2025 Audit Plan

The Denver Charter states the Auditor shall conduct:

• Financial and performance audits of the City and County of Denver in accordance with generally accepted government auditing standards;

• Audits of individual financial transactions, contracts, and franchises; and

• Audits of financial and accounting systems and procedures, including records systems, revenue identification, and accounting and payment practices, for compliance with generally accepted accounting principles, best financial management practices, and any applicable laws and regulations governing the financial practices of the City and County of Denver.

The 2025 Audit Plan ensures broad audit coverage throughout the city while also addressing specific performance, financial, contractual, information technology, and regulatory risks. According to the charter, the ultimate decision to perform any audit is at the sole discretion of the Auditor. Our approach to scheduling audits is flexible and subject to change throughout the year based on newly identified risks.

Integrated audits incorporate elements of performance, financial, and information technology auditing. This produces a more effective outcome through a holistic audit approach with a focus on improving governance, compliance, performance, and operations.

Integrated auditing incorporates diverse approaches, including:

• Performance Auditing – We identify opportunities to improve the efficiency and effectiveness of city activities. Our performance audits also assess the viability or strength of the internal control environment of the city’s agencies and programs. We analyze policies, evaluate programs, and assess the city’s ability to mitigate risk. We may also select performance audits that align with the city’s major strategic initiatives.
  
  
• Financial Auditing – The 2025 Audit Plan continues our focus on the overall financial management and fiscal activities of the city. These audits will assess the financial internal control environment, compliance with city polices, financial governance, accounting and reporting practices, and high-risk financial transactions.
  
  
• Information Technology Auditing – Our audits will continue to address identified information technology risks by focusing on the effectiveness of cybersecurity defenses, data protection, data privacy, and management of critical systems and applications.
  
  
• Contract Compliance Auditing – The 2025 Audit Plan reflects a continued emphasis on auditing city contracts for compliance with contract terms and fulfillment of the scope of work.

As part of Auditor O’Brien’s original vision for the Auditor’s Office, the Audit Analytics Program expands the office’s risk assessment and auditing capability and continues leading- edge audit practices to provide greater value and impact. Using data science tools, auditors sorts through large numbers of transactions and entire datasets to identify the highest risks.

• Audit Analytics – The Auditor’s Office uses quantitative and qualitative risk-finding analytics of audit-related data and applies survey and sampling methodologies to support audits of city processes and internal controls. Audit analytics can be used to ensure data is accurate, consistent, and complete; to identify, analyze, and create graphic visual representations of anomalies and patterns; to build statistical models; and synthesize analytical results in audit reports.
  
  
• Continuous Auditing – Continuous auditing is an audit analytics method that allows auditors to directly connect with city data systems, use an entire data population rather than samples, and automate ongoing analyses of that data. These ongoing analyses of data systems are used to identify high-risk areas and test controls in the city’s financial and operational systems in a timely fashion. The information gained from continuous auditing helps inform audits and our annual risk assessment. It also helps audit teams improve efficiencies in planning and fieldwork by identifying trends and exceptions earlier than through audit traditional methods.

The city’s management is responsible for establishing internal controls to detect and prevent fraud for each city entity. Although fraud detection is not a primary responsibility of the Auditor’s Office, our audits consider the possibility that fraud, waste, or abuse may be occurring.

We follow up on every audit we publish to assess whether city personnel implemented the agreed-upon audit recommendations for improvement and impact.

The Auditor’s Office regularly issues follow-up audit reports to the Audit Committee and the City and County of Denver’s operational management. These reports show the status of audit findings and our recommendations for improved business practices.

Our office measures the audit recommendation acceptance rate, and recommendation implementation rate, as indicators of the degree to which the city is using information our audit reports provide to mitigate identified risks and to enhance efficiency, effectiveness, and economy of operations.

Although the Auditor’s Office operates independently from other city entities, Auditor O’Brien and Auditor’s Office leaders meet regularly throughout the year with City Council members, the mayor, other elected officials, city agency leaders, neighborhood groups, and civic leaders to solicit input regarding risks. Our objective is to improve services and stewardship of city resources.

Developing the annual Audit Plan is an ongoing process — conducted by assembling ideas from a variety of internal and external sources, examining a broad range of city activities and data, and then assessing risk factors in tandem with additional considerations. This approach results in a diverse list of agencies, programs, activities, services, systems, grants, and contracts that auditors examine to determine whether these are operating efficiently, effectively, and in accordance with both the law and any defined requirements. Some agencies could be audited more frequently than others depending on the level of assessed risks and outcomes of previous audits.

