1. MAC Internal Audit Dept.
2016 Annual Audit Plan
Brief overview of our audit planning process
Request your support for our 2016 Annual Audit Plan

2. Risk Based Audit Planning Process
RISK ASSESSMENT
ALLOCATE AUDIT STAFF AND RESOURCES
DESIGN AUDIT TESTING PLANS
It would not be practical or cost effective to review all areas on a detailed level on an ongoing basis. We use a risk based audit approach to determine what areas need to be audited and focus our audit procedures primarily within those areas.

3. Risk Assessment Steps Understand the Audit Universe
Estimate inherent risk levels by business area
Review controls in place (Preventive vs Detective)
Review business systems and related financial data
Calculate materiality of total dollars in each area
Understand reputational risk
Consider past history of audit issues
Review other audit coverage
Auditors must develop an overall understanding of business areas and financial impacts related to each area
Estimate inherent risks (risks that exist before controls are applied) and develop expectations as to what financial controls should exist in each area
Review actual financial controls in place (preventive or detective) and what their expected impact is on risk levels
Understand the application of various business systems in place including their operation and types of data generated.
Calculate total dollar amounts processed in each business area to determine which areas are financially material
Consider reputational risk to the organization that could exist regardless of the dollars involved
Understand past audit issues and corrective actions that have been applied.
Understand scope of any external audit procedures and coordinate internal audit testing to avoid duplication.

4. Internal Audit Resources
Independent reporting structure
4 experienced audit staff
Ongoing professional training
Staff certifications
Compliance with professional audit standards
Quality assurance program

5. Continuous Audit Testing Plan
Data mining and file definition
Analytical procedures
Process observation
Control testing
Compliance testing
Reconciliation
Exception testing
Prior Issue Follow-up
Data derived from a variety of MAC systems as well as data provided by business partners. Data must be organized and defined in formats that are usable for audit testing.
Data is run through analytic software to analyze current trends and compare to past periods and other established criteria
Often our evaluation of financial controls begins with direct observation of processes performed by staff
Data is analyzed to determine whether controls are operating as intended.
Compliance requirements are reviewed to determine whether legal provisions and contract terms are being met.
Wherever practical, data from varying sources is compared and reconciled to assure accurate reporting
Analysis identifies exception transactions including voids and various adjustments. These types or transactions present higher risks and require further testing
Past audit issues are tracked and new data is reviewed to ensure that corrective actions are in place and working effectively.

6. Continuous Audit Scope
Accounts Receivable
Public Parking Revenue
Ground Transportation Revenue
Auto Rental Revenue
Food and Beverage Revenue
Retail, Newsstand, Passenger Service Revenue
Accounts Receivable testing encompasses all billings and collections of revenue that are recorded on the AR system (includes all rents, fees and cost recoveries from MAC tenants).
Public parking revenue includes all revenue recorded on the parking revenue control system.
Ground transportation revenue includes all employee parking, commercial vehicle and taxi revenue recorded on the MAVIS system
Auto Rental Testing includes percent rent, facilities charges and other fees collected from the auto rental operators. Auditors review and test data generated on the operator systems.
Food/Beverage Retail and Newsstand and passenger service revenue. Auditors test data from operator accounting systems and reconcile to revenue reports and payments.

7. Continuous Audit Scope
Accounts Payable
Purchasing Card Payments
Employee Payroll
Employee and Retiree Benefits
Procurement Transactions
Journal Entry Testing
Business System Controls
Operating Bank Account
Accounts payable includes all cash disbursements recorded on the accounts payable system include purchases of supplies and equipment, capital project and services payments among others.
Purchasing card payments include small purchases generally limited to a maximum of $3000 per purchase. Purchasing cards provide staff with greater flexibility and present added risks of misuse of MAC funds.
Payroll audit includes analysis of pay rates, pay types and supporting data and documentation to determine whether payments comply with policies, laws and labor agreements.
Employee/retiree benefits review is conducted monthly to look at coverage and premium payments to ensure that they are accurate and comply with commission approved rates.
Procurement audits review purchase made through purchase requisition system. Audit objectives include compliance with MAC policies and state law.
Journal Entry testing reviews adjustments to account balances in the accounting system. Adjustments are reviewed for reasonableness, business purpose and proper approval by management.
Business systems are regularly reviewed to ensure that employee access to systems is properly limited to the types of access needed for each employees job duties. System changes are also periodically reviewed
Finally the operating bank account balances and reconciliations are reviewed each month to ensure that that accounting records accurately reflect MAC’s cash position.

8. Special Audit Projects
Based on the results of risk assessments, continuous audit testing, and audit requests
2016 Focus on IT system testing
System disaster recovery processes
Vulnerability scanning process and procedures
System backup and recovery processes
System logging