistleblower line, discipline, the Audit Committee and financial results, delegation of authority, segregation of duties, and risk management / assessment.
In some cases the activities are being performed; however, supporting documentation to demonstrate a consistent, formal process does not exist. The remaining issues will require establishing a formal process with documentation. Additionally, we identified three specific areas that are process improvement opportunities: fraud, employee control responsibilities and employee recommendations.

The ratings and the associated conditions for each area of MSD's performance as assessed by Internal Audit are as follows:

Rating | Condition
Effective | No significant deficiencies exist, while improvement continues to be appropriate; controls are considered adequate and findings are not significant.
Needs Improvement | Some improvement is needed to bring the process to acceptable status. If performance continues without attention, the result would likely be further deterioration, placing the institution at an unacceptable level of performance and/or risk.
Unsatisfactory | Significant deficiencies exist which could lead to material financial loss, strained business relationships, reputational risk, compliance risk, etc. to the financial institution. The need for strong corrective action is noted and should be given top priority by senior management and the Board of Directors.

The following section provides a summary of the results for the entity-level controls review.

ISSUE SUMMARY
Interviews were conducted with all Trustees and Directors, and organizational documentation was reviewed to assess the design of each control. To determine the effectiveness of each control, we tested supporting documentation and performed a survey (~20%) of MSD's employees to understand their perspective and further support effectiveness testing. We identified six issues that will require mitigating activities by leadership. A few items are also noted as process improvement opportunities to provide leadership with other considerations for additional control strengthening.
Issue #1: Whistleblower
Control 10 - Whistleblower program is in place and is monitored by audit committee.
Risk - Employees do not have the opportunity to anonymously report misconduct, or the audit committee is not monitoring incidents reported to the line.
Finding: Employees are unaware of the 'Whistleblower' line and its objective.
• The 2021 'Whistleblower' complaint log had 7 submissions. 1 of the 7 was from a retired employee; the other 6 were from customers.
• A policy and procedures are not documented to outline the steps required to review all 'Whistleblower' incidents, the formal documentation of leadership's response, and reporting to the Audit Committee.
• Audit Committee packets from select months in 2021 and 2022 did not mention the 'Whistleblower' line, nor were there meeting minute references.
• Survey results: multiple responses indicated a lack of knowledge of the 'Whistleblower' line and its appropriate uses.
Recommendation: Management should consider training employees on the 'Whistleblower' line and its intended use. It is essential that employees know they have an anonymous mechanism in place to report potential fraud, non-compliance with regulatory requirements, etc. Along with the training, formally document a policy and procedures detailing how incidents are reviewed, analyzed and reported to the Audit Committee. Items to include are how to handle issues noted on the monthly report, what documentation is required to demonstrate the analysis and the decision made, leadership's responsibilities, and what is required to be reported to the Audit Committee. A monthly summary of matters reported to the hotline should be reported to the Audit Committee. We also understand that MSD has recently amended its contract with its hotline service provider to add a microlearning program to educate MSD employees about the importance of ethical conduct and raising concerns if they observe unethical conduct.
MSD Response: MSD agrees with this recommendation.
The District does have an ethics hotline, and the number is posted throughout the District and on the MSD website, but agrees that providing training to employees on the Ethics Hotline and its intended use will make this a more effective tool. MSD also agrees to create written policies and procedures that document the mechanisms in place to ensure anonymity and outline the steps that will be taken to review and respond to Hotline submissions, including how MSD will determine when items will be reported to the Board. Expected Completion: March 2023.

