Your Internal Audit Team


Internal Audit Plan For the Fiscal Year Ending June 30, 2013

Your Internal Audit Team

OOCEA Audit Committee
OOCEA General Counsel

Protiviti Engagement Team
- Phil Fretwell, Overall Engagement Managing Director
- Michael Porier, Toll Road Industry Advisor
- Jeff Tecau, Internal Audit Director
- David Taylor, Information Technology Audit
- Erica Klostermeier, Internal Audit Senior Manager
- Mike Ortlieb, Information Technology Audit Senior Manager
- Other Internal Audit Managers, Seniors and Consultants (level and experience will be matched to project need)

Background

Risk assessment is a critical element of a high-quality Internal Audit department’s responsibility and provides the opportunity to be “front and center” with senior leadership as a strategic partner in the review and management of key business risks. The objective of the fiscal 2013 risk assessment was to identify and prioritize key areas of risk within the Authority as part of the planning process in designing the fiscal 2013 Internal Audit plan. The approach utilized in conducting the fiscal 2013 risk assessment and in developing the fiscal 2013 Internal Audit plan is depicted below:

Identify Key Areas of Risk to be Assessed
- Confirm and update prior year risk areas based upon review of prior year work papers, audit results, and discussions with senior management and the Board
- Determine preliminary risk ratings based upon prior year results
- Review areas of potential fraud risk as identified in prior years

Assess & Prioritize Areas of Risk
- Conduct interviews with management and the Board to confirm and validate the current enterprise risk model as well as the fraud risk model and to gain additional insight around risk trending
- Aggregate and compile resulting information
- Prioritize areas of risk (both enterprise and fraud) and finalize the enterprise risk model

Select Focus Areas
- Evaluate risks based upon the prioritization process and management and Board commentary to determine focus areas
- Develop and define a preliminary listing of proposed Internal Audit projects to address areas of focus

Develop & Approve Audit Plan
- Establish high-level scope statements and levels of effort for proposed projects
- Finalize budget allotments and propose projects for Audit Committee approval
- Finalize proposed timing for selected projects
- Finalize Audit Plan and obtain Audit Committee approval

Interview List

The following twenty-one (21) members of the Board of Directors, management and outsourced vendors were interviewed in gathering information for the fiscal year 2013 Internal Audit Plan (name, title):

- Walter Ketcham, Jr., Chairman of the Board
- Joann Chizlett, Director of Information Technology
- Scott Batterson, Vice Chairman of the Board
- Glenn Pressimone, Project Manager, Engineering
- Noranne Downs, Board and Audit Committee Member
- Ben Dreiling, Director of Construction
- Teresa Jacobs, Board Member and Secretary/Treasurer
- Neel Long, Director of Human Resources
- Tanya Wilder, Board Member and Audit Committee Chair
- Michelle Maikisch, Manager of PR and Communications
- Max Crumit, Interim Executive Director
- David Wynne, Manager of Toll Operations
- Joe Berenis, Deputy Executive Director
- Rod Stroupe, Manager of Maintenance
- Laura Kelley
- Lance Fisher, Vendor; ACS Project Manager
- Joe Passiatore, General Counsel
- Dan Goff, Vendor; FTS Project Manager
- Nita Crowder, Chief Financial Officer
- L.A. Griffin, Manager of Expressway Operations
- Claude Miller, Director of Procurement

Enterprise Risk Assessment

To assist with the development of the fiscal 2013 Internal Audit Plan, Internal Audit used prior years’ risk models and risk trending data as the starting point for discussions with the Board and management. Internal Audit asked the Board and management to consider the current business environment, critical business initiatives, and prior year audit results to provide input on which risks warranted the most focus in today’s environment. In addition, management was asked to identify any new risks that may not have been considered in past years for inclusion in the current risk model.

