Audit Plan


The 2019 Audit Plan consists of integrated audits that incorporate performance, financial, information technology, and fraud-detection objectives. The Plan is flexible and could change as conditions evolve. Auditor O’Brien meets regularly with elected officials, agency leadership, and community members to gather input related to operational risks so as to concentrate the work of the Auditor’s Office in areas where it will have the greatest impact.

Download the 2019 Audit Plan

The vision of the Denver Auditor’s Office is to deliver value and impact for Denver by performing audits that follow the highest professional standards. Our mission is to deliver independent, transparent and professional oversight; safeguarding and improving the public’s investment in the City and County of Denver. Our work is performed on behalf of everyone who cares about the city, including its residents, workers and decision-makers.

The Auditor and the Auditor’s Office provide an important and valued function for Denver, a responsibility that requires a high level of expertise
and professionalism. The 2019 Audit Plan reflects Auditor O’Brien’s steadfast
commitment to continuous improvement by enhancing the value, products, staffing, communications and overall positive impact of the Denver Auditor’s Office on behalf of Denver’s residents, businesses and visitors.

Developing the annual Audit Plan is an ongoing process, conducted by assembling ideas from a variety of  internal and external sources, examining a broad range of city activities and then assessing risk factors in tandem with additional considerations. This approach results in a diverse list of departments, programs, activities and contracts that are examined to determine whether they are operating efficiently, effectively and in accordance with the law and program or contract requirements.
The Auditor’s Office’s authority is granted by the City Charter, Article V, Part 2, Section 1, General Powers and Duties of Auditor.

2019 Planned Audits

City Auctions This audit will review the controls and process for city auctions of property.
City Real Estate Management This audit will review the city’s process for planning, coordinating and managing city real estate needs.
Construction Audits These audits will focus on various aspects of the city’s construction projects, including proper city oversight.
Contracts and Agreements The Auditor’s Office will continue to audit selected city contracts and agreements as required under Denver City Charter, §5.2.1, to evaluate and ensure performance, value and proper city oversight.
Contracting Practices The audit series will review the economy, efficiency and effectiveness of the city’s complex contracting processes.
Cybersecurity The assessment will examine the city’s vulnerability to cybersecurity attacks and information theft. The assessment will build on the results of the prior cybersecurity assessments by examining additional areas of potential vulnerability, including an updated security risk analysis of the city’s system infrastructure.
Financial Audits The Auditor’s Office will conduct audits of selected city agencies’ accounting processes. Audits may focus on specific financial balances, transactions, programs, funds and processes and their related internal controls, determine whether the transactions were properly accounted for, or whether the internal control systems are efficient and effective and in compliance with city accounting policies.
Grant Audits These audits will review compliance with Federal Grants Requirements for receiving departments such as Office of Economic Development, Human Services or Parks and Recreation.
Workday Financial Implementation The audit will review the effectiveness of the implementation of the Workday financial system.
Assessor's Office
Property Tax Assessment Process The Assessor’s Office is implementing a new system to track and report on all property taxes assessed and collected on behalf of the City and all other property taxing entities within the City’s boundaries. The audit will analyze the efficacy of the processes and controls the City uses to assess and collect taxes. The audit will also examine implementation and controls around the new property tax system.

City Attorney’s Office
CORA Requests This audit will review the process used by the City Attorney’s Office to receive, track and respond to Colorado Open Records Act data requests.

Clerk and Recorder’s Office
Public Trustee Function This audit will review the Public Trustee function, including accounting practices, compliance with laws and regulations and governance structure.

Controller’s Office
Denver Preschool Program Sales Tax This audit will assess the city’s oversight of this longstanding sales tax that is distributed to a non-profit under a contract with the city.

Cultural Facilities
Cultural Facilities This audit is part of an audit series exploring city oversight, efficiency, effectiveness and financial operations of an SCFD Tier 1 recipient under the cooperative agreement with the city.