Issue #2: Discipline
Control 58 - Reported problems are investigated in a timely manner and disciplinary actions are taken when necessary.
Risk - Inappropriate conduct may not be escalated or remediated.
Finding: The Discipline Policy was last approved in 2008; more than 14 years of changes to business activities and risks have occurred since the last review.
• The policy does not outline a formal process and procedures to be followed by leadership to report and document infractions and the associated disciplinary action, including notification to Human Resources.
• Discipline examples in the policy omit business-related infractions that increase risk to the organization or do not comply with regulatory requirements.
• When managers are handling discipline internally, Human Resources is only aware of inappropriate conduct when contacted by the employee.
• Survey results: multiple responses identify a lack of appropriate and consistent discipline. Respondents do not trust the discipline process.
Recommendation: Formally document procedures for disciplinary actions. Establish required steps, documentation, escalation, independent validation, and reporting to Human Resources. Review and update the Disciplinary policy at least every three years to maintain relevance. Detail activities such as non-compliance with regulatory requirements, fraud, etc. as example infractions.
This establishes clear expectations for everyone and demonstrates the organization's commitment to ethical behavior.
MSD Response: MSD agrees with this recommendation. The Discipline policy should be reviewed and updated regularly. Management will review and update the policy to reference other applicable rules such as the Civil Service Rules, Collective Bargaining Agreements, and other policies that include examples of infractions and address disciplinary actions. The updated policy will also document that disciplinary actions need to be reported to Human Resources and factored into performance reviews. Expected Completion: March 2023

Issue #3: Segregation of Duties
Control 25 - Incompatible duties are segregated (e.g., separation of accounting for and access to assets).
Risk - MSD doesn't have proper segregation of duties.
Finding: Management's review of incompatible duties needs improvement. Management's review is supported by a form signed and dated by the business owner.
• The review does not demonstrate the required supporting details: who has access to which systems and transactions, and the type of access each resource had during the period.
MSD does not maintain a segregation of duties matrix. The Internal Auditor was able to provide review and sign-off for segregation of duties support for the following systems:
• Oracle/HR – reviewed 10/27/21
• Oracle/Treasury – reviewed 10/27/21
• Oracle/Engineering – reviewed 10/13/21
• EPBCS – reviewed 4/30/20 – next review to be completed by June 2022
• Finance – reviewed 5/7/20 – next review to be completed by June 2022
• Maximo Asset Management – reviewed 5/28/20 – next review to be completed by June 2022
However, we were unable to review an SOD matrix and determine what was reviewed (supporting documentation) and the actual sign-off for the review.
Recommendation: Develop a standard template with the required data to demonstrate Management's review of segregation of duties. Management should be able to determine whether access is excessive and whether write capabilities align with each resource's responsibilities, particularly as roles change. Questionable items should be discussed, and modifications should be made timely to reduce the opportunity for errors and/or fraud. Example provided in Appendix B. Consider preparing a matrix of available transactions, along with the associated systems, to validate that segregation of duties conflicts do not exist. Example provided in Appendix B.

Control 50 - There are defined responsibilities for individuals responsible for implementing, documenting, testing, and approving changes to computer programs and systems.
Risk - Appropriate segregation of duties is unclear for system updates, allowing an employee to implement an unapproved change.
Finding: Based on our review of the Change Management (CAB) SOP, there was no delineation of clear accountability for individuals responsible for implementing, documenting, testing, and approving changes to computer programs and systems.
• In addition, we inspected the "All ChangeesJuly1- May13.pdf" report provided by MSD. From the report we can clearly see who performed which processes; however, a list of existing roles and responsibilities, or a quarterly review of these responsibilities, was not provided.
MSD Response: MSD agrees with this recommendation. MSD does use Separation of Duties (SOD) to protect against fraud and errors and requires management to review and sign off on the appropriateness of user access for key systems. To strengthen controls in this area:
1. A Segregation of Duties (SOD) matrix will be created as part of the Oracle Cloud migration project. The SOD matrix will be provided to management for review and approval.
2. The IT onboarding process will be modified to provision access per job title to consistently administer access in alignment with employee job responsibilities.
3. The IT Security Team will own the facilitation of the annual access review process and document evidence (date stamped) of the review by business owners.
4. The SOP for the Change Advisory Board (CAB) will be updated to reflect the change approval process with a list of roles and responsibilities (including segregation of duties) for implementing changes to computer programs and systems.
5. The IT Service Management system will be modified to capture and report evidence of compliance with the change approval process by the resources involved.
These controls will be designed and built throughout the Oracle Cloud migration. Estimated Completion: September 2023