Internal Audit utilized the aggregated input obtained during interviews with the Board and management to develop a list of potential internal audit projects for fiscal 2013, with the objective being to help the Audit Committee and management mitigate areas of highest residual risk, monitor areas of high inherent risk, or to mitigate areas where risks are trending higher.

Internal Audit defined risk as follows:

- Risk: Is the possibility of an event occurring that will have a negative impact on the achievement of goals and objectives and could also include the cost of missing an opportunity.
- Inherent Risk: Is the amount of risk to the business given the environment in which it operates, without considering the application of controls. The risks identified on the following page represent the risk areas deemed most important for the Authority to manage and control in order to achieve its goals and objectives.
- Residual Risk: Is the amount of risk remaining after the application of management controls. Residual risk was judgmentally considered for purposes of this fiscal 2013 audit plan in the selection of potential projects for including on the plan.

Fraud Risk Assessment

In addition to the Enterprise Risk Assessment and in conjunction with the Fiscal 2013 Internal Audit planning process, Internal Audit executed a fraud risk assessment with the objectives of:

- Conducting a review of the completeness of the Authority’s fraud risk universe and a refresh of the fraud risk assessments completed during fiscal years 2011 and 2012 in accordance with the COSO framework,
- Identifying key management activities and prior audits that may help reduce exposure to the highest risk fraud scenarios, and
- Proposing Internal Audit projects as part of this plan that may help reduce exposure to the highest risk fraud scenarios that have not been previously audited within the past 4 years or that do not appear to receive a high amount of attention from management.

In the Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing (“Standards”), Standard 2120.A2 reads, “The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.” The results of the fraud risk assessment work for the top 50% of fraud risk scenarios are provided in Appendix B of this report.

OOCEA Risk Model

Strategic Execution Financial Reporting Operational

- Strategic planning*
- Organization structure*
- Succession planning*
- Regulatory changes
- Access to capital
- Statewide interoperability*
- Governance*
- Political environment
- Ethical behavior*
- Communication
- Leadership
- Outsourcing*
- RTA/Consolidation
- Financial reporting*
- Contract performance reporting*
- Cost containment*
- Procurement and vendor selection**
- Budgeting
- Management performance reporting*
- Fraud*
- Cash handling**
- Bond financing and covenant compliance
- Treasury and liquidity management

Financial Reporting Operational Execution

- Toll violations*
- IT infrastructure* / business continuity
- Toll collections**
- IT security and access**
- IT application controls*
- IT change management*
- Human Resources*
- Insurance Coverage

Regulatory / Compliance

- Public relations*
- Customer satisfaction
- Maintenance & safety
- Contract management**

Bold indicates new risks added to the Risk Model in 2012
* Represents risks addressed by internal audits in Fiscal 2012, 2011, 2010, or 2009
** Represents areas to be addressed by Fiscal 2013 Internal Audit Projects

Risks not Addressed through Internal Audit

For each risk: Controls and/or Oversight outside of Internal Audit, followed (where stated) by the Audit Committee Evaluation of Additional Required Internal Audit Effort.

- Communication
  Controls/oversight: Communication risks are principally managed through Board of Directors and Committee oversight.
  Evaluation: None – not typically an area that can be addressed by internal audit
- Access to Capital
  Controls/oversight: Capital has been achieved through bond offerings – see related risks below.
- Political Environment
  Controls/oversight: The political risks are managed by the Executive Director and frequent communication of issues with the Board and Committees.
- Leadership
  Controls/oversight: Leadership risks are managed by the Board.
- Budgeting
  Controls/oversight: Budgeting risks are managed by the Board and Finance Committee, including a presentation each year on the budget process and results by the CFO.
  Evaluation: None – remaining risks are not significant enough to cost justify additional internal audit resources.
- Bond financing and covenant compliance
  Controls/oversight: Outside financial advice is provided by third party firms and the external auditor considers covenant compliance in connection with the annual financial statement audit.
- Treasury and liquidity management
  Controls/oversight: Treasury and liquidity risks are managed by the CFO with oversight of the Finance Committee.
- Insurance Coverage
  Controls/oversight: An outside advisor is being engaged to provide advice on insurance coverage.
- Maintenance and Safety
  Controls/oversight: Standards for Maintenance and Safety related risks and other performance areas are monitored by the Florida Transportation Commission. The Commission submits a report titled the Transportation Authorities Monitoring and Oversight report annually to the Governor and Legislature.
- Customer Satisfaction
  Controls/oversight: Many customer services are outsourced to third party firms, and the Authority engages an outside firm to do a customer satisfaction survey every other year.
  Evaluation: None, due to a collaborative effort to consolidate back office services in the future if cost efficiencies and improved customer service can be obtained.

