PRIORITY RANKING DEFINITIONS
Auditors use professional judgment to assign rankings to recommendations using the criteria and definitions listed below. The purpose of the rankings is to highlight the relative importance of some recommendations over others based on the likelihood of adverse impacts if corrective action is not taken and the seriousness of the adverse impact. Adverse impacts are situations that have or could potentially undermine or hinder the following:
a) The quality of services departments provide to the community,
b) The accuracy and completeness of County books, records, or reports,
c) The safeguarding of County assets,
d) The County’s compliance with pertinent rules, regulations, or laws,
e) The achievement of critical programmatic objectives or program outcomes, and/or
f) The cost-effective and efficient use of resources.
Priority 1 Issues
Priority 1 issues are control weaknesses or compliance lapses that are significant enough to warrant immediate corrective action. Priority 1 recommendations may result from weaknesses in the design or absence of an essential procedure or control, or when personnel fail to adhere to the procedure or control. These may be reoccurring or one-time lapses. Issues in this category may be situations that create actual or potential hindrances to the department’s ability to provide quality services to the community, and/or present significant financial, reputational, business, compliance, or safety exposures. Priority 1 recommendations require management’s immediate attention and corrective action within 90 days of report issuance, or less if so directed by the Auditor-Controller or the Audit Committee.
Priority 2 Issues
Priority 2 issues are control weaknesses or compliance lapses that are of a serious nature and warrant prompt corrective action. Priority 2 recommendations may result from weaknesses in the design or absence of an essential procedure or control, or when personnel fail to adhere to the procedure or control. These may be reoccurring or one-time lapses. Issues in this category, if not corrected, typically present increasing exposure to financial losses and missed business objectives. Priority 2 recommendations require management’s prompt attention and corrective action within 120 days of report issuance, or less if so directed by the Auditor-Controller or the Audit Committee.
Priority 3 Issues
Priority 3 issues are the more common and routine control weaknesses or compliance lapses that warrant timely corrective action. Priority 3 recommendations may result from weaknesses in the design or absence of a procedure or control, or when personnel fail to adhere to the procedure or control. The issues, while less serious than a higher-level category, are nevertheless important to the integrity of the department’s operations and must be corrected or more serious exposures could result. Departments must implement Priority 3 recommendations within 180 days of report issuance, or less if so directed by the Auditor-Controller or the Audit Committee.
FOLLOW-UP PROCESS AND INTERNAL CONTROLS
The Auditor-Controller (A-C) has a follow-up process designed to provide assurance to the Board of Supervisors (Board) that departments are taking appropriate and timely corrective action to address audit recommendations. Within six months of the date of an audit report, departments must submit a Corrective Action Implementation Report (CAiR) detailing the corrective action taken to address all recommendations in the report. Departments must also submit documentation with the CAiR that demonstrates the corrective action taken. We will review departments’ reported corrective action and supporting documentation, and report the results to the Board. For any recommendations not fully implemented, departments must report the status of corrective action within six months after our first follow-up report is issued.
Management’s Responsibility for Internal Controls
As indicated in County Fiscal Manual Section 1.0, management of each County department is primarily responsible for designing, implementing, and maintaining a system of internal controls that provides reasonable assurance that important departmental and County objectives are being achieved. Internal controls should sustain and improve departmental performance, adapt to changing priorities and operating environments, reduce risks to acceptable levels, and support sound decision-making.
Management must monitor internal controls on an ongoing basis to ensure that any weaknesses or non-compliance are promptly identified and corrected. The A-C’s role is to assist management by performing periodic assessments of the effectiveness of the department’s internal control systems. These assessments complement, but do not in any way replace, management’s responsibilities over internal controls.
Limitations of Internal Controls
Any system of internal controls, however well designed, has limitations. As a result, internal controls provide reasonable but not absolute assurance that an organization’s goals and objectives will be achieved. Some examples of limitations include errors, circumvention of controls by collusion, management override of controls, and poor judgment. In addition, there is a risk that internal controls may become inadequate due to changes in the organization, such as reduction in staffing or lapses in compliance.