The City’s first ever internal auditor will propose a new audit-review rating system and enterprise risk management framework during Council’s Governance Committee today.
As part of the City’s new internal audit function, approved in 2011 as part of the 2012 operating budget process, the rating system and methodology would allow for internal audits to be done using best practices and standards already established by the Institute of Internal Auditors, the governing body for the audit profession.
“A new audit-review approach would build on lessons learned in phase one of the service and operational reviews and would give us a strong foundation for future reviews,” says Loretta Alonzo, the City’s internal auditor, adding, “We are now in a position to deliver robust and effective reviews that will provide meaningful findings and recommendations to guide our business decisions.”
She further explains that by prioritizing which City services will form the audit annual work plan, residents can be assured that due diligence and oversight of the public purse is focused on areas of greatest risk and potential savings, efficiencies and service improvements.
“The new audit process would ensure accountability, transparency and engagement, as well as strengthen how the City works, enabling Guelph to prosper in the years ahead.”
The types of audits that may be performed by an internal auditor include: operational, financial, compliance, information systems, special investigations, follow-up audits, and consulting.
Alonzo also explains the process by which City services, programs, or activities are chosen for review is most effective when viewed through a risk-based audit methodology.
The new rating system would prioritize audits using a scoring system based on known risks, budget, date of last review and potential savings opportunities. Internal audit projects would be determined annually through collaboration with the Executive Team and Audit Committee.
A complete a list of ranked and rated services with recommendation for selected audits for 2013 will be considered by the Governance Committee later this fall.
As part of the internal audit function, an enterprise risk management strategy would also be implemented in two phases over a two-year period. Phase one would be corporate-level risk management and phase two would expand to include project risk management. In addition, an enterprise risk management program would assist in decision-making processes that will allocate resources to areas of highest risk.
“By identifying and proactively addressing risks and opportunities, the City improves how it protects the interests of the public. Identifying and managing risk is everyone’s responsibility and is one component of good corporate governance,” says Alonzo.