Fiscal 2013 Internal Audit Plan

The Internal Audit plan outlined below has been developed based on an Audit Committee approved budget of $369,000. The expected budget allocation, by type of Internal Audit project, is as follows:

Performance and Compliance
- Prior Audit Recommendations: Semi-annual Follow-up and Reporting: $20,000
- Contract Billing Audits: $45,000
- Toll Revenue Audit: $85,000
- Procurement Audit – Large Contract Awards: $35,000
- FTC Report Audit: $39,000
- Dashboard Audit: $10,000

Information Technology
- PCI Assessment with Report on Compliance: $65,000
- DHSMV Data Security Assessment: $25,000

Other
- Fiscal 2013 Internal Audit Plan, including Company Risk Assessment and Fraud Risk Assessment: $30,000

Administration
- Board and Audit Committee Meetings: $15,000

TOTAL: $369,000

[Chart: budget allocation by type of Internal Audit project; segment labels 4%, 8%, 24%, 64%]

Fiscal 2013 Internal Audit Projects

1. Prior Audit Recommendations: Semi-annual Follow-up and Reporting
   Project description: This work will focus on semi-annual follow-up on the status of all OPEN action plans from prior year audits. In addition, internal audit will consider re-auditing closed recommendations for selected areas from prior year audits as requested by management or the audit committee.
   Date last completed: February 2012
   Risks: Various
   Estimated cost: $20,000

2. Annual Contract Billing Audits
   Project description: This audit will encompass a selection of 3 - 4 large engineering, construction, maintenance, operations, or legal contracts on an annual, rotational basis, with the objective of verifying that internal controls are in place to ensure work performed for the Authority under large contracts has been billed in accordance with contractual terms and conditions. The work will include testing pricing and hours worked for accuracy and validity, testing invoice approvals, testing vendor compliance with other contractual obligations, using data analytics to identify high risk vendors and/or change orders, and trending key spend data and other data points for management review and consideration.
   Date last completed: April 2012
   Risks: Contract Management; Contract Performance Reporting; Cost Management; Procurement and vendor selection
   Estimated cost: $45,000

3. Toll Revenue Audit
   Project description: The toll revenue audit will focus on the two processes driving Toll Revenue: cash toll collections and electronic tolling collections, with the objectives of reviewing whether (1) controls exist to ensure revenue data captured at the point of origin is completely and accurately recorded to the financial statements, (2) physical safeguarding controls exist around cash (including the use of security and surveillance, data analytics, monitoring and reporting, and counts / other reconciling activities), (3) controls in place around processing revenue adjustments to customer accounts are operating according to policy, and (4) appropriate monitoring and measurements are in place to review toll revenue. We will also test to ensure that the previous audit recommendations around toll revenue have been implemented. Additionally, IT general controls around supporting systems and information technology will be reviewed.
   Date last completed: KPMG 2009
   Risks: Toll Collections; Cash Handling
   Estimated cost: $85,000

