|
Agenda Item
ASR
Control 26-000092 |
||
|
MEETING
DATE: |
03/24/26 |
|
|
legal entity taking action: |
Board
of Supervisors |
|
|
board of supervisors district(s): |
All
Districts |
|
|
SUBMITTING Agency/Department: |
Internal
Audit (Approved) |
|
|
Department contact person(s): |
Aggie
Alonso (714) 834-5442 |
|
|
|
Jose
A. Olivo (714) 834-5509 |
|
Subject: Summary of Reports, Independent
Risk Assessment, Quality Assessment, and Charter
|
ceo CONCUR |
County Counsel Review |
Clerk of the Board |
||||||||
|
Concur |
No
Legal Objection |
Consent
Calendar |
||||||||
|
|
|
3
Votes Board Majority |
||||||||
|
|
|
|
||||||||
|
Budgeted: N/A |
Current Year
Cost: N/A |
Annual Cost: N/A |
||||||||
|
|
|
|
||||||||
|
Staffing Impact: |
No |
# of Positions: |
Sole Source: N/A |
|||||||
|
Current Fiscal Year Revenue: N/A
|
||||||||||
|
Prior Board Action: 12/16/2025 #6, 9/23/2025 #S34B,
9/24/2024 #15, 2/26/2019 #16 |
||||||||||
RECOMMENDED
ACTION(S):
|
1. |
Receive and file Internal Audit
Department's Executive Summary of Internal Audit Reports for the Quarter
Ended December 31, 2025 |
|
2. |
Approve the Internal Audit Department’s
Amended Fiscal Year 2025-26 and 2026-27 Audit Plans as Recommended in Macias,
Gini & O’Connell LLP’s Independent Risk Assessment and Recommendations
for Fiscal Years 2025-26 and 2026-27 Audit Plans Report. |
|
3. |
Receive and file Internal Audit
Department Internal Quality Assessment for FY 2024-25 |
|
4. |
Approve Internal Audit Department's
Charter |
SUMMARY:
Receiving and filing the Executive
Summary of Internal Audit Reports will inform the Board of Supervisors of the
ongoing process of internal audit coverage; approval of the Independent Risk
Assessment and Recommendations for Fiscal Years 2025-26 and 2026-27 Audit Plans
will allow the Internal Audit Department to incorporate audits of high-risk
areas; receiving and filing the Internal Quality Assessment for FY 2024-25 will
confirm Internal Audit Department’s conformance with Global Internal Audit
Standards; and approval of the revised Internal Audit Department Charter will
formally define performance audits in the Internal Audit Department’s
responsibilities and authority.
BACKGROUND
INFORMATION:
The Internal Audit Department (IAD)
issues written reports following the conclusion of each internal audit
engagement. The results of the audits are summarized quarterly for the Board of
Supervisors (Board) and are presented in the Executive Summary of Internal
Audit Reports.
On December 16, 2025, the Board
received and filed the Executive Summary of Internal Audit Reports for the
period of July to September 2025. The report for this quarter (Attachment A)
covers four audit reports issued from October 1, 2025 to December 31, 2025
(Attachments B through E).
IAD supports and assists the Board
and County management in the realization of their business goals and objectives
by testing and reporting on the effectiveness of County internal control
systems and efficiency of business processes. To accomplish this, IAD prepares
an Annual Risk Assessment and Audit Plan, which is a comprehensive plan that
details audits to be completed each fiscal year. On June 24, 2025, the Board
approved IAD’s Fiscal Year (FY) 2025-26 Risk Assessment and Audit Plan, and
directed IAD to contract with a reputable Certified Public Accounting firm to
conduct an independent risk assessment of high-risk areas across the County.
The independent risk assessment would be used to modify IAD’s FY 2025-26 Audit
Plan and develop the FY 2026-27 Audit Plan.
On September 23, 2025, the Board
approved a contract with Macias, Gini & O’Connell (MGO) to conduct the
independent risk assessment and on January 30, 2026, MGO reported on their
results and recommendations for FYs 2025-26 and 2026-27 Audit Plans. IAD agrees
with their results, which were filed with the Audit Oversight Committee (AOC)
at its February 5, 2026 meeting, and are now being presented to the Board for
approval. See Attachment F for a summary of MGO’s results.
IAD adheres to mandatory guidance
issued by the Institute of Internal Auditors (IIA), including the Global
Internal Audit Standards (Standards). The Standards require the Chief Audit
Executive to communicate the results of an Internal Quality Assessment (IQA) to
the Board and to senior management at least annually. An IQA consists of
ongoing monitoring of the internal audit function’s conformance with the
Standards and its progress toward achieving performance objectives.
On September 24, 2024, the Board
received and filed IAD’s IQA for FY 2023-24. In December 2025, IAD conducted
its annual self-assessment that validated its achievement of full conformance
(the highest possible rating) with 51 of 52 Standards, and general conformance
with one Standard. The rating of general conformance was due to a required
update to the IAD Charter related to its new responsibilities over performance
audits. As noted in the paragraph below, the Charter has since been revised and
is pending Board approval to bring IAD into full conformance with that
Standard. See Attachment G for the results of the IQA for FY 2024-25.
On February 26, 2019, the Board
approved the IAD Charter (Charter), which formally defined the purpose and
responsibility of IAD and provided authority to conduct audits of County
departments. In January 2025, the Board approved the transfer of the Performance
Audit function to IAD, and IAD has now revised the Charter to reflect those
responsibilities. IAD also made other non-substantive changes to align the
Charter with the Standards. The revised Charter was filed with the AOC at its
February 5, 2026 meeting, and is now being presented to the Board for approval.
See Attachment H for the revised Charter and Attachment I for the redline
version.
FINANCIAL
IMPACT:
N/A
STAFFING
IMPACT:
N/A
ATTACHMENT(S):
Attachment
A - Executive Summary of Internal Audit Reports for Quarter Ended December 31,
2025
Attachment B - OC Public Works Selected Cybersecurity Controls (Audit No.
2414-F1 Close-Out) dated October 27, 2025
Attachment C - Health Care Agency Environmental Health Division Cash Receipts
(Audit No. 2214-F1) dated November 12, 2025
Attachment D - OCIT Enterprise IT Governance (Audit No. 2242-F2 Close-Out)
dated December 17, 2025
Attachment E - OCIT Selected Internet of Things (IoT) Device Security Controls
(Audit No. 2314-F1 Close-Out) dated December 18, 2025
Attachment F - MGO Independent Risk Assessment and Recommendations for Fiscal
Years 2025-26 and 2026-27 Audit Plans
Attachment G - Internal Audit Department Internal Quality Assessment for FY
2024-25
Attachment H - Internal Audit Department Charter
Attachment I - Internal Audit Department Charter - Redline