The URL can be used to link to this page

2. Fiscal Year 2020-21 Second Quarter Report IITInternal Audit Department OF j6M DENTON Accountability • Transparency • Integrity • Quality MEMORANDUM DATE: May 28, 2021 TO: Audit/Finance Committee A04-1 FROM: Madison Rorschach, City Auditor A4G-- SUBJECT: Fiscal Year 2020-21 Second Quarter Report FY20-21 Annual Audit Plan Status Audit Project Status -The Internal Audit Department is responsible for conducting audits to assess a variety of risks including internal control weaknesses, inefficiencies in City operations, ineffectiveness of City programs, and noncompliance with laws, regulations, and policies. Each year, an annual audit plan is approved by the City Council to establish the workload of the Internal Audit Department. The following table summarizes the status of each audit project included on the FY20-21 Annual Audit Plan at the end of the second quarter. Table 1: FY20-21 Audit Project Status As of 03/31/21 Audit Project Status Months Month Budgeted Actuals Health Insurance Operations Complete 1.00 1.00 Meter Reading & Billing Complete 2.00 3.00 Utility Payment Assistance Program Reporting 2.00 3.25 Municipal Court Payments Process Reporting 2.00 3.00 Building Permit Process Planning 3.00 TBD Water System Operations: Rate Structure Planning Water System Operations: Distribution Planning 4.00 TBD Water System Operations: Production Planning Emergency Medical Services Not Started 4.00 NA Payroll Administration Not Started 2.00 NA Utility Street Cuts Complete 1.00 0.50 COVID-19 Response: Disaster Reimbursements Complete 1.00 0.25 Accounts Payable Complete 1.00 1.00 Roadway Quality Management Not Started 1.00 NA Police Overtime Not Started 1.00 NA Police Property Room: Procedures Not Started 1.00 NA Risk Assessment Not Started 2.00 NA 1 Month actuals reflect the number of months it took to complete fieldwork on the project.This is calculated from the date the project was initiated to the date first draft report was distributed to management. 215 E. McKinney St., Denton, TX 76201 • (940) 349-7228 Post-Audit Feedback Survey Results - Based on the three audit project reports issued during the second quarter of fiscal year 2020-21 , the Internal Audit Department's services were rated 4.8 out of five stars by auditee department's staff with a 61 percent response rate. Avg. Q2 Internal Audit Service Rating: Ad-Hoc Project Updates -The Internal Audit Department completed the following Consultation projects during the second quarter of fiscal year 2020-21 : ➢ Five Advice requests from various City departments including, Community Services, Finance, Development Services, and Technology Services; and ➢ One Data Assistance request from the Water Department. Annual Audit Plan Amendment - On March 16, the City Council approved Ordinance 21-274 which amended the fiscal year 2020-21 Annual Audit Plan to replace a full follow-up review of the Audit of the Police Property Room with a partial follow-up review focused on procedural recommendations and excluding structural recommendations. Additional details on this amendment can be seen in the attached ordinance. Water System Operations Audit Project Split - Planning work for the Water Production & Distribution Audit project began at the end of March 2021 . After having several discussions with Water Department management, Internal Audit has split the project into three phases, which are now part of a Water System Operations Audit series. The first phase will focus on the water utility's rate structure -with a specific focus on how the structure incentivizes conservation. Another phase will be focused on the construction, planning, and maintenance processes for water distribution pipelines managed by the City's Water Department. The last phase will focus on several elements of water production operations including, water plant construction and maintenance, water quality test reporting, and controls of chemical inventory. The Department believes that this will improve the understandability and focus of the reports issued for this project. FY21 -22 Preliminary Budget According to best practices, audit committees may make recommendations to the governing body regarding the audit function's budget. For this reason, Internal Audit is requesting feedback from the Audit/Finance Committee on the Department's preliminary fiscal year 2021-22 budget. Figure 1 summarizes the Department's FY21-22 budget and its expenses over the last few years: Page12 Table 2: Internal Audit Department Budget Summary Expense FYI 9-20 Actual FY20-21 Estimate2 FY21-22 Prelim. Budget Personnel Services: $350,552 $318,276 $358,415 Operations: External Audit $96,000 $116,000 $1 16,000 Consultant Contingency $0 $0 $38,000 Board of Ethics $239 $2,468 $12,000 Contract Services $1,633 $2,503 $8,500 Licenses & Dues $2,376 $2,345 $2,520 Travel &Training $3,072 $1,523 $4,000 Materials &Supplies: $750 $324 $500 Insurance &Transfers: $12,050 $39,214 $40,390 Total: $465,922 $482,829 $581,807 The preliminary budget includes the following four major budget initiatives as shown in Table 3, which are each further described below: Table 3: Major FY2021-22 Budget Initiatives Proposal Priority Recurrence Annual CMO Rank Budgeted Cost Recommended Department Peer Review 1 Triennial $5,000 Yes Certification Support Program 2 Annual $2,000 Yes Audit Intern Program 3 Annual $14,675 Yes Audit Consultant Contingency 4 Annual $38,000 Yes Department Peer Review- According to Generally Accepted Government Auditing Standards, audit organizations must obtain an external, independent peer review at least once every three years. This peer review evaluates if the audit organization is performing and reporting audits in accordance with Government Auditing Standards. In order to comply with this requirement, the Department recommends contracting with the Association of Local Government Auditors (ALGA) to participate in its Peer Review Program. Through this Program, Association members volunteer to perform peer reviews of other audit organizations so that their organization may receive a peer review. To receive a peer review, the City must only reimburse the Association for travel costs associated with the review team. In the future, Denton audit staff may be asked to travel to perform reciprocal peer reviews of other audit organizations. The Department estimates that the maximum direct cost of this peer review will be $5,000. Indirect labor costs will be incurred in the future as Denton audit staff participate on peer review teams. Additional details about the Association of 2 These estimates were made by Internal Audit and are not the official estimates of the Finance Department. Page13 Local Government Auditors Peer Review Program and process can be seen in the attached ALGA Yellow Book Peer Review Guide. Staff Certification Support - In order to demonstrate the competency and credibility of the Internal Audit Department, audit staff are required to obtain or be in the process of obtaining at least one audit-related certification such as the Certified Internal Auditor, Certified Public Accountant, Chartered Accountant, Certified Fraud Examiner, Certified Government Auditing Professional, or Certified Information Systems Auditor designations. In addition, seeking further certifications is encouraged. The Department proposes budgeting a maximum of $2,000 annually to support staff certification efforts. Specifically, $1,000 would be designated to purchase certification-specific training and study systems and another $1 ,000 to reimburse staff for successful exam fees. If approved, the Department will work with the City Attorney's Office and Human Resources Department to determine if staff may be required to sign a reimbursement agreement for certification support, similar to the City's Tuition Reimbursement Program. Audit Intern Program -The proposed Audit Intern Program would aim to work with Denton's local universities to provide students with real-world government audit experience. This Program would allow the Department to expand its services to perform routine audit projects, including but not limited to conducting inventories and cash counts. If this budget proposal is approved, annual routine audit projects would be more clearly defined in the fiscal year 2021-22 Annual Audit Plan. In addition, Audit Interns would provide support for ongoing performance audit projects, allowing them to learn more about local government operations and performance auditing. The budgeted annual cost of the Audit Intern Program is $14,675; this amount would account for personnel expenses for one part-time Audit Intern during each of the fall, spring, and summer school semesters as well as potential training expenses. Audit Consultant Contingency -This budgeted amount was originally approved for fiscal year 2019-20 to provide the Department with the flexibility to hire specialists for audit projects when needed. The budgeted amount was removed as a cost reduction measure during the COVID-19 Pandemic. As the fiscal year 2021-22 Annual Audit Plan has not yet been developed, there is currently no plan on how, or if, these budgeted funds will be spent. This amount may also act as contingency funding if a consultant must be hired to assist the City as part of a fraud investigation. Page14 Additional Items of Note Revised Department Procedure Manual - In January 2021, a revised Internal Audit Department Procedures Manual was distributed to audit staff and relevant City management. This Manual formalizes several critical quality control processes that were not previously addressed including: continuing professional education requirements, a process for performing ad-hoc projects, and the tracking of issued audit recommendations. The formalization of these processes should improve consistency and compliance with Government Auditing Standards. The full manual is attached. In May 2021 some additional guidance related to Consultation Projects was added. Internal Audit Recommendation Tracker- In early January 2021, a cloud-based Internal Audit Recommendation Tracking system was implemented. This system includes all audit recommendations issued since fiscal year 2018-19 and includes information on management's initial response, follow-up review updates, and self-reported implementation progress. This system is not only available for City management to use but can also be viewed by the public by going to the City's Internal Audit webpage, helping to increase transparency and accountability. Since the implementation of this system, the Department has generally seen success with management filling in self-reported information, which should help increase the timeliness of follow-up reviews. Modified Audit Project Reporting Procedure - In February 2021, the Audit/Finance Committee held its first meeting since the beginning of the COVID-19 Pandemic. During this meeting, Internal Audit staff requested direction from the Committee on how audit project results should be reported in the future, specifically regarding the Audit/Finance Committee's review. Before the COVID-19 Pandemic, all audit projects were presented to the Committee prior to being presented to the full City Council. Based on discussion during the meeting, the Committee directed Internal Audit to distribute each audit project report electronically to all members before presentation to the full Council. Any member could then request that the project be presented to the Committee first, effectively delaying the presentation to Council. This request process does not require a consensus of the Committee and is illustrated in Figure 1 . Page15 Figure 1: Modified Audit Project Reporting Procedure - Audit/Finance Committee Review (Feb. 2021 ) Internal Audit A/F Committee Does an A/F Audit is Distributes Final � Members Review � Committee � Presented to the Draft Report. Report. Member Request City Council. an A/F meeting? Audit Presented to A/F Committee at Next Meeting. Attachments: 1 . Annual Audit Plan Amendment (Ordinance 21-274) 2. ALGA Yellow Book Peer Review Guide 3. Internal Audit Procedures Manual (Jan. 2021 ) Page 6 ORDINANCE NO. 21 274 AN ORDINANCE OF THE CITY OF DENTON AMENDING THE FY 2020-21 ANNUAL INTERNAL AUDIT PLAN; AND PROVIDING AN EFFECTIVE DATE. WHEREAS,one of the City Auditor's responsibilities is to create an Annual Audit Plan;and WHEREAS, on September 22, 2020, the City Council considered the FY 2020-21 Annual Audit Plan(the"Plan") and approved the Plan on October 6, 2021 through Ordinance No. 20-1783; and WHEREAS,on February 10,2021,the Audit/Finance Committee considered amendments to the Plan to respond to a request to delay an audit follow-up review,as presented by the City Auditor, and gave direction regarding the amendments; and WHEREAS,the City Council finds that the Plan as amended is in the public interest;NOW, THEREFORE, THE COUNCIL OF THE CITY OF DENTON HEREBY ORDAINS: SECTION 1. The recitals and findings contained in the preamble of this Ordinance are incorporated into the body of this Ordinance. SECTION 2. The City Council hereby approves the City Auditor's Amended FY 2020-21 Annual Audit Plan as depicted in the memorandum attached hereto as Exhibits "A" and "B." All other provisions of Ordinance No. 20-1783 not in conflict or amended herewith, specifically including the City Councilmember Audit and Analysis Request Policy, the shall remain in full force and effect. SECTION 3. This Ordinance shall become effective immediately upon its passage and approval. The motion to ap rove this Ordinance was made by C1 (`n e\�Z e and seconded by e O , the Ordinance was passed and approved by the following vote[ --<a]: Aye Nay Abstain Absent Gerard Hudspeth,Mayor: �L Birdia Johnson,District 1: Connie Baker,District 2: / Jesse Davis,District 3: �L John Ryan,District 4: ✓ Deb Armintor,At Large Place 5: ✓ Paul Meltzer,At Large Place 6: ✓ �L PASSED AND APPROVED this the b day of Mom(- 4- , 2021. C GERARD HUDSPETH, MAYOR ATTEST: ROSA RIOS, CITY SECRETARY • * . BY: dO i� PCD ,01111 ��\\ APPROVED AS TO LEGAL FORM: AARON LEAL, CITY ATTORNEY k.a//!/G / 00'Digitally signed by Mack Reinwand Date:2021.03.0515:14:52-06' BY: Exhibit"A" City of Denton Internal Audit Department FY 2020-21 Annual Internal Audit Plan—Amended Title Details Water Production&Distribution Review the efficiency and effectiveness of the planning, maintenance, and construction process of water production and distribution infrastructure. Building Permit Process Examine the efficiency and effectiveness of the building permitting process including review, inspection, and issuance. Municipal Court Payments Review controls over the collection of municipal fines Process and fees. Payroll Administration Review controls over payroll costs including calculation accuracy, timecard approvals,and system access. Utility Payment Assistance Review the effectiveness of the City's utility assistance Program program including public outreach,vendor contract compliance, and distribution effectiveness. Emergency Medical Services Review efficiency and effectiveness of EMS operations. Overflow Audit—Utility Meter Examine controls over clectric and water utility meter Reading reading processes including billing accuracy, data reliability, and meter maintenance. Overflow Audit—Health Examine controls over health insurance claims and Insurance Fund associated contract compliance. Risk Assessment Identify& evaluate all areas of the City based on financial, safety, and reputational risk level. Audit Follow-Up Reviews Provide information on what changes have been made in response to the following issued audits: • Police Property Room: Procedures(Jun. 2019); • Utility Street Cuts (Aug. 2019); • Roadway Quality Management(Oct. 2019); • Accounts Payable (Oct. 2019); • Police Overtime(Oct. 2019); and • COVID-19: Disaster Reimbursements(Jun. 2020) Ad-Hoc Projects Fraud, waste, and abuse Investigations and Analysis Requests from the City Council or City Management. Exhibit"B" City of Denton Internal Audit Department Division of Police Property Room Follow-Up Reviews Follow-Up Recommendation Review Type 3 Revise the General Order to ensure a background check is performed on all staff before they are assigned to the Property Room. 4 Annually verify that only authorized employees have electronic access to the Property Room. 5 Establish a formal policy for checking out evidence items. 7 Consider requiring the Dispatch Unit to monitor Property Room cameras. 8 Adjust policy to ensure that at least all high-risk inventory items are reviewed annually. 9 Work with Technology Services to implement OCR capability of LaserFische software to capture and manage evidence data to ensure the Procedures integrity of data and improve controls over evidence. 10 Eliminate Property Technicians' privilege to deletes stem records. 11 Establish a procedure to notify Property Room Unit superiors if an item is found missing. 14 Maintain an up-to-date count of currency stored in the Property Room. 15 Require an independent witness to perform or oversee the verification for high-risk items marked for destruction. 16 Maintain an independent record of high-risk items marked for destruction. 17 Necessary funding needs to be provided to the Police Department for analyzing of old,untested sexual assault kits. I Until permanent solution is found, temporarily relocate all property and evidence inventory items to the large empty warehouse behind the Narcotics office to address the short-term, critical need. 2 Require the Property Room Unit to conduct comprehensive inventory Post-Remodel count during the move to account for every item in its inventory with an (TBD-Future increased focus on necessary disposals Audit Plan) 6 Store security camera footage for at least three years and require periodic review by someone independent of Property Room staff. 