Developing the annual Audit Plan is an ongoing process — conducted by assembling ideas from a variety of internal and external sources, examining a broad range of city activities and data, and then assessing risk factors in tandem with additional considerations. This approach results in a diverse list of agencies, programs, activities, and contracts that auditors examine to determine whether these are operating efficiently, effectively, and in accordance with the law and program or contract requirements. Some agencies could be audited more frequently than others depending on the assessed risks.
In developing a list of potential audits and other types of analyses, ideas come from a variety of sources:
- Assessments of operations and controls in previous internal and external audit reports, including independent audits of the city’s Comprehensive Annual Financial Report, single audits, and audit management letters.
- Input from community members, elected officials, Audit Committee members, external auditors, and agency managers and staff.
- Consideration of current local events, financial conditions, major capital projects, and public policy issues.
- Consideration of risks identified in other government audits that could emerge in Denver.
A robust audit plan assesses a broad range of city activities including:
- Organizational units within a city agency, such as a division or a department;
- Individual city programs and offices.
- Transaction cycles or processes that affect more than one city function or agency, such as contract procurement, purchasing, cash handling, fines, taxes, and assessments or key technology processes.
- Individual financial statement accounts or transactional activities, such as grant programs, construction in progress, tax- funded programs, and special revenue funds.
- City functions that operate like for-profit entities, such as Denver International Airport and other entities associated with enterprise funds.
- Contracts and agreements between the city and third parties.
Our office identifies and prioritizes potential audits and other assessments using a risk-based approach by examining a variety of factors that may expose the city to fraud, misappropriation of funds, liability, or reputational harm. Accordingly, risk factors are assessed by reviewing:
- Significant changes that have occurred in the city.
- Time since the last audit of an area.
- Size of agency, program, activity, or contract.
- Size of budget.
- Compliance and regulations.
- Pending or recent legislation.
- Complexity of transactions.
- Fiscal sustainability.
- Critical information technology systems, including hardware and software.
- Management accountability.
- Quality of internal control systems.
- Age of programs, operations, or contracts.
- Public health and safety.
- Critical infrastructure.
- Short- and long-term strategic risks.
- Equity.
- Related litigation.
- Relevant case law.
- Emerging risk areas.
We periodically evaluate and modify risk factors, as necessary.
After we finalize the Audit Plan, new information may come to light. As we experienced in 2020 and 2021, unanticipated events may occur, and initiatives, priorities, and risks within the city may change. The flexible nature of the Audit Plan as a living document provides the discretion to change course when it is in the best interest of the city.
The Auditor’s Office extends its gratitude and appreciation to the Mayor’s Office, City Council, the Audit Committee, members of the city’s agency leadership, and members of the public for providing input on the 2022 Audit Plan and for supporting the general mission of our office throughout the year.