The URL can be used to link to this page

Home My WebLink AboutCity Manager - Audit Records - Audit - Other Publications - PublicADMINISTRATIVE POLICY NO. 5 C'11111�r INDEPENDENT INTERNAL AUDIT Glendale PROGRAM A R I Z O N A I Title: Independent Internal Audit Program (HAP) Effective: November 7, 2019 Revised: N/A Contact: Emmanuel Ogutu, IIAP Manager, 623-930-2103 PART I: Internal Audit Charter Introduction and Purpose The International Standards for the Professional Practice of Internal Auditing (The Standards, or IPPF) as issued by the Institute of Internal Auditors (IIA), requires the audit organization to: define the mission, scope, authority, responsibility and accountability of the Internal Audit function using a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management and control processes, and incorporating a Code of Ethics of the IIA by adopting an Internal Audit Charter. City of Glendale's Independent Internal Audit Program (IIAP or Internal Audit) has designed this charter to demonstrate commitment by all relevant parties to support and execute an audit program that enhances and protects organizational value by providing risk -bases and objective assurance, advice and insight. Mission The Independent Internal Audit Program (IIAP) provides internal audit and consulting services that strengthen controls, reduce risk, maximize efficiency, enhance government transparency and improve operations. The IIAP provides independent and objective feedback on city programs, activities and functions through an audit process. Audits are vital in maintaining public trust and confidence that city resources are used efficiently and effectively with adequate levels of oversight. Responsibility City management has primary responsibility for establishing and maintaining an effective system of internal controls. The IIAP will evaluates the adequacy of the internal controls, risk management, operating environment, related financial and operational policies and reports the results accordingly. Additionally, staff and contractors of IIAP have responsibility to: • Develop a flexible annual audit plan using an appropriate risk-based methodology, including any risks or control concerns identified by management, and submit that plan to the City Manager and the Audit Committee for review and approval as well as periodic updates. • Implement the annual audit plan, as approved, including as appropriate any special tasks or projects requested by City Management, and the Council through the Audit Committee. • Maintain a professional audit staff with sufficient knowledge, skills, experience, and professional certifications to meet the requirements of the IIAP Policy. • Evaluate and assess significant functions and new or changing services, processes, operations, programs and control processes coincident with their development, implementation, and/or expansion. • Issue periodic reports Executive management and the Audit Committee summarizing results of audit activities in accordance with City laws. Administrative Policy No. 5 Page 2 • Keep the City Management and the Audit Committee informed of emerging trends and successful practices in internal auditing. • Provide a list of significant measurement goals and results to the City Management and Audit Committee • Consider the scope of work of the external firms, as appropriate, for the purpose of providing optimal audit coverage to the organization. • Provide assurance services' to the City Manager and Audit Committee. • As appropriate, provide consulting and advisory services2 to management that add value and improve the governance, risk management, and control processes without the IIAP staff assuming management responsibility. These are usually categorized as non -audit services and may or may not result in a formal report. However, findings are usually reported to management and when appropriate, to the Audit Committee. • Establish a quality assurance program by which to monitor, assess, evaluate and assure the effectiveness of the IIAP. • Ensure the requirements are met regarding IIAP activities as set forth by the Council in the City Code. Authority and Access While conducting its work, the IIAP and its contracted staff will have full, free and unrestricted access, except where prohibited by law, to all city property, records, information and personnel. All employees shall fully cooperate and assist the auditors in fulfilling their roles and responsibilities in a timely manner. Additionally, IIAP Manager shall with the guidance from the Audit Committee, shall allocate resources, set frequencies, select subjects, determine scope of work, and apply the techniques required to accomplish audit objectives. HAP will occasionally provide consulting services to management as deemed appropriate. Independence and Objectivity The IIAP should be free from interference in determining the scope of internal auditing, performing work, and communicating results. IIAP staff and contractors will have no direct responsibility for or authority over any of the activities, functions, or tasks being audited or reviewed. Accordingly, IIAP staff and contractors should not develop or write policies and procedures that they may later be called upon to evaluate. The IIAP Manager reports administratively to the City Manager and functionally to the Audit Committee. The IIAP staff shall have full and independent access to the City Manager and the Audit Committee. Additionally, IIAP staff and contractors will; (1) disclose any impairment of independence or objectivity, in fact or appearance, to the City Manager and the Audit Committee; (2) exhibit professional objectivity in gathering, evaluating and communicating information about the area being audited; (3) make balanced assessments of all available and relevant facts and circumstances; and (d) take necessary precautions to avoid conflicts or interest or undue influence or the appearance of such. 1 Assurance services involve an objective assessment of evidence to provide an independent opinion or conclusion regarding an entity, operation, function, process, program, system or other subject matter. The nature and scope of assurance services are generally determined by the internal auditor. 