12 Store all high-risk items, including those marked for destruction or deposit, in locations with enhanced security measures. 13 Install an adequate ventilations stem above all narcotics storage areas. P55°GIATIONO T Yellow Book r U) O P 1 u711 ir ,0 PJ 7 Peer Review G tide OOL-FRNMEN" Association of Local Government Auditors Peer Review G ude for Assessing Conformance w th G omernm ent Auditing Standards. 2019 Revision Copyright©2019, by the Association of Local G orernm ent Auditors All rights reserved Printed in the United States of Am erica This publication was last revised by the Association of Local G o✓ernm Ent Auditors in February 2019. The contents of this docum Ent m ay be reproduced for use by participants in ALG As Peer Review Program.Use of this guide for any other purpose requires approval by the ALG APeer Review Com mitee. For additional information, contact ALG AM Em ber Services at(859)276-0686. TABLE O FCO NTENTS ALG APeer Review G ude, 2019 Revision Date: 9/12/19 Purposeand O t ectives...................................................................................................................1 O\,erview of the Peer Review Process.............................................................................................2 Instructions.......................................................................................................................................3 Sum m ay of Steps and Form s.......................................................................................................13 Form sand Templates for a Peer Review ......................................................................................16 Form 1: ALG AStandard Review Agreement....................................................................... 16 Form 2: Q ualifications and Independence Statement.......................................................... 18 Form 3: Review Leader Checklist........................................................................................ 19 Form 4: Audit O Kganization Background Inform etion...........................................................22 Form 5: Engagements Corn Oeted and Nonaudit Services Performed ................................25 Form 6: Em ployee Continuing Professional Education........................................................26 Form 7: Audit O iganization's Description of Q uality Control System...................................27 Form 8: Review of Audit O iganization's Q uality Control System Checklist .........................40 Form 9: Review of Audit Engagement Checklist..................................................................54 Form 10: Review of Nonaudit Services Engagem ents Checklist.........................................67 Form 11: Sum m ay of Exceptions........................................................................................68 Form 12: Peer Review Survey for Audit O iganization .........................................................72 Form 13: Team Leader and Team M ern ber Survey.............................................................74 Tern plate 1: Suggested Workpaper Index............................................................................76 Tern plate 2: Staff Interviews.................................................................................................77 Tern plate 3: Corn m unication Log .........................................................................................79 Tern plate 4: Suggested Report O Onions.............................................................................80 Tern plate 5: M anagem ent Letter Form at..............................................................................86 Intentionally Blank ALG APeer Review G ude for Yellow Book Purpose and O Oectives The Association of Local G o✓ernm Ent Auditors (ALG A) is corn mited to im roving the quality of auditing in local governm Ent. We encourage local auditors to adopt and follow G (vernm Ent Auditing Standards (G AS) issued by the Com ptroller G eneral of the United States. ALG As peer review program is intended to help m em ber organizations in their efforts to m eet these standards. Peer review is a benefit of ALG Am em bership. We encourage m Em bars to use this guide for self- assessment and to prepare for and undergo a peer review. G AS requires audit organizations to have an external peer review at least once every three years. As stated in G AS, the external peer review should determ he whether, during the period under review, the reviewed audit organization's internal quality control system was adequate and whether quality control policies and procedures were being complied with to provide the audit organization with reasonable assurance of conform hg with applicable professional standards. We have designed the form scontained in the ALG APeer Review G ude to assist reviewers in making this determ nation. Audit organizations should take remedial, corrective actions as needed based on the results of the peer review. An audit organization can use the ALG APeer Review G tide as a tool to conduct a self- assessm Ent. By com pleting the Audit O iganization Description of its Q Lality Control System (Q CS Description), an organization can identify weaknesses in its internal quality control system and develop im proved procedures to help ensure com pliance with standards. Audit organizations are advised to conduct such an assessment and have controls in place before undergoing an external peer review. ALGA would like to acknowledge the following past and current m em bers of the Peer Review Comm ttee for their efforts in contributing to the Peer Review G tide: Paul G ab, Com mitee Chair, Perform nice Audit M wager, M iwaukee Public Schools M ay Jo Em aiuele, Review Coordinator, Audit M auger, City of Kansas City M a-tin Petherbridge, Review Coordinator, Audit M anager, City of Raleigh Stan Sewell, Review Coordinator, Director, City of Chattanooga Trevor William s, Review Coordinator, Chief Auditor, Florida International University Corrie Stokes, Review Coordinator, City Auditor, City of Austin Lori Brooks, Review Coordinator, City Auditor, City of Arlington Paula Ward, Review Coordinator, Retired, Washoe County School District Terrie Pyeatt, At Large M em bar, Director, Virginia Beach Public Schools Jennifer An, At Large M em ber, Perform ance Auditor, Los Angeles Police Departm Ent John Sanderlin, At Large M am ber, Retired, City of Norfolk Jim William son, At Large M ern bar, City Auditor, O Wahom aCity Erin Kenney, Com mitee Advisor, Audit M auger, Los Angeles Fire and Police Pension System If you have questions regarding the ALG APeer Review Program,the ALG APeer Review G dde, or if you would like to schedule a peer review, please contact a current Peer Review Com mitee m ember. Peer Review Com mitee m em ber contact inform ation can be obtained from the ALG A web site or M Em ber Services. 1 ALG APeer Review G ude for Yellow Book O \,erview of the Peer Review Process There are three m aior peer review phases: (1) preparation, (2) the site visit, and (3) reporting. Phase 1: Preparation The audit organization should contact ALG Aat least six m cnths before the review. In the preparation phase, a review coordinator assem tiles a team consisting of a team leader and, depending on the nature and extent of the review, a num ber of review m em bers. The coordinator works with the audit organization to ensure that the review agreement is signed and travel arrangem ents are m ade. The audit organization sends the com Oeted background inform ation and description of its internal quality control system to the team m em bers. The team begins assessing the design of the quality control system . Phase 2: The Site Visit During the site visit phase, the review team exam nes the organization's internal quality control system and a sam Oe of the audit organization's work for com Oiance with G (vernm ent Auditing Standards. In addition, the reviewers m eet with audit m anagem ent to discuss their conclusions. The team assesses the overall level of com Oiance and begins drafting their report. The site visit should generally last three to five days. Phase 3: Reporting The audit organization prepares a written response to the reviewers' conclusions. The reviewers complete and issue their final report. From the date of the exit conference, audit m anagem ent has two weeks to prepare their written response, and reviewers have four weeks to issue their report. Please see the "INSTRUCTIO NS" section for m ore detail on the peer review. 2 ALG APeer Review G ude for Yellow Book Instructions This section of the Peer Review G Ode provides instructions for audit organizations that are preparing for peer review. It also provides instructions for peer review team sto prepare for, conduct, and report the results of the review. The chart, Sum m ay of Steps and Forms, summ a zes each m ajor step in the peer review process and indicates who is responsible for each step and when it is to be com Ideted. O iganizations Undergoing Peer Review In order to prepare for the peer review, the audit organization should: • B ecom e fam liar with the ALG Apeer review process and assess its readiness for review. Thoroughly reviewing the Peer Review G Ode and talking to the review coordinator best accom dish this. (M em bers can find out how to reach their coordinator by calling m em ber services or from the ALG Aweb site). Before undergoing review for the first time, many organizations send som Bone to attend the ALG Apeer review workshop, participate in a review of another organization, or review their own work using the ALG APeer Review G Ode. M em bars can also talk to organizations that have had a peer review and obtain peer review reports from other jurisdictions on the ALG Aweb site. • S et the review period. The review period establishes the scope of the peer review. The review team will select audit and attestation reports issued during the review period, as well as nonaudit services, to assess the extent to which the work com Idied with G AS. M ost organizations select a three-year review period because GAS requires a peer review at least once every three years. However, organizations m air undergo peer review m ore often, and organizations undergoing their first review m ay select a shorter period for review. G AS requires organizations to have their first review within three years of the date they initiated their first assignm Ent in accordance with G AS. • Request peer review via ALG Awebsite. Information on the Peer Review request process is available on the ALG Awebsite at the Request a Review page. To request a review, the audit organization should com Mete the request form approximately six m cnths in advance. This form collects various information to assist the coordinator in scheduling the review. The review coordinator is responsible for selecting peer review team m em bers. G AS requires that m em bers of the peer review team have current knowledge of G AS and governm Ent auditing; be independent of the organization under review and its staff; and have knowledge on how to conduct a peer review. The coordinator will recruit a team that m eets these requirem eats. The coordinator will m ake an effort to accom m mute requests— such as recruiting team m Em bers with specific skills or experience or from nearby jurisdictions to reduce travel costs— but cannot guarantee this will always be possible. • Sign the review agreement. O rice the coordinator has recruited a team and confirmed that m Em bers are available for the requested tim e, the audit organization is responsible for entering into a written agreem ant with ALG A The coordinator drafts the agreem ent, which specifies the purpose and scope of the peer review, who will conduct the review, when it will be conducted, and how expenses will be handled. The audit organization signs the agreem Ent and returns it to the coordinator. 3 ALG APeer Review G ude for Yellow Book Peer review is a benefit of ALG Am en bership. M Em ber organizations taking advantage of the peer review program do not pay reviewers for their tim a but agree to provide personnel for peer reviews of other m em ber organizations. A Standard Review Agreem ent is included in this Peer Review G dde. • Coordinate travel arrangements. O iganizations should fully execute the review agreement before making travel arrangements. The audit organization should coordinate with ALGA M Em bar Services for travel, hotel and rental car arrangem efts for team m EM bers, in alignm ant with the ALG Apolicy on travel for peer review team S. The audit organization should ensure that the hotel they are recom m a9ding for the review team is in a safe area, not undergoing any construction or renovations, and affords the team the opportunity to dine at places other than the hotel if a rental car is not provided. The audit organization should provide information on airport transfers and ensure adequate transportation to and from the hotel to the office if a rental car is not provided. • C om#ete and send Audit O iganization Background Inform anon Form and Audit O iganization's Description of Q tality Control System Form to peer review team m ern leers. The organization is responsible for sending com pleted form sand requested supporting docum efts to team m em bars at least one m cnth before the site visit. The Background Inform etion Form provides the team with inform etion about the organization such as the num bar of staff, office budget, audit authority, types of work performed, and time spent on each type of work. Because G AS recognizes that the nature and extent of an audit organization's internal quality control system depends on a number of factors, this information provides context that helps the team understand the organization's internal controls. The Background Information Form requires the organization to quantify all engagements, nonaudit services, and other types of work com pleted during the review period. G AS defines and prescribes standards for conducting financial audits, attestation engagem ants, perform once audits and nonaudit services. The organization lists the num ber of reports or other work products com pleted following these standards on the Background Inform ation Form and estimates the percent of time spent on the different types of work. A related form ,the List of Engagem ents Form, provides a form A for listing all engagements com pleted during the review period. This information helps the coordinator identify team m Em bars and helps the team leader plan the review. The Background Information Form also requires the organization to provide inform etion regarding the audit organization's com pliance with continuing professional education requirem efts. The form requires the organization to list all staff perform hq work in accordance with G AS and quantify the am cunt of CPE received during each year of the reporting period. Evidence supporting the am cunt of CPE reported should be m ade available during the peer review's site visit. The Description of Q CS Form provides the team with a narrative description of how the organization ensures G AS com pliance. Use the form to describe what the organization does and supplem ant the descriptions with references to specific policies and procedures or other relevant documents. The team will use the Description of Q CS Form to begin assessing the organization's internal control system . If additional information or clarification is needed, the Team Leader will com m unicate with the audit organization prior to the site visit, as tim a perm ts. The audit organization should respond to requested 4 ALG APeer Review G ude for Yellow Book inform etion in a tim dy m anner. Developing an understanding of procedures before the site visit will allow the team to conduct engagem Ent reviews effectively. Keep in m hd that the Peer Review G ude and form s sum m atize the requirem efts in the standards. If uncertain about the intent of a question or step, please review the standards and feel free to ask the coordinator questions at any tim eduring the review. • A rrange access to files. If the audit organization uses electronic work papers, all security access should be arranged prior to the site visit, including sign-ons, passwords, etc., for all team m ern bers. The audit organization should test the access and wi-fi capability prior to the team's arrival. The organization should alert the team leader before the on-site portion of the review if work papers for som eengagem eats are not stored on site or are not easily accessible. To facilitate retrieval when records are stored off-site and upon request, the team leader will provide the list of sam Oed engagem ents the Thursday before the scheduled site visit. During the on-site portion of the peer review, the audit organization should: • Provide workspace. The organization should provide the review team with adequate work space, including opportunities for private discussions. The team m air bring their own com puter(s), but m air also need access to a corn puter and/or printer for writing the report. Internet access is required to allow the team to access peer review form s, templates and guidance. If you are unable to provide internet access, the organization should arrange an acceptable alternative. If access to electronic records retention systems is required, the organization shall ensure access is provided to the team concurrently with