REPORT TO COUNCIL
SUBJECT
Title
Study Session: Overview of the Citywide Risk Assessment and Proposed 2024 and 2025 Internal Audit Work Plans
Report
BACKGROUND
Per Section 909 of the City Charter, and SCCC Section 2.29.010, the City Auditor’s duties and responsibilities include conducting in-depth financial and performance audits, overseeing the City’s performance management system, auditing and approving all bills, invoices, payrolls, demands or charges against the City government before payment and, with the advice of the City Attorney, making reports to the City Council as to the regularity, legality and correctness of such claims, demands or charges. The City Auditor’s Office conducts its work under the auditing standards prescribed by the Institute of Internal Auditors (IIA). The IIA International Standards for the Professional Practice of Internal Auditing (Standards) requires the City Auditor’s Office to “establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization’s goals” and consider the input from senior management and a governing board.
DISCUSSION
In 2022, the City Auditor’s Office engaged Baker Tilly US, LLP (Baker Tilly) to conduct a citywide risk assessment and prepare an annual audit work plan for the next five years. The purpose of the internal audit risk assessment is to develop an audit plan that assigns internal audit resources to the activities that add the most value to the City. The risk assessment process involves identifying and measuring risks associated with the audit universe (a list of specific departments, functions, processes, programs, etc. that can be subject to an audit, i.e. auditable units). Risk is defined as “the possibility of an event or condition occurring that will have an impact on the ability of an organization to achieve its objectives.” The risk assessment is an ongoing process and will be updated each year. These updates may alter previously identified audit plans based on these ongoing assessments.
This report summarizes Baker Tilly’s current risk assessment methodology, analysis, and results. This second-year risk assessment is designed to be an update to the more comprehensive assessment done in year one. Whereas in year one, all City Council Members, Senior Leadership Team (SLT), and other City management were interviewed, this year only Council members and select SLT members were interviewed. Additionally, an online survey was done across a broad range of City employees to get input on areas of risk they felt the City Auditor’s Office should be aware of. The 2024 and 2025 audit plan proposed in this report is based on the results of this information gathering.
In conducting the risk assessment, the following activities occurred:
• Continued to develop an understanding of changes to the City’s environment, businesses, and objectives
• Met with members of City Council and select SLT members representing the major operations and administrative functions of the City
• Reviewed key documentation such as the City Council Priority Matrix, the annual budget documents, financial statements, departmental strategic plans, and prior audit reports
• Conducted an online survey of select City employees for input on areas of risk that may affect their roles and City risk as a whole
• Evaluated the results of interviews, survey responses, documentation reviews and considered industry factors to identify areas of risk to the City
• Updated the risk assessment matrix accordingly
In developing the 2024 and 2025 Audit Plan, the following were considered:
• Risk assessment - Internal audit activities to target high and moderate risk areas based on the results of the risk assessment
• Adding value - Internal audit activities to add value through independent and objective analysis
• City Council - The City Auditor’s Office reports to the City Council and seeks input on audit priorities
• Coverage and other audits - Consideration of prior and other audits as well as pervasiveness of the process or control to ensure audit coverage and to avoid duplication of efforts
• Scheduling - Consideration of the timing of an audit and other on-going initiatives to avoid putting an undue burden on City staff that may exacerbate the risk at hand or other interrelated risks
Staff and Baker Tilly, LLC presented the results of the risk assessment and proposed audit work plan to the Audit Committee for input and approval. After discussion, the Audit Committee recommended projects from the proposed recommendations in the work plan for 2024 and 2025. The Committee accepted the report and proposed workplan and moved to bring it to the City Council for acceptance. On May 7, 2024 Council accepted the Risk Assessment and Work Plan and directed the Auditor’s Office to return and conduct a study session with the Council to review the Report.
ENVIRONMENTAL REVIEW
The action being considered does not constitute a “project” within the meaning of the California Environment Quality Act (“CEQA”) pursuant to CEQA Guidelines section 15378(a)(4) in that it is a fiscal activity that does not involve any commitment to any specific project which may result in a potential significant impact on the environment.
FISCAL IMPACT
Costs associated with the preparation of this report are included in the City’s FY 2024/25 Adopted Operating Budget.
COORDINATION
This report has been coordinated with the City Manager’s Office and City Attorney’s Office.
PUBLIC CONTACT
Public contact was made by posting the Council agenda on the City’s official-notice bulletin board outside City Hall Council Chambers. A complete agenda packet is available on the City’s website and in the City Clerk’s Office at least 72 hours prior to a Regular Meeting and 24 hours prior to a Special Meeting. A hard copy of any agenda report may be requested by contacting the City Clerk’s Office at (408) 615-2220, email clerk@santaclaraca.gov <mailto:clerk@santaclaraca.gov> or at the public information desk at any City of Santa Clara public library.
RECOMMENDATION
Recommendation
Review and provide input on the Annual Risk Assessment and 2024/2025 Audit Work Plan.
Staff
Reviewed and Approved by: David Noce, Audit Manager
ATTACHMENTS
1. City of Santa Clara - Citywide Risk Assessment and Proposed 2024 and 2025 Audit Work Plan