In developing a list of potential audits and other types of analyses, ideas come from a variety of sources:

• Assessments of operations and controls in previous internal and external audit reports, including independent audits of the city’s Comprehensive Annual Financial Report, single audits, and audit management letters.
• Input from community members, elected officials, Audit Committee members, external auditors, and agency managers and staff.
• Consideration of current local events, financial conditions, major capital projects, and public policy issues.
• Consideration of risks identified in other government audits that could emerge in Denver.

A robust audit plan assesses a broad range of city activities and entities including:

• Organizational units within a city agency, such as a division or a department.
• Individual city programs and offices.
• Transaction cycles or processes that affect more than one city function or agency, such as contract procurement, purchasing, cash handling, fines, taxes, and assessments or key technology processes.
• Individual financial statement accounts or transactional activities, such as construction projects in progress, tax- funded programs, special revenue funds, and grant programs.
• City functions that operate like for-profit entities, such as Denver International Airport and other entities associated with enterprise funds.
• Contracts and agreements between the city and third parties, including cultural facilities and non-profit organizations.

We identify and prioritize potential audits and other assessments using a risk-based approach by examining a variety of factors that may expose the city to fraud, misappropriation of funds, liability, or reputational harm. Accordingly, we assess risk factors by reviewing:

• Significant changes that have occurred in the city.
• Time since the last audit of an area.
• Size of agency, program, activity, or contract.
• Size of budget.
• Compliance and regulations.
• Pending or recent legislation.
• Complexity of transactions.
• Fiscal sustainability.
• Critical information technology systems, including hardware and software.
• Management accountability.
• Quality of internal control systems.
• Age of programs, operations, or contracts.
• Public health and safety.
• Critical infrastructure.
• Short- and long-term strategic risks.
• Equity.
• Related litigation.
• Relevant case law.
• Emerging risk areas.

We periodically evaluate and modify risk factors, as necessary.

After we finalize the Audit Plan, new information may come to light during the year. Unanticipated events may occur, and initiatives, priorities, and risks within the city may change. The flexible nature of the Audit Plan as a living document provides the discretion to change course when it is in the best interest of the city.

The Auditor’s Office extends its gratitude and appreciation to the Mayor’s Office, City Council, Audit Committee, agency leaders, and members of the public for providing input on the 2025 Audit Plan and for supporting the general mission of our office throughout the year.

The Denver Auditor’s Office Audit Services Division provides independent oversight of how tax dollars and other funding resources are spent on the city’s many services, initiatives, and programs. Article V of the Denver Charter establishes this independence and provides for the Auditor’s general authority and duties. The charter also establishes the Audit Committee, through which we report our audit findings.

Our History
Originally, the Auditor served as the general accountant for the city, maintaining the city’s financial records and paying city expenses, including payroll. In November 2006, Denver voters approved an amendment to the city charter, completely changing the duties of the Auditor that had been in place since 1904. Based on this charter revision, accounting and payroll functions moved in June 2007 to the Controller’s Office under the chief financial officer. This revision, plus other ordinances, authorized the Auditor to conduct audits of any entity that uses city or county dollars, property, or other resources. Today, Denver’s elected Auditor oversees one of the most structurally independent government audit functions in the country.

Several key components serve as the cornerstone for Denver’s auditing framework. These elements provide the Auditor with the independence that results in the office’s ability to conduct meaningful audits.

• Elected Auditor – The City and County of Denver has an elected Auditor who is independent from all other elected officials and operational management.
• Audit Committee – The Denver Charter establishes an independent Audit Committee, chaired by the Auditor, with six other members appointed by the mayor, members of the City Council, and the Auditor.
• Comprehensive Access – The Denver Charter and city ordinance authorize the Auditor to have access to all officers, employees, records, and property maintained by the City and County of Denver, and to all external entities, records, and personnel related to their business interactions with the city. When an external partner refuses access as required by contract after repeated requests, the Auditor may work with the independent Audit Committee to issue a subpoena.
• Audit Response Requirements – City ordinance requires that audited agencies formally respond to all audit findings and recommendations, establishing the Auditor’s ability to work in conjunction with these agencies while maintaining independence.
• Adherence to Professional Audit Standards ― The Auditor’s Office conducts all audits in accordance with the Generally Accepted Government Auditing Standards published by the U. S. Comptroller General. These standards contain requirements and guidance on important topics such as ethics and independence.