The Weld County Charter states in Section 13-8(6):
“Council shall review all aspects of county government and shall make such periodic reports to the people relating to expenditures, efficiency, responsiveness, adherence to statutes, laws and regulations, and other matters as the Council deems advisable.”
In that article I proposed the idea of hiring a full-time internal auditor. In this article I’d like to expand on this idea by addressing three topics – 1) the types of audits that could be performed by this internal audit staff; 2) the use of external experts to perform certain audits; and 3) the structure of other county audit organizations in Colorado and throughout the nation.
Audits would be performed with the goal of increasing the effectiveness and improving the performance of county procedures. The financial audit currently being performed focuses primarily on large expenditures and does not address data security. Data security is an important topic given the data breach that occurred previously when a jail inmate was able to access employee data, including social security numbers. The County processes three types of critical data - health information (HIPAA data), credit card information (PCI data), and personal information for employees and some County residents (Personally Identifiable Information / PII data). We need to make absolutely certain our systems are secure.
An audit of data security related to the above topics is a good example where the Council would require outside expertise from a firm that specializes in information technology security. Experts could also be sought to review certain state or federal programs administered by the County, to the extent that these programs aren't already being reviewed.
I have researched various audit departments throughout the state and the structures vary significantly. Some are outsourced totally (i.e. Adams County), and some have a sizable internal staff (i.e. Denver County). There is no right or wrong answer as to size and structure. I have proposed what I believe is the best of both worlds with a full-time internal resource along with a small budget for two additional audits by external experts.
I have run a small business for the past 16 years and part of my consulting practice is to help large organizations design internal controls and security. In my experience, every organization has vulnerabilities and opportunities to improve processes.
One thread was consistent in my research – audits can be highly political in nature. We are fortunate to have the Weld County Council who acts as an independent non-partisan voice for the citizens of Weld County.
This article reflects my opinion and not necessarily the views of the rest of the Weld County Council members.
About Jeffrey Hare
Jeffrey Hare is a Certified Public Accountant (CPA), Certified Internal Auditor (CIA), and Certified Information System Auditor (CISA). He serves as an At-Large member on the County Council. He lives in Greeley with his wife Julie to whom he has been married for 21 years. He and Julie have three daughters who all attend Frontier Academy where Jeffrey also serves on the governing board. Jeffrey is also founder and CEO of ERP Risk Advisors, an IT consulting firm.
This article is the second part in a two-part series. In the first article I addressed the mandate of the Weld County Charter and made the case for hiring an internal auditor.