HomeMy Public PortalAbout151.2 - Executive Offices - City Attorney's Office - Office of Audit Services and Management Support PolicyExecutive Offices
Office of Audit Services and Management Support Section 151.2
Policies and Procedures Manual Page 1
151.2 SUBJECT: POLICY - OFFICE OF AUDIT SERVICES AND MANAGEMENT
SUPPORT
:1 OBJECTIVE:
Provide an explanation of the audit services and management support function.
:2 AUTHORITY:
This procedure amended by City Council amended July 9, 2007, Item A-2; amended January 28,
2013, Item A-3; amended March 11, 2019, Item A-1.
:3 DIRECTION:
The Audit Services and Management Support Director, as an appointed official, serves at the
pleasure of, and receives direction from the Mayor.
FUNCTIONS:
A. Role and Responsibilities
1. Audit Services and Management Support performs independent, objective assurance
(i.e., audit) and advisory (i.e., consulting) activities designed to add value and improve
the City’s operations. It helps the City of Orlando accomplish its objectives by
bringing a systematic, disciplined approach to evaluate and improve the effectiveness
of risk management, control and governance processes.
2. The fundamental objective of Audit Services and Management Support is to assist City
managers to discharge their responsibilities effectively. This objective is met by
furnishing City management with analyses, appraisals, and recommendations
concerning the activities reviewed.
3. Audit Services and Management Support meets its objective by performing audits and
consulting services, as described herein. Audits will be conducted in accordance with
the International Standards for the Professional Practice of Internal Auditing
(Standards). Any variances from these standards will be documented.
B. Independence and Objectivity
1. The Office of Audit Services and Management Support shall be organizationally
independent as defined by the standards. The Office Director is responsible directly to
the Mayor for the performance of audits and consulting services and for the
independent reporting of findings and recommendations.
2. City Code Chapter 2 Article XVII created the Audit Board to advise the City Council on
financial and audit matters. The Audit Board is comprised of five members appointed
by the Mayor and confirmed by City Council. The Audit Board meets periodically
with the Office Director and other City officials. Its purpose and duties are defined in
City Code and further described in the Procedures of the Audit Board.
Each employee assigned to Audit Services and Management Support should be independent and
objective in performing his or her work. Office staff shall have an impartial, unbiased attitude
and avoid conflicts of interest. If independence is impaired, this fact will be disclosed as
required by the standards.
C. Scope
1. Audit Services and Management Support’s scope of operations encompasses
every phase and sector of City operations. This requires going beyond the
Executive Offices
Office of Audit Services and Management Support Section 151.2
Policies and Procedures Manual Page 2
accounting and financial records to obtain an understanding of the operations
under review.
2. Audit Services and Management Support must have full access to all City of
Orlando records, properties, and personnel. Accordingly, all officers and
employees of the City shall furnish to Audit Services and Management Support
any information and records within their custody and respond to any questions
regarding powers, duties, activities, organization, property, financial
transactions, and methods of business. In addition, access shall be provided by
all employees of the City for the inspection of all City property, equipment,
and facilities within their custody and to observe any operations for which they
are responsible.
The confidentiality of information gathered is subject to the public records
laws of the State. Florida Statutes section 119.0713 2(b) states that audit
working papers and notes related to audits are confidential until the audit is
completed and the report becomes final or when an investigation is no longer
active. After the report is finalized, whether the document is a public record
will depend on other applicable laws.
D. Role of City Management
1. Each Department Director, Division Manager, and Office Head is responsible
for instituting and maintaining a system of internal controls over his or her area
of responsibility. Internal controls include the processes and procedures for
planning, organizing, directing and controlling City operations, and the
systems put in place for measuring, reporting, and monitoring program
performance. Internal control procedures should be designed to provide
reasonable assurance that a program is effective and efficient, that operational
information about the program is valid and reliable, that program
implementation is consistent with applicable laws, regulations, contract
provisions and grant agreements and that assets and resources utilized are
safeguarded.
2. Audit Services and Management Support is charged with periodically
appraising the soundness of these controls and testing to determine whether
they are operating as intended. Internal control objectives that are significant
within the context of the audit objectives should be assessed and tested to
determine whether specific internal control procedures have been properly
designed and placed in operation.
E. Relations with City Management
Audit Services and Management Support will inform the Chief Administrative Officer,
Chief Financial Officer, City Attorney or Chief of Staff (collectively, Executive
Management) as well as the appropriate Department Directors, Office Heads and/or
Division Managers of the nature and purpose of an audit or non-audit service before
beginning.
F. Planning
Executive Offices
Office of Audit Services and Management Support Section 151.2
Policies and Procedures Manual Page 3
1. Audit Services and Management Support shall, on an annual basis, develop a
risk-based plan of operations to determine its priorities, consistent with the
City of Orlando’s goals. This will be given to the Audit Board for review and
comment and submitted to the Mayor for approval.
