Contra Costa County Grand Jury
• 2026-2027
Contra Costa County's Internal Audit Division: Time for a Transformation
Findings and Recommendations (28 findings)
F1
California Government Code Section 1236 requires that employees conducting audits for public agencies follow standards of the Institute of Internal Auditors (IIA) or the U.S. Government Accountability Office’s Generally Accepted Government Auditing Standards (GAGAS).
No recommendations for this finding
F2
The Internal Audit Division’s (IAD) Policies and Procedures Manual, Section 2.1, directs that it “follow applicable professional auditing standards in conducting our audits,” and defines which IIA or GAGAS standards are applicable to specific audit situations.
No recommendations for this finding
F3
The IAD’s placement within the Auditor-Controller's organizational structure creates an organizational independence threat under GAGAS §§3.27–3.58 and IIA Standard 7.1.
Related Recommendations (1)
R2
By January 1, 2027, the Board of Supervisors should consider evaluating alternative organizational reporting structures for IAD that reduce organizational and self-review threats, including placement outside the Auditor-Controller’s span of control.
F4
The Internal Operation Committee’s (IOC) failure to exercise charter approval, audit plan pre-approval, and direct report receipt as required by IIA Standards 6.1, 6.2, 8.1, 9.4, 11.3 and Principle 8 leaves this organizational independence threat unmitigated, constituting an independence impairment in fact and appearance under GAGAS §3.56.
Related Recommendations (2)
R2
By January 1, 2027, the Board of Supervisors should consider evaluating alternative organizational reporting structures for IAD that reduce organizational and self-review threats, including placement outside the Auditor-Controller’s span of control.
R6
By January 1, 2027, the Board of Supervisors should consider requiring an annual review by the IOC of IAD’s organizational independence, documented safeguards, and any identified independence impairments to ensure continued compliance with IIA Standard 7.1 and GAGAS §§3.40–3.58.
F5
IAD personnel participate in preparation of the County’s Annual Comprehensive Financial Report (ACFR), a management responsibility of the Auditor-Controller.
Related Recommendations (1)
R3
By January 1, 2027, the Auditor-Controller should consider prohibiting IAD personnel from participating in the preparation of the ACFR or performing other management functions to comply with IIA Standard 7.1 and GAGAS §§3.87–3.89.
F6
The participation of IAD personnel in ACFR preparation and their subsequent auditing of those same financial reporting processes and controls represents a self-review threat as defined in GAGAS §§3.30 and 3.39.
Related Recommendations (1)
R3
By January 1, 2027, the Auditor-Controller should consider prohibiting IAD personnel from participating in the preparation of the ACFR or performing other management functions to comply with IIA Standard 7.1 and GAGAS §§3.87–3.89.
F7
The IAD has no documentation demonstrating that organizational and self-review independence threats have been formally identified, evaluated, or mitigated through safeguards, as required by GAGAS §§3.40–3.58 and IIA Standard 7.1.
Related Recommendations (1)
R4
By January 1, 2027, the Board of Supervisors should consider requiring the Auditor-Controller to develop, document, and implement a formal independence safeguards framework consistent with GAGAS §§3.40–3.58 and IIA Standard 7.1. Required safeguards shall include recusal protocols for audits involving Auditor-Controller functions, independent supervisory review of those audits, and documented segregation of duties between IAD personnel participating in ACFR preparation and those auditing associated financial reporting processes.
F8
The IAD has no documentation that the impact of IAD staff participation in ACFR preparation (a non-audit management activity) on independence and objectivity has been formally assessed and disclosed to the oversight body, as required by GAGAS §3.59 and IIA Standards 7.1 and 8.1.
Related Recommendations (1)
R5
By January 1, 2027, the Board of Supervisors should consider requiring the Auditor-Controller to annually disclose to the IOC, or, if established, the Audit Committee, all identified independence threats and the safeguards implemented to mitigate them, consistent with GAGAS §3.59 and IIA Standard 7.1.
F9
The IOC of the Board of Supervisors (Board), consisting of two supervisors, is responsible for functional oversight of the IAD.