Denver International Airport
Accounting and Finance Management Various planned audits involving the airport will evaluate the internal control environment associated with the financial functions at the airport.
Airport Capital Assets Similar to the 2018 audit performed for the rest of the city, the audit reviews the accuracy and internal controls over the classification, recording and inventory of the airport’s purchased or constructed buildings and equipment as reported in the city’s Comprehensive Annual Financial Report.
Airport Hotel Contract The audit will assess whether DEN and the Westin DIA Operator, LLC, are in compliance with the Hotel Management Agreement covering the Westin Denver International Airport.
IT Security Operations Center This audit will evaluate the documentation, standardization of processes and detection and response capabilities of Denver International Airport’s Information Technology Security Operations Center.

Denver Public Library
Social Services This audit will examine the extent to which the Denver Public Library is equipped to provide certain social services, and the effect of these additional services on the library’s ability to meet its stated mission.

General Services
Physical Security of City Facilities The audit will examine physical security and security services provided at city facilities to determine if the safety of city employees and visitors is adequately addressed.

Human Services
Child Welfare Placement
This audit will review the oversight of the foster care and residential child care facilities for the city.
Community Center Board Mill Levy Expenditure
This audit will review Denver Human Services’ (DHS) oversight and monitoring of the contract with Denver’s Community Center Board (CCB), which provides case management and coordinates services for Denver’s children and adults with intellectual and developmental disabilities. The audit will include a look at how the CCB is managing, allocating and expending the mill levy funds that it receives under the contract with DHS.

Public Health and Environment
Substance Misuse and Overdose Prevention This audit will review the effectiveness of efforts of the Community Health Division in addressing opioid and other substance misuse. The audit may include an assessment of coordination efforts with needle exchange programs in the area and the department’s regulation efforts of needle exchange programs.

Public Safety
Jail Safety The audit series will review the extent to which jail operations and the implementation and enforcement of the use-of-force policy have been effective in reducing harm experienced by staff and inmates.

Public Works
Neighborhood Sidewalk Repair Program The audit will review the newly enforced sidewalk repair program for equity, efficiency and effectiveness.
Solid Waste Recycling The audit will review the economy, efficiency and effectiveness of the recycling and composting program.

Technology Services
Application Reviews This audit will review the IT general controls, specific application controls and the maintenance processes for various city applications.
Disaster Recovery The audit will review the IT systems disaster recovery plan to evaluate its ability to restore critical systems in a timely manner.
IT System Patching Process This audit will review the controls and process around applying system and security patches to servers and network hardware.
Network Access The audit will review the change management and access controls in place to manage the citywide network system.

Monitoring - Citywide
Follow-up Audits All audits by the Auditor’s Office provide recommendations for improvement, to which the audited agency must respond whether they agree or disagree. For recommendations that were agreed to by the responsible entity, we complete a follow-up audit after the agreed-upon recommendation implementation date. Each follow-up audit will assess the status and quality of implementation for each recommendation.
Monitoring of Financial and Operational Data Using Analytics Throughout the year, the Auditor’s Office will assess possible risk areas by working with departments to analyze specific data relevant to ongoing audits as well as analyzing general financial and operations information. Data analytics and audit tools will be used to identify anomalies in the data for further review.

Plan Description

I am pleased to present the Denver Auditor’s 2019 Audit Plan for the City and County of Denver. Denver residents appreciate the complete independence that comes from having an elected Auditor answerable only to the voters. As a certified public accountant, I am bound by a code of ethics and professional standards. In determining the Audit Plan, I bring the obligations of my professional license as well as the sacred trust of the voters.

My office has crafted an Audit Plan that incorporates risk-based performance, financial, information technology, and contract compliance objectives into a variety of audits and informational reports for 2019. The plan delivers value and impact for Denver and will be conducted with the highest professional standards.

In drafting this plan, we considered input from a wide range of sources and the people of Denver. My staff and I met with Denver elected officials and management about their unique operational risks and challenges. We performed data analysis of diverse sources to identify existing or emerging risks, allowing us to concentrate our work in areas where it will have the greatest impact.