2 Consulting and advisory services are generally performed at the specific request of an engagement client. The nature and scope of the consulting engagement are subject to agreement with the engagement client. Administrative Policy No. 5 Page 3 Standards of Internal Auditing The IlAP will adhere to applicable industry standards and codes of ethics issued by authoritative sources such as the Institute of Internal Auditors (IIA)3 and the U.S. General Accountability Office (GAO)4 Scope and Objectives The scope of work and objectives of the IIAP is management, control, and governance processes, adequate and functioning in a manner to ensure: to determine whether the City's network of risk as designed and represented by management, is • Risks are appropriately identified and managed. • Interaction with the various governance groups occurs as needed. • Significant financial, managerial, and operating information is accurate, reliable, and timely. • Employees' actions are in compliance with policies, standards, procedures, and applicable laws and regulations. • Resources are acquired economically, used efficiently, are effective in achieving intended objectives and adequately protected. • Programs, plans, and objectives are achieved. • Information and other assets are adequately protected against theft, damage or loss, intentional or otherwise. • Quality and continuous improvement are fostered in the organization's control process. • Significant legislative or regulatory issues impacting the organization are recognized and addressed appropriately. Opportunities for improving management control and the organization's image may be identified during audits. They will be communicated to the appropriate level of management. PART II: Attribute Policies Code of Ethics Integrity IIAP staff and contractors will perform engagements with an attitude that is objective, fact -based, nonpartisan and nonideological. This will maintain and strengthen public confidence in government. To this extent, IIAP staff and contractors: 1.1 Shall perform their work with honesty, diligence and responsibility. 1.2 Shall observe the law and make disclosures expected by the law and the profession. 1.3 Shall not knowingly be a parry to any illegal activity or engage in acts that are discreditable to the profession of internal auditing or to the city of Glendale. 1.4 Shall respect and contribute to the legitimate and ethical objectives of the City of Glendale. Objectivity IIAP Staff and contractors shall exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the program, department, activity or process being examined. They shall make a balanced assessment of all the relevant circumstances and shall not be unduly influenced by their own interests or by others in forming judgments. This is the basis for the credibility of auditing in the public sector. Specifically, IIAP staff contractors shall: 3 International Professional Practice Framework (I PPF) of the IIA and includes mandatory elements consisting of Core Principles, the Definition of Internal Auditing, the Code of Ethics and the International Standards for the Professional Practice of Internal Auditing (The Red Book). 4 Government Auditing standards (The Yellow Book). Administrative Policy No. 5 Page 4 2.1 Not participates in any activity or relationship that may impair or be presumed to impair their unbiased assessment. 2.2 Not accept anything that may impair or be presumed to impair their professional judgment. 2.3 Shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review. Confidentiality IIAP staff and contractors shall respect the value and ownership of information they receive and shall not disclose information without appropriate authority unless there is a legal or professional obligation to do so. Specifically, IIAP staff and contractors shall: 3.1 Be prudent in the use and protection of information acquired in the course of their duties. 3.2 Not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the City. Competency IIAP staff and contractors shall apply the knowledge, skills, and experience needed in the performance of internal auditing services. To this extent, IIAP staff and contractors shall: 4.1 Engage only in those services for which they have the necessary knowledge, skills, and experience. 4.2 Perform internal auditing services in accordance with the Generally Accepted Governmental Auditing Standards (GAGAS) in conjunction with the International Standards for the Professional Practice of Internal Auditing, the City's Administrative Policy on IIAP Policies and as well as IIAP Procedures Manual. 4.3 Continually improve their proficiency and the effectiveness and quality of their services. PARTM: Operational Guidance Audit Planning and Risk Audit Planning will occur at two levels as required by internal auditing standards; • Annual planning: IIAP will plan activities and engagements to be performed for the upcoming year based on a risk assessment methodology. The IIAP staff will establish use a risk-based approach in developing an annual audit plan which identifies the City departments, programs, systems, processes, activities and/or contracts that will be audited. IIAP staff will engage City Management and the Audit Committee in drafting the audit plan. The annual audit plan will be approved by the Audit Committee and the City Council by June 1 of each year. Additionally, IIAP staff, the Audit Committee or City Manager may initiate and conduct any other audit deemed necessary outside the annual planning process. The annual audit plan may include audit and non -audit work. Engagement Planning: IIAP will plan each audit engagement to sufficiently identify risk, objectives, scope, work to be performed and provide sufficient and appropriate documented evidence to adequately support findings, conclusions and recommendations. For each audit engagement, the IIAP will generally adhere to the following process: Planning, Fieldwork, Reporting and Follow-up. The process is to ensure a constructive, timely and effective working relationship among the parties involved with the audit. Information will Planning IIAP staff will formally notify applicable management of the audit and establish an audit opening meeting. The meeting will facilitate discussion regarding the audit's scope and objectives, define an estimated time of completion and introduce the audit team to s Such participation includes those activities or relationships that may be in conflict with the interests of the City. Administrative Policy No. 5 Page 5 management and subject matter experts (SME). Management will identify a formal audit liaison through which fieldwork will be scheduled and issues or concerns will be addressed. Fieldwork Assigned auditor(s) will use numerous steps to gain information regarding the audit subject, including interviews with staff and SMEs, gather and review documentation and other audit artifacts and conduct audit test work. Ongoing communication regarding progress, potential findings and timing of completion will occur with the audit liaison throughout this phase. Upon completion of the fieldwork, the auditor(s) will summarize the general findings, conclusions and recommendations and review them with the audit liaison during an exit meeting to ensure there is no misunderstanding of facts. Reporting Pre -Draft Audit Report. A pre -draft audit report will be issued to department management in order to communicate audit findings, conclusions and recommendations. IIAP staff will establish an audit closing meeting with department management to discuss the pre -draft audit report, focusing on the key findings and recommendations. Management may suggest changes to the pre -draft report should there be any material errors in fact. DraftAuditReport. A draft audit report will be issued to the Audit Committee to communicate audit findings, conclusions and recommendations. The draft report may include changes the auditor deemed relevant from the closing meeting. The Audit Committee is responsible to forward the draft report to the City Manager. Management will provide a written response to the recommendations in the draft audit report indicating concurrence or lack of concurrence with recommendations, plans for implementing solutions to the recommendations and a deadline by which corrective action will take place. Management's written response must be provided to IIAP staff within fifteen (15) calendar days from the date the department receives the draft audit report. Final Audit Report. The final audit report will incorporate the draft audit report and management's response. IIAP staff shall be responsible for transmitting each final audit report to the impacted departments, the City Manager and the Audit Committee. The Audit Committee shall be responsible for forwarding final audit results to the City Council within 30 days of receipt of the final audit results. Should management not concur with the auditor's recommendations, management's acceptance of underlying risk will be communicated to the Audit Committee. Program staff will work with the City Attorney's Office to ensure appropriate redaction and/or protection of confidential or sensitive materials prior to making final audit reports available to the public on the City's website. It is the City's intent to be as transparent as possible, but recognize there may be certain legal, privacy and other confidential information which may need to be redacted. Audit Follow-up IIAP staff shall periodically follow-up on audit recommendations and related management action plans to determine if adequate corrective action has been taken. IIAP staff will report findings and status updates to the Audit Committee and the City Manager. Administrative Policy No. 5 Page 6 Quality Control and Assurance • IIAP shall establish and maintain a system of Quality Control that provides relevant parties with reasonable assurance that: - IIAP staff (including contractors) comply with professional standards and applicable legal and regulatory requirements; and - IIAP has an external peer review conducted every 3 years (in compliance with GAGAS AND IIA requirements). • The system of Quality Control adopted will define and monitor the IIAP's - Leadership; - Emphasis on high quality work; and - Design and effectiveness of Quality Control Policies and Procedures. • The IIAP will develop and maintain Policies and Procedures for the IA function, which addresses Quality Assurance (QA) through standards of management, practice, proficiency, competency, execution, communication, documentation, reporting and review. The IIAP Policies and Procedures Manual will be reviewed and updated at least annually. • Each engagement will have a review process specifically for QA to provide an assessment of work to: - Ensure adherence to the policies and procedures, and a related system of quality; and - Determine if the Policies and Procedures, including those of QA, are suitably designed and operating effectively. • IIAP will perform reviews to evaluate conformance with the Definition of Internal Auditing, the Code of Ethics, relevant GAGAS and IIA Standards. • To the extent possible the work of every staff in an engagement will be subjected to supervisory review and no staff will review their own work. • The internal process, which is outlined in greater detail in the policies and procedures manual includes: - Review of administrative and personnel records (related to Quality Control and Continuing Professional Education- CPE); - Review of audit and attestation documentation, including reports; - Periodic summarization of audit findings with related systemic causes; - Determination of corrective actions and/or improvements to engagement or quality processes; and - Written report of communication of findings and timely follow-up. The QA function develops, adheres, reviews and modifies metrics associated with its' performance. • The IIAP develops, adheres, reports, reviews, and modifies metrics associated with its' performance. Consideration of Information Systems • IIAP shall consider and incorporate the use of Information Systems (IS) including data analytics at the following levels: - The organizational level as for information systems that are significant enough to impact IIAP's objectives; and - At the individual audit project/ engagement level, as embedded in the business processes that are significantly part of audit objectives and within the context of the audit scope. • IIAP shall assess and evaluate data reliability as part of its planning process for each specific engagement. This will include an evaluation of completeness and consistency in the processing of data. • In order to help IIAP fulfil its mission and increase its efficiency and effectiveness in the deployment of resources, IIAP shall to the extent possible incorporate the use of Computer Aided Audit Techniques (CAATs). Examples of these include: Administrative Policy No. 5 Page 7 Data analytics software for sampling and analysis related to audit objectives and substantive testing; - Microsoft Office suite of tools, including MS Excel for data analysis and some substantive audit procedures; and - Automated Workpaper Software. Consideration of Fraud, Waste and Abuse • The IIAP will evaluate the occurrence of fraud as part of its risk assessment. To the extent possible the risk assessment on annual planning with include evaluation of fraud risk. • The IIAP will inform the City Management and Council or risks of fraud as part of its audit planning and audit engagement processes. • The IIAP procedures manual will address the specific procedures for IIAP staff and contractors to follow in consideration of fraud during audit engagement process. Kevin . Phelps City Manager Councilmember Iar ugh Chair, Audit Committee