the start of the peer review. • Participate in an entrance conference. The entrance conference provides an opportunity for audit m anagem Ent to m eet the team and discuss any issues or concerns about the review. • Ensure requested staff and documents are available to reviewers. GAS requires the peer review to include review of policies and procedures, audit and attestation reports, other docum efts related to standards such as CPE records and personnel m aiagement files, and interviews with various levels of professional staff to assess their understanding of and com pliance with procedures. G AS requires peer reviewers to select engagem ents for review that provide a reasonable cross section of the organization's work. All auditors who have performed work on engagements reviewed by the peer review team should be on site or be m ade available if requested by the peer review team . The organization should ensure that prior peer review work papers, if applicable, are available to the team . • Ensure communication. The audit organization shall designate a liaison to ensure daily com m unications with the peer review team .Audit m anagem ent, directors, and staff, shall be available as required for peer review purposes. The liaison shall work with the peer review team leader in the event interviews with board m er bers or other senior officials are requested. • D iscuss prelim nary findings and conclusions with team. The review team will m eet with audit m aiagem eit to discuss prelim hary conclusions. This m eeting should provide an opportunity for the audit organization to respond to the team's questions and offer 5 ALG APeer Review G ude for Yellow Book additional inform ation as needed. • Participate in an exit conference. The review team will brief audit m anagem ent on its final conclusions during the exit conference. The team should share a draft report or outline before or during the meeting. Audit management may provide additional comments at this tim e The exit conference also provides an opportunity for reviewers to share inform al com m Ents. After the on-site portion of the peer review, the audit organization should: • Prepare written response to the report. M anagem ent's response is appended as part of the final written report. The organization is responsible for preparing the written response and sending it to the review team leader within two weeks after the review. Organizations are often able to com plete the response while the team is still on site. • Alb ke report available. G AS requires audit organizations to transm it their peer review reports to the appropriate oversight body. G AS also requires the audit organization to m eke peer review reports publicly available. • C om p'ete travel reim bursem ants. ALG AM em ber Services will submit an invoice to the organization for travel, hotel, and other agreed upon expenses for team m em bers. The audit organization should pay this invoice promptly. • Retain peer review work papers. The peer review team will com pile a set of work papers documenting their review. The work papers are the property of ALGA Audit organizations are responsible for m antaining the work papers at least until com pletion of the following peer review. ■ Provide feedback about the review to the ALGA Peer Review Com mtitee. The Peer Review Com mtitee appreciates feedback from organizations undergoing review. Please com Pete the Peer Review Survey for Audit O iganization form contained in this Peer Review G Ode and send it to the Peer Review Com mtitee Chair. The Peer Review Com mtitee will use the inform ation to im prove the peer review process and tailor training to address identified needs. Peer Review Team Throughout the review, the review leader should refer to the Review Leader Checklist to ensure all tasks are accom plished. Before the on-site portion of the review, the team leader and team m em bers should: • 05 twin copy of signed Review Agreem ent. The team leader will retain the signed copy for the work papers. • C om#ete the Q Lalifications and Independence Statem Ent. The Q ualifications and Independence Statem ent docum ents that each m em ber of the team com plies with the GAS requirements for m em bers of an external peer review team . M em bers should send copies of the com pleted Q ualifications and Independence Statement to the review coordinator who will send them to the organization under review and the team leader. The 6 ALG APeer Review G ude for Yellow Book team leader will retain copies for the work papers. • D eterm he the audit organization's dress code and needs. Communicate with audit organization regarding organization's dress code. Inquire whether the organization would like a form al presentation of the peer review report or a m eating with officials for whom the organization reports. If a presentation or m eating will be held, m cre form al attire m air be needed. • Coordinate with ALG AM en bar Services on travel arrangements. Review team m em bers should coordinate with ALG AM em bar Services to m eke travel arrangements in accordance with the Peer Review Travel Policy. No travel arrangements should be made prior to a fully executed Review Agreem ent. • R eview the Peer Review G tide and G aernm ant Auditing Standards. M em bars of the review team should review the Yellow Book Peer Review G ude and the form sand related docum ents provided by the organizations. Team m ern bars should keep in m hd that the Peer Review G ude and form ssum maize the requirem ants in the Standards. If uncertain about the intent of a question or step, team m em bars should read the standard and discuss with the team leader. The team leader should feel free to ask the review coordinator questions at any tim a during the review. • Review form sand related documents provided by the audit organization. The audit organization is responsible for sending com Meted forms and supporting documents to team m em bars at least one m cnth before the on-site portion of the peer review. Team Leaders should coordinate a review of the docum ants by all team m Em bars. The purpose of the docum eit review is for all team m em bars to gain an understanding of the audit organization's procedures, the organizational environm Ent, and the types of work the audit organization conducts prior to arrival. If team m em bars have questions or areas needing further clarification, the Team Leader should communicate this with the organization prior to the site visit as tim a perm ts. The team leader should use the docum ants to begin assessing the quality control system and to plan the review— including types of engagem ants, additional supplem entary docum entation, and potential interview questions. • A ssess com#eteness of audits/engagem ents com#eted and nonaudit services perform ed. The team leader should test the com pleteness of the engagement list using operational reports issued by the organization such as annual reports, audit plans, or internal m anagem eit records such as tim a reports and engagem Ent num bering control logs. Determ he whether there are incom Oete or term hated projects and/or perform a reasonableness test of hours charged to projects to available time. • S elect engagem efts for review. The team leader is responsible for selecting engagem ants for review. The engagem ents should represent a reasonable cross-section of types of work, audit supervisors, and auditors-in-charge throughout the review period. The review should be sufficiently com prehensive to provide a reasonable basis for concluding whether the audit organization com died with its system of quality control and whether the system provided reasonable assurance that the organization's work com plied with standards. There is no prescribed form da for sam ple size, but it does depend to som eextent on the num bar and type of engagem ants conducted during the review period. As an exam Pe, a team reviewing an organization with 30 engagem ents during the review period m fight select 6 to 8 engagem efts to review. If nonaudit services are perform ed, at least 1 or 2 of these activities should be reviewed. The team leader should determ he 7 ALG APeer Review G ude for Yellow Book whether work papers for som eengagem ents are stored off site or are not easily accessible. To facilitate retrieval of off-site work papers, the list of sam ple engagem arts m ay be provided to the audit organization on the Thursday before the site visit. • Verify access to audit docum entation. If the audit organization uses electronic work papers, the team should ensure that all security access has been arranged prior to the site visit, including sign-ons, passwords, etc., for all team m en bers. O nce on site, the peer review team should: • C onduct a planning m eeting. The reviewers should hold a planning m eeting prior to the entrance conference with the audit organization. The m eeting provides an opportunity for the team leader to orient team m en bers, m ake assignm ents, and set a tim dine for com pleting the Q CS and audit engagement reviews. The team leader should follow the Review Leader Checklist included in this G ude to ensure all review steps are com pleted. • Conduct entrance conference. The team leader is responsible for holding an entrance conference with the team and audit organization to introduce the team,provide an overview of the process, and discuss any issues or concerns the organization m ay have about the review. Request the audit organization designate a liaison responsible for com m unicating all issues to audit personnel. Rem hd audit organization to com plete Peer Review Survey upon conclusion of the review and send to the Peer Review Com mitee Chair. • S et up tim dine with the Peer Review Coordinator for the week's activities. Plan to provide a Sum m ay of Exceptions to the Peer Review Coordinator by Wednesday and schedule m eeting for Wednesday or Thursday to discuss the results of the review with the Peer Review Coordinator. • Follow-up on issues from m cast recent peer review. Assess whether any uncorrected weaknesses from the previous review will im pact the current review procedures, report, or m anagem eit letter. • Conduct peer review fieldwork, including Q CS and engagem Ent reviews. GAS requires that peer review m ethods include a review of policies and procedures, audits and attestation reports, and other documents related to standards such as CPE records and personnel m anagem eit files related to hiring, evaluating, and assigning em ployees. G AS also requires that the review include interviews with professional staff to assess their understanding of and com pliance with relevant internal quality control procedures. The purpose of the Q CS review is to assess whether the organization's system of internal control is adequate to ensure that the organization is following applicable G cvernm Ent Auditing Standards. The team leader is responsible for com pleting the final QCS review form. This should be accom plished by reviewing the Q CS description, soliciting input from team m en bers, and com paring relevant policies and procedures, and other docum efts as necessary including training records and personnel files to confirm com pliance with procedures. The team should also interview select m ariagem eit and staff to clarify actual practices and assess their understanding of controls and follow-up on prior peer reviews, if applicable. The organization should m eke work papers from the prior peer review available to the team . 8 ALG APeer Review G ude for Yellow Book The purpose of the review of audit engagem ents is to test whether the organization followed its system of internal control and com died with applicable G overnm Ent Auditing Standards on a representative sam ple of engagem ents conducted throughout the review period. Peer review team m ern bers com Mete one form for each engagem Ent selected by reviewing the report and supporting working papers. The reviewers should also interview the auditor in charge or audit staff as necessary. Frequent com m unication with m aiagem ent and staff throughout the review is helpful to prevent m sunderstanding. Prelim nary issues and questions should be discussed with the audit organization liaison as fieldwork is conducted to ensure the audit team has a thorough and accurate understanding of their process. Further, the team leader should be communicating with the Peer Review Coordinator throughout the week, beginning early in the week, to update the Coordinator on progress of the review and any issues that appear to be developing. At a m him um,contact the Coordinator by Tuesday afternoon to report on the team's progress and any identified issues. Corn m unication between the team,the review coordinator, and the audit organization can be documented using a communication log. • How and when to review nonaudit work. GAS recognizes that the provision of nonaudit services m ay create an im pairm ent to audit organization independence. Therefore, G AS prescribes safeguards the audit organization m ust follow when perform ng certain types of nonaudit work. The organization is required to docum Ent its assessm Ent of independence threats created by perform ng the nonaudit service and all safeguards applied. G AS requires that for individual audits selected for inspection during peer review, all related nonaudit services should be disclosed to the peer review team and the required docum entation m ade available for review. The ALG Apeer review process requires that the audit organization describe its body of work, including nonaudit services, to the peer review team before the team selects engagements for review. O iganizations are also required to list the num ber of hours spent on nonaudit services related to audits com Ideted during the review period. The peer review team should consider whether nonaudit services were performed when selecting audits for review. In addition, the team may wish to exam he nonaudit docum entation for work unrelated to audits the organization conducted in order to test whether the organization docum ented their assessment of independence threats and application of required safeguards. • Routine activities not considered nonaudit services. O iganizations m ay also conduct routine activities as described in G AS, such as answering technical questions that do not require the organization to im Idem ent safeguards required when conducting nonaudit services. The purpose of an ALG Apeer review is to assess whether the organization's internal quality control system is suitably designed to provide reasonable assurance that the organization is following applicable standards. In general, the team would not need to review work relating to routine activities if it represents an insignificant am cunt of the organization's overall body of work, and the organization has clear policies and procedures describing how it determ nes whether G AS are applicable. • C om#ete Sum m.Ty of Exceptions Form. The review team records exceptions (item s m a-ked "No" on the Q CS and engagem Ent reviews) on the Sum m ary of Exceptions Form and determ nes whether the exception was likely to have had a negative im pact on audit quality. Team m ern bars should use professional judgm Ent when m aking these determ nations. Keep in m nd that the nature and extent of an organization's quality control system depends on a num ber of factors — including the size of the shop, 9 ALG APeer Review G ude for Yellow Book experience of staff, and type of work performed. Com pliance can be achieved in m ultiple ways and the team should keep in m nd the purpose is to assess the organization's quality control system from a global perspective. Further, the team should consider com pensating controls that are in place. The sum m ay should provide the basis for identifying patterns or recurring noncom pliance. • D iscuss prelim nary findings and conclusions with the Peer Review Coordinator. The review team should discuss conclusions and the resulting overall opinion, recom m(ndations, and m anagem Ent letter com m eits. The review team should then share with the Coordinator prior to discussing with audit organization. • D iscuss prelim nary findings and conclusions with m anagem ent. The review team is responsible for m eeting with audit m anagem ent to discuss prelim nary conclusions. As mentioned above, the audit team should have been discussing questions and areas of concern with the organization throughout fieldwork so there are little to no surprises during this discussion. This m eeting should provide an opportunity for the organization to respond to questions and offer additional inform etion as needed. • D eterm i7e the overall level of com#iance. The peer review process is designed to assess the audit organization's overall level of com pliance with G overnm ant Auditing Standards based on the answers to two questions: 1. Lid the audit organization have an internal quality control system that provided reasonable assurance that audit work conducted was in accordance with applicable governm Ent auditing standards? 