Issue #4: Audit Committee and Review of Financial Results
Control 40 - Audit committee charter is in place; board approved a 3-year strategic plan; board has several active committees.
Risk - The organization does not have an Audit Committee charter establishing a process to identify, review and resolve audit issues.
Finding: There is an Audit Committee; however, there is no charter to establish its role and responsibilities.
Recommendation: An Audit Committee Charter clearly defines the fundamental goals (GAO best practice): 1) maintenance of sound internal controls, 2) objective assessment of management's financial reporting practices, and 3) ensuring satisfaction with audit performance and resolution of issues.
MSD Response: MSD agrees with this recommendation. A Board Audit Charter should be reviewed by the Board at least annually. The District will work with its internal audit firm, Armanino, to bring an updated Board Audit Charter to the Board for review and approval. It will outline the Board's authority, roles, and responsibilities. MSD's Internal Audit Charter will also be updated and brought to the Board for review and approval.
Expected Completion: March 2023

PROCESS IMPROVEMENT OPPORTUNITIES

Fraud
Control 74 - Management identifies fraud risk factors, including management override of controls.
Risk - Fraud risks are not being properly identified, exposing the organization to theft or manipulation of finances.
Control 81 - Fraud risk assessment including fraud scenarios is prepared by management and presented to the audit committee or board of directors at least annually.
Risk - Fraud risk assessments that are not performed or presented to the Audit Committee and Board could provide a false sense of comfort or a lack of knowledge of opportunities for fraud.
Finding: The last Fraud Risk Assessment was performed in Q4 2018.
• The assessment did not specifically or broadly identify any departmental manual controls or processes that could potentially be overridden as a fraud risk factor.
Recommendation: Develop a comprehensive fraud risk assessment by including manual processes (with a significant potential for financial loss or reputational harm) and management overrides. Consider performing the fraud risk assessment every 2 or 3 years given the significant change that occurs in today's environment.
MSD Response: MSD agrees with this recommendation. Internal Audit is currently performing a Fraud Risk Assessment, but the District agrees that comprehensive fraud risk assessments should be performed more frequently (every two to three years) and presented to the Board/Audit Committee.
Internal Audit will take the lead on developing a Fraud Awareness/Prevention Policy that will address:
▪ Definition of fraud
▪ Fraud categories and potential scheme types
▪ Responsibility of employees for reporting potential fraud
▪ The District's maintenance of confidentiality and obligation to protect employees making reports
▪ Use of the District's Ethics Hotline
▪ Role of Internal Audit
▪ Overall process for reviewing allegations, conducting investigations and reporting on fraud investigations
Expected Completion: June 2023

Employee Responsibilities for Controls
Control 54 - Employee duties and control responsibilities are timely and effectively communicated.
Risk - Operations could be impacted if an employee is unaware of their responsibilities.
Finding: We inquired with the Director of Finance and the Director of Information Systems and noted that there is currently no formal process to communicate responsibilities to employees.
Recommendation: Human Resources should redesign job descriptions to include responsibilities for control performance and monitoring. Annually require a formal acknowledgement from each employee that they have read and understand their responsibilities to perform internal controls.
MSD Response: MSD does not agree with this recommendation. MSD's position is that an employee's duties and responsibilities, including control responsibilities, are timely and effectively communicated through training, policy and procedure guidance, and supervision. Key controls for identified risk areas are reviewed and/or tested through internal audits and annual financial audits. Ongoing training, annual policy acknowledgments, and performance reviews also aid knowledge monitoring and retention.
UHY Response – We have considered management's response, and our finding remains as indicated.

