Our Process


How Audits are Selected

DIA develops a risk-based audit plan at the beginning of each year. The audit plan can be based on the following factors:

  • Annual Risk Assessment - An annual review of risk to the County categorized and scored by departments and divisions. Risks include:
    • Operational Risk - The type of risk the county is exposed to if operating objectives are not being met through the effective and efficient use of resources. This includes potential for fraud, business disruptions, profitability, customer service, safety, credit quality, etc.
    • Compliance Risk - Type of risk the county is exposed to if it operates (or could potentially operate) outside of applicable laws and regulations.
    • Financial Risk - Risk impact related to revenues, expenditures, assets, liabilities, and equity decisions.
    • Strategic Risk - Risk impact that affects or is created by an organization’s business strategy and strategic objectives.
    • Residual Risk - The level of risk that remains after management’s response to inherent risks.
  • Requests from Stakeholders - This may include Internal Audit Committee, County Executive, County Council, management of Cuyahoga County, or other sources.

Audit Process

informational graphic showing the audit process

 


  1. Department/function identified for audit
  2. Pre-audit meeting
  3. Audit planning and fieldwork
  4. Audit report drafted and sent to auditee
  5. Post audit meeting
  6. Management’s responses received within 30 days
  7. Report sent to Audit Committee for review
  8. Following Audit Committee approval, report distributed to county management, County Council, and posted to the county’s web site
  9. Follow-up review via issue tracker process

Planning

Steps during planning include the following:

  • Obtaining background information related to the department, division, or process being audited
  • Assessing risks and identifying potential controls
  • Defining scope of audit, to focus resources on areas of higher risk rather than broader assessments of entire agencies
  • Typical documents requested:
    • Policies and Procedures
    • Organizational Chart
    • List of Contracts

Fieldwork

This part of the audit usually includes tests of transactions and/or analysis to provide reasonable assurance that controls are adequate, operating effectively, and to ensure audit objectives are met. We often select a sample of a group of transactions for testing as opposed to reviewing an entire population.

During or when this process is completed. DIA will provide the auditee with any documented issues, the cause of these issues, potential impact, and recommendations for improvement. The auditee will have an opportunity to ask questions or seek clarification on any of the recommendations.


Draft Report and Response

A formal exit conference is held to signify the end of the audit. A complete Draft Report will be submitted to the auditee. The Draft Report will incorporate the auditee responses to the audit issues and recommendations. The response will also include a tentative timeline for corrective action to be taken.

Audit Committee and Final Report

The Internal Audit Committee receives the Draft Report with management responses. They may ask questions or give comments on the Report. Unless it is decided that Report is to be held, the Report will be publicly released on County website two weeks later.

Follow-Up Issue Tracking

DIA will reach out to auditee, after time is allowed for corrective action to be implemented, to see if corrective action has taken place. DIA will obtain management response as to status of corrective action and supporting documentation necessary to provide reasonable assurance that corrective action has been implemented and is working.


  
How could we make it better? Leaving an email can assist us in troubleshooting the issue.
  
Thank you for your feedback
Your feedback means a lot to us. We use it to improve the experience of all of our users.