2. ❑d the audit organization follow its system of internal control and com Oy with applicable governm Ent auditing standards in the work it conducted during the period under review? The Q CS review and related testing answers the first question. The engagement reviews and related testing answer the second question. The answers to these questions help the team develop an opinion on overall com Piance. There are no quantitative criteria for determ ping the overall level of com Oiance. The peer review team m ist exercise professional judgment in considering the pattern, pervasiveness, and significance of exceptions given the overall size and nature of the audit organization reviewed. Keep in m nd, there are m ultiple ways to achieve com pliance. The ALG Apeer review process results in the issuance of one of three types of reports, depending on the level of com pliance: Peer Review Rating of Pass. The Pass rating is expressed when the audit organization was in full com Fiance with G overnm ent Auditing Standards over the review period. Reviewers are expressing their professional opinion that the quality control system was suitably designed and operating effectively to provide reasonable assurance of com pliance with applicable G AS. A rating of pass does not necessarily im ply that the organization com plied with G AS in every case— individual judgm Ent and perform ance vary and can affect the extent of com pliance. Peer Review Rating of Pass w kh Deficiencies. The Pass with Deficiencies rating is expressed when the audit organization was in substantial com pliance with G overnm ent 10 ALG APeer Review G ude for Yellow Book Auditing Standards over the review period. Reviewers are expressing their professional opinion that the audit organization had some deficiencies in its quality control system that resulted in recurring instances of noncom pliance with G AS, although the m a ority of its work substantively com plied with G AS. Peer Review Rating of Fail. The Fail rating is expressed when the audit organization did not com ply with G overnm ant Auditing Standards over the review period. Reviewers are expressing their professional opinion that the audit organization had serious deficiencies in its quality control system that resulted in recurring noncom pliance with G AS and there was a strong likelihood of negative im pact on audit quality. • D raft rating report and m anagem ent letter. The peer review team should draft the rating report and m anagem Ent letter prior to the exit conference. Suggested form ats for the opinion report and m anagem ent letter are included in this Peer Review G ude. The team leader should am al the drafts along with the Sum m ay of Exceptions form to the Peer Review Coordinator prior to providing drafts to the audit organization. The Peer Review Coordinator and Team Leader should aim to discuss the draft and sum m ay of exceptions by the close of business on Wednesday. Suggested form ats for the report are included in this G ude. The rating report should indicate the scope of the review and any lim Cations to scope and should express an opinion on whether the organization's system of quality control was adequate and effectively operating during the review period to provide the organization with reasonable assurance of G AS com pliance. In cases of m odified or adverse com pliance, the report should describe the reasons for the modified or adverse opinion, along with a detail description of the findings and recom m e9dations. Each finding should refer to a specific standard. The rating report should refer to a m anagem ent letter if one is issued. The m anagem Ent letter provides an opportunity for the team to provide form d feedback to the organization — both to recognize strengths and to m eke recom m a9dations for im p-ovem ants. In cases of Pass with Deficiencies or Fail ratings, the m anagem ant letter should not repeat the findings included in the report. The letter should provide observations related to standards for which com pliance was at risk of not being m et and suggestions for strengthening related processes. A m anagem Ent letter is not required in cases of full com pliance, but m ost audit organizations appreciate the feedback from their peers. The team should develop com m aits based on their review work, sum m ay of exceptions, and feedback from audit m anagem ent. M anagem ent letter com m a9ts should refer to a specific standard and should be a result of noncom pliance. The team leader should talk to the Coordinator about proposed com m ants and recom m e9dations before drafting the m anagem rant letter or should ask the Coordinator to review a draft of the m anagem ent letter before sharing it with the audit organization. Advocacy-related com m a9ts should not go into the m anagem ent letter but m ay be referred to the Advocacy Com mtitee. • C onduct an exit conference. The review team provides audit m anagem ent with a briefing on final conclusions during the exit conference. The team should share a draft opinion report and m anagem rant letter before or during the m eating. Audit m anagem Ent m ay provide additional com m(nts at this tim e The exit conference also provides an opportunity for reviewers to share verbal com m eits. Verbal com m a9ts do not need to be documented in the work papers. Determ he whether the audit organization will be providing a written response prior to you leaving for hom e 11 ALG APeer Review G ude for Yellow Book • Prepare the final report(s). Teams typically com Mete and sign the report before leaving the site. However, ALG As agreem Ent provides that the review team has four weeks from the exit conference to issue the final report(s), which includes the audit organization's written response. The team leader should address all reports to the head of the audit organization. The standard report cover, report, and m anagem ent letter tem Oates are available on ALG As web site The report should state that the team used the Peer Review G Ode to conduct the review in accordance with Standards for conducting an ALG Apeer review. The team leader is responsible for distributing copies of the final report to the audit organization, Peer Review Com mitee Chair, and Review Coordinator. • C om ple work papers. The team leader is responsible for com pling work papers. A suggested work paper index is included in this G Ode. At a m him urn,work papers should include: a copy of the signed review agreem Ent, copies of the reviewers' Q Lalification and Independence Statem ents, all Peer Review G Ode form scom{feted as part of the review, sum m aies of m aor item sdiscussed at the entrance and exit conferences, and copies of the opinion report, m anagem eit letter, and audit m anagem ent's form al written response. The team leader should complete work papers to the extent possible while still on site but no later than four weeks after the exit conference. The audit organization is responsible for retaining the work papers. • R em nd audit organization to com pete the Peer Review Survey for Audit O ganization. The audit organization should em ail the com Oeted survey to the Peer Review Com mitee Chair. • R em nd audit team to com#ete Team Leader and Team M em bar Survey. Ask team m em bers to em al their com Meted Team Leader/M em ber Surveys to the Peer Review Com mitee Chair. The team leader should complete a Team Leader/M em ber Survey and em al it to the Peer Review Com mitee Chair. • Com#ete the Travel Expense Report and subm t to M em ber Services. Each team m en ber should complete the travel expense report for out-of-pocket costs (e.g. ground transportation, per diem m eals and incidentals) and subm k it along with supporting docum entation to M Em ber Services. Expenses should com py with the ALG Atravel policy for peer review team s. 12 CITY OF DENTON Internal Audit Department Procedures Manual January 2021 Version 2.0 Approved and distributed by: Madison Rorschach, City Auditor &I- 1010M Effective Date: 01/21/2021 DENTON Last Update: 05/12/2021 Table of Contents AuditDepartment Structure.....................................................................................................................3 Authority & Duties ...................................................................................................................................3 CoreValues.............................................................................................................................................3 Standards.................................................................................................................................................4 Ethics.........................................................................................................................................................5 AuditDepartment Services.....................................................................................................................6 AuditProjects ..........................................................................................................................................6 ConsultationProjects..............................................................................................................................7 InvestigativeProjects..............................................................................................................................9 AuditProject Selection..........................................................................................................................10 AnnualAudit Plan................................................................................................................................. 10 City-wide Risk Assessments .................................................................................................................. 10 AuditFollow-Up Reviews......................................................................................................................11 CityCouncil Project Requests............................................................................................................. 1 1 ProjectScheduling................................................................................................................................1 1 Audit Project Initiation............................................................................................................................12 ProjectOrganization............................................................................................................................. 12 StaffAssignment....................................................................................................................................13 StaffIndependence.............................................................................................................................13 InitiationLetter.......................................................................................................................................14 Entrance Conference..........................................................................................................................15 AuditProject Planning...........................................................................................................................16 Reference Information Collection...................................................................................................... 16 ProcessPacket...................................................................................................................................... 16 WorkPlan............................................................................................................................................... 17 AuditProject Fieldwork..........................................................................................................................19 ConductingFieldwork..........................................................................................................................19 Audit Methodology and Evidence.....................................................................................................19 AuditSampling......................................................................................................................................20 Responsibilities Regarding Fraud.........................................................................................................21 Audit Fieldwork Work Papers...............................................................................................................22 AuditProject Reporting..........................................................................................................................24 EvidenceAssessment...........................................................................................................................24 Overviewof Findings ............................................................................................................................25 Reference and Draft Report................................................................................................................25 ExitConference ....................................................................................................................................28 Management Response & Final Report.............................................................................................29 Presentation...........................................................................................................................................29 PublicRelease.......................................................................................................................................30 QualityControl Program........................................................................................................................31 Standards Verification Processes........................................................................................................31 Recommendation Tracking.................................................................................................................31 Post-Audit Feedback Survey...............................................................................................................32 Continuous Professional Development..............................................................................................32 AnnualEthics Pledge.............................................................................................................................35 StaffAssignment Form ...........................................................................................................................36 Auditor Independence Evaluation Form..............................................................................................37 Page12 &I- 100M Effective Date: 01/21/2021 DENTON Last Update: 05/12/2021 Audit Department Structure The purpose of this manual is to establish policies and procedures to help ensure that the City Auditor and the Internal Audit Department's work is conducted in a consistent, fair, and professional manner and complies with Generally Accepted Government Auditing Standards (GAGAS). Authority & Duties The Internal Audit Department was established in accordance with the City of Denton Charter Article VI, Section 6.04. The City Internal Auditor is appointed by and serves at the pleasure of the City Council and the position must be held on a continuous, fulltime basis. The Internal Audit Department functionally reports to the Audit and Finance Committee and City Council and is considered structurally independent in accordance with GAGAS 3.56. Section 6.04 of the City Charter states, "the City Internal Auditor is responsible for providing: (a)An independent appraisal of City operations to ensure policies and procedures are in place, and complied with, inclusive of purchasing and contracting; (b)Information that is accurate and reliable; (c)That assets are properly recorded and safeguarded; (d)That risks are identified and minimized; (e)That resources are used economically and efficiently, and that the City's objectives are being achieved; and The City Internal Auditor is responsible for directing all internal audit functions of the City of Denton to eliminate waste, fraud, and abuse." Core Values This manual is intended to reflect the following core values of the Internal Audit Department: • Accountability. The Internal Audit Department believes that government officials and agencies, including itself, are accountable to all Denton residents for their performance, use of resources, stewardship of assets, and ethical conduct. Page13 &I- MMOM Effective Date: 01/21/2021 DENTON Last Update: 05/12/2021 • Transparency. The Internal Audit Department believes free and open access to information is necessary for government officials and agencies to be accountable to all Denton residents. • Integrity. The Internal Audit Department conducts work and reports results fairly, honestly, objectively, and independently. The Department strives to be accurate but will publicly acknowledge and correct its mistakes. • Quality. The Internal Audit Department is committed to producing high- quality work that adds value to City operations and the public well-being. The Internal Audit Department continuously strives to evaluate and improve its performance. Standards The Internal Audit Department is committed to producing high-quality, value- add audit work. This is accomplished by performing audit work in accordance with Generally Accepted Government Auditing Standards (GAGAS), which are promulgated by the Comptroller General of the Unites States and published by the United States Government Accountability Office (GAO). These standards relate to the scope and quality of audit work and establish characteristics for professional and meaningful audit reports. The Internal Audit Department will follow GAGAS when performing all audit projects. Those standards should be considered to be incorporated into this manual by reference. This manual describes the policies and procedures to be followed when conducting audits, as well as the quality control systems to monitor and ensure compliance