Employee Recommendations
Control 59 - There are realistic mechanisms in place for employees to provide recommendations.
Risk - Employees and their ideas are not taken into consideration, leading to poor employee satisfaction.
Finding: Based on discussion, there is no policy or procedure around how employees provide recommendations.
Recommendation: Establish a single, formal mechanism and process for all employees to provide recommendations. Clearly communicate how the information will be maintained and reviewed and how it will benefit the organization.
MSD Response: MSD agrees with this recommendation. The updated Ethics Hotline will include a portal for submission of employee recommendations. A written policy will be created to describe how suggestions will be maintained, reviewed and considered. Expected Completion: March 2023

Risk Management / Assessment
Control 71 - Management identifies risk related to each of the established objectives.
Risk - Business objectives may not be achieved if risks are not identified, analyzed and mitigated.
Control 76 - Risks are evaluated as part of the business planning process.
Risk - The business planning process is not properly identifying risks, which could result in not meeting the strategic goals.
Control 78 - The responsibilities and expectations for the entity's business activities and the entity's philosophy about identification and acceptance of business risk are clearly communicated to the executives in charge of separate functions.
Risk - An unclear and inconsistent understanding of responsibilities and expectations for business risks could lead to inappropriate risks not being documented, communicated, considered or discussed by executive leadership for consideration of their impact on the entire organization.
Finding: The Fiscal Year 2021 Budget and the Strategic Business and Operating Plan (SBOP) were reviewed for risks.
• References and inferences about risk may be assigned to some company objectives, but not all, and are not consistently documented or presented.
• Without a documented, comprehensive risk assessment communicated to department executives, the board of directors, and the audit committee, the district's risks may not be adequately presented in a clear, consistent, and comprehensive manner.
Recommendation: Establish a standard procedure to assess risks during the annual business planning process. Document identified risks, categorizing them using COSO's three categories of objectives: operations, reporting and compliance. Identify and document risks that could impede the ability to accomplish goals/objectives, even if remote. Rate each risk by likelihood and impact, determine indicators to monitor as a sign that the risk may be materializing, and develop mitigating actions. Incorporate this practice into the entity's business activities, establishing responsibility and expectations to identify and manage risk across all functions. Documentation of risks within standard business processes should be aggregated to build a risk register. Maintaining and analyzing the risk register provides a broad picture of potential impact to the entire organization and facilitates consideration of the impact if more than one of the risks were to occur simultaneously.
MSD Response: MSD agrees with this recommendation. Risks are addressed via several avenues including the SBOP process, Directors' meetings, Committee meetings, Board meetings, the budget process, the Rate Commission process, Consent Decree monitoring/reporting, and DEC procedures and processes for monitoring and ensuring regulatory and environmental compliance. We believe current procedures have been effective in addressing risk but agree that ongoing and consistent risk monitoring and mitigation can be improved with a framework to identify risks in a repeatable way that aids understanding, prioritization, documentation, and communication.
The District will evaluate risk framework tools and establish a procedure to identify, categorize, and rate risks. Appropriate documentation for this procedure will be developed and maintained. Expected Completion: December 2023

APPENDIX A
The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. The board of directors and senior management establish the tone at the top regarding the importance of internal control and expected standards of conduct. (Internal Control – Integrated Framework, May 2013, Committee of Sponsoring Organizations of the Treadway Commission (COSO))

COSO Internal Control - Integrated Framework: controls reviewed and overall findings

Control # | Point of Focus / Control Objective | Overall Finding

Control Environment - Integrity and Ethical Values
1 | A code of conduct and other policies exist regarding acceptable business practices, conflicts of interest, or expected standards of ethical and moral behavior. | Effective
2 | Employees clearly understand what behavior is acceptable under the company's code of conduct and know what to do when they encounter improper behavior. | Effective
3 | There is an established "tone at the top" including explicit guidance about what is right and wrong. This tone is communicated and practiced by executives and management throughout the organization. Employees are aware of what to do when they encounter improper behavior. | Needs Improvement
4 | Management follows ethical guidelines in dealing with employees, suppliers, customers, investors, creditors, insurers, competitors, regulators, and auditors. | Effective
5 | The importance of high ethics and controls is discussed with newly hired employees through orientations or interviews. | Effective
6 | Management removes or reduces incentives or temptations that might cause personnel to engage in dishonest or unethical acts. | Effective
7 | Management takes appropriate disciplinary action in response to departures from approved policies and procedures or violations of the code of conduct. | Effective
8 | Situations involving pressure to meet unrealistic targets do not exist or are properly controlled, particularly for short-term results. | Effective
9 | Individual compensation awards are in line with the ethical values of the company and foster an appropriate ethical tone (e.g., bonuses are given to those that meet objectives, but in the process circumvent established policies, procedures or controls). | Effective
10 | Whistleblower program is in place and is monitored by audit committee. | Unsatisfactory