4. Procurement Audit of Large Contract Awards
   Project description: This audit will encompass a selection of large engineering and construction contract awards. The work will include testing the awarding process of contracts that are not “low bid” awards. Internal audit will also evaluate the process for short-listing vendors and for scoring proposals and consider procedures in place at Orange County and the City of Orlando to the extent they can be obtained. We will obtain the bid packages and awarding criteria for each of the contracts, and verify there is proper justification for the awarding of contractors. We will also review for evidence of excessive vendor preference. This audit will be done in two phases: phase one will be to evaluate the policy that is currently in place, phase two will be to test the award process against the policy.
   Date last completed: County Audit - October 2007
   Risks: Fraud
   Estimated cost: $35,000

Fiscal 2013 Internal Audit Projects

5. Florida Transportation Commission (‘FTC’) Data Input Audit
   Project description: The FTC will be conducting a study of the potential for cost savings which may be achieved by sharing of resources between Florida Expressway Authorities (Orlando-Orange County Expressway Authority (OOCEA), Tampa Hillsborough Expressway Authority (THEA), Miami-Dade Expressway Authority (MDX), and Florida’s Turnpike Enterprise (FTE)). The purpose of this audit is to review the data inputs that went into this study to verify accuracy, consistency, and comparability. (CONTINGENT UPON EXTENDED PROCEDURES PERFORMED BY TTI)
   Risks: Reporting
   Estimated cost: $39,000

6. Board Quarterly Reporting Dashboard Audit
   Project description: Test the accuracy and completeness of the new quarterly dashboard that is being prepared for the Board. (CONTINGENT ON WHETHER THE NEW DASHBOARD PROCEDURES REMAIN IN PLACE WITH THE NEW EXECUTIVE DIRECTOR)
   Risks: Management Reporting
   Estimated cost: $10,000

7. DHSMV Data Security Assessment
   Project description: The objective of this assessment is to review internal controls for gaps in design related to the requirements set forth in Section V – Safeguarding Information, of the DHSMV Drivers License or Motor Vehicle Record Data Exchange Memorandum of Understanding (MOU).
   Risks: IT Security
   Estimated cost: $25,000

8. PCI Assessment with Report on Compliance
   Project description: This project will be to fully test the Authority’s compliance with the PCI Data Security Standard (PCI-DSS) version 2.0 and issue a Report on Compliance (ROC). The testing will cover all twelve sections of the PCI-DSS.
   Date last completed: April 2012 (Gap assessment only)
   Estimated cost: $65,000

9. Fiscal 2014 Internal Audit Plan, including Company Risk Assessment and Fraud Risk Assessment
   Project description: We will conduct a risk assessment to highlight the Authority’s current year risk profile, to identify risk trends, and to form the foundation for the fiscal year 2014 Internal Audit Plan. In addition, we will conduct the annual review of the completeness of the fraud risk universe and annual refresh of the fraud risk assessment in accordance with the COSO framework. The information and findings will be utilized to develop the 2014 Internal Audit plan, with a focus on addressing opportunities identified during the risk assessment process.
   Risks: Strategic Planning; Fraud
   Estimated cost: $30,000

Fiscal 2013 Internal Audit Projects

10. Board and Audit Committee Meetings
    Project description: Protiviti will attend Board meetings and prepare for and present at all Audit Committee meetings during fiscal year 2013. This includes all prep time with management and the Audit Committee in advance of meetings.
    Risks: N/A
    Estimated cost: $15,000

TOTAL (consistent with the Fiscal 2013 Internal Audit Budget): $369,000

Other Potential Internal Audit Projects not Selected for Fiscal 2013

1. ISO 27001 Information Security Review
   Project description: This review will compare, at a high level, OOCEA’s information security practices and procedures to the ISO 27001 framework. This framework is widely recognized as the benchmark for assessing / creating overall information security programs. Protiviti will utilize an adapted version of the Carnegie Mellon Capability Maturity Model (CMM) to report on the results of this effort. The CMM helps to identify critical areas that must be addressed before an organization can progress to a more mature state.
   Date last completed: N/A
   Risk: IT Security
   Estimated cost: $45,000