with GAGAS. The Internal Audit Department will routinely refer to GAGAS when performing its work to ensure compliance with the detailed requirements of each standard. If a situation arises where any GAGAS standard was not followed, the City Auditor will: 1 . Assess the significance of the noncompliance to the engagement objectives; 2. Document the assessment, along with the reasons for not following the requirement(s); and 3. Determine the type of GAGAS compliance statement to be issued in the report. Page14 &I- MMISM Effective Date: 01/21/2021 DENTON Last Update: 05/12/2021 Ethics The following ethical principles provide a framework for applying GAGAS. Each year, Internal Audit Department audit staff will be required to complete an Annual Ethics Pledge at the beginning of each fiscal year attesting that they will adhere to these ethical principles throughout the course of that year's audit work. • The Public Interest. A distinguishing mark of an auditor is acceptance of responsibility to serve the public interest, which is defined as the collective well-being of the community of people and entities that the auditors serve. • Integrity. Public confidence in government is maintained and strengthened by auditors performing their professional responsibilities with integrity, which includes auditors performing their work with an attitude that is objective, fact-based, nonpartisan, and nonideological with regard to audited entities and users of the audit reports. • Objectivity. Auditor's objectivity in discharging their professional responsibilities is the basis for credibility of auditing in the government sector. Objectivity includes independence of mind and of appearance when conducting engagements, maintaining an attitude of impartiality, having intellectual honesty, and being free of conflicts of interest. • Proper Use of Government Information, Resources, and Positions. Government information, resources, and positions are to be used for official purposes and not inappropriately for the auditors' personal gain or in a manner contrary to law or detrimental to the legitimate interests of the audited entity or audit organization. • Professional Behavior. High expectations for the auditing profession include complying with all relevant legal, regulatory, and professional obligations and avoiding any conduct that could bring discredit to the auditors' work, including actions that would cause an objective third party with knowledge of the relevant information to conclude that the auditors' work was professionally deficient. Page15 &I- 100M Effective Date: 01/21/2021 DENTON Last Update: 05/12/2021 Audit Department Services In order to carry out the duties of the City Internal Auditor while aligning with the values of the Internal Audit Department, the Department generally offers three types of services under which projects can be performed. The type of service to be performed is dependent on the objectives of the project. Audit Projects During an audit project the Internal Audit Department performs an evaluation of City processes in general. GAGAS defines different types of audit projects that can be performed depending on the objectives. Projects may have a combination of objectives that include more than one type of audit, which include the following: • Performance Audits. The primary purpose of a performance audit is to evaluate the performance and management of government programs or functions compared with objective criteria or best practices. Performance audits may be broad or narrow in scope and encompass a variety of objectives, including assessing program efficiency, effectiveness, internal control and compliance with legal or other requirements; and objectives related to providing prospective analyses, guidance, or summary information. Performance audits provide information to improve program operations and also facilitate decision making by management with responsibility for overseeing or initiating corrective action and improving public accountability. This is the primary type of audit project that the Internal Audit Department performs. Follow-up reviews of a performance audit are considered to be part of the audit project and should be performed per the audit project procedures laid out in this Manual. To prevent project scope creep, the objectives of an audit follow-up review are largely limited to verifying and evaluating process changes made in response to issued audit recommendations. • Attestation Audits. The primary purpose of an attestation engagement is to determine whether a management report or assertion is consistent with stated criteria that are the responsibility of another party. Attestation engagements may cover a broad range of financial or non-financial subjects, provide different levels of assurance based on user needs, and can be part of financial or performance audits. The three types of Page16 &I- MMOM Effective Date: 01/21/2021 DENTON Last Update: 05/12/2021 attestation engagement as defined by GAGAS 1 .18 are as follows: Examinations, Reviews, and Agreed-upon Procedures. • Financial Audits. The primary purpose of a financial statement audit is to provide financial statement users with an opinion by an auditor on whether an entity's financial statements are presented fairly, in all material respects, in accordance with an applicable financial reporting framework. Reporting on financial statement audits conducted in accordance with GAGAS also includes reports on internal control over financial reporting and on compliance with provisions of laws, regulations, contracts, and grant agreements that have a material effect on the financial statements. While the City Internal Audit Office does not conduct the annual audit of the City's financial statements, financial audits in conjunction with other audit objectives may be conducted. Consultation Projects As the independent, objective appraisal function of the City, the Internal Audit Department is uniquely suited to be a resource to City departments as they work to improve their operations. As such, departments may reach out to the Internal Audit Department to request a consultation. In general, these consultation projects may be the following types: • Analysis. The primary purpose of an analytical consultation project is to provide City management or City Council with an objective, independent evaluation of a specific process or procedure in a defined situation. These projects should generally be performed and documented per audit project procedures; however, they differ in several critical ways: 1 ) Scope. While audit projects evaluate a process or function in general, analyses evaluate a process or function in a defined instance. For example, the City has a standard procurement process that may be evaluated as part of a performance audit project. An analytical consultation project may evaluate how this process was applied to a specific procurement. 2) Objectives. The objectives of analysis reports are typically collaborative developed and agreed upon by the Internal Audit Department and the consultation requester, whereas the objectives of audit reports are defined by the Internal Audit Department alone based on the risks identified. Page17 &I- MMOM Effective Date: 01/21/2021 DENTON Last Update: 05/12/2021 3) Recommendations. The Internal Audit Department does not issue recommendations as part of Analysis Reports and so does not perform associated follow-up reviews. 4) Reporting. The Internal Audit Department does not make recommendations based on analytical consultation projects. In addition, while the results of all audit projects must be communicated to the City Council, this is not a requirement for Analyses. Still, if an analysis report is not communicated to the City Council, the reasons for this should be clearly documented. Per TSLAC GR1 000-41 a(2), Analysis reports should be permanently retained. • Advice. The primary purpose of an advisory consultation project is to provide information to City management or City Council based on the Internal Audit Department's internal control and process improvement expertise. This type of consultation may involve reviewing draft policies and procedures, serving on City committees or task forces, responding to questions about audit recommendation implementation, and more. The Internal Audit Department should take care to document the information and advice provided to departments as part of advisory consultation projects. • Data Assistance. The primary purpose of a data assistance consultation project is to aid City management by using specialized audit analytical software to perform specific analytical tasks that management may otherwise be unable to perform efficiently or effectively. These types of analytics may include comparing sets of data to identify duplicates or discrepancies, manipulating sets of data to improve their usability or provide more meaningful information, or evaluating sets of data to identify trends and exceptions. The Internal Audit Department should take care to document the analytics performed and data provided to departments as part of data assistance consultation projects. GAGAS recognizes that provision of these non-audit services may create a personal impairment to the independence of an audit organization and therefore limits the type of non-audit work that may be conducted. Before beginning any consultation project, the City Auditor should assess whether providing such services would create a threat to the Internal Audit Department's independence by referring to GAGAS 3.64 through 3.84. Specific actions to avoid include: ➢ Voting on any issue that include internal controls, program objectives, etc.; Page18 &I- MMOM Effective Date: 01/21/2021 DENTON Last Update: 05/12/2021 ➢ Participating in designing or implementing internal controls; ➢ Providing management functions or making management decisions; and ➢ Accepting responsibility, such as a director or member of management, of a program that may be audited. In order to facilitate this assessment, the City Auditor shall be responsible for maintaining a log of all consultation projects performed. This log should include information about when the consultation was performed, the consultation type, the requesting Department, and a brief description of the services provided. In addition, the City Auditor should document on the log their assessment of the non-audit service with respect to the GAGAS Conceptual Framework for Independence. Per TSLAC GR1 000-41 a(5), Consultation Project Logs should be retained for three years. Investigative Projects [Reserved] Page19 &I- 1010M Effective Date: 01/21/2021 DENTON Last Update: 05/12/2021 Audit Project Selection Annual Audit Plan The Internal Audit Department is responsible for preparing and submitting an annual audit plan to the Audit/Finance Committee and City Council for review, comment, and approval before the beginning of each fiscal year. The City Attorney's Office requires the annual audit plan be approved by the City Council via ordinance to exempt audit work papers from the Texas Open Records Act. When developing the annual audit plan, the Internal Audit Department identifies potential audit topics based on several factors: ➢ City-wide assessments of financial and operational risk; ➢ Feasibility of audit projects including sensitivity, complexity, and difficulty; ➢ Impact of the audit projects including the types of risks and processes to be reviewed; ➢ Breadth and depth of audit coverage across the City; ➢ Availability of resources including staff time and training, technology, and budget. The Internal Audit Department may amend the annual audit plan based on requests, legislative directives, unanticipated developments in projects, or unprecedented events. Annual audit plan amendments must be presented to the City Council for approval via ordinance. If an audit project is terminated before completion and a report is not issued, the City Auditor will report to the Audit/Finance Committee the results of the work to the date of termination and why the engagement was terminated. Per TSLAC GR1000-41 a(1), Annual Audit Plans should be permanently retained. City-wide Risk Assessments The Internal Audit Department mainly selects audit projects using a risk-based identification process. In order to ensure risks are identified and reevaluated adequately, the Internal Audit Department conducts a City-wide risk assessment every three to five years. This risk assessment evaluates risk across the City both quantitatively and qualitatively and the results are reported to the Audit/Finance Committee. During years in which no City-wide risk assessment is conducted, the Internal Audit Department performs a limited risk assessment when developing the Page 110 &I- 1WOM Effective Date: 01/21/2021 DENTON Last Update: 05/12/2021 annual audit plan. This risk assessment serves as an updated to the City-wide risk assessment and detailed results are not reported to the City Council. Audit Follow-Up Reviews In order to facilitate accountability and measure effectiveness, the Internal Audit Department performs audit follow-up reviews as necessary for each audit performed. These reviews should generally be scheduled between six and eighteen months after an audit report has been issued and should be included on the Annual Audit Plan as an audit project. City Council Project Requests Occasionally, the City Council may request the Internal Audit Department perform services outside of the established annual audit plan. A process to address these requests has been adopted by the City Council via Ordinance 20- 1783. This Ordinance and the adopted processes are incorporated by reference into this manual. Any changes to the City Council Project Request process must then be presented to the City Council and adopted via Ordinance. Project Scheduling Once an annual audit plan has been established, the Internal Audit Department will develop an annual audit schedule that generally outlines when each project will begin and how long it will last. In addition, key dates throughout each audit project are recorded on the schedule. This schedule is updated as needed and shared with the City Manager's Office Review Team who communicates it to City leaders as appropriate. Page 111 &I- 1010M Effective Date: 01/21/2021 DENTON Last Update: 05/12/2021 Audit Project Initiation Project Organization An audit project is generally made up of a collection of work papers that should be organized in a logical manner and consistently filed. All information used in an audit should be documented in a work paper and stored electronically on the Internal Audit Department's S: Drive in one of the following folders: A. Administration. Stores information that is generally used to manage the project; B. Background & Criteria. Stores information that is referenced throughout the project such as key documents, data and reports produced by City management; C. Fieldwork. Stores all information and analysis produced by the Internal Audit Department to conduct the audit; and D. Reporting. Stores all documents used to communicate audit findings and recommendations. Other folders may be created as needed. For example, the auditor may create a folder to house analytical information created by the audit analytical software. In addition, it is standard to have a non-indexed Temp folder. Work papers within each folder are then assigned a numerical number and labeled with an index and short description (e.g. A-1 Independence Statement). Similarly, a separate folder should be created for each follow-up review conducted as part of an audit project. A similar file organization system should be used within the follow-up folder for retaining associated work papers. Over the course of the audit, care should be taken to ensure work papers are safeguarded appropriately. Work papers for projects specifically approved on the Annual Audit Plan are exempt from Texas Open Records requirements. In addition, auditors should use their professional judgement when preparing work papers to exclude personal information that is not relevant to the purpose nor necessary to establish the sufficiency or appropriateness of evidence. Similarly, auditors should exercise judgment when deciding what should be stored in the project. Documents that are readily available (e.g. the Code of Ordinances, CARF, budget, etc.) may be summarized and referenced instead of completely copied to the project folders. In addition, it may be more Page 112 &I- 1WOM Effective Date: 01/21/2021 DENTON Last Update: 05/12/2021 appropriate to include only certain pages of reports or other reference materials in the project folder. Per TSLAC GR 1000-41 a(5), audit project work papers should be retained for three years but should not be destroyed prior to completion of an external peer review. Staff Assignment At the beginning of each project, the City Auditor will assess the knowledge, skills, and abilities of the Internal Audit Department and assign appropriate staff based on the project's complexity. The Internal Audit Department may hire consultants or specialists to assist on a project when additional knowledge or skills are needed. The Staff Assignment Form appended to this Manual shall be used to formally assign staff to each audit project. A Staff Assignment Form will be completed before beginning work on an audit project and retained as a work paper in the Administration folder of the corresponding project. Qualified consultants or specialists will be hired in accordance with the City's contracting procedures. Consultants and specialists who are retained to assist with an audit project are subject to the