Determining What to Audit
A high-quality and transparent annual audit plan is critical for meeting the mission of the Denver Auditor’s Office. Developing the plan is an ongoing process, conducted by assembling ideas from a variety of sources, examining a broad range of City activities, and then assessing risk factors in tandem with some additional considerations. By evaluating potential audits from a variety of perspectives, the Auditor’s Office seeks to provide widespread audit coverage both in terms of the types of audits performed and the entities assessed. This approach results in a diverse list of departments, programs, activities, and contracts that are examined to determine the extent to which they are operating efficiently, effectively, and in accordance with program or contract requirements.
In developing a list of potential audits, ideas come from a variety of sources:
- Assessments of operations and controls derived from previous internal and external audits, including independent audits of the City’s Comprehensive Annual Financial Report (CAFR), the audit of federal compliance, and audit management letters;
- Input from the community, elected officials, Audit Committee members, operational management, and staff;
- Benchmarking against the audit priorities of other governmental entities;
- Consideration of current local events, financial conditions, major capital projects, and public policy issues; and
- Established industry risk-assessment criteria, including from the U.S. Government Accountability Office and the Institute of Internal Auditors.
A robust audit plan will assess a broad range of City activities, including:
- Organizational units within a City agency, such as a division or a department;
- Individual City programs and activities;
- Transaction cycles or processes that affect more than one City function or department, such as contract procurement and purchasing, cash handling, human resources, and/or information technology;
- Individual financial statement accounts and transactional areas, such as capital assets, leave liability, accounts payable, and payroll;
- City functions that operate similarly to for-profit entities, such as Denver International Airport and the Golf Enterprise Fund; and
- Contracts and agreements between the City and third parties.
Potential audits are identified and prioritized using a risk-based approach by examining a variety of factors that may expose the City to fraud, misappropriation of funds, liability, or reputational harm.
Accordingly, risk factors are assessed by reviewing:
- Size of department, program, activity, or contract
- Size of budget
- Compliance and regulations
- Pending or recent legislation
- Complexity of transactions
- Fiscal sustainability
- Critical IT systems, including hardware and software
- Management accountability
- Quality of internal control system
- Age of program, operation, or contract
- Audit history
- Public health and safety
- Critical infrastructure
- Short-term and long-term strategic risks
- Related litigation
- Relevant case law
- Emerging risk areas
Risk factors are periodically evaluated and modified as necessary. In tandem with risk-based considerations, some additional considerations also provide practical guidance in determining which audits to pursue. First and foremost, resource constraints within the Auditor’s Office inherently limit the amount of audit work performed in one year. Furthermore, deference is given to the unique interests and responsibilities of the Auditor as an elected official and the risks the Auditor identifies as a priority to serve the interests of the City and its people. After the plan is finalized, new information may come to light; situations, initiatives, priorities, and risks within the City may change. The flexible nature of the audit plan as a living document provides the discretion to change course when it is in the best interest of the City.
The Auditor’s Office extends its gratitude and appreciation to the Mayor’s Office, the City Council, the Audit Committee, members of the city’s operational management, and members of the general public for providing input on the 2017 Audit Plan and for supporting the general mission of our Office throughout the year.