The Office of Internal Audit (OIA) recognizes that an overall strategy and plan are important to meet the goals, objectives, and mission of our office.
In compliance with the Accountability in Government Ordinance, § 2-10-11, Annual Audit Plan:
Prior to the beginning of each fiscal year, the Director shall submit an annual audit plan to the Committee for review and comment. As part of these deliberations, the officials shall be invited to recommend areas for inclusion in the plan. The plan shall include the auditees scheduled for audit during the year, a statement of the scope of the audit and the estimated time required to complete the audit. The annual audit plan shall be transmitted to the Council for final approval as a resolution.
An annual audit plan benefits the organization by:
- Establishing what departments, contracts, or other areas will be prioritized for audits on an annual basis.
- Permitting an efficient allocation of limited resources.
- Providing a flexible basis for managing audit personnel.
Audits are selected and prioritized using a risk-based approach. OIA utilizes several techniques to identify and prioritize audits in the annual plan. These techniques include:
- Input from the Administration and the City Council;
- Knowledge of operations and internal controls derived from previous audits;
- Utilization of risk assessment criteria.
Audits considered for the audit plan are compiled from suggestions by OIA staff, Administration staff, City Council members, as well as complaints and other sources of information. The suggestions are evaluated and rated using a risk assessment matrix. The number of audits selected for the plan is based on the impact the audit would have (the problem or risks it would address and the likely types of findings and recommendations to result); the sensitivity, complexity, and difficulty of the project compared to its likely impact; staff qualifications and other resources available; and the breadth and depth of audit coverage across City government.
Part of the annual plan is devoted to follow-ups. A follow-up audit assesses the progress made on issues identified in a previous audit, one or more years after its release. The remaining projects include:
- Contract Audits,
- Special Audits,
- Cash Counts.
Staff is assigned based on combinations of experience, qualifications, interests, and availability. During this process, we may identify projects that require additional expertise from consultants.
Principles for Audit Plan Development
In order to provide practical guidance and an authoritative framework for the development of the annual audit plan, the following basic principles are recognized and observed:
- Audit resources are limited, thus prohibiting one hundred percent audit coverage each year. This limiting factor is inherent in the concept of utilizing risk assessment to help prioritize audits.
- The plan is viewed as a flexible and dynamic tool that can be amended throughout the year to reflect changing City risks and priorities.
- The audit plan gives consideration to work performed by other auditors.
- The audit plan gives consideration to those audits which may be mandated by ordinance.
- The risk assessment criteria used in the ranking of the audit suggestions place an emphasis on perceived or actual knowledge of systems of internal control.
The audit plan is developed with the understanding that there are inherent risks and limitations associated with any method or system of prioritizing audits. As a result, the risk factors and scoring process are periodically evaluated and modified, if necessary, in order to improve the audit plan.
Audit Prioritization and Selection
The objective of utilizing a risk-based audit plan is to identify and prioritize various operational and other issues posing the greatest potential risk and liability to the City. The risk assessment process provides a tool for assigning available audit personnel to perform audits for the purpose of reducing risk and liability exposure to the City.
Risk assessment is a process used to score potential audits based upon specific risk factors related to an entity’s operations, internal controls, and estimated liability to the City. The development of an annual risk-based audit plan is a dynamic process. Throughout the year, the audit staff obtains current information about departments and contractors for use in the risk assessment process. Additionally, the Director obtains input from the Administration, City Council and the Accountability in Government Oversight Committee throughout the year to identify key risks related to various operational areas. The risk factors and scoring process are annually reviewed and refined as needed.
The following risk factors are used to determine the audits included in the audit plan:
- Perception of risk from the Administration, City Council, contractors, or audit staff;
- Economic factors such as financial impact, volume of transactions, number of personnel, revenue generated, the alignment of responsibility with authority, and trends;
- Changes in organization, management, key personnel and information systems;
- Time since last audit;
- Environmental factors such as control, regulatory, and public perception.
Preparing the Annual Audit Plan
The objective of the annual planning process is to establish and schedule audit activities. A critical component of the annual audit planning process is to ensure that qualified audit personnel are assigned to the highest priority assignments. The principles and procedures discussed in this document have been developed to provide a process for fulfilling these objectives.
The final step to complete the annual audit plan is to estimate the number of available staff hours in the year and apply these to the estimated hours needed to complete selected audits and projects. The results of the fiscal year (FY) 2011 Audit Plan are presented along with the estimated time allocation for audits and projects. Actual scheduling of selected projects may be affected by personnel turnover, special audits, and unforeseen circumstances in a scheduled audit.
The FY2011 Proposed Budget deleted two Staff Auditor/Investigator positions which were vacant. A Principal Auditor and a Senior IT Auditor position were funded for half of FY2011. These positions represent 27% of the total professional audit and investigation staff positions in OIA. The estimated total of 7,000 hours for the FY2011 audit plan is approximately the equivalent of 4.5 FTEs, assuming 1,560 hours per FTE. The 4.5 FTE figure assumes 4 full-time auditors, and the 0.5 recognizes the management time spent on audits. We estimate the number of audit hours available to be 1,560 per FTE, which is 75% of 2,080. We use that figure because 2,080 hours must be reduced by vacation leave, sick leave, administrative time, and the annual required training to maintain certifications and meet Government Auditing Standards.
The estimate of hours per audit is made by reviewing the average hours spent on previous audits. The estimate is just a starting point for planning an audit. After the auditor receives responses to the preliminary survey for each audit, the auditor, in partnership with the audit management staff, performs a risk assessment on the processes and auditable areas for an assignment. The final budget to perform the test work and other necessary steps to complete the audit is reevaluated and frequently adjusted.