City of Palo Alto (ID # 11039)
City Council Staff Report
Report Type: Action Items Meeting Date: 2/10/2020
City of Palo Alto Page 1
Summary Title: CAO Committee Discussion and Recommendation - City
Auditor's Office
Title: Council Appointed Officers Committee Recommendation That Council
Discuss and Accept the Report "Internal Auditing Practices: City of Palo Alto
Relative to Industry Practices" and Provide Direction on Next
Steps (Continued From January 21, 2020)
From: Council Appointed Officer's Committee
In February 2019, the City Auditor retired after five years of service. Upon the City Auditor’s
retirement, Council authorized the engagement of external experts to assist the City with two
scopes of work related to the City Auditor’s Office: (1) assist with the continuity of operations
and work product in the City Auditor’s Office; and (2) conduct a review of internal auditing
practices in the public sector and Palo Alto.
Council approved two contracts:
• Senior Consultant Services: After reviewing several firms that provide audit services, the
consulting firm of Management Partners was selected to provide a senior consultant to
oversee the ongoing work from the City Auditor’s Office. The senior consultant’s assignment
began in March 2019 and continued through mid-November 2019, approximately eight
months. The senior consultant is no longer available to continue this assignment in Palo Alto
because of other obligations and the contract term has ended.
In the absence of an external senior consultant, the existing City Auditor staff of three full-
time employees are continuing their assignments and providing deliverables in accordance
with pre-established workplans.
• Review of Internal Auditing Practices: The City published a public Request for Proposal
(RFP 174966) [1] for an Auditor Organizational Review. The RFP invited individuals and firms
with the appropriate professional expertise to submit proposals for this work. The Council
Appointed Officers (CAO) Committee met in a public session on May 2, 2019 to evaluate
and rate the proposals. From this review, Kevin Harper CPA & Associates was selected to
perform the review. The scope of work included a final report, which was presented at a
public CAO Committee meeting on December 19, 2019. The CAO Committee approved the
report to proceed to the City Council as a public agenda item for discussion. As such, the
report is on the agenda as an Action Item on January 21, 2020, for a discussion and acceptance
by the full Council.
[1] The Auditor Organizational Review was publicly published in accordance with City protocols as RFP 174966, with
a submission deadline of April 18, 2019.
In accordance with the scope of services, the report for discussion on January 21 includes a
comparison of Palo Alto’s City Auditor function to other local governments and industry
standards, as well as a comparison of the City’s practices to best industry practices and
professional standards.
In addition to reviewing and accepting the report, the Council may also wish to discuss and
direct additional next steps with respect to the City Auditor function.
Attachments:
• Attachment A: Harper Study
• Attachment B: ALGA response
• Attachment C: Article - Auditor Independence
• Attachment D: At Places Items
Internal Auditing Practices:
City of Palo Alto Relative to Industry Practices
Kevin W. Harper CPA & Associates
20885 Redwood Road, Suite 202
Castro Valley, CA 94546
(510) 593-5037
kharper@kevinharpercpa.com
December 5, 2019
Table of Contents
I. Purpose and Objectives
II. Scope and Approach
III. Results of Review and Related Recommendations
1. Organizational Placement
2. Staffing and Budget
3. Performance Measures
4. City Auditor Qualifications
5. Outsourcing Considerations
IV. Other Findings and Recommendations
Attachment - Summary of Surveys
I. Purpose and Objectives
The City of Palo Alto engaged us to compare certain elements of the City Auditor’s
Office to other local governments and industry standards. The review included a survey
of the internal audit functions of several California cities and counties, as well as
comparison of the City’s practices to best industry practices and professional standards.
The objectives of our review were to:
1. Review organizational placement of City Auditor’s Office.
2. Compare staffing and budget to other cities and counties, including comparison
of the number of audits and cost per audit.
3. Review objective measures of audit productivity and effectiveness.
4. Provide recommendation on City Auditor minimum qualifications.
5. Provide considerations for outsourcing the internal audit function.
II. Scope and Approach
Following is a summary of the procedures we performed during the review:
1. Met with City officials to understand their concerns, the strengths and weaknesses of
current organization, goals/vision for the City Auditor’s Office, and the current staffing
and budget.
2. Met with Interim City Auditor and read relevant City documents to gain an
understanding of City Auditor’s Office organization, duties, mission, budget, and
staffing. Identified and gathered relevant documentation such as Audit Policies and
Procedures Manual, organization chart, budget, Fiscal Year 2019 Audit Work Plan, job
descriptions, recent audit reports, and key performance measures.
3. Surveyed similar governments (“the Palo Alto survey”) to benchmark internal audit
activities such as who the chief audit executive reports to, staffing levels, number of
audits completed, annual budget, and measures of productivity/effectiveness used.
Survey questionnaires were sent to the Cities of Alameda, Berkeley, Cupertino, Fremont,
Fresno, Oakland, Redwood City, Santa Clara, Sunnyvale, the Counties of San Mateo and
Santa Clara, and the City & County of San Francisco.
4. Researched professional standards including:
• Institute of Internal Auditors (IIA) – International Standards for the Professional
Practice of Internal Auditing
• American Institute of Certified Public Accountants – Generally Accepted Auditing
Standards
• Comptroller General of the United States – Government Auditing Standards
We also reviewed the results of internal audit surveys and best practices of various
organizations, including the Government Finance Officers Association, Moody’s Best
Practices in Audit Committee Oversight of Internal Audit, and the American Institute of
Certified Public Accountants.
5. Developed findings and recommendations based on our interviews, document reviews,
surveys, research of professional standards, knowledge of best practices, and
considering the City’s goals and vision.
6. Wrote report that includes:
• Objectives of the organizational review.
• Scope of project and procedures performed.
• Observations related to organizational placement, staffing and budget,
performance measures, City Auditor qualifications, outsourcing, and other
matters that came to our attention during the review.
• Recommendations for improvement or consideration.
7. Reviewed findings and recommendations with Mayor and City Manager.
III. Results of Review and Related Recommendations
1. Organizational Placement
IIA Standards
The IIA’s International Standards for the Practice of Internal Auditing (“the IIA Standards”) state:
1110 - Organizational Independence
The chief audit executive must report to a level within the organization that allows the
internal audit activity to fulfill its responsibilities. The chief audit executive must confirm to
the board, at least annually, the organizational independence of the internal audit activity.
1110.A1 - The internal audit activity must be free from interference in determining the
scope of internal auditing, performing work, and communicating results.
The IIA defines independence as:
Independence is the freedom from conditions that threaten the ability of the internal audit
activity to carry out internal audit responsibilities in an unbiased manner. To achieve the
degree of independence necessary to effectively carry out the responsibilities of the
internal audit activity, the chief audit executive has direct and unrestricted access to senior
management and the board. This can be achieved through a dual-reporting relationship.
Threats to independence must be managed at the individual auditor, engagement,
functional, and organizational levels.
The IIA goes on to explain organizational independence as the authority to:
• Approve the internal audit charter;
• Approve the risk based internal audit plan;
• Approve the internal audit budget and resource plan;
• Receive communications from the chief audit executive on the internal audit activity’s
performance relative to its plan and other matters;
• Approve decisions regarding the appointment and removal of the chief audit executive;
• Approve the remuneration of the chief audit executive; and
• Make appropriate inquiries of management and the chief audit executive to determine
whether there are inappropriate scope or resource limitations.
Palo Alto’s Current Structure
The City’s reporting structure for internal audit is very formal with virtually no involvement by
the City Manager, except for being interviewed for risk identification and to receive draft
findings and recommendations at the end of each audit. The Audit Policies and Procedures
Manual is thorough, professional, up-to-date, and is approved by the Policy and Services
Committee. The City Auditor’s time sheets are reviewed by Payroll and expense reports are
reviewed and approved by the City Manager’s Office. This formal reporting relationship assures
internal audit’s independence from the influence of senior City management. However, it also
leads to a less cooperative relationship, and cooperation is important to implementing solutions
to risks identified by the audits.
Analysis
The chief audit executive should report to the board of directors or its audit committee for
strategic direction, reinforcement, and accountability; and to executive management for
assistance in establishing direction, support, and administrative interface. The IIA Standards
clearly indicate that the board (usually through its audit committee) must have a prominent
role in setting the scope of internal audit activities, but do not explicitly prohibit other reporting
relationships as long as the reporting relationship meets the overall criterion of ensuring broad
audit coverage, free from any interference in setting the scope of work, the choice of audit
procedures, and the free and unfettered communication to any level within the organization
needed to ensure adequate attention to the findings and appropriate follow-up action. The
audit committee and the internal auditors are interdependent and should be mutually
accessible. The board or its audit committee should be responsible for the appointment,
removal and compensation considerations of the chief audit executive. It is critical that internal
audit be seen by everyone in the organization as an arm of the audit committee.
One of the questions that needs to be answered to determine the size, focus and success of an
internal audit function is what type of internal audit department do you want. Below is a
continuum of the approach used to deliver internal audit services:
Internal Audit Operating Continuum
• Assurance Provider – delivers objective assessment of the effectiveness of internal
controls. Takes little responsibility for cost vs benefit considerations or
implementation of recommendations.
• Problem Solver – Brings analysis and perspective on root causes of issues identified in
audit findings to help auditees take corrective action.
• Trusted Advisor – Provides value-added services and proactive strategic advice well
beyond effective execution of the audit plan.
[Figure: Internal Audit Operating Continuum, left to right: Assurance Provider, Problem Solver, Trusted Advisor]
The continuum moves left to right from assurance providers that focus on finding and pointing
out problems for management to address to trusted advisors who focus on teaching the
organization how to identify and address risk. Trusted advisors focus more on the following
than assurance providers: critical risks and issues the organization is facing, aligning scope and
audit plan with stakeholder expectations, promoting quality improvement and innovation,
obtaining training and/or sourcing the right level of talent for audit, and leveraging technology
effectively in the execution of audit services.
It is important for the City to determine where on this continuum it wants its internal audit
function to act. This decision has ramifications for everything related to internal audit,
including annual budget, staffing, experience of staff, selecting and scoping audits, and working
with others in the organization. For example, if the City prefers for Internal Audit to be in the
Trusted Advisor level of service, it may be appropriate for Internal Audit to devote significant
resources to Control Self Assessment, developing tools and training for departments to assess
and report the adequacy of their controls.
Recommendation #1
The City should determine where along the internal audit operating continuum it wants its
internal audit function to operate. It should consider revisions to its budget, staffing levels and
experience, written procedures, and interaction with auditees, as appropriate. It should
consider whether to designate a portion of its internal audit efforts to providing management
advisory services, while maintaining a portion of its efforts for formal internal audits.
The City should follow IIA’s recommendation that internal audit has a dual-reporting
relationship, whereby it reports functionally to the audit committee and administratively to the
City Manager. All decisions about audits to be conducted; audit scope; audit timing; and City
Auditor appointment, termination, evaluation and compensation, should continue to be made
by the audit committee. The City Manager should provide administrative oversight, including
review of time sheets and expense reports, consultation about timing of audits based on
operational considerations, and involvement in discussion of cost vs. benefit decisions of audit
recommendations. Additional involvement by the City Manager’s Office may improve
cooperation with the City Auditor’s Office and may improve the quality and quantity of
implemented recommendations.
2. Staffing and Budget
There are no recommended levels of internal audit staffing per industry standards. The IIA
Standards advocate a strong system of internal control that is monitored by a well-resourced
internal audit activity as a fundamental feature of good governance. The amount of resources
that an organization devotes to its internal audit activities varies based on many factors
including its industry, the risks it faces, the role of others in the organization to monitor risk and
control (e.g., operational management, Risk Management Group, Compliance Officer), and the
organization’s risk appetite.
Kevin W. Harper CPA & Associates Page 7
The results of the Palo Alto survey show the following staffing and budgeting levels for
comparable cities:
City (1)      City-wide   Internal audit   Internal audit budget    Internal     Average    Cost per    # Audits
              budget      budget           (% of city-wide          audit FTEs   # audits   Audit (2)   per FTE (2)
              (000s)      (000s)           budget) (2)
Berkeley      $387,217    $1,600           0.41%                    6            5.5        $291,000    0.9
Fresno        655,423     272              0.04%                    2            3.5        78,000      1.8
Oakland       1,060,720   2,200            0.21%                    10           6.5        338,000     0.7
Santa Clara   907,828     1,238            0.14%                    2            3.5        354,000     1.8
Palo Alto     $508,426    $1,458           0.29%                    5            3.5        $417,000    0.7
(1) Survey questionnaires were sent to twelve cities and counties. Responses were received from
seven cities and from the City and County of San Francisco. Three of the responding cities do
not have dedicated internal audit functions and the City and County of San Francisco is not
comparable due to its size. The remaining four cities are included in the table above.
(2) Shaded columns represent calculated amounts based on survey results and information from
comprehensive annual financial reports.
This survey shows:
• The City’s internal audit budget as a percent of the city-wide budget is the second
highest of the comparable cities. This indicates the City has devoted more resources to
internal audit than most comparable cities.
• The City’s cost per audit is the highest of any of the comparable cities, and the number
of audits per full-time equivalent employee is tied for the lowest. This can be caused by
many factors such as working on non-audit projects (e.g., National Citizen Survey,
Annual Performance Report, Sales Tax Allocation Reviews), larger audits, significant time
devoted to administrative activities, or inefficiencies.
• The cost per audit calculated at $417,000 above is very high. By comparison, the 2019-
20 budgeted cost for the City’s annual independent financial audit (including audits of
the City, its federal grant programs, and several smaller entities managed by the City),
which is a more comprehensive audit than most internal audits, is $168,000 per year.
Following is a list of audits completed by Palo Alto during the last three years:
FY 2018-19:
• Code Enforcement
• ERP Planning - Data Standardization
• ERP Planning - Separation of Duties
• Business Registry
FY 2017-18
• Accuracy of Water Meter Billing
• Continuous Monitoring: Overtime
• Information Technology and Data Governance
FY 2016-17
• Community Service Department: Fee Schedule
• Continuous Monitoring: Payments
• Green Purchasing Practices
• Utilities Department: Cross Bore Inspection Contract
Recommendation #2
We understand the City is already in process of transferring responsibility for non-audit services
from Internal Audit to other personnel. We also recommend that internal audits generally be
scoped with a smaller number of hours in order to increase the number of risk areas they can
look into each year. Audits that yield surprising negative results can be expanded. In addition,
as discussed in Recommendation #5 below, the City should consider contracting out some of its
internal audits.
3. Performance Measures
The IIA’s Global Summary of the Common Body of Knowledge compiled the eight most
commonly used performance metrics within internal auditing:
• Recommendations accepted/implemented
• Customer/auditee surveys from audited departments
• Reliance by external auditors on the internal audit activity
• Cost savings and improvements from recommendations implemented
• Number of management requests for internal audit assurance or consulting projects
• Number of major audit findings
• Budget to actual audit hours
• Cycle time from entrance conference to draft report
It is very important that any metrics used be closely aligned to stakeholder expectations. The
goal is to demonstrate that services delivered add value. When metrics are aligned with what
matters most to internal audit’s stakeholders, they help assure that daily operations are
focused on what matters most.
The City of Palo Alto’s internal audit performance metrics are limited to the average cost per
audit, average hours incurred by auditor, and elapsed time to clear findings. Of the four
comparable cities listed in the table on page 7, the only performance metrics reported in the
survey are audit hours incurred, cost per audit, and number of recommendations implemented.
Other common performance metrics for the internal audit function are:
• Number of auditors vs total employees or vs total revenue
• Actual vs budgeted department costs
• Percent of audit plan completed
• Number (or percent) of audit findings resolved prior to report issuance
• Number (or percent) of audit findings resolved within 30, 60, 90 days
• Absence of regulatory or reputation issues/failures
• Management/auditee satisfaction survey results
• Productive hours vs. admin hours
• Percent reduction in risk exposure
• Percent of audit plan aligned to enterprise risks
• Business process improvements resulting from internal audit
• Satisfactory Findings from last external peer review
• Number of professional certifications
• Percent of staff meeting continuing professional education requirements
• Adherence to IIA Standards and City policies and procedures
• Turnover of audit personnel
• Audit committee meeting attendance
• Training sessions or involvement with enhancing internal control/risk management
knowledge of the organization
• Percent of audits using Computer Assisted Audit Techniques (e.g., data analytics,
dashboards, databases, continuous auditing, thought leadership)
• Percent of audits using data analytics to drive scoping decisions
Recommendation #3
The City should select and track a small number of performance measures that align with
stakeholder expectations, are quantifiable and efficiently gathered. A suggested list of
appropriate metrics may be:
• Recommendations accepted/implemented
• Customer/auditee surveys from audited departments
• Number of management requests for internal audit assurance or consulting projects
• Percent of audit plan completed
• Absence of regulatory or reputation issues/failures
• Productive hours vs. admin hours
• Percent of audit plan aligned to enterprise risks
The metrics selected should be projected each year, tracked during the year and reported at
the end of each year, with explanations for variances between projected and actual results. For
any metric falling below projections, the City Auditor should develop an improvement plan and
communicate it to stakeholders.
4. City Auditor Qualifications
The IIA Standards do not specifically address the chief audit executive’s qualifications, but state
that the chief audit executive should possess “the knowledge, skills, and other competencies
needed to perform their individual responsibilities.” The IIA’s Model Internal Audit Legislation
for State Governments states the chief audit executive shall possess one or more of the
following qualifications:
• A bachelor’s degree and five years of progressively responsible professional auditing
experience as an internal auditor or external auditor, information technology auditor, or
any combination thereof; or
• A master’s degree and four years of progressively responsible professional auditing
experience as an internal auditor, external auditor, information technology auditor, or
any combination thereof; or
• A certificate as a Certified Internal Auditor (CIA) or Certified Government Auditing
Professional (CGAP) and four years of progressively responsible professional auditing
experience as an internal auditor, external auditor, information technology auditor, or
any combination thereof. In the absence of a CIA certificate or CGAP certificate,
consideration should be given to require a Certified Public Accountant (CPA) license or
Certified Information Systems Auditor (CISA) credential.
Government Auditing Standards, promulgated by the Comptroller General of the United States,
do not specifically address the chief audit executive’s qualifications, but state that staff
collectively should have the necessary “technical knowledge, skills, and experience.” They
provide some specificity by requiring audit staff members to have knowledge of GAO Audit
Standards, the audited entity’s specialized areas or industry, and the subject matter under
review; along with oral and written communication skills.
The American Institute of Certified Public Accountants has guidelines for hiring the chief audit
executive and recommends the individual should have a CPA or CIA credential and have
significant experience (10 years or more) in a management role, along with strong technical
skills in accounting and auditing. In addition, the preferred qualifications include an advanced
business degree such as an MBA.
The Government Finance Officers Association recommends, at a minimum, the head of the
internal audit function should possess a college degree and appropriate relevant experience. It
also states it is highly desirable that the head of the internal audit function hold some
appropriate form of professional certification such as CIA, CPA, or CISA.
The minimum qualifications listed in Palo Alto’s City Auditor job description are:
• Possession of Bachelor’s degree in accounting or a related field; Master’s of Business
Administration preferred.
• Certification as a public accountant or internal auditor preferred.
• Five years experience in internal audit in a lead or assistant capacity.
• Experience in public sector organization preferred.
Recommendation #4
We recommend the following set of minimum qualifications for the City Auditor as well as
preferred qualifications to be sought:
Required Minimum Qualifications
• Bachelor’s degree in accounting or related field.
• Five years progressively responsible experience conducting or managing one or
more of the following: audits, examinations, or program reviews, and, in
addition, two years in a supervisory capacity.
• Extensive knowledge of professional audit standards.
• Demonstrated oral and written communication skills.
Preferred Qualifications
• Professional certification (CIA, CPA, or CISA).
• Master’s degree in accounting, business, public administration, economics,
management, or a closely related field to the agency’s service sector.
• Extensive knowledge of public sector operations.
5. Outsourcing Considerations
The IIA believes a fully internally resourced audit function is most effective and can be
supplemented by external experts in specialty knowledge areas. Nevertheless, several sources
(including IIA’s Common Body of Knowledge survey) indicate most internal auditing
practitioners agree it is appropriate to use a combination of external resources, in cosourcing or
outsourcing models, to complete the audit plan. However, there is little agreement on the
appropriate amount or allocation of external vs internal resources.
There are several reasons an internally resourced internal audit function would engage external
resources, such as:
• Temporary staff shortages
• Specialized skill needed (e.g., for audits of information systems, actuarial calculations,
police conduct)
• Unexpected special project
• Supplemental staff to meet tight deadlines
Outsourcing alternatives include:
• In-house – All resources are employees of the organization with only occasional use of
external service providers. External service providers are used to supplement capability
(specialist expertise, rather than capacity).
• Total outsourcing – 100% of the internal audit services are obtained from external
service providers.
• Cosourcing through which external resources participate on joint engagements with in-
house internal audit staff.
• Contracting for a specific engagement or portion of some engagement is performed by
an external service provider, typically for a limited time period. Management and
oversight of the engagement normally is provided by in-house internal audit staff.
In cases where total outsourcing is selected as the method for obtaining internal audit services,
oversight and responsibility for the internal audit activity cannot be outsourced. An in-house
liaison (designated chief audit executive or optionally a senior management-level employee),
should be assigned responsibility for management of the internal audit activity, including
selecting and overseeing consultants, clearing roadblocks, creating and maintaining a Quality
Assurance and Improvement Program, and assuring compliance with City policies and
procedures. If the liaison is a senior management-level employee, qualifications should include
knowledge of the government’s systems, procedures and controls, and commitment to
improving operations and controls.
The benefits of internal resources are that they know the culture of the organization, the
people, where to find information, how to use information systems, and the policies and
procedures. Local governments often have difficulty maintaining an effective internal audit
staff due to the difficulty of providing career path opportunities.
The benefits of external resources are that they will have worked with a large number of
organizations so have a good understanding of best practices. An experienced external audit
firm is more likely to have specialized skills on staff. The cost per audit is usually lower than the
cost per audit shown in the Palo Alto survey results on page 7. In some cases, the cost per audit
is lower for external firms because there is less scope creep, there are less demands on the
time of auditors, or auditors are more experienced with the audit outsourced to them.
The City Auditor’s Office has not contracted with external service providers except occasionally
for certain specialists. The City’s Audit Policies and Procedures Manual contemplates the use of
external specialists but does not address outsourcing or cosourcing with external resources.
Recommendation #5
The City should consider contracting one or two of its internal audits with external service
providers. This will bring the average cost per audit down, and will give the City the
opportunity to better assess the costs vs. benefits of outsourcing for future consideration. The
Audit Policies and Procedures Manual should be updated to contemplate the use of external
service providers in roles other than a specialist.
IV. Other Findings and Recommendations
Unimplemented Audit Findings
There are 41 uncleared audit findings. 25 of these uncleared findings are more than a year old,
18 are more than two years old and one is eight years old. Approximately one-third of audit
findings of the past few years remain unresolved. Findings frequently take a full business cycle
to implement, so findings may legitimately remain unimplemented for up to a year. Uncleared
audit findings older than a year are generally due to one of the following: (a) Either internal
audit is not making practical cost-beneficial recommendations, or (b) the auditees are not
prioritizing implementation of audit recommendations. Determining the reason for uncleared
findings is not within the scope of this review.
The City Auditor prepares a list of open recommendations as part of the City Auditor’s
Quarterly Report and presents it to the Policy and Services Committee and the City Council.
Recommendation #6
The City should determine whether the backlog of unimplemented recommendations results
from internal audit not making practical cost-beneficial recommendations, or from the auditees
not prioritizing implementation of audit recommendations. If the former, then the
considerations discussed in Recommendation #1 above can address it. If the latter, the City
should improve training and understanding of risk and control by managers throughout the
City. Auditors should prioritize findings to allow the auditee and the Policy and Services
Committee to distinguish significant deficiencies in internal controls, less significant control
deficiencies, and improvements to effectiveness or efficiency.
Stakeholder Survey
Internal audit is a service function and its stakeholders are the audit committee, auditees,
and senior City management. A service organization cannot determine its success or
whether its service is improving or deteriorating without getting consistent feedback from
stakeholders regarding how well their needs are being met. There has been no formal process
to assess stakeholder satisfaction in recent years. In fiscal 2014-15, there was a single-question
survey of departments regarding their assessment of the quality of audit services provided.
Recommendation #7
The City Auditor should conduct an annual survey or other formal method of stakeholder
feedback. The questions asked for each stakeholder group should be tailored to their
interactions with internal audit. For example, auditees should not be asked to assess the
scoping of audits and the audit committee should not be asked about interactions with
departmental staff. Appropriate survey questions will follow from the decision made in
Recommendation #1 above about the approach used to deliver internal audit services. For any
survey response that indicates that the City Auditor’s Office is not successful in serving its
stakeholders, the City Auditor should develop an improvement plan. The results of each
stakeholder survey, the related improvement plans, and the resulting performance
improvements accomplished should be regularly and proactively shared with stakeholders.
Risk Assessment
The IIA Standards state:
2010 – Planning
The chief audit executive must establish a risk-based plan to determine the priorities of the
internal audit activity, consistent with the organization’s goals.
2010.A1 – The internal audit activity’s plan of engagements must be based on a
documented risk assessment, undertaken at least annually. The input of senior
management and the board must be considered in this process.
The City has not conducted an assessment of major risks in several years. There is no formal
method to identify new risks as they arise (e.g., electronic payments, phishing). Without a clear
and ongoing understanding of the major risks the City faces, it is not possible for City
management to know whether internal controls are adequate to assure that assets are
safeguarded, that financial statements are prepared accurately and that the likelihood of achieving
operations objectives is maximized.
Recommendation #8
The City should conduct a City-wide risk assessment annually as part of the annual audit plan.
Steps should include:
• Identify all key risks affecting the City’s ability to meet its business objectives, safeguard
its assets, operate efficiently and effectively, and comply with laws and regulations. This
step can be performed via interviews of employee experts or senior management
brainstorming.
• Prioritize risks based on their likelihood of occurring and the severity if they occur.
• Identify controls already in place to manage each key risk identified.
• Conclude whether each key risk is adequately controlled.
• For each key risk not adequately controlled, develop an improvement plan to improve
controls, transfer risk or revise business objectives.
• Implement a process to identify new risks as they arise.
CITY OF PALO ALTO
SUMMARY OF SURVEYS - INTERNAL AUDIT FUNCTION
OCTOBER 2019
ATTACHMENT A
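Respondents: City of Palo Alto, City of Berkeley, City of Fresno, City of Oakland, City of Santa Clara, City of Cupertino, City & County of San Francisco, City of Alameda, City of Fremont, City of Redwood City, City of Sunnyvale, County of San Mateo, County of Santa Clara
SIZE OF MUNICIPALITY:
Palo Alto: Population 66,649; Annual Expenses $508,426,000; # Employees 1,059
Berkeley: Population 121,874; Annual Expenses $387,216,873; # Employees 1,532
Fresno: Population 538,330; Annual Expenses $655,422,508; # Employees 3,599
Oakland: Population 426,074; Annual Expenses $1,060,720,000; # Employees 3,418
Santa Clara (City): Population 129,604; Annual Expenses 907,827,980; # Employees 1,105
Cupertino: Population 60,091; Annual Expenses $91,194,554; # Employees 193
San Francisco: Population 892,701; Annual Expenses $10,165,820,000; # Employees 33,045
Alameda: Population 78,863; Annual Expenses $226,047,079; # Employees 531
Fremont: Population 235,439; Annual Expenses $286,065,650; # Employees 922
Redwood City: Population 86,271; Annual Expenses $258,976,774; # Employees 566
Sunnyvale: NO RESPONSE
County of San Mateo: DECLINED TO RESPOND
County of Santa Clara: NO RESPONSE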
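SURVEY QUESTIONS:
1 Do you have one or more employees or contractors dedicated to management/performance audit activities? No = skip to question 10
Palo Alto: Yes; Berkeley: Yes; Fresno: Yes; Oakland: Yes; Santa Clara (City): Yes; Cupertino: No; San Francisco: Yes; Alameda: No; Fremont: No; Redwood City: No
2 What is the title of the chief internal auditor?
Palo Alto: City Auditor; Berkeley: City Auditor; Fresno: Principal Internal Auditor; Oakland: City Auditor; Santa Clara (City): City Auditor; Cupertino: NA; San Francisco: Chief Audit Executive; Alameda: NA; Fremont: NA; Redwood City: NA
Is this person an employee or contractor?
Palo Alto: Employee; Berkeley: Elected official; Fresno: Employee; Oakland: Employee; Santa Clara (City): Employee; Cupertino: NA; San Francisco: Employee
3 How many employees in the internal audit function?
Palo Alto: 5; Berkeley: 6; Fresno: 2; Oakland: 10; Santa Clara (City): 2; Cupertino: NA; San Francisco: 34
How many contractors in the internal audit function?
Palo Alto: 0; Berkeley: 0; Fresno: 0; Oakland: 0; Santa Clara (City): 0; Cupertino: Likely <3; San Francisco: varies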
4 Supervision of the internal audit function:
a. Who prepares the annual audit plan?
Palo Alto: City Auditor; Berkeley: Staff; Fresno: Principal Internal Auditor; Oakland: Asst City Auditor/City Auditor; Santa Clara (City): City Auditor; Cupertino: CMO w/input from Admin Services; San Francisco: Audits Division
b. Who approves the annual audit plan?
Palo Alto: City Council; Berkeley: City Auditor; Fresno: Controller; Oakland: City Auditor; Santa Clara (City): City Council via Audit Committee; Cupertino: Audit Committee (City Council); San Francisco: Chief Audit Executive
c. Who evaluates the performance of the chief auditor?
Palo Alto: City Council; Berkeley: Voters every 4 years; Fresno: Controller; Oakland: NA - Elected; Santa Clara (City): City Council; Cupertino: All the above (CM directly; San Francisco: Controller
d. Who approves or accepts internal audit reports?
Palo Alto: City Council; Berkeley: City Auditor; Fresno: Council Audit Committee; Oakland: Reports sent to elected officials; Santa Clara (City): City Council via Audit Committee; Cupertino: CM, Audit Committee; San Francisco: Chief Audit Executive
e. Who approves the internal audit budget and staffing?
Palo Alto: City Council; Berkeley: City Council; Fresno: City Manager; Oakland: City Council; Santa Clara (City): City Council; Cupertino: Admin Services Director, CM, CC; San Francisco: Board of Supervisors
f. Who can revise the scope or timing of internal audits?
Palo Alto: City Auditor; Berkeley: City Auditor; Fresno: Principal Internal Auditor; Oakland: City Auditor; Santa Clara (City): City Auditor; Cupertino: CM, Audit Committee, CC; San Francisco: Chief Audit Executive
5 Are any internal audits or portions thereof contracted?
Palo Alto: Yes; Berkeley: No; Fresno: No; Oakland: Yes; Santa Clara (City): Yes; Cupertino: Yes (they will be); San Francisco: Yes
If yes, describe what is contracted and the approximate costs or FTEs for a typical contracted audit.
Palo Alto: Periodically, on an as-needed basis, a contracted specialist is utilized for an audit where expertise in a particular area is required. Examples include specialists used for a franchise fee audit (approx. $15,000) and for risk assessment of the Utilities Department (approx. $20,000)
Berkeley: We have not contracted out audits that I know of, but we have considered contracting out non-audit reports, like financial condition analysis of city
Oakland: Some audits are contracted if the Office lacks expertise or capacity to perform the audit
Santa Clara (City): The internal audit at the City was created in FY 18/19. The current annual contracted budget for the division is approximately $200,000. We plan to outsource the majority of audits to contractors and will look to adjust the budget as we move forward.
Cupertino: Scope of services will include initial risk assessment followed by IA testing of city processes/procedures (e.g., credit card program, cash handling @ various sites including golf course
San Francisco: All concession, franchise fee and some construction audits are contracted out. Besides the contract costs, 1 Audits Division FTE usually manages the contract and acts as the internal project lead
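6 How many management/performance audits do you typically complete each year?
Palo Alto: 3 to 4; Berkeley: 5 to 6; Fresno: 3 to 4; Oakland: 5 to 8; Santa Clara (City): 3 to 4; Cupertino: 3-4 anticipated; San Francisco: 7 or more
7 If there is an internal audit function, what is its annual budget?
Palo Alto: $1,458,175; Berkeley: $1.6 million; Fresno: $272,400; Oakland: $2.2 million; Santa Clara (City): $1,237,543; Cupertino: Currently $50,000, potential increase to $100,000; San Francisco: .2% of the City's budget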
8 How do you assess audit quality?
Palo Alto: To ensure audit quality in accordance with Muni Code, the City Auditors Office performs audits using GAGAS (the Yellow Book). This ensures each audit is independent, objective, well-documented and includes sufficient appropriate evidence to support each finding. Audit quality is also assessed during the peer review every three years. The most recent peer review (2017) praised the Office for many professional certifications and extensive training of the audit staff, the "thorough and well-organized" Policy and Procedures manual, and the fact that the "audit excellence of the organization has been recognized multiple times by the Association of Local Government Auditors (ALGA) Knighton Award.
Berkeley: We follow Government Auditing Standards put out by US Government Accountability Office, and all our audit reports state we follow these standards, which includes 80 hours of training every 2 years. We also are peer reviewed by ALGA every 3 years
Fresno: Number of recommendations implemented within a given time period
Oakland: A peer review is conducted every three years
Santa Clara (City): See performance measures in the annual adopted budget pages enclosed in Attachment 2
Cupertino: Respect and tact during performance of said procedures. Thoroughness of review. Clarity and validity of results and findings. Efficiencies identified. Cost/benefit over time.
San Francisco: The Audits Division complies with GAGAS and has policies and procedures and quality control systems to ensure its compliance. We hire and train qualified staff, ensure audit teams comprise of staff with knowledge, skills & abilities to perform the audit, and we have a rigorous quality assurance function
9 Is the City Council satisfied with the value (effectiveness, efficiency and transparency) of the internal audit function?
Palo Alto: Both the City's Policy & Services Committee (comprised of Council members) and the full Council review and approve each audit performed by the City Auditor's Office. To my knowledge, every audit presented has been approved. That said, the high degree of satisfaction the Council has with the value of the City's audit function would be best addressed by that body.
Berkeley: City Council is generally pleased with our work, even though we don't report to them. They provide suggestions for areas to audit, and have used our reports to create legislation and other guidance for the city. Some have large impact, like creating a reserve fund and trust fund to address unfunded liabilities
Fresno: Yes
Oakland: They are requesting more audits
Santa Clara (City): Yes, however, the internal audit function at the City was created in FY 18/19 and it is fairly new
Cupertino: NA as of today
San Francisco: Yes
10 If your agency has no internal audit function, how does it assess the adequacy of its internal controls?
Palo Alto: NA; Berkeley: NA; Fresno: NA; Oakland: NA; Santa Clara (City): NA
Cupertino: External audit. City had a comprehensive review of its internal control environment performed by a CPA firm in FY 2018-19
San Francisco: NA
Alameda: External audit
Fremont: Fremont does not have an internal audit function
Redwood City: The Financial Services Manager is an ex CPA firm Audit Manager that specialized in municipal audits. He is responsible for supervising Finance Division and ensuring adequate internal controls. Internal controls are also observed and tested annually in conjunction with the annual financial statement audit.
11 Provide copies of the following documents (if they exist):
a. Internal audit mission/vision: Yes; No; Yes - website; Yes; NA; Yes; NA; NA; NA
b. Annual budget for internal audit: Yes; Yes; Yes, website?; Yes; Yes
c. Annual audit plan: Yes; No; Yes, not provided; Yes; Yes, website
d. List of audits completed in FY 2018-19 and FY 2017-18, along with the estimated number of hours spent on each: Yes; No; Yes, website; NA, new function; Yes, website
e. Written internal audit policies and procedures: Yes; No; Yes, not provided; Yes; Yes, not provided, being updated
f. Job description of City Auditor (or equivalent): Yes; Yes; Yes, website; Yes; Yes
g. Performance metrics (e.g., cost per audit, audit hours incurred by auditors, audit hours incurred by auditees, elapsed time to clear findings): Yes; No; Nothing in writing; NA, new function
Kevin W. Harper CPA & Associates
20885 Redwood Road, Castro Valley, CA 94546
(510) 593-5037 kharper@kevinharpercpa.com
January 13, 2020
Council Appointed Officers Committee
City of Palo Alto
250 Hamilton Avenue
Palo Alto, CA 94301
Dear Committee Members:
I have reviewed the Association of Local Government Auditors letter to Members of the Palo
Alto City Council dated December 19, 2019 (“the ALGA letter”). I have the following thoughts:
1. Government Auditing Standards, issued by the General Accounting Office, Comptroller
General of the U.S., is also known as "the Yellow Book" or "GAS" or "GAGAS". You are
required to follow GAS because the writers of the City Charter said that the City Auditor
would do so. Otherwise, you would be free to follow any set of standards you want, or
even establish your own. Most government internal audit functions choose to follow GAS
but some choose Institute of Internal Audit (IIA) International Professional Practices
Framework. The two sets of standards are similar in most ways in that they address the
most important elements of an effective internal audit function, including independence of
the auditor, ethics, documentation requirements, auditor qualifications, organizational
placement, quality control, and reporting requirements. The two sets of standards vary in
extent such as how independence is defined, whether risk assessment is performed at the
audit level or entity level, the frequency of external quality assurance reviews, and the
specificity of required continuing professional education.
2. I looked at both GAS and the IIA Standards in forming my recommendations. But I also
looked at best practices, the results of the survey, and considered your city's particular
situation. If it seems that there are more references to IIA documents than GAS documents
in my report, it is because IIA seems to have done more studies that were relevant to the
subject. Both sets of standards are relevant for the purposes of my report because they
both give insight into best practices.
3. The ALGA letter says that if the City Auditor reports to the city manager in an administrative
manner, it would be a significant structural threat. It depends on how you define "in an
administrative manner". All decisions about auditing (e.g., areas to be audited, scope,
timing and approach) should continue to be made only by the Audit Committee and the City
Auditor. See the attached article about auditor independence.
4. The advisory/consulting services that I recommended you consider can be performed as
part of the City Auditor's Office or can, as we discussed, be provided by another department
because independence is not required for those types of services. The ALGA letter states
these services can create threats to independence, but the only example it cites is when the
City Auditor agrees not to audit an area that had received advisory services; the City Auditor
would not and should not agree to such a requirement. The letter concedes that GAS
outlines processes for conducting non-audit services and identified safeguards to protect
the City Auditor's independence when providing such advisory services. See the attached
article about auditor independence.
I have attached an article from the Journal of Accountancy that identifies five threats to auditor
independence and discusses how to determine an acceptable level of independence risk. You
may find it useful while determining changes to the City’s internal audit function.
Please let me know if you would like to discuss further.
Sincerely,
Kevin W. Harper CPA
A Framework for Auditor Independence
BY SUSAN MCGRATH, ARTHUR SIEGEL, THOMAS W. DUNFEE, ALAN S. GLAZER
AND HENRY R. JAENICKE
December 31, 2000
In November the Independence Standards Board (ISB) issued an exposure draft (ED) of a
conceptual framework for auditor independence containing the concepts and basic principles that
will guide the board in its standard setting. The framework defines auditor independence as
“freedom from those factors that compromise, or can reasonably be expected to compromise, an
auditor’s ability to make unbiased audit decisions.”
It will help practitioners, investors, regulators and other standard setters understand the
significance of auditor independence and provide a common language so that those involved in
the ongoing independence debate can contribute to the development of ISB standards. The
framework does not provide easy answers to specific independence questions but it supplies a
structure and methodology for analyzing issues. This article describes the framework and some
of the reasoning behind it.
A HODGEPODGE OF REGULATIONS
The need for a framework arose from the jumble of confusing independence rules and
regulations—many in the form of interpretations issued in response to specific independence
questions—that applied to public companies and their auditors. The guidance in those
interpretations, issued over the years and under changing circumstances, sometimes conflicted
and lacked theoretical consistency. Auditors also faced challenges in applying such guidance if
the facts and circumstances of an auditor’s relationship with his or her audit client did not match
those in the interpretation. While the independence regulations helped to ensure quality audits
and contributed to the high level of financial reporting we enjoy in the United States, in today’s
increasingly complex business environment the ISB believes that some revisions are in order.
The recent SEC rule on auditor independence (see “SEC Approves Rules on Auditor
Independence”) updates many of the independence rules and regulations, but numerous issues
remain.
The framework is the product of an open process. A task force of academics, lawyers, audit
committee members, regulators, auditors and others helped identify the issues and reviewed
drafts for clarity and completeness. The group included representatives from international
standard setters so board standards could be harmonized where possible with those used in other
countries. A board oversight task force provided direction. In addition, many individuals and
groups provided comments on the discussion memorandum, which the ISB issued earlier to alert
them to a possible ED and to solicit opinions. The board hopes the ED will receive the same
level of participation.
THREE STEPS
The framework defines, and identifies the goal of, auditor independence. The model for standard
setters is based on three key steps:
• Identify threats to the auditor’s independence and analyze their significance.
• Evaluate the effectiveness of potential safeguards, including restrictions.
• Determine an acceptable level of independence risk—the risk that the auditor’s independence
will be compromised.
Under the model, the ISB and other standard setters are to analyze the costs and benefits of
regulations and consider the views of investors, other users of financial information and
additional interested parties.
The definition of independence does not require the auditor to be completely free of all the
factors that affect the ability to make unbiased audit decisions, but only free from those that rise
to the level of compromising that ability. For example, the audit client pays the auditor’s fee, so
complete independence is impossible and not necessary to meet the framework’s definition. The
framework doesn’t spell out specific examples of what would constitute “rising to the level of
compromising” an auditor’s independence, but it does offer a structure that will allow an auditor
to analyze whether undue bias exists in a particular situation.
Further, independence is defined as more than just compliance with the independence rules. The
proposed definition compels the auditor to make a personal assessment of his or her
objectivity—to determine if pressures and other factors compromise the ability to make unbiased
audit decisions. While this “introspective” evaluation is critical, the definition also calls for an
assessment of how activities and relationships with the audit client would appear to others; the
guidance explains that the auditor should consider the “rationally based expectations of well-
informed investors and other users.”
This inclusion of perceptions in the definition reflects the ISB’s belief that:
• The idea that independence is entirely a personal matter, which varies from auditor to auditor in
a given set of circumstances, is not useful in setting standards for all auditors.
• The ability to be objective does not well serve the auditor or the client if no one believes that
the auditor can be objective in a given set of circumstances.
The goal of independence is “to support user reliance on the financial reporting process and to
enhance capital market efficiency.” With this aim, the ISB looks beyond the immediate benefit
of the auditor’s independence—unbiased audit decisions—to these broader targets. If standards
reduce independence risk slightly but carry unintended consequences that harm the quality of
financial reporting or capital market efficiency, they do not serve the public interest.
THREATS AND SAFEGUARDS
The framework, in identifying five types of threats to the auditor’s independence, follows the
approach of European standard-setters. These classifications are illustrations only; it is not
necessary, under the model, for an auditor to place identified threats into one of these categories:
• Self-interest. The threat that arises when an auditor acts in his or her own emotional, financial
or other personal self-interest.
• Self-review. The threat of bias arising when an auditor audits his or her own work or the work
of a colleague.
• Advocacy. The threat that arises when an auditor acts as an advocate for or against an audit
client’s position or opinion rather than as an unbiased attestor.
• Familiarity (or trust). The threat that arises when an auditor is being influenced by a close
relationship with an audit client.
• Intimidation. The threat that arises when an auditor is being, or believes that he or she is being,
overtly or covertly coerced by an audit client or by another interested party.
Some of these categories may overlap. In addition, although some involve conscious acts by an
auditor in his or her own self interest, others may result from subconscious biases.
Once an auditor identifies such threats and evaluates their significance, he or she should analyze
potential safeguards. These include procedures firms can perform to protect auditor
independence, such as review by a second partner, consultation with designated professionals in
the firm or disclosure to the audit committee. Safeguards also include restrictions on an auditor’s
relationships with an audit client, such as prohibitions on owning the stock of an audit client or
on assigning to an audit client firm professionals whose family members are employed in certain
positions at the client. Standard setters must analyze the significance of threats and the
effectiveness of potential safeguards to ensure that their standards sufficiently reduce
independence risk.
THE APPEARANCE OF INDEPENDENCE
The ED, and the discussion memorandum that preceded it, raise some significant issues. For
example, one of the most controversial aspects of the auditor independence debate is the role that
“appearance” should play in setting standards. The “appearance” concept—though not well
defined—is ingrained in the existing independence literature. Indeed, everyone who has taken an
introductory auditing course knows that auditors must be independent in both fact and
appearance. But what does it mean to “appear” independent? Whose perceptions count?
In assessing appearances, the existing literature directs the auditor to consider whether a
“reasonable investor knowing all the facts and circumstances” would believe a particular
relationship or activity with an audit client might affect the auditor’s independence. Implicit in
this guidance is the notion that independence lends credibility to the audit process and to the
client’s financial reporting process. Some of those who commented on the discussion
memorandum, while acknowledging the importance of credibility, point out the difficulties
involved in identifying and assessing appearances, the probable lack of consensus about the
circumstances and relationships likely to affect the auditor’s independence and the resulting
difficulty in determining whose views are “reasonable.” Others ask why standard setters should
worry about perceptions. Rules that promote actual auditor independence theoretically should
lead to a public perception of the independence of the profession. Standards that promote the
appearance of independence without an actual enhancement would be misleading.
We suspect that the requirement to consider appearances arose with the recognition that
“independence in mind”—actual auditor independence—is impossible for investors and others to
assess. In determining whether to avoid a particular activity or relationship, therefore, the auditor
should be guided not solely by the effect the activity or relationship would have on his or her
objectivity, but by the effect it would be expected to have on most auditors’ objectivity. The
literature directs the auditor to consider how investors and others would view the activity or
relationship in question. Similarly, a standard setter, charged with working to protect the
independence of auditors generally, cannot set standards based on an individual auditor’s state of
mind but on situations or relationships that would likely threaten the independence of most
auditors.
How should the ISB consider appearances in its standard setting today? The discussion
memorandum suggested that appearances could be incorporated into the standard-setting process
in one of three ways if the board concludes that enhancing financial statement credibility—in
addition to financial statement reliability—is an appropriate goal of auditor independence. One
method is to solicit the views of all interested parties and develop independence standards that
reflect them. If the views of all stakeholders are weighted evenly, this could result in standards
“by majority rule.”
Another option is to solicit the views that reflect the likely perceptions of a hypothetical group—
“reasonable, fully informed users of financial information.” The difficulty with this approach, of
course, for the ISB is that it must infer the views of the hypothetical group.
A third approach, and the one the board favors, is to solicit the views of all interested parties, but
to develop independence standards based on the board’s judgment about how best to meet the
goal of auditor independence. The board would neither ignore appearances nor base its decisions
solely on the perceptions of interested parties. After all, board members were selected for their
judgment, experience and knowledge. They have spent a great deal of time over the past three
years educating themselves on the issues and are uniquely positioned to be “fully informed” of
both the threats to auditor independence and the systems in place to protect it. As long as the
standards are effective (and penalties for noncompliance swift and firm), audit failures related to
independence impairments should be minimal, and investors’ belief in the independence of the
auditors should reflect that reality.
It is noteworthy that the ED, in its discussion of the definition and goal of independence, stresses
that the ISB and other standard setters should consider the perceptions of investors and other
users of financial information. While the board’s policies require, and the framework principles
endorse, the board’s consideration of the views of all interested parties in auditor independence,
the ED emphasizes that independence is designed to promote the reliability and credibility of
financial information for investors and other users.
THE RIGHT BALANCE
Perhaps the framework’s most significant contribution will be its formal recognition that auditor
independence is merely a means to an end—not the ultimate goal. Quality audits and reliable and
credible information that contribute to efficient capital markets are the objectives. In other
words, the ISB and other standard setters must look at the big picture and at the possible
consequences of their regulations. For example, a standard that enhances auditor independence
slightly but discourages qualified people from entering the profession may, in the long run, harm
audit quality. This thinking is reflected in ISB Standard no. 3, the board’s pronouncement on
employment with audit clients. In it, the board concluded that prohibiting former firm partners
and other professionals from accepting jobs with audit clients could significantly reduce the
profession’s appeal and harm clients seeking to improve their financial management. Mandating
safeguards, the board concluded, would achieve the same independence benefits without the
adverse consequences. The framework is designed to be the foundation for broad and nuanced
independence standards that reflect the complexities of the issues they address.
For more information…
To obtain a copy of the ISB exposure draft (ED 00-2, A Conceptual Framework for Auditor
Independence), go to the board’s Web site at www.cpaindependence.org or call the ISB at 212-
596-6133. The comment period ends February 28, 2001.