same competence and independence requirements as the Internal Audit Department's auditing staff. Staff Independence GAGAS requires that audit staff assigned to a project be free of impairments, both in fact and appearance, that could prevent it from exercising objective and impartial judgement on all issues associated with conducting and reporting on an assigned project. In order to evaluate if any threats exist, staff members will complete an Independence Evaluation Form for each project they are assigned. Consultants and specialists shall be required to complete an Evaluation Form as part of the contracting process. An Independence Evaluation Form should be completed every twelve months if work on a project is ongoing. This Form is appended to this manual and is designed to comply with the GAGAS conceptual independence framework. All Independence Evaluations will be retained as work papers in the Administration folder of the corresponding project. If a threat to independence is identified, the City Auditor is responsible for assessing how an impairment effects an audit project. Acting in the public Page 113 &I- 1WOM Effective Date: 01/21/2021 DENTON Last Update: 05/12/2021 interest shall take precedence over assigning the Internal Audit Department to a project where impairment exists. As such, if the City Auditor believes the impairment will affect the Internal Audit Department's ability to exercise objective and impartial judgement on issues associated with conducting or reporting on an audit project, or believes it could lead a reasonable third party to question the Department's independence with regard to an audit project the impairment will be reported to and discussed with the Audit/Finance Committee to determine if the project should be reassigned to another Department. The City Auditor shall use the following guidelines to address any identified impairments for projects that are not reassigned: • Personal Impairments to Independence. If the Internal Audit Department must be assigned to an audit project where an impairment exists, the City Auditor shall prepare a written statement describing the facts surrounding the impairment and the steps to mitigate it. If the impairment cannot be mitigated, it must be disclosed in the audit report. • External Impairments to Independence. If the Internal Audit Department is denied access to records and property within the custody of the City, the City Auditor should alert the City Council of the external efforts to interfere with or limit the scope of an audit. The City Auditor, the City Manager, and the Audit/Finance Committee will discuss how to resolve the impairment. If the impairment cannot be resolved it will be disclosed in the audit report. If an impairment to independence is identified after an audit report is issued, the City Auditor will evaluate the impairment's effect on the engagement and on GAGAS compliance. If it is determined that the newly identified impairment could have resulted in the audit report being different from the report issued, the City Council, known users of the report, and appropriate City officials will be notified, and the report will be removed from the City's website. A public notification that the report was removed will be posted and the City Auditor will determine the necessity of performing additional work to reissue the report. Initiation Letter The Internal Audit Department will transmit a formal Audit Initiation Letter to auditees before work begins on an audit project. At minimum, the Audit Initiation Letter should identify the topic to be audited and indicate that the audit will be conducted in accordance with GAGAS. In general, the Audit Initiation Letter should be transmitted to the following individuals based on discussion with the City Manager's Office Review Team: Page 1l4 &I- 1WOM Effective Date: 01/21/2021 DENTON Last Update: 05/12/2021 ➢ The Department head and key directors, managers, or supervisors for the audit topic area; ➢ The appropriate City Manager's Office representative; and ➢ The City Council. The Audit Initiation Letter should be retained as a work paper in the Administration folder of the corresponding project. Additional Audit Initiation Letters should be sent for each follow-up review conducted. Entrance Conference The Internal Audit Department will schedule an Entrance Conference for each audit project within 10 business days of transmitting the Audit Initiation Letter. The purpose of the Entrance Conference is to communicate with management the reasons for the audit, describe the audit process, address management's questions or concerns, identify key contacts, and discuss necessary logistics. Those who typically attend the Entrance Conference include: appropriate department heads; key directors, managers, or supervisors for the audit topic; assigned members of the City Manager's Office Review Team; assigned audit staff; and the City Auditor. The entrance conference may cover a variety of topics including: ➢ Describing the audit process, including timing and dates for the audit; ➢ Informing management of the scope and objectives as far as they are known; ➢ Obtaining audit suggestions and input from the auditees; ➢ Identifying key contacts for the audited entity; ➢ Determining the owners of critical data and documents and how to obtain this information during the audit; ➢ Setting the tone for the turnaround and expectations; and ➢ Requesting preliminary information, if known. The Internal Audit Department is responsible for documenting who attended the Entrance Conference, the matters discussed, and any decisions made. The record should be documented per the standard work paper format and retained in the Administration folder of the corresponding project. Page 115 &I- 1010M Effective Date: 01/21/2021 DENTON Last Update: 05/12/2021 Audit Project Planning Reference Information Collection When planning an audit project, the Internal Audit Department must establish three key parameters: scope, objectives, and methodology. When determining these parameters, audit staff should identify and review reference information which generally falls into the following categories: • Audit Area Background. This may include publicly available budget and staffing information, reports and data produced by the audited entity, organizational information, coverage by the media, concerns raised by City officials, etc.; • Audit Area Environment. This may include professional literature regarding best practices, industry trends and general challenges within the audited area as well as applicable policies, procedures, and state or federal laws and regulations; and • Similar Audit Work. This may include previous audits of the audited area by the Internal Audit Department or the work of auditors in other jurisdictions within the same audit area. Reference information should generally be retained in the Background & Criteria folder of the corresponding project when used as part of an audit. Process Packet GAGAS requires that auditors obtain an understanding of an audited area's internal controls in order to determine and document whether internal controls are significant to the audit objectives. For this reason, the Internal Audit Department documents critical processes for the audited area in a Process Packet when planning each audit project. Process Packets are based on interviews with auditees and include the following: ➢ A flowchart of each critical process; A step-by-step narrative explaining the process that corresponds to the flowchart; and ➢ A table listing out the internal controls for each process. Once a draft Process Packet is developed by audit staff, it is shared with the auditees to ensure it is accurate and complete. Once this review is complete, Page 1l6 &I- 1MOM Effective Date: 01/21/2021 DENTON Last Update: 05/12/2021 the auditee is asked to certify the Process Packet to document that the Internal Audit Department understands the processes being audited. Audit staff then use the certified Process Packet to assess the risks of each critical process under review. When performing the risks assessment based on the Process Packet, audit staff should identify internal control deficiencies based on the Government Accountability Office's Standards for Internal Control in the Federal Government also known as the Green Book. For each identified deficiency, staff should assess the impact and the likelihood of the deficiency being exploited to determine a risk level for the process under review. Table 1 below provides guidance on how to perform this assessment: Table 1: Control Deficiency Risk Assessment Matrix Low Likelihood Medium Likelihood High Likelihood Low Impact Minimal Risk Low Risk Medium Risk Medium Impact Low Risk Medium Risk High Risk High Impact Medium Risk High Risk The assessed risk level of each process should inform audit testing including sampling methodology. The process risk assessment should be documented per the standard work paper format with the certified Process Packet attached and retained in the Fieldwork folder of the corresponding project. Occasionally, an audited entity may have adequate process narrative documentation to forego the development of a Process Packet. In this situation, Internal Audit staff should still conduct and document a risk assessment in the standard work paper format. Work Plan The next step when planning an audit project is to draft an audit Work Plan to formalize the audit objectives and detail the audit steps need to accomplish these objectives. Audit objectives should be worded as questions to provide clear guidance to the auditor about what each objective is trying to achieve. Audit steps will vary for each project; however, they should always clearly identify the purpose and method for conducting the work and be linked to an objective. Collectively, the audit Work Plan should: ➢ Outline steps that will allow internal audit staff to answer the question(s) posed by the objectives; Page 117 &I- MMOM Effective Date: 01/21/2021 DENTON Last Update: 05/12/2021 ➢ Identify how to collect evidence for each relevant element of a finding (condition, criteria, cause, and effect); ➢ Provide for sufficient appropriate evidence to support findings and conclusions relevant to the audit objectives; and ➢ Be consistent with the planned audit scope and budgeted resources. A draft Work Plan should be presented to the City Auditor for review and approval before fieldwork begins. The finalized Work Plan should be documented per the standard Work Plan format and retained in the Administration folder of the corresponding project. During the audit project, it may be necessary to revise the Work Plan including eliminating or adding steps, expanding or reducing the scope, or changing an audit objective. The reasons for these changes must be documented in the audit's work paper and approved by the City Auditor. Any substantive changes made to the Work Plan document should be made with Track Changes. Page 1l8 &I- 1010M Effective Date: 01/21/2021 DENTON Last Update: 05/12/2021 Audit Project Fieldwork Conducting Fieldwork The purpose of audit fieldwork is to gather sufficient, appropriate evidence in order to provide a reasonable basis for the conclusions about an audit's objectives. Audit staff are responsible for completing the assigned audit steps and documenting the results in Work Papers as described later in this section. Throughout this process, auditors must exercise professional judgement by continuously evaluating the gathered evidence, exercising professional skepticism, and refraining from assuming that management is either honest or dishonest. Communication is critical to effective audits. Everyone on the audit team should be aware of what is going on and share information as work progresses in order to continuously evaluate evidence and make judgements about appropriate next steps. The Internal Audit Department will periodically brief the audited entity on the status of the audit work and tentative conclusions; however, auditors must avoid reporting audit findings or making recommendations during fieldwork before all audit evidence has been collected and examined. Audit Methodology and Evidence The audit methodology selected depends on the reasons for doing the audit, the time and resources available, the audit objectives, and the types of data available. Things to consider include: ➢ What sources of data are available to address the objectives? Are data available for the different elements of a finding (i.e. condition, criteria, cause, and effect)? ➢ How are data collected, stored, verified, retrieved, and used? Are data accurate, timely, authoritative and authentic? Being able to answer these questions helps to assess reliability. Specific audit steps should be written to assess data competence if not already completed. Ways to test data reliability include: o Corroborating evidence (comparing to other sources for consistency); o Verifying the evidence (direct testing with confirmation through other sources); o Validating the evidence (testing the control environment); or o Obtaining additional evidence. Page 1l9 &I- 1MOM Effective Date: 01/21/2021 DENTON Last Update: 05/12/2021 ➢ Methods for collecting data and the extent to which the auditor can rely on them depend on the type. Often, there are alternate sources of needed data and alternative ways to collect them. It is usually best to get the strongest evidence available - subject to resource constraints and considering the purpose and risk. From strongest to weakest the types of audit evidence are: o Analytical Evidence derives from the auditor's analysis (such as computations and comparisons) and logical reasoning using data previously obtained. The strength of analytical evidence in supporting a conclusion depends on methodological soundness as well as the underlying data; o Observational Evidence is obtained by direct inspection or observation of people, property, or events and can be documented in memos, charts, or photographs; o Documentary Evidence consists of created information such as letters, contracts, accounting records, invoices, and management information on performance; and o Testimonial Evidence is obtained through inquiry, interviews, or questionnaires. ➢ What types of analysis would be most persuasive or easiest for the users of the audit to understand regarding the performance aspect being evaluated? Choose methods for measuring and assessing performance, and tools for analyzing and displaying data (such as flowcharts, tables, aging schedules, descriptive figures and diagrams) with users in mind. Audit standards require that evidence be sufficient and appropriate in order to provide a reasonable basis for the audit findings and conclusions. The Work Plan directs the Internal Audit Department to obtain and evaluate evidence that will ultimately support their audit conclusions and findings about the audit objectives. Audit Sampling In many cases, the entire population of data is not used for testing and analysis during fieldwork. Audit sampling is frequently used and, when properly planned and performed, satisfies GAGAS. For some types of testing, a sample may be unnecessary because the use of computer software allows the Internal Audit Department to test 100 percent of the population. In addition, computer software can be used to reduce the size of the population sampled by selecting data with certain characteristics. The types of sampling typically used are described below: Page 1 20 &I- MMOM Effective Date: 01/21/2021 DENTON Last Update: 05/12/2021 ➢ Statistical sampling is a sampling of units that must be randomly selected and quantitatively evaluated through the application of probability theory. The results of the sample are projected to the entire population. ➢ Non-statistical (judgmental) sampling occurs if units cannot be randomly selected or quantitatively evaluated. The auditor determines sample size and evaluates results based on subjective audit experience. Conclusions drawn from the results of the sample only represent the sample population. Responsibilities Regarding Fraud Conducting a performance audit in accordance with GAGAS provides reasonable assurance - but no guarantee - that auditors will detect illegal acts or fraud related to the audit objective. GAGAS requires auditors to be alert to situations or transactions that could be indicative of fraud and extend audit steps if a potential fraud could significantly affect audit results. The Internal Audit Department will use professional judgment in pursuing indications of possible fraud so as not to interfere with investigations or legal proceedings. If, during the course of fieldwork, the Internal Audit Department becomes aware of situations or transactions that could be indicative of fraud, the City Auditor will decide whether to extend audit steps, or to report the potential fraud to the City Attorney's Office, law enforcement, or a third party based on available guidance. The Internal Audit Department is responsible for communicating potential fraud to city officials or external parties. The Internal Audit Department will ordinarily make such communication in writing and will file a copy of the written communication in the administrative file of the audit workpapers. When reporting fraud, the Internal Audit Department should consider the following: • Reporting Fraud to Officials in the Organization. GAGAS require auditors to use judgment in reporting instances of fraud or likely fraud to officials of the audited entity. Auditors should include information in the audit report about a fraud or likely fraud unless public reporting would compromise