2. The plan shall include identification of each project to be conducted in terms of
the programs, functions, and activities to be reviewed. In the event Audit
Services and Management Support receives a request to perform an audit or
consulting service not included in the annual plan of operations, the Office
Director will consider accepting such request based on the staff resources
available and whether the review will add value and/or improve the City’s
operations. The projects accepted will be added to or substituted for a project
in the annual plan of operations. In addition, the annual plan of operations may
be amended during the year at the direction or the approval of the Mayor.
G. Types of Audit Services
1. Revenue Audits
These include audits of external entities to determine their compliance with
City ordinances and agreements and to determine whether they have remitted
the proper revenue due to the City. Included in these audits are applicable
businesses, entities, or other government organizations that provide City
residents and businesses with taxable services or that collect revenues on
behalf of the City. Taxable services may include, but are not limited to solid
waste disposal, and water, electric, and gas utilities. These businesses, entities
or other government organizations are responsible for remitting to the City a
tax, franchise fee or other payment based on sales to their City customers or on
some other method. Such audits are intended to ensure that the businesses,
entities or other government organizations are properly remitting these taxes
and fees to the City on a timely basis.
2. Performance Audits
These are periodic audits that include a review of Department, Division or
Office procedures and operations to address:
a) The effectiveness of a program or activity and whether it is achieving its
goals and objectives;
b) The economy and efficiency of a program or activity, including whether it
is acquiring, protecting and using its resources in the most productive
manner.
c) The adequacy and functionality of the internal controls established by a
program or activity to support the accomplishment of its mission, goals
and objectives; and
d) The conformance of the operations of a program or activity to applicable
laws, regulations, policies, and industry standards in all material respects.
3. Financial Audits
Executive Offices
Office of Audit Services and Management Support Section 151.2
Policies and Procedures Manual Page 4
The primary purpose of a financial audit is to determine whether an entity’s
financial statements are presented in conformance with generally accepted
accounting principles (GAAP) or using a basis of accounting other than
GAAP. Financial audits may include providing special reports for portions of
financial statements or reviewing interim financial information.
The Office assists the external auditors to conduct the annual external audit
required by City Code Article VI Section 2.33. The Office will also perform
financial audits upon request by City officials.
4. Fraud Assessment and Investigations
The principal mechanism for deterring fraud is internal control. Primary
responsibility for establishing and maintaining internal control rests with City
management. In planning its audits, Audit Services and Management Support
will assess the risks of potential significant fraud within the context of its audit
objectives. This will include discussions between management and members
of the audit team about potential fraud risks and the opportunity for fraud to
occur. Audit procedures will be designed based on this assessment.
Any allegations of wrongdoing or fraud should be reported by City
management and other personnel to Audit Services and Management Support.
When fraud is suspected, an independent investigation may be performed as
provided in Section 151.3.
Information Systems (IS) Audits
Whenever possible, use of the latest information systems technology will be
utilized to perform audit activities most efficiently. In addition the following
types of IS audits may be performed:
a) Existing Applications - These audits are performed to determine that
existing computer applications function in an accurate and efficient
manner, and include adequate internal controls.
b) New Applications - These are reviews of new computer applications to
help ensure that internal controls of the application being developed are
adequate. Participation may include a review of the system development
methodology and the effectiveness and efficiency of the system being
implemented. It may also include a review of the new system to determine
whether there are features in the system that would improve the ability to
audit it after implementation.
Primary responsibility for sound internal controls over systems being
developed rests with the sponsor and the implementation committee. The
sponsor is generally the person most familiar with the operational and
internal control objectives of the new system. Audit Services and
Management Support staff may participate as independent advisors with
the implementation committee. This independence is necessary so that the
application may be audited objectively after implementation.
Executive Offices
Office of Audit Services and Management Support Section 151.2
Policies and Procedures Manual Page 5
c) General Controls Review - These include a review of IS controls which
affect all computer applications. Examples of areas that may be reviewed
include computer security, disaster recovery, program change controls,
and quality control procedures.
5. Compliance Audits
These are audits that may be performed to ensure compliance with Federal or
State laws and/or the requirements of Federal or State grants.
H. Types of Consulting Services
All consulting services provided by Audit Services and Management Support will be
documented as such in advance. This documentation will include the objectives of the
consulting service engagement, the scope of work, and any deliverables. Audit Services
and Management Support will also document its consideration of a possible effect on its
ability to perform any ongoing, planned or future audits of the area under review, as
more fully described in the standards. Any reports resulting from consulting services
will specifically state that the report is not an audit.