Control Environment - Commitment to Competence
11 | Company personnel have the competence and training necessary for their assigned duties. | Effective
12 | Personnel are cross-trained to understand other functions and the impact of their duties on other areas of the company. | Effective
13 | Management possesses broad functional experience (i.e., management comes from several functional areas rather than just a few, such as production and sales). | Effective
14 | Management provides personnel with access to training programs on relevant topics. | Effective
15 | Formal job descriptions or other means of defining tasks that comprise particular jobs exist and are effectively used. | Effective
16 | Adequate staffing levels are maintained to effectively perform required tasks. Employees have the requisite skill levels relative to the size of the entity and the nature and complexity of activities and systems. | Effective

Control Environment - Management's Philosophy and Operating Style
17 | Management analyzes the risks and potential benefits of ventures. | Effective
18 | Turnover in management or supervisory personnel is monitored and the reason for significant turnover is evaluated. | Effective
19 | Senior management maintains contact with and consistently emphasizes appropriate behavior to operating personnel. | Effective
20 | Management exemplifies attitudes and actions reflecting a sound control environment and commitment to ethical values, including financial reporting as it relates to appropriate resolution of disputes over application of accounting treatments. | Effective
21 | Management adopts accounting policies that best reflect the economic realities of the business. | Effective

Control Environment - Organizational Structure
22 | Executives clearly understand their responsibility and authority for business activities and how they relate to the entity overall. | Effective
23 | The entity establishes appropriate lines of reporting, giving consideration to its size and the nature of its activities. | Effective
24 | The structure of the entity facilitates the flow of information to appropriate people in a timely manner, including reliable and timely disclosure of material information, monitoring the performance of the disclosure infrastructure and effective flows of material information to the group responsible. | Effective
25 | Incompatible duties are segregated (e.g., separation of accounting for and access to assets). | Needs Improvement
26 | There is an appropriate assignment of responsibility and delegation of authority to deal with organizational goals and objectives, operating functions and regulatory requirements. | Effective

Control Environment - Assignment of Authority
27 | Employees throughout the entity are assigned authority and responsibility related to their specific job functions. | Effective
28 | Job descriptions contain specific references to control-related responsibilities. | Effective
29 | Employees are empowered, when appropriate, to correct problems or implement improvements. | Effective
30 | There is a structure for assigning ownership of information, including who is authorized to initiate or change transactions. | Effective
31 | There are policies and procedures for authorization and approval of transactions. | Effective
32 | The board of directors and/or audit committee gives adequate consideration to understanding how management identifies, monitors and controls business risks affecting the organization (i.e., strategic, operational, financial and disclosure risk). | Effective

Control Environment - Human Resource Policies and Procedures
33 | Management establishes and enforces standards for hiring the most qualified individuals, with emphasis on educational background, prior work experience, past accomplishments, and evidence of integrity and ethical behavior. | Effective
34 | Screening procedures, including background checks, are employed for job applicants, particularly for employees with access to assets susceptible to misappropriation. | Effective
35 | Recruiting practices include formal, in-depth employment interviews and informative, insightful presentations on the entity's history, culture, and operating style. | Effective
36 | Training policies communicate prospective roles and responsibilities and illustrate expected levels of performance and behavior. | Effective
37 | Job performance is periodically evaluated and reviewed with each employee (accurately and candidly communicating performance and differentiating levels of performance). | Effective
38 | Disciplinary actions send a message that violations of expected behavior will not be tolerated. | Needs Improvement
39 | An ongoing education process enables people to deal effectively with evolving business environments. | Effective
40 | Audit committee charter is in place; board approved a 3-year strategic plan; board has several active committees. | Unsatisfactory
41 | IT strategic plan aligns with the company's business plan; IT management understands its roles and responsibilities as they relate to internal controls. | Effective

