MAC Internal Audit Dept. 2016 Annual Audit Plan Brief overview of our audit planning process Request your support for our 2016 Annual Audit Plan

Risk Based Audit Planning Process RISK ASSESSMENT ALLOCATE AUDIT STAFF AND RESOURCES DESIGN AUDIT TESTING PLANS It would not be practical or cost effective to review all areas on a detailed level on an ongoing basis. We use a risk based audit approach to determine what areas need to be audited and focus our audit procedures primarily within those areas.

Risk Assessment Steps Understand the Audit Universe Estimate inherent risk levels by business area Review controls in place (Preventive vs Detective) Review business systems and related financial data Calculate materiality of total dollars in each area Understand reputational risk Consider past history of audit issues Review other audit coverage Auditors must develop an overall understanding of business areas and financial impacts related to each area Estimate inherent risks (risks that exist before controls are applied) and develop expectations as to what financial controls should exist in each area Review actual financial controls in place (preventive or detective) and what their expected impact is on risk levels Understand the application of various business systems in place including their operation and types of data generated. Calculate total dollar amounts processed in each business area to determine which areas are financially material Consider reputational risk to the organization that could exist regardless of the dollars involved Understand past audit issues and corrective actions that have been applied. Understand scope of any external audit procedures and coordinate internal audit testing to avoid duplication.

Internal Audit Resources Independent reporting structure 4 experienced audit staff Ongoing professional training Staff certifications Compliance with professional audit standards Quality assurance program

Continuous Audit Testing Plan Data mining and file definition Analytical procedures Process observation Control testing Compliance testing Reconciliation Exception testing Prior Issue Follow-up Data derived from a variety of MAC systems as well as data provided by business partners. Data must be organized and defined in formats that are usable for audit testing. Data is run through analytic software to analyze current trends and compare to past periods and other established criteria Often our evaluation of financial controls begins with direct observation of processes performed by staff Data is analyzed to determine whether controls are operating as intended. Compliance requirements are reviewed to determine whether legal provisions and contract terms are being met. Wherever practical, data from varying sources is compared and reconciled to assure accurate reporting Analysis identifies exception transactions including voids and various adjustments. These types or transactions present higher risks and require further testing Past audit issues are tracked and new data is reviewed to ensure that corrective actions are in place and working effectively.

Continuous Audit Scope Accounts Receivable Public Parking Revenue Ground Transportation Revenue Auto Rental Revenue Food and Beverage Revenue Retail, Newsstand, Passenger Service Revenue Accounts Receivable testing encompasses all billings and collections of revenue that are recorded on the AR system (includes all rents, fees and cost recoveries from MAC tenants). Public parking revenue includes all revenue recorded on the parking revenue control system. Ground transportation revenue includes all employee parking, commercial vehicle and taxi revenue recorded on the MAVIS system Auto Rental Testing includes percent rent, facilities charges and other fees collected from the auto rental operators. Auditors review and test data generated on the operator systems. Food/Beverage Retail and Newsstand and passenger service revenue. Auditors test data from operator accounting systems and reconcile to revenue reports and payments.

Continuous Audit Scope Accounts Payable Purchasing Card Payments Employee Payroll Employee and Retiree Benefits Procurement Transactions Journal Entry Testing Business System Controls Operating Bank Account Accounts payable includes all cash disbursements recorded on the accounts payable system include purchases of supplies and equipment, capital project and services payments among others. Purchasing card payments include small purchases generally limited to a maximum of $3000 per purchase. Purchasing cards provide staff with greater flexibility and present added risks of misuse of MAC funds. Payroll audit includes analysis of pay rates, pay types and supporting data and documentation to determine whether payments comply with policies, laws and labor agreements. Employee/retiree benefits review is conducted monthly to look at coverage and premium payments to ensure that they are accurate and comply with commission approved rates. Procurement audits review purchase made through purchase requisition system. Audit objectives include compliance with MAC policies and state law. Journal Entry testing reviews adjustments to account balances in the accounting system. Adjustments are reviewed for reasonableness, business purpose and proper approval by management. Business systems are regularly reviewed to ensure that employee access to systems is properly limited to the types of access needed for each employees job duties. System changes are also periodically reviewed Finally the operating bank account balances and reconciliations are reviewed each month to ensure that that accounting records accurately reflect MAC’s cash position.

Special Audit Projects Based on the results of risk assessments, continuous audit testing, and audit requests 2016 Focus on IT system testing System disaster recovery processes Vulnerability scanning process and procedures System backup and recovery processes System logging