Human Resources
It is our vision to become a trusted advisor to every employee and manager of the DOR. Collaboration is key to our success in providing value to the Department’s diverse needs. We believe in working together to enhance processes and operations.
In general, audits are designed to identify and evaluate significant exposures to risk, the effectiveness and efficiency of the department's system of internal controls, and the department’s process for establishing and communicating goals, monitoring performance, and ensuring accountability. More specifically, audits evaluate:
the department's compliance with statutes, regulations, policies, procedures, contracts and plans;
the extent to which the department’s assets are accounted for and safeguarded;
the reliability of management data developed within the department;
the economical and efficient use of the department’s resources; and
the accomplishment of established objectives and goals for operations and programs.
Audits include an analysis of both current and proposed systems and programs for all divisions and locations of the department. Audits are conducted in accordance with the International Standards for the Professional Practice of Internal Auditing.
An audit results in a formal written audit report with a list of findings and recommendations, as well as responses by the audited unit. Completed audit reports are distributed to relevant managers in the department.
Our annual audit plan lists Internal Audit engagements expected to be completed over the fiscal year. The audit plan is developed using risk-based methodology and includes input from management. The audit plan is reviewed periodically and adjusted, as necessary, in response to changes in the Department’s operations, programs, systems, risks and controls.
The FY2025 Audit Plan includes, but is not limited to, the following:
Assurance Services (Audits)
Employee Tax Audit – to verify the Department’s compliance with the Tax Year 2021 (EDO-035 Requirement to File & Pay Colorado Income Taxes)
Audits of Information Technology General Controls for sampled Department systems
Other compliance and performance audits
System Monitoring
Monitoring CDOR's systems for potentially unauthorized usage (EDO-018 Acceptable Use of State Data and Resources and TAX-023 Federal Taxpayer Data Security)
Fraud Prevention and Detection
Fraud prevention educational program efforts (EDO-025 Fraud Prevention Policy and Annual Fraud Prevention Training for DOR employees)
Investigations of fraud allegations and misconduct.
Non-Audit Advisory Services
Risk Assessments – working with the CDOR Risk Committee to identify and assess risks to the Department and communicating these to the leadership team
Ad-hoc consultations and special projects requested by management to provide requested feedback to business groups related to their processes and potential efficiencies and enhancements.
External Audit Liaison for DOR audits conducted by Federal agencies and the Colorado Office of the State Auditor.
The audit process entails planning, field work, reporting, and follow-up.
Planning
Once the annual internal audit plan is approved, we work on identifying laws, regulations, policies and procedures that concern the audited area and objectives of the specified engagements. We create an audit program to draft objectives and outline the steps we will take to meet the proposed objectives of the audit in accordance with auditing standards.
Entrance Meeting
We collaborate with management by submitting an engagement letter with our proposed scope and objective(s). This provides management with the opportunity to submit feedback before and during the entrance meeting. The entrance meeting is conducted to answer any questions or concerns and to address timelines and resources needed for the audit.
Once the entrance meeting occurs, the engagement commences. A document request will be submitted to personnel requesting policies, procedures, documents, etc.
During the field work phase, we test, as appropriate, given our audit scope and objectives, selected transactions, records, procedures, and practices, to obtain reasonable assurance that the Department’s processes complied with laws and regulations. We use professional judgment to determine if noncompliance could have a material effect on the results of our audit.
We typically evaluate:
the department's compliance with statutes, regulations, policies, procedures, contracts and plans;
the extent to which the department’s assets are accounted for and safeguarded;
the reliability of management data developed within the department;
the economical and efficient use of the department’s resources; and
the accomplishment of established objectives and goals for operations and programs.
Interviews with personnel typically occur during this phase to inquire further about the audited unit’s process or procedures.
Informal Communications
Status updates are periodically submitted to management to discuss findings and observations and address any questions or concerns. We solicit feedback from management for the potential recommendations to determine the best course of action to resolve the finding.
Draft Audit Report
The results of the field work are then articulated into a draft audit report incorporating the findings and recommendations. The draft report is submitted to management for review and feedback. Management also responds to the recommendations, outlining agreement/disagreement with the recommendation, the person responsible for the recommendation, the timeframe, and the proposed method of implementing the proposed recommendation (if the recommendation is accepted).
Exit Conference
We meet with management to gather their feedback on the results of the audit, the draft audit report, and the recommendations. This is an opportunity for collaborative discussion in order to avoid any misinterpretations of facts.
Final Report
Once we have incorporated management’s feedback and the responses to the audit recommendations, the formal written audit report is distributed to relevant managers in the department.
The audit report will include:
Executive Summary (Audit Approach, Key Findings, and Conclusions)
Background
Findings and Recommendations
Statement on Internal Controls (if applicable)
Statement on Compliance with Laws and Regulations
Based on the timeframes listed by management in the audit recommendation responses, we work with the identified person to follow up on the status of the recommendation(s). If the recommendation has been implemented, we obtain supporting documentation from the auditee to demonstrate this.
Managers request the assistance of Internal Audit to review an activity, program, or unit in their responsibility area. Consultations are often requested when a manager believes that there are opportunities for improvement in a particular area, and the manager wants a "second set of eyes" to provide a fresh perspective. Consultations result in a report and provide suggestions for improved efficiency, effectiveness, and/or compliance. Consults do not follow the stringent standards for testing and evidence that are required in an audit.
With the implementation of the department’s project management process, Internal Audit participates on projects; however, due to the limited resources available within the section, Internal Audit may need to participate only on those projects that present the most risk to the Department.
Internal Audit’s role as a participant on department projects is to:
help ensure that appropriate internal controls are identified and implemented;
help ensure risks to the department are identified and addressed; and
provide recommendations for appropriate internal controls and security.
Internal Audit is responsible for managing the department’s fraud prevention educational program, which includes the Fraud Prevention Policy, Fraud Prevention training program, monitoring department transactions through data analysis, participating in investigating reports of suspected fraud, and maintaining a list of all reported cases for the department. Department employees can report suspected cases of fraud to Internal Audit via Google form (Report Fraud, Waste and Abuse), by calling 303-866-2551, by contacting one of the internal auditors directly, or by emailing DOR_InternalAudit@state.co.us. Managers who have been contacted by an employee reporting a suspicion of fraud need to contact Internal Audit immediately.
The special projects Internal Audit works on are typically requested by senior management and may include audits, statute analysis, system data analysis, and various other projects for which auditors may have expertise.
In addition to audits, consultations, and special projects, Internal Audit has collaborated with employees and management by:
Attending the monthly new hire sessions to welcome the new DOR employees and talk to them about our role and what we do.
Contributing email reminders as well as articles to the RevEnews.
Researching employee questions regarding various policy and compliance matters and assisting them by providing relevant information.
The Director of Internal Audit is the Executive Director’s delegate for all external audit matters involving the department. Internal Audit serves as the department coordinator for external audits to ensure that relevant managers are aware of important audit matters and that responses to external auditors are timely and accurate. Internal Audit coordinates the administrative functions relating to the audit, helps department staff communicate with the external auditor, and updates the Executive Director and Deputy Executive Director on the progress of the external audits. Internal Audit reviews all audit responses for tone and content prior to submitting the responses to the Executive Director for their review and approval.