investigative or legal proceedings, or the fraud is not significant. If public reporting could compromise proceedings, the auditor should limit the extent of reporting to information that is already part of the public record. If the fraud is not significant, the auditor should communicate with management in a separate letter and refer to the letter in the audit report. Standards require auditors to document all communications with management or officials of the audited entity about instances of fraud. Page 121 &I- 1MOM Effective Date: 01/21/2021 DENTON Last Update: 05/12/2021 • Reporting Fraud to a Third Party. In some cases, laws or regulations require the audited entity to report fraud directly to outside parties such as a federal inspector general or state attorney general. If management fails to report the fraud as required, the Internal Audit Department needs to communicate this failure to the governing body. If the audited entity does not then make the required report as soon as possible, the Internal Audit Department is required to report the fraud directly to the specified external agency. Auditors should also report fraud directly when they cannot confirm through evidence that City officials reported the fraud as required. Even in cases where the entity isn't required by law or regulation to report fraud to an external agency, auditors may have a duty under the standards to report instances of fraud to government funding agencies when officials fail to take timely steps to remedy identified fraud or other illegal acts. Audit Fieldwork Work Papers All work conducted as part of an audit should be electronically documented in an audit work paper. Work papers are intended to provide a systematic, written record of the work performed to fulfill the audit objectives and should clearly link the evidence obtained to the reported findings and conclusions. While the content of work papers varies, the format of fieldwork work papers should be consistent to facilitate external peer review and enhance usefulness in completing the project. In general, a work paper should include the following: • Index. The audit project number and title and a work paper reference number; • Date. The date the work paper was completed and submitted for review; • Auditor. The auditor primarily responsible for the contents of the work paper and their title; • Purpose. The purpose of the work paper including a reference to the objective(s) to which the work is related. It is often useful to write the purpose as a question or series of questions; • Methodology. The methodology should be a separate section of the work paper that includes a general description of what the auditor did to complete the work. The description should be clear enough that a reviewer can assess the competence of the evidence presented. • Analysis/Summary. A summary of the work conducted, including any analyses performed should be documented in a separate section of the Page 1 22 &I- MMOM Effective Date: 01/21/2021 DENTON Last Update: 05/12/2021 work paper. This section is generally the bulk of a work paper and should include the criteria, condition, and cause elements of any findings; • Sources. The sources of information contained in the work paper should generally be referenced within the body of the Analysis/Summary section via hyperlinks to other reference work papers or work papers attachments. If the source of information is an individual, the name and title of the person should be noted in a separate Attendees section. If the source of information is an observation, the location and date should be noted in the work paper. • Conclusion. A brief summary of the auditor's conclusions based on the information contained in the Work Paper should be documented in a separate section. The conclusion should relate to the purpose of the work paper and should include the effect elements of any findings and potential recommendations based on those findings. • Attachments. Any files created or researched to support the work paper should be included as an attachment. Attachments should be index and stored in the correct project folder. For example, a spreadsheet that stores the data analysis described in Work Paper C-2 could be indexed as "C-2 Attachment A - Data Analysis." A list of all attachments should be included in a separate section of the work paper. • Review. When work paper is complete, the auditor should notify either the City Auditor or Audit Lead for review. A reviewer should examine the Work Paper to ensure clarity, accuracy, the sufficiency and appropriateness of the collected evidence, and the logic of conclusions. Any changes made to a work paper after it is submitted for review should be made with track changes. A reviewer may also make comments on the work paper and return it to the auditor for additional work. The date of reviews and the reviewer should be documented in a separate section of the Work Paper. Work papers should be clear, concise, objective, and limited to matters that are significant and relevant to the audit objectives. Auditors should avoid creating unnecessary work papers and should ensure that they contain sufficient information to demonstrate compliance with GAGAS in planning, conducting, and reporting on work, and should be understandable without supplementary explanations. Page 1 23 &I- 1010M Effective Date: 01/21/2021 DENTON Last Update: 05/12/2021 Audit Project Reporting Evidence Assessment In order to ensure that the evidence gathered during an audit is sufficient and appropriate to support the conclusions about the audit objectives, the Internal Audit Department will conduct an Evidence Assessment as part of the reporting process. To perform the Evidence Assessment, auditors will summarize the results of fieldwork in a copy of the Work Plan. The length and nature of the summary will vary depending on the project but should include citations to relevant work papers. The following is guidance for assessing the gathered evidence: • Sufficient evidence is enough evidence to support the audit findings. Auditors may evaluate sufficiency of evidence by considering the questions: Is there enough evidence to persuade a reasonable person that the findings are valid? Sufficiency can vary depending on how sensitive the topic is. • Appropriate evidence is of high quality that encompasses the relevance, validity, and reliability of the evidence to support the audit findings. Auditors may evaluate appropriateness by considering the questions: Is the evidence accurate? Is this evidence valid? Does this evidence come from strong sources? Does this evidence bear a logical, sensible relationship to the finding it supports? From strongest to weakest the types of evidence sources are: • Data gathered by the auditors. This evidence is the auditors' own observations and measurements, usually gathered through questionnaires, structured interviews, direct observations, and computations. Professional judgment should be exercised in order to ensure that this evidence is sufficient, competent, and relevant. • Data gathered by third parties. The auditors' evidence may also include data gathered by third parties, such as outside audit reports, the Law Department's interpretation on complex laws or regulations, etc. • Data gathered by management. If the auditors use data gathered by officials of the audited entity, they should determine its validity and reliability by direct testing of the data. The entity's internal controls over the validity and reliability of that data can be tested in order to establish this. Page 1 24 &I- 1WOM Effective Date: 01/21/2021 DENTON Last Update: 05/12/2021 The Evidence Assessment should be completed and submitted to the City Auditor for review before the audit report is finalized. The City Auditor should review the Evidence Assessment to verify that the evidence obtained is sufficient and appropriate and provides a reasonable basis for the findings and conclusions based on the audit objectives. The finalized Evidence Assessment should be certified by the City Auditor and retained in the Reporting folder of the corresponding project. Overview of Findings The Overview of Findings is prepared before the first draft of the audit report is complete and is intended to provide the auditee with a summary of findings and recommendations from the audit. This document is essentially an outline of the written report and should: ➢ Format the results of the audit into meaningful sections; ➢ Concisely summarize key audit findings including the results of audit testing; and ➢ Communicate corresponding audit recommendations - if any- for each section. Once a draft of the Overview of Findings is complete, it should be submitted to the City Auditor for review and discussion. Once finalized, the Overview of Findings should be transmitted to the auditee including the Department head, key directors, managers, or supervisors for the audit area, and the assigned City Manager's Office Review Team members. Reference and Draft Report The Internal Audit Department prepares written audit reports to communicate and memorialize the results of each audit project. The entire audit team, including the City Auditor, is responsible for drafting the audit report. In general, the audit report should be written so that a member of the public could understand the conclusions and findings; however, the Internal Audit Department recognizes that the auditee is the biggest user of the written report. The final draft audit report should generally contain the following sections: ➢ At a Glance. This section is an executive summary of the report and is intended to provide members of the public with a one-page overview of the audit. The Internal Audit Department currently has this section of the report translated into Spanish to increase the accessibility of audit reports. The one-page summary generally includes the following sections: Page 1 25 &I- MMOM Effective Date: 01/21/2021 DENTON Last Update: 05/12/2021 o Why we did this Audit - This section gives a brief background on the audited area including why it was selected for review. In addition, it should indicate on which Annual Audit Plan it was initially approved; o What we Found - This section briefly summarizes the findings of the report; and o What we Recommend -This section summarizes the report recommendations. When combining recommendations for summary, the auditor should consider how recommendations work together to address a risk. ➢ Introduction. This section contains introductory paragraphs that state the responsibilities of the Internal Audit Department and City management and includes a standard statement of compliance with GAGAS. In addition, the section should state the audit's scope and objectives and outline the major work performed during the audit. The introduction may also include background information about the audited area. Background information should only be included to provide necessary context for a member of the public reading the report. The auditor should avoid putting the same information in the background and the body of the report when possible and should not include conclusions. ➢ Findings & Analysis. This section lays out the audit findings, conclusions, and recommendations and generally includes subsection divided by major finding. Information should then be communicated per the elements of a finding as follows: o Heading (Finding) - each major finding subsection should have a one sentence Heading that summarizes the finding. o Background (Criteria) - immediately following the Heading, there should be a description in paragraphs of any relevant background information and the criteria used to develop the finding. o What we Found (Conditions - under this subheading, the auditor should include a description of the function's condition in a bulleted list. In general, each major bullet should describe a control and any sub bullets should describe the results of testing those controls. o Why it Matters (Cause & Effect)- under this subheading, the auditor should describe the risks associated with any control deficiencies identified. This section should also generally include an acknowledgement of any controls that are functioning effectively. Page 1 26 &I- 1WOM Effective Date: 01/21/2021 DENTON Last Update: 05/12/2021 o Recommendation(s) - under this subheading, the auditor should include recommendations that address the risks associated with the finding. There should also be space allocated in the report for management response comments for each recommendation. If all controls described in a subsection appear to be functioning, no recommendations need be issued. This should be noted as follows: "Recommendation: None." ➢ Appendices. Information that would be useful to some readers but is too detailed to include in the body of the report may be included in appendices. Examples include the full text of a City Ordinance or a technical description of an audit method - such as sampling, forecasting, or modeling. Interim reports to management are included as appendices in most cases. Number each appendix sequentially and refer to each in the body of the report. The Management Response Matrix should always be included as the first appendix. The draft should meet the quality elements identified in GAGAS. The extent to which a report meets the quality elements is a matter of professional judgment. The Internal Audit Department recognizes the inherent tensions between the elements (complete and concise; accurate and clear; objective and convincing) and will draw upon staff experience and professional judgement to balance them. In drafting the Findings & Analysis section, auditors should ensure it is: ➢ Complete -The report should contain sufficient and appropriate evidence to support audit conclusions and provide context and perspective about the significance of the findings. The report should state clearly what was and was not done during the audit process. ➢ Accurate - The report must be factual. Even minor inaccuracies can cast doubt on the entire audit and damage the credibility of the Internal Audit Department. Keep in mind that misplaced precision - while accurate - can detract from the audit report's meaning. ➢ Objective - The report should be balanced in content and tone. Findings should be kept in perspective. Avoid unnecessary adjectives and adverbs. ➢ Convincing - The report should be presented persuasively with conclusions and recommendations flowing logically from the facts. Techniques to express the relationships between main ideas within and among paragraphs (parallel structures; coordination, subordination and transition phrases; and running heads) help make the report convincing. The key controlling idea should be in the first sentence of the paragraph to help make a clear and convincing case. Page 1 27 &I- MMOM Effective Date: 01/21/2021 DENTON Last Update: 05/12/2021 ➢ Clear- The report should be easy to read and understand. Use active voice. Avoid acronyms and jargon. Define technical terms or abbreviations at their first use in the text or in a glossary if they are essential to understanding (but it's better to avoid using them). Simple sentence structures are usually easiest to understand (subject-verb- object). Put statements in positive form (what is, rather than what is not). Graphs, charts, maps and other visuals also aid in clarity. ➢ Concise -The report should be no longer than necessary to convey the message. Shorter is better if the report is complete. Too much detail can obscure the message of the report. Omit needless words. Using strong verbs and limiting adverbs and noun phrases helps with clarity and conciseness. When finalizing the draft report, The Internal Audit Department will attempt to ensure that the report format matches with the City of Denton's style guide. In addition, the Internal Audit Department has developed a supplemental style guide to facilitate consistency for all reports. Once the draft report is complete, the Internal Audit Department distributes the it to the audited area's management via email. Typically, whoever received the Initiation Letter should also receive the draft report. The draft report should be sent in WORD format so that reviewers may make language change suggestions if they wish; however, the auditor should make clear that these will not necessarily be accepted, and any edits should be made using track changes. The Internal Audit Department should also prepare a version of the draft report that includes references to supporting Work Papers. Referencing is the process in which the auditor notes on the draft the Work Paper source for each fact, figure, date, or other piece of evidence described int eh report. As the report is referenced, corrections should be made to errors found to ensure consistency. The draft report should be referenced by the audit team and reviewed by the City Auditor for completion before the clean draft is distributed to the audited area's management. Exit Conference The Internal Audit Department will schedule an Exit Conference after the draft report is distributed. This provides an opportunity to discuss report language and tone, perceived inaccuracies, or disagreements to find common ground. The Internal Audit Department will carefully assess management's comments and concerns raised in the written response and the Exit Conference and decide whether and how to revise the report. If the Internal Audit Department decides Page 1 28 &I- 1WOM Effective Date: 01/21/2021 DENTON Last Update: 05/12/2021 to revise the report, management will be provided a brief opportunity to amend their response for inclusion in the final report for