2. IT General Controls Review
   Project description: This review will focus on the OOCEA Information Systems area. To accomplish this, we will assess the policies and procedures that are utilized to support the business critical applications and systems at OOCEA. Our approach will be to focus on the IT General Computer Controls which include the following components: Change Management, Logical Security, Physical Security, Security Administration, IT Organization & Management.
   Date last completed: N/A
   Risk: IT Infrastructure; Application Controls; Change Management
   Estimated cost: $36,000

3. Disaster Recovery Review
   Project description: This review will focus on the Business Continuity and Disaster Recovery plans, including existing policies and procedures. The review will include an assessment of the documented plans as well as the foundational efforts that were performed to create them (such as a Business Impact Analysis).
   Date last completed: N/A
   Risk: Business Continuity
   Estimated cost: $40,000

4. Document Retention and Records Management Audit
   Project description: The Florida Secretary of State has established a documentation retention schedule specific to document classification (different types must be kept for different lengths of time). Expressway is currently revising its policy around document retention and records management and likely won’t be ready for internal audit to look at it until fiscal 2014.
   Date last completed: N/A
   Risk: Document Retention and Records Management
   Estimated cost: $35,000

5. Sensitive Data / Data Management Review
   Project description: The objectives of the project will be to identify if sensitive data is inappropriately stored in locations on the OOCEA network - in violation of company policy and leading practices. In addition, we will perform a high-level evaluation of the controls over the sensitive data repositories that are identified (if applicable) to determine if potential gaps exist.
   Date last completed: N/A

Other Potential Internal Audit Projects not Selected for Fiscal 2013

6. Bond Financing Audit
   Project description: This audit will encompass reviewing the process for bond financing and the use of financial advisors. In addition, we will review the assumptions / inputs used in determining the appropriate structure of recent financing arrangements to verify the assumptions / inputs are reasonable. We will utilize our financing subject matter specialists to assist with this work.
   Date last completed: N/A
   Risk: Treasury and Liquidity Management
   Estimated cost: $35,000

7. Safety Plan Compliance Audit
   Project description: The objective of this audit would be to verify that the safety plan in place is being followed/practiced according to policy/plan.
   Risk: Maintenance & Safety
   Estimated cost: $30,000

8. EPass Asset Management Review – with a focus on complimentary transponders
   Project description: The purpose of this audit is to take a full inventory of the complimentary EPass transponders to verify that they are all accounted for on approved vehicles.
   Risk: Revenue Asset Management
   Estimated cost: $20,000

9. Budgeting/Capital Process Review
   Project description: The purpose of this review is to review the budgeting, forecasting, and change management processes for capital funding and to determine if there are any efficiencies that can be gained in this process or opportunities to improve the current process to manage capital spending. This will include how projects are added and subtracted to the work program and a review of the risks and controls around making sure funding appropriately matches the work program.
   Risk: Budgeting

10. Marketing and Communications Plan Audit
    Project description: IA will utilize subject matter experts from its Creative Options Group to review the authority’s new marketing and communications plan. Specific items that may be included in this review include a review of the communications policies, approach, use of a creative marketing vendor, communications tool, Board member/employee training, social media, and measurement of the plan (short term versus long term impacts).
    Risk: Communications
    Estimated cost: $45,000

Other Potential Internal Audit Projects not Selected for Fiscal 2013

11. Call Center Review
    Project description: The purpose of this review is to develop an understanding of the authority’s current state of operations and determine if there are any factors impeding the authority’s ability to achieve the best possible performance.
    Risk: Customer Service
    Estimated cost: $50,000

12. Social Media Policy Audit
    Project description: The purpose of this audit would be to review the authority’s Social Media program, including reviewing the current social media policy and process documentation; interview senior management to understand how social media is utilized within the authority; identify key risks related to social media and map them to existing controls; perform testing of the controls in place and identify any gaps.
    Risk: Communications
    Estimated cost: $25,000

