Office of the City Auditor
Internal control is a process, designed and adopted by management to meet its missions, goals, and objectives through planning, organizing, directing, and controlling program operations. It includes the systems for measuring, reporting, and monitoring program performance.
Management (The Mayor and his/her Management Team) is directly responsible for internal controls (owners of internal controls), as they set the business objectives that must be met.
The Office of the City Auditor will evaluate the effectiveness of the internal controls through various audit products and report on any control weaknesses identified.
Internal controls serves as a defense in safeguarding assets and in preventing and detecting errors; fraud; violations of laws, regulations, and provisions of contracts and grant agreements; or abuse.
The following are examples of control deficiencies:
Performance audits are defined as engagements that provide assurance or conclusions based on an evaluation of sufficient, appropriate evidence against stated criteria, such as specific requirements, measures, or defined business practices. Performance audits provide objective analysis so that management and those charged with governance and oversight can use the information to improve program performance and operations, reduce costs, facilitate decision making by parties with responsibility to oversee or initiate corrective action, and contribute to public accountability.
Performance audits that comply with Generally Accepted Government Auditing Standards (GAGAS) provide reasonable assurance that the auditors have obtained sufficient, appropriate evidence to support the conclusions reached. Thus, the sufficiency and appropriateness of evidence needed and tests of evidence will vary based on the audit objectives and conclusions.
A performance audit is a dynamic process that includes consideration of the applicable standards throughout the course of the audit. An ongoing assessment of the objectives, audit risk, audit procedures, and evidence during the course of the audit facilitates the auditors' determination of what to report and the proper context for the audit conclusions, including discussion about the sufficiency and appropriateness of evidence being used as a basis for the audit conclusions. Performance audit conclusions logically flow from all of these elements and provide an assessment of the audit findings and their implications.
Internal control audit objectives relate to an assessment of the component of an organization's system of internal control that is designed to provide reasonable assurance of achieving effective and efficient operations, reliable financial and performance reporting, or compliance with applicable laws and regulations. Internal control objectives also may be relevant when determining the cause of unsatisfactory program performance. Internal control comprises the plans, policies, methods, and procedures used to meet the organization's mission, goals, and objectives. Internal control includes the processes and procedures for planning, organizing, directing, and controlling program operations, and management's system for measuring, reporting, and monitoring program performance.
The GAGAS Yellow Book defines financial audits as:
An audit primarily concerned with providing reasonable assurance about whether financial statements are presented fairly in all material respects in conformity with generally accepted accounting principles (GAAP), or with a comprehensive basis of accounting other than GAAP. Other objectives of financial audits, which provide for different levels of assurance and entail various scopes of work, may include:
The City of San Diego hires an outside independent audit firm to perform the City's financial statement audit for the City's Annual Comprehensive Financial Report (ACFR).
The Yellow Book defines an attestation engagement as:
An engagement concerned with examining, reviewing, or performing agreed-upon procedures on a subject matter or an assertion about a subject matter and reporting on the results. The subject matter of an attestation engagement may take many forms, including historical or prospective performance or condition, physical characteristics, historical events, analyses, systems and processes, or behavior. Attestation engagements can cover a broad range of financial or non-financial subjects and can be part of a financial audit or performance audit. Possible subjects of attestation engagements could include reporting on:
The Yellow Book establishes that audit organizations that provide nonaudit services (professional services) must communicate to management that the scope of work performed does not constitute an audit under the yellow book. Further, audit organizations that provide nonaudit services must evaluate whether providing nonaudit services creates an independence impairment in fact or appearance with respect to the entities they audit.
|Audit Document||City Auditor Action|
|1. Audit Reports||All audit reports will be made public and copies distributed simultaneously to the Audit Committee members, Mayor, City Council members, City Attorney, and administration officials. All audit reports will be placed on the City Auditor's public website.|
|2. Annual Audit Work Plan||At the beginning of each fiscal year, the City Auditor will propose an annual audit work plan that will identify all proposed audits to be undertaken throughout the year. The work plan will identify 1) all audits in progress; 2) audits not started; 3) required annual audits, such as the Annual Inventory Audit; 4) on-going audit assignments, such as the Fraud, Waste and Abuse Hotline; 5) newly proposed audits based on the Citywide Risk Assessment model; and 6) input from the Mayor, City Council, and Administration on potential audit subjects. Additional information will include audit type and estimated audit hours. Audit requests received during the fiscal year will be addressed through the Audit Committee.|
|3. Annual Activities and Accomplishments Report||Annually, the City Auditor's Office will make public a record of its activities and accomplishments. Beginning in January 2009, the City Auditor will issue an annual report for the period January 1, 2008 to December 31, 2008, with the following information:
|4. Fraud, Waste, and Abuse Hotline Quarterly Report||On a quarterly basis, the City Auditor will provide a summary report to the Audit Committee regarding the number of calls to the hotline, category of calls received, and call disposition.|
|5. Monthly Reports||Each month, the City Auditor will issue a report to the Audit Committee. The report will contain 1) a listing of issued audit reports and memorandums; 2) a listing of all ongoing audit assignments, including information on audit status, hours, and target issuance date; 3) approved audits not started; and 4) a listing of significant City Auditor and staff activities and accomplishments.|
|6. Recommendation Follow-Up Report||In order to ensure recommendations are implemented on a timely basis, the City Auditor will undertake an annual recommendation follow-up process to track the status of all previously issued audit recommendations. In February 2009, the City Auditor will prepare an annual report on the status of all recommendations for the previous 12 month period ending December 31, 2008.|
|7. Risk Assessment||On an annual basis, the City Auditor's Office will conduct a Citywide Risk Assessment to identify potential audit subjects. The City Auditor's Office will complete a Citywide Risk Assessment as a means to help identify, measure, and prioritize the City's potential audits based on the level of risk to the City. The results of the completed Citywide Risk Assessment will be utilized in preparing the City Auditor's annual work plan. When a City Activity Group is selected to be audited, we will perform a more in depth risk assessment to ensure our audit procedures cover the areas of highest risk for that Activity Group.|