REPORT TO COUNCIL
SUBJECT
Title
Overview of the Citywide Risk Assessment and Proposed 2023 and 2024 Internal Audit Work Plans
Report
BACKGROUND
Per Section 909 of the City Charter, and SCCC Section 2.29.010, the City Auditor’s duties and responsibilities include conducting in-depth financial and performance audits, overseeing the City’s performance management system, auditing and approving all bills, invoices, payrolls, demands or charges against the City government before payment and, with the advice of the City Attorney, making reports to the City Council as to the regularity, legality and correctness of such claims, demands or charges. The City Auditor’s Office conducts its work under the auditing standards prescribed by the Institute of Internal Auditors (IIA). The IIA International Standards for the Professional Practice of Internal Auditing (Standards) requires the City Auditor’s Office to “establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization’s goals” and consider the input from senior management and a governing board.
DISCUSSION
The City Auditor’s Office engaged Baker Tilly US, LLP (Baker Tilly) to conduct a citywide risk assessment and prepare an annual audit work plan for the next five years. The purpose of the internal audit function’s risk assessment is to develop an audit plan that assigns internal audit resources to the activities that add the most value to the City. The risk assessment process involves identifying and measuring risks associated with the audit universe (a list of specific departments, functions, processes, programs, etc. that can be subject to an audit, i.e. auditable units). Risk is defined as “the possibility of an event or condition occurring that will have an impact on the ability of an organization to achieve its objectives.” The risk assessment is an ongoing process and will be updated each year. These updates may alter previously identified audit plans based on these ongoing assessments.
This report summarizes Baker Tilly’s risk assessment methodology, analysis, and results. The 2023-2024 audit plan proposed in this report is based on the results of this risk assessment. The risk assessment involved collaboration with City Council and executive management from 14 main departments across the organization. In conducting the risk assessment, the following activities occurred:
• Developed an understanding of the City’s environment, businesses, and objectives
• Met with members of City Council and the Executive Management Team representing the major operations and administrative functions of the City
• Reviewed key documentation such as the City Council Priority Matrix, the annual budget documents, financial statements, departmental strategic plans, and prior audit reports
• Evaluated the results of interviews and documentation reviews and considered industry factors to identify areas of risk to the City
In developing the 2023 and 2024 Audit Plan, the following were considered:
• Risk assessment - Internal audit activities to target high and moderate risk areas based on the results of the risk assessment
• Adding value - Internal audit activities to add value through independent and objective analysis
• City Council - The City Auditor’s Office reports to the City Council and seeks input on audit priorities
• Coverage and other audits - Consideration of prior and other audits as well as pervasiveness of the process or control to ensure audit coverage and to avoid duplication of efforts
• Scheduling - Consideration of the timing of an audit and other on-going initiatives to avoid putting an undue burden on City staff that may exacerbate the risk at hand or other interrelated risks
Staff and Baker Tilly, LLC presented the results of the risk assessment to the Audit Committee and presented the audit work plan for input and approval. After discussion, the Audit Committee recommended staff proposed revisions so that items from the 2024 work plan could be advanced to the current year workplan. The Committee accepted the report and proposed workplan and moved to bring it to the City Council for note and file.
ENVIRONMENTAL REVIEW
The action being considered does not constitute a “project” within the meaning of the California Environment Quality Act (“CEQA”) pursuant to CEQA Guidelines section 15378(a)(4) in that it is a fiscal activity that does not involve any commitment to any specific project which may result in a potential significant impact on the environment.
FISCAL IMPACT
Costs associated with the preparation of this report are included in the City’s FY 2022/23 Adopted Operating Budget.
COORDINATION
This report has been coordinated with the City Manager’s Office and City Attorney’s Office.
PUBLIC CONTACT
Public contact was made by posting the Council agenda on the City’s official-notice bulletin board outside City Hall Council Chambers. A complete agenda packet is available on the City’s website and in the City Clerk’s Office at least 72 hours prior to a Regular Meeting and 24 hours prior to a Special Meeting. A hard copy of any agenda report may be requested by contacting the City Clerk’s Office at (408) 615-2220, email clerk@santaclaraca.gov <mailto:clerk@santaclaraca.gov> or at the public information desk at any City of Santa Clara public library.
RECOMMENDATION
Recommendation
Note and file the citywide risk assessment report from Baker Tilly, LLC and note the proposed 2023 and 2024 audit work plans as approved by the Audit Committee.
Staff
Reviewed and Approved by: David Noce, Audit Manager
ATTACHMENTS
1. City of Santa Clara - Citywide Risk Assessment and 2023 and 2024 Audit Work Plan