The following are explanations of the types of non-audit services provided by the Office
of Audit Services and Management Support:
1. Special Reviews
These consulting services are carried out in conformance with the
specifications of the requesting party. A Special Review may include an
assessment of a particular function or activity of an Office, Department, or
Division. In these instances, the level of involvement by Audit Services and
Management Support is limited and does not rise to the level normally
experienced in an audit. For example, Special Reviews might be undertaken to
advise management on specific and limited operational, organizational or
performance questions. Such activities include evaluating/analyzing
organizational units, structures, functions or systems. Special reviews often
result in a report.
2. Advisory Services
These are consulting services where Audit Services and Management Support
is asked to provide information or data to a requesting party without providing
verification, analysis or evaluation of the information or data. The work does
not usually provide a basis for conclusions, recommendations or opinions on
the information or data. These services may or may not result in the issuance
of a report.
I. Request for Assistance
City departments requiring the assistance of Audit Services and Management
Support should direct all such requests to the Office Director who will determine
whether the requested assistance can be provided and when it can be scheduled.
J. Reports
Executive Offices
Office of Audit Services and Management Support Section 151.2
Policies and Procedures Manual Page 6
1. An “Exit” conference will be held with the top level of management and
appropriate staff of the area reviewed to discuss the identified issues and
related recommendations.
2. After the Exit conference, it is the responsibility of the assigned staff to
develop an original draft of the report. The report is to communicate, in a clear
and concise manner, the objectives, scope, methodology, and significant issues
and recommendations to management. Its preparation should be of the highest
quality in every detail as to substance, form, and content, as well as wording
and punctuation. If the report is an audit, it will state whether it was made in
accordance with the standards.
3. The Office Director is responsible for reviewing the original draft and making
changes deemed appropriate. The resulting draft will normally be submitted to
the management of the function being audited.
4. Official written responses to specific report recommendations are requested
from management to be included in the issued report. The responses should
include the degree of agreement or acceptance of each recommendation. The
preferred methods follow:
a) "Concur." Management is in full agreement with the recommendation;
b) " Partially Concur." Management is in agreement with a portion of the
recommendation; and
c) " Do Not Concur." Management is in total disagreement with the
recommendation.
Management of the area reviewed is requested to provide an action plan
including details of the management actions taken/to be taken along with
actual/target implementation dates. The responses should be forwarded to
Audit Services and Management Support after obtaining the responsible
Department Director’s concurrence with the proposed action plan.
5. Two weeks are usually allowed for management to provide written responses
to the recommendations. If management does not provide responses in the
requested timeframe, the report may be issued without responses at the
discretion of the Office Director.
K. Report Distribution
The normal report distribution will be to the Mayor, Chief of Staff, City Attorney,
Chief Administrative Officer, Chief Financial Officer and senior management
(Office Head, Division Manager, Department Director). Any other City programs
(areas) identified in the report may be included in the distribution.
L. Follow-up
1. Within twelve months of issuance of a report, Audit Services and Management
Support will notify management of its responsibility to report the status of its
action plan included in the original report.
Executive Offices
Office of Audit Services and Management Support Section 151.2
Policies and Procedures Manual Page 7
2. Management shall report the status of the action plan to Audit Services and
Management Support for review and distribution to the original report
recipients. The report generally shall be in a matrix format and may include
comments regarding the implementation status of the recommendations.
3. Audit Services and Management Support will review the status report
submitted by management to determine unfulfilled actions or whether
additional follow-up may be needed.
4. Once per year, Audit Services and Management Support shall report any
management actions that have not been implemented to City Executive
Management.
M. Ethics
Audit Services and Management Support is relied upon by management in fulfilling its
stewardship obligation and, therefore, office personnel must maintain high standards of
conduct, honor and character so that credibility and integrity are not open to question. All
auditors will subscribe to the Codes of Professional Ethics and Standards as promulgated
by the Institute of Internal Auditors and the American Institute of CPAs as applicable.
N. Records Retention
Audit Services and Management Support shall retain for the required number of years a
complete file of each audit and consulting service report made under its authority in
accordance with the Florida records retention law. The file should include audit work
papers and other supportive material directly pertaining to the report.
:5 FORMS:
None.
:6 COMMITTEE RESPONSIBILITIES:
None.
:7
REFERENCE:
This procedure adopted by City Council March 31, 1980, Item 16 (as Section 115.2); amended
June 28, 1982, Item 21; amended August 15, 1983, Item 8A-16; amended October 21, 1991,
Item 2/G; amended April 19, 1993, Item VV; amended August 11, 1997, Item 6-A; amended
January 24, 2000, Item 4LL, amended November 26, 2001; amended August 9, 2004, Item A4;
amended July 9, 2007, Item A2; amended January 28, 2013, Item A-3.
:8 EFFECTIVE DATE:
This procedure effective March 11, 2019.