13. Whistleblower Hotline
    Project description: The purpose would be to review the process for letting people know about the whistleblower hotline, how calls are escalated and what the reporting process is.
    Risk: Human Resources
    Estimated cost: $5,000

Internal Audit Timeline

[Chart: FY 2013 Estimated Project Timeline, by month from July to June]

Selected Audits
- Prior Audit Recommendations: Semi-annual Follow-Up
- Annual Contract Billing Audits
- Toll Revenue Audit
- Procurement Audit of Large Contract Awards
- FTC Data Input Audit
- Board Reporting Dashboard Audit
- DHSMV Data Security Assessment
- PCI Assessment with Report on Compliance
- Fiscal 2014 Internal Audit Plan, including Company Risk Assessment and Fraud Risk Assessment

Administration
- Board and Audit Committee Meetings

Appendix A Internal Audit Charter

Internal Audit Charter

Orlando – Orange County Expressway Authority
Fiscal 2013 Internal Audit Department Charter

MISSION
The mission of the internal audit department is to provide the Authority Board with unbiased, objective assessments of whether Expressway resources are responsibly and effectively managed to achieve intended results.

PURPOSE
Internal audit’s purpose is to add value, improve operations, and enhance transparency. It helps the Expressway accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

INDEPENDENCE
The Internal Audit Director is appointed by the Expressway Authority Board, and reports to them through the Audit Committee. The role of the Internal Audit Director may be filled by an outside firm that provides internal audit services to the Expressway Authority on an outsourced basis. For administrative purposes, the Internal Audit Director reports to the General Counsel. To ensure independence, the internal audit function has no direct responsibility or any authority over any of the activities or operation of the Expressway.

Internal Audit Charter

AUTHORITY
Everything the Expressway Authority does is subject to assessment by internal audit. Internal Audit shall have full, free, and unrestricted access to all activities, records, properties and personnel. The Internal Audit Director shall have direct and independent access to members of the Audit Committee. The internal audit department is authorized to allocate resources, set frequencies, select subjects, determine scopes of work for projects as approved by the Audit Committee, and apply the techniques required to accomplish audit objectives. In addition, the Internal Audit Director may obtain the necessary assistance of personnel in units of the organization where they perform audits, as well as other specialized services from within or outside the organization, as approved by the Audit Committee.

SCOPE
Management is responsible for establishing and maintaining risk management, control, and governance processes. The scope of work of internal audit is to determine whether management’s processes are adequate and functioning in a manner to ensure:
- Risks are appropriately identified and managed.
- Interaction with the various governance groups occurs as needed.
- Significant financial, managerial, and operating information is relevant, reliable and understandable.
- Employee actions comply with policies, standards, procedures, and applicable laws and regulations.
- Resources are acquired economically, used efficiently, and adequately protected.
- Programs, plans, and objectives are achieved.
- Quality and continuous improvement are fostered in control processes.
- Significant legislative or regulatory issues are recognized and addressed properly.

Internal Audit Charter

RESPONSIBILITY
The internal audit department’s responsibility includes, but is not limited to:
Develop a flexible annual audit plan using appropriate risk-based methodology, including any risks or control concerns identified by management, and submit that plan to the Audit Committee for review and approval.
Implement the annual audit plan, as approved, including, and as appropriate, any special tasks or projects requested by management and the Audit Committee.
Maintain a professional audit staff with sufficient knowledge, skills, experience, and professional certifications to meet the requirements of this Charter.
Establish a quality assurance program by which the Internal Audit Director assures the operation of internal auditing activities.
Perform consulting services, beyond internal audit's assurance services, to assist management in meeting its objectives. Examples may include facilitation, process design, training, and advisory services.
Evaluate and assess significant merging/consolidating functions and new or changing services, processes, operations, and control processes coincident with their development, implementation, and/or expansion.
Issue periodic reports to the Audit Committee and management summarizing results of audit activities as well as results of internal and external assessments conducted in association with the Quality Assurance and Improvement Program.
Keep the Audit Committee informed of emerging trends and successful practices in internal auditing.
Provide a list of significant measurement goals and results to the Audit Committee.
Assist in the investigation of significant suspected fraudulent activities within the organization and notify management and the Audit Committee of the results.
Consider the scope of work of the external auditors and regulators, as appropriate, for the purpose of providing optimal audit coverage to the organization at a reasonable overall cost.

