• What are internal controls?
• Who is responsible for the internal controls in the City of San Diego?
• What role does audit play in the City of San Diego internal controls?
• Why are internal controls important?
• What can jeopardize internal controls?
• What types of audits will the City Auditor's Office conduct?
• What types of audit documents will the City Auditor's Office present to the audit committee for consideration?

What are internal controls?

Internal control is a process, designed and adopted by management to meet its missions, goals, and objectives through planning, organizing, directing, and controlling program operations. It includes the systems for measuring, reporting, and monitoring program performance.

Who is responsible for the internal controls in the City of San Diego?

Management (The Mayor and his/her Management Team) is directly responsible for internal controls (owners of internal controls), as they set the business objectives that must be met.

What role does audit play in the City of San Diego internal controls?

The Office of the City Auditor will evaluate the effectiveness of the internal controls through various audit products and report on any control weaknesses identified.

Why are internal controls important?

Internal controls serves as a defense in safeguarding assets and in preventing and detecting errors; fraud; violations of laws, regulations, and provisions of contracts and grant agreements; or abuse.

What can jeopardize internal controls?

The following are examples of control deficiencies:

1. Insufficient control consciousness within the organization, for example the tone at the top and the control environment. Control deficiencies in other components of internal control could lead the auditor to conclude that weaknesses exist in the control environment.
2. Ineffective oversight by those charged with governance of the entity's financial reporting, performance reporting, or internal control, or an ineffective overall governance structure.
3. Control systems that did not prevent or detect material misstatements so that it was later necessary to restate previously issued financial statements or operational results. Control systems that did not prevent or detect material misstatements in performance or operational results so that it was later necessary to make significant corrections to those results.
4. Control systems that did not prevent or detect material misstatements identified by the auditor. This includes misstatements involving estimation and judgment for which the auditor identifies potential material adjustments and corrections of the recorded amounts.
5. An ineffective internal audit function or risk assessment function at an entity for which such functions are important to the monitoring or risk assessment component of internal control, such as for a very large or highly complex entity.
6. Identification of fraud of any magnitude on the part of senior management.
7. Failure by management or those charged with governance to assess the effect of a significant deficiency previously communicated to them and either to correct it or to conclude that it will not be corrected.
8. Inadequate controls for the safeguarding of assets.
9. Evidence of intentional override of internal control by those in authority to the detriment of the overall objectives of the system.
10. Deficiencies in the design or operation of internal control that could result in violations of laws, regulations, provisions of contracts or grant agreements, fraud, or abuse having a direct and material effect on the financial statements or the audit objective.
11. Inadequate design of information systems general and application controls that prevent the information system from providing complete and accurate information consistent with financial or performance reporting objectives and other current needs.
12. Failure of an application control caused by a deficiency in the design or operation of an information systems general control.
13. Employees or management who lack the qualifications and training to fulfill their assigned functions.

TOP OF PAGE

What types of audits will the City Auditor's Office conduct?

Performance audits are defined as engagements that provide assurance or conclusions based on an evaluation of sufficient, appropriate evidence against stated criteria, such as specific requirements, measures, or defined business practices. Performance audits provide objective analysis so that management and those charged with governance and oversight can use the information to improve program performance and operations, reduce costs, facilitate decision making by parties with responsibility to oversee or initiate corrective action, and contribute to public accountability.

Performance audits that comply with Generally Accepted Government Auditing Standards (GAGAS) provide reasonable assurance that the auditors have obtained sufficient, appropriate evidence to support the conclusions reached. Thus, the sufficiency and appropriateness of evidence needed and tests of evidence will vary based on the audit objectives and conclusions.

A performance audit is a dynamic process that includes consideration of the applicable standards throughout the course of the audit. An ongoing assessment of the objectives, audit risk, audit procedures, and evidence during the course of the audit facilitates the auditors' determination of what to report and the proper context for the audit conclusions, including discussion about the sufficiency and appropriateness of evidence being used as a basis for the audit conclusions. Performance audit conclusions logically flow from all of these elements and provide an assessment of the audit findings and their implications.

Internal control audit objectives relate to an assessment of the component of an organization's system of internal control that is designed to provide reasonable assurance of achieving effective and efficient operations, reliable financial and performance reporting, or compliance with applicable laws and regulations. Internal control objectives also may be relevant when determining the cause of unsatisfactory program performance. Internal control comprises the plans, policies, methods, and procedures used to meet the organization's mission, goals, and objectives. Internal control includes the processes and procedures for planning, organizing, directing, and controlling program operations, and management's system for measuring, reporting, and monitoring program performance.