Information & Communication - Information Availability
42 | Management monitors relevant external information and considers the impact on the entity. | Effective
43 | Internal information regarding financial results is generated by the entity's financial information systems and that information is reported regularly. | Effective
44 | Entity-wide operating results are reviewed and compared against budgets at regular intervals. | Effective
45 | The adequacy of the information technology structure is considered by senior management. | Effective
46 | Managers and other personnel have the required information in sufficient detail to carry out their responsibilities, and there are mechanisms in place to ensure changing needs are met. | Effective

Information & Communication - Reliability of IT Systems
47 | Management has a strategic plan for IT systems that is linked to the entity's overall strategies. | Effective
48 | Procedures are in place to provide assurance that relevant information is identified, captured, processed and reported by IT systems in an appropriate and timely fashion. | Effective
49 | Management adequately staffs and designs the IT department to support the entity's overall business objectives. | Effective
50 | There are defined responsibilities for individuals responsible for implementing, documenting, testing, and approving changes to computer programs and systems. | Needs Improvement
51 | There is a regular back-up of application programs and data files. | Effective
52 | The entity has a disaster recovery plan in place that allows for the timely recovery of information. The disaster recovery plan is tested regularly and is updated as the business changes. | Effective
53 | There is a high level of user satisfaction with the IT systems, including reliability and timeliness of reports. | Effective

Information & Communication - Communication
54 | Employee duties and control responsibilities are timely and effectively communicated. | Needs Improvement
55 | Management performs timely and appropriate follow-up regarding communications received from customers, vendors, regulators and other external parties. | Effective
56 | Communication across the organization is adequate, complete and timely to enable people to perform their responsibilities effectively. | Effective
57 | There is an established channel of communication for people to report, anonymously when appropriate, suspected improprieties, and management encourages employees to utilize such channels when necessary. | Effective
58 | Reported problems are investigated in a timely manner and disciplinary actions are taken when necessary. | Needs Improvement
59 | There are realistic mechanisms in place for employees to provide recommendations. | Needs Improvement
60 | Financial results are communicated at least quarterly to senior management, board of directors, and audit committee; relevant information on ethics and policies is communicated to employees and management. | Effective
61 | Company has a policy for the distribution of critical information to the public. | Effective

Risk Assessment - Company-Wide Objectives
62 | Board of directors and/or strategy committee oversees the risk assessment process and takes action to address the significant risks identified. | Effective
63 | Management has a business planning process in place to examine existing objectives and establish new objectives as necessary. | Effective
64 | Management establishes business plans and budgets, realistic goals, and incentives for achievement of plans are balanced. | Effective
65 | Management has established and clearly communicated the company's mission, strategy and business objectives. | Effective
66 | Objectives are communicated at the appropriate levels and are understood and adopted by the responsible parties. | Effective
67 | Management has established a process to periodically review and update entity-wide strategic plans and objectives. | Effective

Risk Assessment - Activity-Level Objectives
68 | Activity-level objectives are linked with entity-wide objectives and strategic plans. | Effective
69 | Activity-level objectives are consistent with each other (e.g., objectives for the sales organization are consistent with the manufacturing organization). | Effective
70 | Resources are generally sufficient to achieve objectives for processes in key business functions, and plans are in place to acquire additional resources as needed. | Effective