Based on this overall risk assessment, I am pleased to share the important work we have for the year ahead. Cybersecurity, construction contract oversight, social services and grant recipient contract compliance are all high priorities in our rapidly-growing city and in my plan this year. Our work in 2019 will continue using data analytics to assess the quality of data gathered in the city and will use confirmed reliable data to inform our audits. This innovative approach will strengthen our audit analysis, evidence and recommendations, and keep my office at the forefront of the government auditing community. We will also continue to turn to professional resources in the community for audits and assessments that require specialized expertise, such as cybersecurity testing.

I look forward to carrying out these audits to deliver independent, transparent and professional oversight, thereby safeguarding the public’s investment in the City and County of Denver. I am committed to providing ongoing information on how tax dollars are spent and how government operates on behalf of
everyone who cares about the city, including its residents, workers and decision-makers.

I thank the residents of Denver for their support of a comprehensive Audit Plan. I am confident that once the 2019 Audit Plan is executed, residents will benefit from the city improvements spurred by our audit findings and recommendations. Please feel free to contact me at or 720-913-5000 with questions.

Auditing under the Denver Charter

The Charter provides that the Auditor shall conduct:

  • Financial and performance audits of the City and County of Denver in accordance with Generally Accepted Government Auditing Standards;
  • Audits of individual financial transactions, contracts, and franchises; and
  • Audits of financial and accounting systems and procedures, including records systems, revenue identification, and accounting and payment practices, for compliance with generally accepted accounting principles, best financial management practices, and any applicable laws and regulations governing the financial practices of the City and County of Denver.

The 2019 Audit Plan ensures broad audit coverage throughout the city while also addressing specific performance, financial, contractual, systems and regulatory risks. According to the Charter, the ultimate decision to perform any audit shall be at the sole discretion of the Auditor. Our approach to scheduling audits is flexible and subject to change throughout the year based on newly identified risks.

Integrated Auditing

Integrated audits incorporate elements of performance, financial and information technology auditing. This produces a more effective outcome through a holistic audit approach with a focus on improving governance, compliance, performance and operations.

Integrated auditing incorporates diverse approaches to accomplish audit coverage:

Performance Auditing – We identify opportunities to improve the efficiency and effectiveness of city activities. Our performance audits also
assess the viability or strength of the internal control environment of the city’s agencies and programs. We conduct policy analysis and evaluation
and may assess the city’s ability to mitigate risk. We may also select performance audits that align with the city’s major strategic initiatives.
Financial Auditing – The 2019 Audit Plan continues our focus on the overall financial management and fiscal activities of the city. These audits
will assess the financial internal control environment, compliance with city polices, financial governance, accounting and reporting practices, and
high-risk financial transactions.
Information Technology (IT) Auditing – Our IT audits will continue to address identified IT risks by focusing on the effectiveness of cybersecurity
defense, data protection and management of critical systems and applications.
Contract Compliance Auditing – The 2019 Audit Plan reflects a continued emphasis on auditing city contracts for compliance with contract terms
and fulfillment of the scope of work.

Data Analytics and Continuous Auditing Program

As part of Auditor O’Brien’s original vision for the Auditor’s Office, the Data Analytics and Continuous Auditing Program expands the office’s risk assessment and auditing capability and continues leading-edge audit practices to provide greater value and impact.

Data Analytics – The Auditor’s Office uses quantitative and qualitative analytics of audit-related data to support audits of city processes and
internal controls. For example, auditors may use data analytics to test whether processes and safeguards are appropriately implemented to
minimize risk and detect mistakes. In addition, data analytics can be used to ensure that data is accurate, consistent and complete; identify and
analyze anomalies and patterns; build statistical models; and synthesize analytical results.

Continuous Auditing – Continuous auditing is a data analytics technique that allows auditors to directly connect with city data systems, use
an entire data population rather than samples and automate ongoing analyses of that data. These ongoing analyses of data systems are used
to identify high risk areas and test controls in the city’s financial and operational systems in a timely fashion. The information gained from continuous auditing helps inform audits and the annual risk assessment. It can help audit teams to improve efficiencies in planning and fieldwork by identifying trends and exceptions earlier than through traditional methods.

