The Weld County Charter states in Section 13-8(6):
“Council shall review all aspects of county government and shall make such periodic reports to the people relating to expenditures, efficiency, responsiveness, adherence to statutes, laws and regulations, and other matters as the Council deems advisable.”
In that article I proposed the idea of hiring a full-time internal auditor. In this article I’d like to expand on this idea by addressing three topics – 1) the types of audits that could be performed by this internal audit staff; 2) the use of external experts to perform certain audits; and 3) the structure of other county audit organizations in Colorado and throughout the nation.
Audits would be performed with the goal of increasing the effectiveness and improving the performance of county procedures. The financial audit currently being performed focuses primarily on large expenditures and does not address data security. Data security is an important topic given the data breach that occurred previously when a jail inmate was able to access employee data, including social security numbers. The County processes three types of critical data - health information (HIPAA data), credit card information (PCI data), and personal information for employees and some County residents (Personally Identifiable Information / PII data). We need to make absolutely certain our systems are secure.
An audit of data security related to the above topics is a good example where the Council would require outside expertise from a firm that specializes in information technology security. Experts could also be sought to review certain state or federal programs administered by the County, to the extent that these programs aren't already being reviewed.
I have researched various audit departments throughout the state and the structures vary significantly. Some are outsourced totally (e.g. Adams County), and some have a sizable internal staff (e.g. Denver County). There is no right or wrong answer as to size and structure. I have proposed what I believe is the best of both worlds with a full-time internal resource along with a small budget for two additional audits by external experts.
I have run a small business for the past 16 years and part of my consulting practice is to help large organizations design internal controls and security. In my experience, every organization has vulnerabilities and opportunities to improve processes.
One thread was consistent in my research – audits can be highly political in nature. We are fortunate to have the Weld County Council, which acts as an independent non-partisan voice for the citizens of Weld County.
This article reflects my opinion and not necessarily the views of the rest of the Weld County Council members.
About Jeffrey Hare
Jeffrey Hare is a Certified Public Accountant (CPA), Certified Internal Auditor (CIA), and Certified Information Systems Auditor (CISA). He serves as an At-Large member on the County Council. He lives in Greeley with his wife, Julie, to whom he has been married for 21 years. He and Julie have three daughters who all attend Frontier Academy, where Jeffrey also serves on the governing board. Jeffrey is also founder and CEO of ERP Risk Advisors, an IT consulting firm.
Note: This article is the second part in a two-part series. In the first article I addressed the mandate of the Weld County Charter and made the case for hiring an internal auditor.