The GAGAS Yellow Book defines financial audits as:

An audit primarily concerned with providing reasonable assurance about whether financial statements are presented fairly in all material respects in conformity with generally accepted accounting principles (GAAP), or with a comprehensive basis of accounting other than GAAP. Other objectives of financial audits, which provide for different levels of assurance and entail various scopes of work, may include:

• providing special reports for specified elements, accounts, or items of a financial statement;
• reviewing interim financial information;
• issuing letters for underwriters and certain other requesting parties;
• reporting on the processing of transactions by service organizations; and
• auditing compliance with regulations relating to federal award expenditures and other governmental financial assistance in conjunction with or as a by-product of a financial statement audit.

The City of San Diego hires an outside independent audit firm to perform the City's financial statement audit for the City's Comprehensive Annual Financial Report (CAFR).

The Yellow Book defines an attestation engagement as:

An engagement concerned with examining, reviewing, or performing agreed-upon procedures on a subject matter or an assertion about a subject matter and reporting on the results. The subject matter of an attestation engagement may take many forms, including historical or prospective performance or condition, physical characteristics, historical events, analyses, systems and processes, or behavior. Attestation engagements can cover a broad range of financial or non-financial subjects and can be part of a financial audit or performance audit. Possible subjects of attestation engagements could include reporting on:

• an entity's internal control over financial reporting;
• an entity's compliance with requirements of specified laws, regulations, rules, contracts, or grants;
• the effectiveness of an entity's internal control over compliance with specified requirements, such as those governing the bidding for, accounting for, and reporting on grants and contracts;
• management's discussion and analysis presentation;
• prospective financial statements or pro-forma financial information;
• the reliability of performance measures;
• final contract cost;
• allowability and reasonableness of proposed contract amounts; and
• specific procedures performed on a subject matter (agreed-upon procedures).

The Yellow Book establishes that audit organizations that provide nonaudit services (professional services) must communicate to management that the scope of work performed does not constitute an audit under the yellow book. Further, audit organizations that provide nonaudit services must evaluate whether providing nonaudit services creates an independence impairment in fact or appearance with respect to the entities they audit.

What types of audit documents will the City Auditor's Office present to the Audit Committee for consideration?

{C}

Audit Document	City Auditor Action
1. Audit Reports	All audit reports will be made public and copies distributed simultaneously to the Audit Committee members, Mayor, City Council members, City Attorney, and administration officials. All audit reports will be placed on the City Auditor's public website.
2. Annual Audit Work Plan	At the beginning of each fiscal year, the City Auditor will propose an annual audit work plan that will identify all proposed audits to be undertaken throughout the year. The work plan will identify 1) all audits in progress; 2) audits not started; 3) required annual audits, such as the Annual Inventory Audit; 4) on-going audit assignments, such as the Fraud, Waste and Abuse Hotline; 5) newly proposed audits based on the Citywide Risk Assessment model; and 6) input from the Mayor, City Council, and Administration on potential audit subjects. Additional information will include audit type and estimated audit hours. Audit requests received during the fiscal year will be addressed through the Audit Committee.
3. Annual Activities and Accomplishments Report	Annually, the City Auditor's Office will make public a record of its activities and accomplishments. Beginning in January 2009, the City Auditor will issue an annual report for the period January 1, 2008 to December 31, 2008, with the following information: Audit authority and responsibility. Mission statement. Information on types of audits performed. Benefits to city, in terms of cost savings and increased revenues, or strengthening internal controls in comparison to audit costs. Audit recommendations by type-Improve operations or program effectiveness, or improve economy and effectiveness. Office information, including budget and number of personnel. Audit work plan and Citywide Risk Assessment process. Organizational chart. Staff information including education, certifications, and work experience. Noteworthy recognition, appointments, and awards. Website information and statistics. Summary of audit work performed - executive summary of audit reports. Most recent peer review report.
4. Fraud, Waste, and Abuse Hotline Quarterly Report	On a quarterly basis, the City Auditor will provide a summary report to the Audit Committee regarding the number of calls to the hotline, category of calls received, and call disposition.
5. Monthly Reports	Each month, the City Auditor will issue a report to the Audit Committee. The report will contain 1) a listing of issued audit reports and memorandums; 2) a listing of all ongoing audit assignments, including information on audit status, hours, and target issuance date; 3) approved audits not started; and 4) a listing of significant City Auditor and staff activities and accomplishments.
6. Recommendation Follow-Up Report	In order to ensure recommendations are implemented on a timely basis, the City Auditor will undertake an annual recommendation follow-up process to track the status of all previously issued audit recommendations. In February 2009, the City Auditor will prepare an annual report on the status of all recommendations for the previous 12 month period ending December 31, 2008.
7. Risk Assessment	On an annual basis, the City Auditor's Office will conduct a Citywide Risk Assessment to identify potential audit subjects. The City Auditor's Office will complete a Citywide Risk Assessment as a means to help identify, measure, and prioritize the City's potential audits based on the level of risk to the City. The results of the completed Citywide Risk Assessment will be utilized in preparing the City Auditor's annual work plan. When a City Activity Group is selected to be audited, we will perform a more in depth risk assessment to ensure our audit procedures cover the areas of highest risk for that Activity Group.