publication. During the Exit Conference, the Internal Audit Department and management will also come to an agreement about the final reporting timeline including: when a possible revised report will be sent to management, when a completed Management Response Matrix will be provided to the Internal Audit Department, and when the audit will be presented to the City Council. The Internal Audit Department or management may request additional presentations be made at this time. The Internal Audit Department prefers to make recommendations that management concurs with so that risks are more likely to be addressed. However, when the Internal Audit Department cannot come to agreement with management, or management's written response contains comments the Internal Audit Department believes are not valid, rebuttal comments may be prepared. Management Response & Final Report Before the report is finalized, the Internal Audit Department will provide the auditee with a Management Response Matrix. This matrix summarizes each recommendation made in the body of the report and provides an area for management to respond. This response should include: ➢ An indication of if management concurs, partially concurs, or disagrees with the recommendation; ➢ An expected completion date; ➢ An indication of who is responsible for completing the recommendation; and ➢ Any comments management feels are necessary to explain their planned implementation actions. Once the completed Management Response Matrix is received, it should be attached to the report as an appendix. In addition, any comments should be included in the body of the report where appropriate. Once this is complete the report is finalized and should be distributed to the audited area's management. Presentation Finalized audit reports are verbally presented to the City Council to ensure findings are communicated to the public. As such, audit presentations should be Page 1 29 &I- 1WOM Effective Date: 01/21/2021 DENTON Last Update: 05/12/2021 prepared with members of the public - including the City Council - in mind. In general, audit presentations are prepared and made by the City Auditor with assistance from the Audit Lead. Presentations may be made to the Audit/Finance Committee, City management, or others as appropriate before presentation to the City Council. For each presentation, a slide deck will be prepared to explain the major findings of the audit by result function. Audit presentation slide decks generally include the following: • Purpose of the Audit. Provides a brief background on the audited area including why it was selected for review and outlines the audited functions. • Audit Findings by Audited Area. Divides the audit into major audited functions and outlines the major findings for each. Auditors should consider including tables, figures, pictures, and animation where appropriate to engage the reader and increase understanding through illustration. In addition, each slide should have bullets summarizing the major finding, Care should be taken to ensure slides are not overly wordy but remain complete and accurate. • Management Response Summary. Summarizes each audit recommendation made, discloses whether management concurred, partially concurred, or disagreed with the recommendation and paraphrase implementation actions for each recommendation. In addition, an Agenda Information Sheet (AIS) must be prepared that includes a brief background on the audited area including why it was selected for review and indicate on which Annual Audit Plan it was originally approved. Finally, each department involved - including the Internal Audit Department - must complete a section of the Audit Response Cover Letter, which is circulated and finalized by the City Manager's Office Review Team. Public Release After the report is presented to the City Council, the final report, including the Spanish translation of the At a Glance section - is uploaded to the Internal Audit Department's public facing Laserfiche Drive under the correct project folder. Each project folder should contain the original audit report and any follow-up reports after their completion. Per TSLAC GR1000-41 a(2), performance audit reports are considered permanent records for historical reasons and should not be destroyed. Page 1 30 &I- 1010M Effective Date: 01/21/2021 DENTON Last Update: 05/12/2021 Quality Control Program Standards Verification Processes A critical part of the Department's quality control program is verifying compliance with GAGAS. The Internal Audit Department verifies this in the following ways: • Yellow Book Checklist. The Audit Lead shall complete a Yellow Book Checklist for each report issued for an audit project (i.e. after each audit and follow-up report is issued). This Checklist requires staff to identify the work papers of each project that evidences compliance with GAGAS. • Annual Verification Assessment. The City Auditor shall annually verify that applicable audit standards were followed for a sample of audit projects completed. This verification shall be performed at the end of each fiscal year and subsequent results reported to the Audit/Finance Committee. • Periodic Peer Review. External peer reviews should provide an objective, independent opinion on whether the Department's internal quality control system provides reasonable assurance of compliance with applicable auditing standards. GAGAS requires that the Internal Audit Department undergo an external peer review every three years. The City Auditor shall work with the Audit/Finance Committee and City Council to ensure that external peer reviews are performed as required. External peer reviewers shall be provided full access to any need documentation. The City Auditor shall ensure the results of the external peer review are communicated to the Audit/Finance Committee, the City Council, and the City Manager as well as made publicly available. The Internal Audit Department shall review any findings with the peer review team and shall take steps to correct identified deficiencies in a timely manner. Recommendation Tracking Recommendations issued as part of each audit project are intended to address risks that the City faces and should be tracked to facilitate accountability and to measure the Internal Audit Department's effectiveness. In order to track recommendations, the Internal Audit Department maintains an Internal Audit Recommendation Tracker on the City's internal network. This Tracker includes: ➢ Recommendations issued for every audit project; Page 131 &I- 1WOM Effective Date: 01/21/2021 DENTON Last Update: 05/12/2021 ➢ Management responsibility information including who the recommendation was addressed to, the tentative completion date, and if management concurred, partially concurred or disagreed; and ➢ Implementation status including follow-up review determinations and self- reported department progress information. The City Auditor is responsible for ensuring that this Tracker remains up to date with issued recommendations including management responses and verified implementation status. Post-Audit Feedback Survey In order to promote continuous improvement and facilitate communication between the Internal Audit Department and auditees, a Post-Audit Feedback Survey is distributed after each report issued during an audit project. Feedback is generally requested from the primary contacts and department directors involved in each audit project. The City Auditor is responsible for developing and distributing the Post-Audit Feedback Survey after each report is issued. Results of the Feedback Survey shall be presented to the Audit/Finance Committee and City Council at least annually. Continuous Professional Development GAGAS requires that Audit staff are required to have the knowledge, skills, and abilities, necessary to conduct an audit project. This competence is derived from a combination of education and experience and is generally demonstrated through the following methods: • Professional Certification. Audit staff are required to hold an audit-related professional certification or be in the process of obtaining one after beginning employment. Audit-related professional certifications include, but are not necessarily limited to: o Certified Internal Auditor (CIA); o Certified Public Accountant (CPA); o Chartered Accountant (CA); o Certified Fraud Examiner (CFE); o Certified Government Auditing Professional (CGAP); and o Certified Information Systems Auditor (CISA). Page 1 32 &I- 1WOM Effective Date: 01/21/2021 DENTON Last Update: 05/12/2021 To support audit staff in meeting this requirement, the Internal Audit Department will provide current study guides and cover costs associated with taking a professional certification exam the first time. In addition, audit staff may schedule with the City Auditor up to twelve hours of work time to prepare for each professional certification exam. Administrative leave may be granted for taking an exam upon request. • Continuing Professional Education (CPE). Per GAGAS, audit staff are required to develop and maintain their competency by completing continuing professional education as follows: o At least 80 hours of CPE for every two years of employment; o At least 20 hours of CPE during each year of employment; and o At least 30 percent of CPE hours must be related to government auditing. Audit staff are required to document their compliance with these requirements by maintaining CPE certificates in the designated CPE Tracking repository. If the sponsor of a CPE course does not provide a certificate, the auditor will prepare a memo to be stored in the CPE Tracking repository. Once prepared, this memo should be certified by the City Auditor. A CPE Completion Memo should include the following information: o The name of the organization that provided the training; o The title and subject matter of the training; o The date attended (or date completed for individual study); and o The number of CPE hours earned related to government and nongovernmental topics. In order to easily monitor compliance with these CPE requirements, each auditor shall maintain a CPE attendance log that is updated at least annually. This log should include: o The date of attendance (or completion if self-study) of the CPE hours; o The calendar year during which the CPE is reported, o The organization offering the CPE, o The subject of the training, o The number of CPE hours earned; o Any specific CPE categories that the training addressed such as government auditing, IT auditing, fraud, ethics, etc.; and Page 1 33 &I- MMOM Effective Date: 01/21/2021 DENTON Last Update: 05/12/2021 o The price of each CPE event. Annually, the City Auditor should report to the Audit/Finance Committee on the Internal Audit Department's compliance with this CPE requirements. For reporting purposes, required CPE is calculated assuming ten hours must be completed for every three months of employment. Audit staff that have not been employed with the City for more than one year of the two-year reporting period should be included in the report; however, their compliance with GAGAS should not be formally determined. PerTSLAC's GR1050-28a, individual CPE documentation should be retained for five years after an employee separates from the City. Per TSLAC's GR1000-41a(4), CPE compliance reports should be maintained for 3 years. • Participation in Professional Organization. Professional organizations offer opportunities to establish relationships with other auditing professionals whose experience the Internal Audit Department may be able to draw on to more efficiently and effectively conduct audit work. For this reason, audit staff are encouraged to participate in professional organization activities related to government or auditing, such as: o The Association of Local Government Auditors; o The Institute of Internal Auditors; o Association of Certified Fraud Examiners; o The Information Systems Audit and Control Association; and o The Government Finance Officers Association. Page 1 34 &I- 1010M Effective Date: 01/01/2019 DENTON Last Updated: 05/12/2021 Annual Ethics Pledge Auditor Name: Pledge Fiscal Year: Auditors within the Internal Audit Department are expected to conduct all project per the ethical principles outlined below. Annually, auditors must pledge to adhere to these principles before conducting any projects. Supplemental information regarding each ethical principle can be found in Generally Accepted Government Auditing Standards. • The Public Interest. A distinguishing mark of an auditor is acceptance of responsibility to serve the public interest, which is defined as the collective well-being of the community of people and entities that the auditors serve. • Integrity. Public confidence in government is maintained and strengthened by auditors performing their professional responsibilities with integrity, which includes auditors performing their work with an attitude that is objective, fact-based, nonpartisan, and nonideological with regard to audited entities and users of the audit reports. • Objectivity. Auditor's objectivity in discharging their professional responsibilities is the basis for credibility of auditing in the government sector. Objectivity includes independence of mind and of appearance when conducting engagements, maintaining an attitude of impartiality, having intellectual honesty, and being free of conflicts of interest. • Proper Use of Government Information, Resources, and Positions. Government information, resources, and positions are to be used for official purposes and not inappropriately for the auditors' personal gain or in a manner contrary to law or detrimental to the legitimate interests of the audited entity or audit organization. • Professional Behavior. High expectations for the auditing profession include complying with all relevant legal, regulatory, and professional obligations and avoiding any conduct that could bring discredit to the auditors' work, including actions that would cause an objective third party with knowledge of the relevant information to conclude that the auditors' work was professionally deficient. I have reviewed the ethical principles, including supplemental guidance in GAGAS, and pledge to adhere to the principles to the best of my ability. In the event I cannot comply with or adhere to the identified ethical principles, I will immediately notify my supervisor of the circumstances. Signature: Date: &I- 1010M Effective Date: 01/01/2019 DENTON Last Updated: 05/12/2021 Staff Assignment Form Audit Title: Project Number: Audit Plan: Audit Type: Considerations: Will this assignment result in audit previous Department work? Has the Department performed any management functions or made any management decisions relative to the auditee? Has the Department provided non-audit services that are significant or material to the subject matter of the audit? Audit Lead: Additional Staff Assigned: Initiation Date: Est. Fieldwork Completion Date: Est. Council Presentation Date: Notes: I have reviewed the assigned staff resumes, and current training records. The assigned staff collectively possess the technical knowledge, skills, and experience necessary to be competent for the type of work being performed. Further, I have reviewed each assigned staff person's signed annual independence statement and found that no known impairments exist. Approved By: Date: City Auditor &I- 100M Effective Date: 01/01/2019 DENTON Last Updated: 05/12/2021 Auditor Independence Evaluation Form Audit Title: Project Number: Audit Plan: For each audit project, the City of Denton's Internal Audit Department requires each staff member on an audit to complete the following independence evaluation exercise. This exercise is intended to help audit staff identify threats to their independence for each audit in accordance with the conceptual framework of the Yellow Book. If you are unsure whether a threat applies to you, please review Standard 3.36-3.44 of the Yellow Book and discuss your concerns with the City Auditor. The threats below may impact the independence of mind or appearance. Check All Threat Description That Apply Self-Interest I have a financial or other interest that may inappropriately influence my judgement or behavior. I have provided nonaudit services and may not appropriately Self-Review evaluate the results of previous judgements made or services provided as part of those nonaudit services when forming a judgement significant to a GAGAS engagement. Bias I may, as a result of political, ideological, social, or other convictions, take a position that is not objective. I have a relationship with management or personnel of the Familiarity audited entity, such as a close or long relationship, or that of an immediate or close family member, that may lead me to take a position that is not objective. Undue The influences or pressures from sources external to the Influence Department may affect my ability to make objective judgements. Management I have taken on the role of management or am otherwise Participation performing management functions on behalf of the audited entity, which may lead me to take a position that is not objective. I believe the Department's placement within the City, in Structural combination with the structure of the audited entity, will affect the Department's ability to perform work and report results objectively. If you indicated that any of the threats above apply, provide additional information below: If at any time during the audit the above conditions change, I will promptly notify the City Auditor ensure appropriate safeguards are utilized in accordance with the conceptual framework. Auditor: Signature: