HomeMy WebLinkAboutMinutes - Minutes - Audit Committee - Meeting Date: 9/7/2023MINUTES
AUDIT COMMITTEE
CITY HALL, CONFERENCE ROOM B3
5850 W. GLENDALE AVE.
GLENDALE, ARIZONA 85301
SEPTEMBER 7, 2023
2:00 P.M.
1. CALL TO ORDER
Councilmember Aldama called the meeting to order at 2.03 p.m.
2. ROLL CALL
Present: Jamie Aldama, Councilmember, Chairperson
Ian Hugh, Councilmember
Raymond Malnar, Councilmember
Irene Avalos, Member
Kevin Phelps, City Manager
Levi Gibson, Budget & Finance Director
Also Present: Mike Kingery, Independent Internal Audit Program Manager
Vicki Rios, Assistant City Manager
James Gruber, Chief Deputy City Attorney
Jenny Durda, Interim Director, Organizational Performance Office
Jeff Bratcher, Program Manager, Organizational Performance Office
3. CITIZEN COMMENTS
No members of the public were present. No comments.
4. APPROVAL OF THE MINUTES
A motion was made by Councilmember Ian Hugh, Seconded by
Councilmember Raymond Malnar to approve the minutes of the June 7, 2023
Audit Committee meeting as written.
AYE: Councilmember, Chairperson Jamie Aldama
Councilmember Ian Hugh
Councilmember Raymond Malnar
Member Irene Avalos
5. CONSIDERATION AND POSSIBLE VOTE ON PROPOSED CHANGES TO
CITY ADMINISTRATIVE POLICY # 5 AND CITY ORDINANCE 019-43
Mr. Kingery explained to the committee the reason for the proposed changes to
city ordinance 019-43. The changes will make the ordinance verbiage match
the actual procedures as performed currently and historically. As amended, the
ordinance will have the audit committee assign IIAP staff to perform the annual
risk assessment and to forward finalized audit reports to the City Council. As
currently written, the audit committee has those responsibilities. As these
changes were merely to make the verbiage match the procedures,
Councilmember Hugh motioned to adopt the proposed changes to present to City
Council for their review and vote. Chairperson Aldama made the second.
Motion carried unanimously.
• NOTE: A few minutes after the vote, Mr. Kingery noticed that the voice
recorder was not functioning. During the next topic, the machine began
recording.
Mr. Kingery then explained proposed changes to City Administrative Policy
(CAP) # 5. In conjunction with previous audit committee meetings, Mr. Kingery
has recommended that IIAP cease functioning as an "orange book" audit shop
due to the significant administrative burden associated with compliance. CAP #
5, which includes the Audit Charter, states that IIAP will conform to both the
Yellow Book (Generally Accepted Government Auditing Standards or GAGAS,
published by the GAO) and the Red Book (International Professional Practices
Framework or IPPF, published by the IIA). As a one -person audit shop, Mr.
Kingery — through research and discussions with other small audit shops and the
Association of Local Government Auditors (ALGA) — has recommended that IIAP
function under the new Global Internal Audit Standards (GIAS) promulgated by
the Institute of Internal Auditors (IIA).
Ms. Avalos asked if the decision had already been made to switch from following
both the Yellow and Red (hence, Orange) Books to just the new GIAS. Mr.
Kingery said that was his understanding, but that this discussion would confirm
as such. Mr. Kingery replied that as this is a City Policy, it does not necessarily
require formal approval by the audit committee, but would defer to the City
Manager. Mr. Phelps agreed, and added that it is appropriate to get the
committee's feedback for management's consideration. Mr. Phelps asked if
there were any concerns by the committee for switching to the GIAS.
Mr. Aldama asked for clarification as to whether the standards or changes to
CAP # 5 under consideration had come from City management. Mr. Kingery
replied they had not. Mr. Aldama asked if there was a timeframe in which these
needed to be adopted. Mr. Kingery stated that the GIAS are not yet official.
However, the comment period had expired and the IIA plans to publish the final
version this autumn.
Ms. Avalos asked for clarification again as to whether formal audit committee
approval was required to move from an orange shop to the new GIAS, and
whether or not there were specific pros and cons to following certain standards
over others. Mr. Kingery indicated that the GIAS have not only addressed many
aspects of both the Yellow and Red Books, but they function as more of an
industry -wide best practices document that also includes guidance for small audit
shops and auditing in the public sector.
Mr. Gibson provided further details with respect to Ms. Avalos' question. He
indicated that the annual financial (external) audit and audits of federal
expenditures (grants) are performed under Yellow Book standards because
those are performed by much larger audit functions with their own quality control
and assurance departments.
Ms. Avalos asked if this change to the new GIAS means our contracted audit
firms would also need to comply with only these standards. Mr. Kingery
indicated that the draft of the new IIAP Policy & Procedures Manual (PPM) is
written that way, with the allowance of auditing against Yellow Book standards
as well if warranted for a particular audit. Ms. Avalos asked if audits done by
IIAP would ever be held to Yellow Book plus the GIAS. Mr. Kingery replied they
likely would not be, and a disclosure in the audit report would specify which
standards were followed regardless.
Mr. Phelps added that while reviewing the proposed audit plan each year, the
audit committee could recommend that certain engagements be performed
under Yellow Book standards, which generally means the work would be
contracted out. He added that the larger, more complex engagements should go
to our qualified vendors, rather than take up so much of the IIAP Manager's
time. Ms. Avalos liked the idea of the PPM stating that at a minimum, the GIAS
would be followed but that the audit committee and/or City management could
suggest performing an audit under Yellow Book standards when warranted. Mr.
Aldama asked Mr. Kingery to change the PPM and the audit charter verbiage to
clarify as such.
Mr. Phelps noted that the goal of performance audits is to improve the efficiency
of the organization under review. He said we should determine how much value
there is when going between the Yellow Book and Red Book, especially with the
new strengthened GIAS coming into use. He noted that the additional
administrative work associated with Yellow Book audits may not bring the
corresponding value to the recommendations. He continued that the committee
could utilize the completed risk assessment to recommend certain engagements
be performed under Yellow Book standards.
Mr. Aldama agreed and asked if there was a vote necessary to make these
changes. Mr. Kingery said he would make the recommended changes and
share the updated version with the committee members. Mr. Phelps said the
recommendation of the audit committee could be to adopt the updated audit
charter and PPM under the new GIAS, conditioned upon the formal adoption of
the GIAS when published later this year. Mr. Aldama asked if large changes by
the IIA to the draft GIAS would be problematic and Mr. Phelps said we didn't
anticipate any issues. Mr. Phelps asked the IIAP Manager if this would affect
IIAP policy; Mr. Kingery responded that we are not required to formally adopt any
standards, although we typically do.
Ms. Avalos asked that when the IIA officially publishes the final version of the
new GIAS, that the IIAP Manager notify the committee. Mr. Kingery said he
would do so. Mr. Aldama read under the "Consideration of Fraud, Waste, and
Abuse" section of CAP # 5 and asked who would be notified of these. Mr.
Kingery replied that his interpretation is this is part of the overall risk assessment
process, but that some areas or processes may be inherently subject to more
fraud risk than others. Mr. Kingery explained a little more about the process,
and Mr. Aldama said he was fine with the wording as written.
Mr. Aldama asked for next steps on this item and when it would have to go to
City Council. Mr. Kingery and Mr. Phelps both indicated that because this is an
operational policy created by senior management, it does not have to go for
council action. Mr. Kingery clarified that only the changes to the ordinance
already approved earlier in this meeting require council action. There was no
further discussion on this item.
6. REVIEW OF NEW IIAP POLICY & PROCEDURES MANUAL (PPM)
The IIAP Manager (Mr. Kingery) explained that he wrote the PPM based on the
new GIAS, which are shown in green type throughout the document. He
continued that under each section (or multiple sections if they were easily
combined) was written what IIAP would do to comply with the standard(s). Mr.
Kingery said that for any item highlighted in yellow, it was either something new,
or was an action item, or indicated where IIAP practice discloses deviation from a
specific standard. He gave the example of workpapers being reviewed by
someone else in the audit department, but that as a one -person audit shop, no
workpaper reviews are performed.
Mr. Aldama asked for an explanation of the standards related to reviewing IIAP's
work. Mr. Kingery explained the process of reviewing a staff person's work to
ensure that the testing and conclusions were appropriate and reasonable. Mr.
Aldama asked what the standards say with respect to a one -person audit shop.
Mr. Kingery said that is not specifically addressed, but he is part of a group of
small (one and two person) audit shops in the valley that meet regularly to
discuss challenges and issues we're facing. Mr. Kingery has proposed to the
group that we do a courtesy review of each other's work from time to time, just so
that a different set of eyes can look at it and provide feedback to each other.
Mr. Aldama asked what the time commitment would be to providing these
courtesy reviews; Mr. Kingery replied it would depend upon the scope of the
engagement. Mr. Aldama expressed his concern with IIAP not having a formal
review process in place and suggested we implement one. He continued that he
wasn't sure if the audit committee had the expertise to provide this review and
whether that was even appropriate. Mr. Kingery said he did not know if
committee members had the knowledge and/or time to perform this
administrative function. Mr. Aldama indicated that he felt there should be
something in policy to address secondary review.
Mr. Phelps said that typically there is the peer review process of a random
sampling of audits and felt that is what the small audit group was trying to
accomplish informally. He added that the committee could use some sort of
assessment tool to select one or more sets of audit workpapers to be reviewed,
either by the committee members or an external party. Mr. Phelps also noted
that IIAP performs the smaller audits that make sense to be done internally while
the larger scale audits are done by bigger professional firms that have their
review processes built into the work they perform for us. He felt that what IIAP
was trying to do as part of the small audit shop group was a good, proactive
practice. Mr. Aldama agreed but wanted the practice to be included within our
written policy and procedures.
Ms. Avalos stated that she appreciated the spirit of what the small audit shop
group was trying to accomplish. She suggested that the auditors provide a list of
the audits they've completed to the other group members so they could select
the engagement they'd like to review, keeping more in line with the formal peer
review process. Ms. Avalos suggested that the committee should have the right
to perform a review as well, if they have the bandwidth to do so.
Mr. Malnar asked about the level of expertise needed to adequately perform
such a review. Mr. Kingery replied that the review validates the scope,
approach, data gathered, conclusions, findings, recommendations, and potential
for actionable management response, while also assessing if the work was
performed in compliance with the standards. Mr. Malnar stated the committee
should inherently have the power already to ask for a review of any workpapers
and that said power does not necessarily need to be written into policy. Mr.
Aldama felt it would be good to have the process in writing, even if that was
simply to acknowledge that the committee has asked management to hire a party
to provide outside review. Mr. Kingery said there would be an associated
budget impact for those services, which may require council action through the
current budget processes.
Ms. Avalos — who is a Certified Internal Auditor (CIA) — asked if it would be a
conflict of interest if she performed the secondary review. Mr. Phelps expressed
concern that there may be an appearance of conflict. He asked if there were
assessment tools available on how to perform a workpaper review and/or if there
are tools that perform automated assessments. Mr. Aldama noted that he's not
asking for reviews all the time, just that whatever process adopted is written into
our documents. Mr. Phelps added that having an outside person review the
work is a good way to strengthen our skillset, but that he did not know what
these services may cost. He said upon research of costs, we could build it into
the annual budget process.
Mr. Aldama asked the IIAP Manager to summarize the changes discussed
during this meeting and share that with the committee. He affirmed that this
process is administrative only and no council action is needed. He and Mr.
Malnar inquired as to the timeframe that changes need to be agreed upon. Mr.
Phelps said because the PPM is an internal document in its initial creation stage,
we can incorporate any changes at any time. The committee agreed to review
the latest version of the PPM during the December meeting.
Mr. Kingery explained that the idea for the small audit shop group was to be a
sounding board and bounce ideas off each other, providing a free resource for
peer feedback. While informal in nature, the small audit shop group could be
listed as a resource within the formality of the PPM. Ms. Avalos asked if the
PPM also needed to specify the continuing education requirements for the
practicing CIA versus non -practicing status. Mr. Kingery affirmed that he is a
practicing CIA and Certified Fraud Examiner (CFE), among other designations,
and that the PPM verbiage matches the current requirements. There was no
further discussion on this item.
7. FY2023-24 AUDITOR'S ANNUAL INDEPENDENCE STATEMENT
Mr. Kingery explained the background of the annual independence statement
and affirmed that he's had no issues with potential conflicts of interest or
impairments to independence. He noted that the only change to the statement
itself was replacing the Yellow Book citations from prior versions with the
corresponding applicable sections of the new GIAS.
Mr. Phelps asked the chair if he could briefly revisit the last topic. He wanted the
committee to recognize that having a complete PPM was a significant
undertaking. He said he knows it was a large effort that took a lot of time for the
IIAP Manager to create. Mr. Aldama acknowledged and added that while
councilmembers probably don't say it enough, they do appreciate the amount of
work done by staff, especially as a one -person department such as IIAP. He
thanked the IIAP Manager for the work and standing behind it through committee
scrutiny. Ms. Avalos also expressed her appreciation for the efforts and work of
the IIAP Manager and willingness to accept the committee's feedback. There
was no further discussion on this item.
8. GOAL SETTING AND TOPICS FOR DISCUSSION
Mr. Kingery explained that this is the annual addresal of affirming, changing,
and/or adding new committee goals. He indicated that the current first goal
related to the external peer review and that it should now occur in FY25 as ALGA
recommends the new PPM be in place for at least one year prior to the review.
He continued with the second committee goal being the quarterly update of
outstanding audit findings. Mr. Kingery asked the committee if they wished to
keep these two goals in place, or change them or add additional goals. The
committee was satisfied with keeping the two current goals as is.
Mr. Kingery then directed the committee's attention to the spreadsheet that
provides the current status of outstanding findings. He explained that each
quarter he reaches out to departments for the latest info on each, adds new
findings that have become due since the previous audit committee meeting, and
confirms that management action is complete where indicated as such. For
those that have now been shown as complete, they will be removed from the
spreadsheet for the next meeting.
Mr. Aldama had a question for Ms. Rios related to the p-card findings on the
spreadsheet. She deferred to Mr. Gibson who explained that Budget & Finance
completed in -person training last fall and has rolled out online annual training
through the City's new Learning Management System (LMS or NeoGov). Mr.
Gibson said they will be able to track those who had not yet taken the training
and email reminders will be sent to the cardholders and their supervisors.
Ms. Durda asked if we needed a vote or consensus on the goal setting. Mr.
Malnar stated that adoption of the goals is implied through this discussion as a
committee; Mr. Phelps agreed. Mr. Malnar then motioned to accept the goals as
written, which was seconded by Mr. Hugh. All the voting committee members
present approved the motion. There was no further discussion on this item.
9. UPDATE TO FY23 AND FY24 AUDIT PLANS
Mr. Kingery reviewed the status of the FY23 audit plan, noting that four are still in
process and the remaining audits were complete. For the FY24 audit plan, he
explained that most of them were awarded to Moss Adams and the IT audit was
awarded to Securance. He added that for the other two engagements on the
FY24 audit plan — Landfill regulatory compliance and the audit of Parks &
Recreation — we did not receive adequate bids from our qualified vendors. Mr.
Kingery said there were some options in motion with the Procurement
department. He said he did some research online for potential vendors in case
we need to go through a separate RFP process, but did not contact any vendors
— all but one of which were located outside Arizona.
Mr. Aldama said that he was unsure of the year, possibly 2018, that he asked the
council to consider a disparity review and report of all the City's parks and its
amenities. He said it was a good report and that the City built its plan around
that. He felt that the consultants did a good job with that engagement and may
be one that could perform this audit as well. He asked Mr. Rios if she recalled
which year that was done. She could not, but said she has the report and it was
part of the Parks & Rec master plan.
Ms. Avalos noted that if other members of the small audit shop group had gone
through similar audits, they might have recommendations for potential vendors
as well. Mr. Kingery indicated that Procurement is going through the list of state
and county contracts to see if Glendale can piggyback on one of those,
potentially not needing the RFP process. He added that the two contracts for
Moss Adams and Securance had been sent from Procurement to the City
Attorney Office in the last few days and should be executed soon.
Mr. Phelps stated that for the ADA compliance of Parks & Recreation and the
Landfill regulatory compliance engagements, there likely are many consulting
firms in the market that could do a sound review. However, he was unsure if
they could be done within the appropriate auditing standards without severely
reducing the potential vendor pool. He felt it might be a challenge to fit the work
into a peer reviewed audit. Mr. Aldama agreed. Mr. Phelps thought one
approach may be to have a consulting review first, and then depending on the
outcome, the committee could determine if additional, peer -reviewable audit
work was needed.
Mr. Aldama agreed and noted that the ADA compliance engagement for Parks &
Rec also may be more of a consulting review and not necessarily an audit. He
felt that as a review (versus an audit), there will likely be more potential vendors
to choose from that can provide this service. Ms. Avalos asked what during the
annual risk assessment process brought these two specific engagements to the
fore. Mr. Kingery replied that management of each area recognized they present
risks to the City and may benefit from a set of external eyes to assess their
operations and compliance. Ms. Avalos continued that maybe a review for both
of these made sense as discussed just prior. Mr. Phelps added that the
committee could then assess the results of the review and determine if a more
formal, in-depth audit was warranted. Mr. Gibson offered that the reviews could
even be done as an Agreed Upon Procedures (AUP) report, where the City
specifies what aspects they want reviewed to quickly determine levels of risk and
compliance.
Mr. Aldama stated that regardless of what level of review or what it is called,
there will be some recommendations prompting management corrective action.
He asked if a review or AUP goes through the department first and then
somehow to the audit committee. Mr. Phelps gave the example of dust
abatement at the Landfill and indicated it would be helpful to know how and
where improvements could be made, which seems more like a consulting role
than an audit role due to their industry expertise.
Mr. Aldama agreed and continued with a Parks & Rec example related to ADA
compliance. He noted there are specific risks associated with ADA that may
require the City to pay out a claim if injuries occur. Ms. Rios noted that Parks &
Rec may already have concerns and need to know the process to best identify
and correct potential issues. In years past, she felt the focus may have been on
ADA as part of the Parks & Rec master plan, but now has evolved to the process
of assessing compliance and planning for corrections if needed. Mr. Aldama
agreed. Ms. Rios continued that we need to know the process of being notified
of a potential hazard or someone requesting an accommodation. Ms. Avalos
suggested that perhaps we're looking more for best practices and Ms. Rios said
that might be why these aren't necessarily a true audit.
Mr. Aldama indicated most municipalities were eligible for federal funding for
ADA compliance, such as the ramps/approaches to sidewalks. He asked how
the City identified which sidewalks needed modifications to be compliant. Ms.
Rios said that was a project within the Streets (Transportation) department and
likely depended upon when improvements were being made to affected
streets/intersections. She noted that their process may differ from Parks & Rec,
but wondered if there was anything at the citywide level to address this type of
thing.
Mr. Aldama asked what the best way is to address these two engagements on
the audit plan and whether or not they should first be done as reviews. Mr.
Phelps said the management team would do some further research and discuss
options, and then revisit with the committee in the December meeting. Ms.
Avalos said she's not sure the decision falls to the committee but would like to
know ultimately what is done and where it belongs as part of the City's risk
portfolio. Mr. Gibson noted there are many different types of risk that can be
associated with each, and that while these two may not end up being audits,
internal audit is a risk mitigation tool and it would still be a good thing for the
committee to understand. There was no further discussion on this agenda item.
10. COMMITTEE COMMENTS AND SUGGESTIONS
Ms. Avalos asked if there were any plans in the budget to provide IIAP with
another staff member, perhaps a college intern on a part-time basis. Mr. Aldama
then asked Mr. Phelps to whom the IIAP Manager currently reports. Mr. Phelps
replied that ultimately it is to the City Manager but that most recently it had been
the Director of Organizational Performance who terminated employment a few
weeks ago. Mr. Aldama asked that if the IIAP needed assistance, is that an
administrative process or does it require council action. Mr. Phelps said it could
go either way. If senior management determined additions to IIAP staff levels
were necessary, it would be presented to City Council through the annual budget
process.
Mr. Phelps said we would need to discuss further because the original idea for
structuring the internal audit function as it currently exists was to leverage outside
firms for performing more and larger scale audits than a small internal team
could. He continued that there is a rotational intern program at the City and that
may be an option for use in the IIAP. Ms. Avalos added that she knows the IIAP
Manager has a very heavy workload and that at each quarterly committee
meeting it seems that more work is assigned to him. She added that her
organization has a large audit shop that frequently utilizes college interns who
produce excellent work, which is a win -win for both parties.
Mr. Aldama asked if the IIAP Manager has an administrative assistant, and Mr.
Kingery replied that he does not. Mr. Aldama asked the City Manager to
research possible options for administrative support to the IIAP. Mr. Phelps said
they would see if some internal resources are available and come back to the
December meeting with more details. With plans to recruit for the now vacant
Department of Organizational Performance Director, along with an assessment
of current IIAP workload, those may also factor into potential options available.
Mr. Aldama affirmed that he would like to see the data upon conclusion of
researching the options. Mr. Phelps said again he would like to utilize internal
support resources if available, adding that the biggest concern is making sure the
IIAP Manager can spend less of his time on administrative items and more time
on items within his industry's skillset. There were no additional comments,
suggestions, or questions.
11. NEXT MEETING
The next regular meeting of the Audit Committee will be held on December 13,
2023, at 2:00 p.m., at a location to be determined. All committee members
agreed on that date/time.
12. ADJOURNMENT
With no further business, Councilmember Aldama adjourned the meeting at 3:15
p.m.
The Audit Committee meeting minutes of September 7, 2023 were
submitted and a proved this 13th day of December, 2023.
Michael Kingery
Internal Audit Progra M nager