Risk Assessment - Risk Identification & Management
71 | Management identifies risks related to each of the established objectives. | Needs Improvement
72 | Management has mechanisms in place to identify business risks resulting from entering new markets or lines of business or from offering new products and services. | Effective
73 | There have not been financial reporting or disclosure related issues identified by internal or external auditors. | Effective
74 | Management identifies fraud risk factors, including management override of controls. | Needs Improvement
75 | Identifying risks includes estimating the significance of the risks identified, assessing the likelihood of the risks occurring, and determining the need for action. | Effective
76 | Risks are evaluated as part of the business planning process. | Needs Improvement
77 | Senior management develops plans to mitigate significant identified risks. | Effective
78 | The responsibilities and expectations for the entity's business activities and the entity's philosophy about identification and acceptance of business risk are clearly communicated to the executives in charge of separate functions. | Needs Improvement
79 | Risks are reviewed periodically with the appropriate corporate governance functions (e.g., executive management, disclosure committee, audit committee and level - Legal?). | Effective
80 | There are effective processes for sourcing, measuring and monitoring internal business risks. For example, process risk and information for decision-making risk. | Effective
81 | Fraud risk assessment including fraud scenarios is prepared by management and presented to the audit committee or board of directors at least annually. | Needs Improvement
82 | Management creates and follows a 3-year strategic plan. | Effective
83 | Management performs an annual risk assessment and presents it to the board of directors. | Effective

Risk Assessment - Managing Change
84 | The business planning process includes a broad spectrum of personnel with collective knowledge of all areas of the entity. | Effective
85 | The business planning process includes consideration of changes in the business environment, including the industry, competitors, the regulatory environment, and customers. | Effective
86 | Changes in risks are identified in a timely manner. | Effective
87 | Changes are appropriately communicated to the proper level of management (depending on the significance). | Effective
88 | Management has identified the resources needed to achieve the objectives and has a plan to acquire the necessary resources. | Effective
89 | Budgets and forecasts are updated throughout the year to reflect changing conditions. | Effective
90 | Management's budget, forecast, and strategic plans are communicated to the board of directors and employees. | Effective
91 | Accounting department has a process in place to identify and address changes in GAAP, the operating and regulatory environment, and related party transactions. | Effective

Monitoring - Ongoing Monitoring
92 | Management monitors relevant external and internal information and considers the impact on the control structure. | N/A
93 | Procedures are in place to monitor when controls are overridden and to determine if the override was appropriate. | N/A
94 | Management takes appropriate action on exceptions to policies and procedures. | Effective
95 | Management responds timely to comments identified in management letters from the external auditor.
⧫ Effective 96 Internal audit has the authority to review any aspect of the entity's operations. ⧫ Effective 97 Controls are reviewed to ensure that they are being applied as expected. N/A 98 Internal audit is independent of the activities they audit. ⧫ Effective 99 Internal auditors are prohibited from having an operating role in the activities they monitor. ⧫ Effective 100 Management is required to respond in a timely manner to the internal audit department's findings and recommendations. ⧫ Effective 101 Audit committee effectively oversees the company’s antifraud program and meets at least once a year to discuss the anti-fraud program and fraud risks. ⧫ Effective 16 | P a g e 102 Board of directors’ monitors company’s performance, risk, and operations. ⧫ Effective 103 Audit committee monitors financial results and reviews financial statements ⧫ Effective Reporting Deficiencies 104 Internal and/or external audit comments and management responses are provided to the audit committee or board of directors. ⧫ Effective 17 | P a g e Appendix B Example Quarterly Review of User Access Example Detail Transaction Review for Segregation of Duties 18 | P a g e Example Segregation of Duties Matrix Risk and Controls Matrix Example Example 19 | P a g e Fraud Concerns for management overrides: 20 | P a g e Appendix C – Interview/Discussion Listing Name Title Date of Discussion Brian Hoelscher President and CEO 3/17/22 Bret Berthold Director of Operations 3/22/22 Marion Gee Director of Finance 3/30/22 Rich Unverferth Director of Engineering 3/21/22 Susan Myers General Counsel 3/18/22 Todd Loretta Internal Auditor 3/29/22 Tracey Coleman Director of Human Resources 3/22/22 Tim Snoke Secretary Treasurer 3/30/22 Jonathon Sprague Director of Information Systems 4/14/22 Amy Fehr Board of Trustees 4/6/22 Greg Nicozisin Board of Trustees 4/19/22 Brian Wahby Board of Trustees 4/6/22 Brian Watson Board of Trustees 4/29/22 Ret. Col. 
Richard Wilson Board of Trustees 4/19/22 Michael Evans Board of Trustees 3/31/22