Anti-Fraud Focus

The city’s management is responsible for establishing internal controls to detect and prevent fraud for each city entity. Although fraud detection is not a primary responsibility of the Auditor’s Office, all of our audits consider the possibility that fraud, waste or abuse may be occurring.

Audit Follow-up Program

Audit follow-up activities are conducted for every audit to assess whether city personnel implemented the agreed-upon audit recommendations for improvement and impact. The Auditor’s Office regularly issues follow-up audit reports to the Audit Committee and the City and County of Denver’s operational management on the status of audit findings and on our recommendations for improved business practices. Our office measures the audit recommendation acceptance rate as an indicator of the degree to which the city is utilizing information provided by our audit reports to mitigate identified risks and to enhance efficiency, effectiveness and economy of operations.

Focus on Flexibility, Transparency, Responsiveness, and Collaboration

As described throughout the 2019 Audit Plan, the concepts of flexibility, transparency and responsiveness to new or emerging risks are core tenets of
operations within the Auditor’s Office. Although the Auditor’s Office operates independently from other city entities, Auditor O’Brien and Auditor’s Office
leadership meet regularly throughout the year with the Mayor, City Council members, other elected officials, city personnel, neighborhood groups, and
civic leaders to solicit input regarding risks. The objective of this strategy is to improve services and stewardship of city resources.

Developing the annual Audit Plan is an ongoing process, conducted by assembling ideas from a variety of internal and external sources, examining a broad range of city activities and then assessing risk factors in tandem with additional considerations. This approach results in a diverse list of departments, programs, activities and contracts that are examined to determine whether they are operating efficiently, effectively and in accordance with the law and program or contract requirements.

In developing a list of potential audits and other types of analyses, ideas come from a variety of sources:

  • Assessments of operations and controls in previous internal and external audit reports, including independent audits of the city’s Comprehensive Annual Financial Report (CAFR), single audit and audit management letters;
  • Input from the community, elected officials, Audit Committee members, external auditors, department and agency management and staff;
  • Consideration of current local events, financial conditions, major capital projects and public policy issues; and • Consideration of risks identified in other government audits that could emerge in Denver.

A robust audit plan assesses a broad range of city activities including:

  • Organizational units within a city agency, such as a division or a department;
  • Individual city programs and offices;
  • Transaction cycles or processes that affect more than one city function or department, such as contract procurement, real estate services, facility security, fines, taxes and assessments, or key technology processes;
  • Individual financial statement accounts or transnational activities, such as grant programs, construction in progress and special revenue funds;
  • City functions that operate like for-profit entities, such as Denver International Airport and other enterprise funds; and
  • Contracts and agreements between the city and third parties.
Our office identifies and prioritizes potential audits and other assessments using a risk-based approach by examining a variety of factors that may expose
the city to fraud, misappropriation of funds, liability or reputational harm.

Accordingly, risk factors are assessed by reviewing:

  • Significant changes that have occurred in the city;
  • Time since last audit of an area;
  • Size of department, program, activity or contract;
  • Size of budget;
  • Compliance and regulations;
  • Pending or recent legislation;
  • Complexity of transactions;
  • Fiscal sustainability;
  • Critical IT systems, including hardware and software;
  • Management accountability;
  • Quality of internal control system;
  • Age of program, operation or contract;
  • Public health and safety;
  • Critical infrastructure;
  • Short- and long-term strategic risks;
  • Related litigation;
  • Relevant case law; and
  • Emerging risk areas.

Risk factors are periodically evaluated and modified, as necessary. After the plan is finalized, new information may come to light; events,
initiatives, priorities and risks within the city may change. The flexible nature of the Audit Plan as a living document provides the discretion to change
course when it is in the best interest of the city.

The Auditor’s Office extends its gratitude and appreciation to the Mayor’s Office, City Council, the Audit Committee, members of the city’s operational management and members of the public for providing input on the 2019 Audit Plan and for supporting the general mission of our office throughout the year.