Internal Audit Charter

STANDARDS
Internal audit shall comply with the International Standards for the Professional Practice of Internal Auditing of The Institute of Internal Auditors. Consistent with the IIA Standards, internal audit recognizes the mandatory nature of the Definition of Internal Auditing, the Code of Ethics, and the IIA Standards.

Appendix B Fraud Risk Assessment Results

Fraud Risk Assessment Results

Risk assessment results and a gap coverage analysis for the top 50% of fraud risk scenarios are depicted below, considering management control activities, prior Internal Audits, and potential next steps / proposed future audits.

Fraud Scenario | Relative Rating / Trend | Management Key Activity | Prior Audits | Potential Next Steps / Audits

1 Unauthorized / improper use of corporate credit cards / misuse of company funds High 1. The Director of Procurement reviews all monthly statements for receipt support. 2. Periodic P-Card audits are performed by the Deputy Director Administration. Prior Audit Recommendations: Semi-annual Follow-up and Reporting 2011 Fraud Risk Assessment with P-Card Audit None
2 Management disclosure of confidential information during procurement Bids / proposals are sealed and opened only after the due date. 2011 and 2012 Contract Audits Procurement Audit - Large Contracts - Will be considered in 2013
3 Theft or misuse of confidential financial information, e.g. credit card numbers, bank account information, etc. Call center employees cannot see customer financial information once it is entered into the system. PCI Assessment with Report on Compliance 2013 PCI Assessment
4 Circumvention of procurement Procurement policies and procedures are in place. 2011 Limited Procurement Compliance Audit
5 Theft of cash Reconciliations are performed between cash collected, what the collector's system says should have been collected, and the treadles. 2009 Toll Revenue Audit Toll Revenue Audit - Will be considered in 2013

Fraud Risk Assessment Results

Fraud Scenario | Relative Rating / Trend | Management Key Activity | Prior Audits | Potential Next Steps / Audits

6 Toll violations High Unpaid Toll Notices are sent to violators 2012 Violations Audit None
7 Payment of false invoices / invoices do not match contract terms Invoices are reviewed on multiple levels prior to payment 2011 and 2012 Contract Audits 2011 Vendor Billing Audits 2013 Annual Contract Audit
8 Bribery / kickback to award bids Procurement policies and procedures are in place. None; typically reviewed as part of a whistleblower complaint
9 Adjustment to customer accounts Customer service personnel cannot adjust customer accounts without supervisor approval. 2011 Contract Audits (ACS) 2013 Toll Revenue Audit
10 Selective disclosure to Board or public (Intentionally omitting detrimental information, debt covenant violations, ethics violations, etc.) 2010 Ethics Policy Compliance Review 2009 Corporate Governance Review 2013 Board Reporting Dashboard Audit
11 Billing for work not performed or vendor overbillings 2011 and 2012 Contract Audits 2010 Purchasing Spend Audit 2013 Annual Contract Audit

Fraud Risk Assessment Results

Fraud Scenario | Relative Rating / Trend | Management Key Activity | Prior Audits | Potential Next Steps / Audits

12 Solicitation (the act of a Company purchasing agent or other representative demanding payment to allow the contractor to continue) High Procurement policies and procedures are in place. 2010 Ethics Policy Compliance Review None; typically reviewed as part of a whistleblower complaint
13 Off-contract agreements None None proposed; typically reviewed as part of a whistleblower complaint
14 Counterfeit cash Toll collectors use counterfeit detection pens on large bills 2009 Toll Revenue Audit 2013 Toll Revenue Audit