No recommendations for this finding
F10
The IOC holds one meeting per year at which the IAD presents its prior year activities and upcoming audit plan.
No recommendations for this finding
F11
No documentation was found of additional meetings, interim audit reporting, or direct communication between the IAD and the IOC between annual plan presentations.
Related Recommendations (1)
R7
By January 1, 2027, the Board of Supervisors should consider requiring the IAD to report to the IOC no less than quarterly on the status of audit engagements, demonstrating alignment with the approved audit plan and documented risk assessment, consistent with IIA Principle 8, Standards 8.1 and 11.3, and GAGAS Chapter 6.
F12
A single annual meeting does not satisfy the ongoing communication, timely reporting, and report distribution obligations imposed by IIA Principle 8, IIA Standards 8.1 and 15.1, and GAGAS §§6.06 and 9.56, each of which requires engagement throughout the year.
Related Recommendations (1)
R7
By January 1, 2027, the Board of Supervisors should consider requiring the IAD to report to the IOC no less than quarterly on the status of audit engagements, demonstrating alignment with the approved audit plan and documented risk assessment, consistent with IIA Principle 8, Standards 8.1 and 11.3, and GAGAS Chapter 6.
F13
The Board’s Finance Committee, consisting of two supervisors, is responsible for functional oversight of external audit activity.
Related Recommendations (1)
R8
By January 1, 2027, the Board of Supervisors should consider consolidating the internal and external auditor oversight as currently performed by the IOC and Finance Committee into a single Audit Committee.
F14
Neither the IOC nor the Finance Committee requires financial or audit expertise as a condition of membership, inconsistent with the Government Finance Officers Association's (GFOA’s) Audit Committees best practice and IIA guidance on audit committee effectiveness, both of which identify such expertise as a threshold condition for effective audit oversight.
Related Recommendations (1)
R9
By January 1, 2027, the Board of Supervisors should consider adopting IOC, or Audit Committee, membership that conforms to GFOA's Audit Committees best practice guidance by including a minimum of three members, at least one with expertise in governmental accounting principles, internal controls, and audit committee functions, and at least one public member independent of County management.
F15
Neither the IOC nor the Finance Committee includes public members independent of County management as a condition of membership. GFOA's Audit Committees best practice recommends that audit committees include public members independent of management to strengthen both the substance and credibility of financial oversight.
Related Recommendations (1)
R9
By January 1, 2027, the Board of Supervisors should consider adopting IOC, or Audit Committee, membership that conforms to GFOA's Audit Committees best practice guidance by including a minimum of three members, at least one with expertise in governmental accounting principles, internal controls, and audit committee functions, and at least one public member independent of County management.
F16
The County’s IAD operates under Administrative Bulletin 212.1 (1975), which does not include all the elements of an Audit Charter required by IIA Standard 6.2.
Related Recommendations (2)
R10
By January 1, 2027, the Auditor-Controller should consider developing an Audit Charter for the IAD aligned with IIA Standard 6.2.
R11
By April 1, 2027, the Board of Supervisors should consider reviewing and approving the IAD's Audit Charter, consistent with IIA Standard 6.2, which requires that the governing body approve the internal audit charter and conduct periodic reviews to ensure it remains current.
F17
The IAD presented its 2026 annual audit plan as “risk based.” However, the plan did not include a documented risk assessment as required by IIA Standards 9.3 and 9.4.
Related Recommendations (1)
R13
By January 1, 2027, the Auditor-Controller should consider directing the IAD to revise its Policies and Procedures Manual and any applicable administrative bulletins to incorporate requirements for a documented, risk-based audit planning process aligned with IIA Standards 9.3 and 9.4.
F18
IAD has no documented risk-assessment methodology as required by IIA Standard 9.3.
Related Recommendations (1)
R12
By January 1, 2027, the Auditor-Controller should consider requiring the IAD to adopt and implement a documented risk assessment methodology that includes defined risk factors, risk-ranking or scoring criteria, and a systematic process for identifying and prioritizing risks as required by IIA Standards 9.3 and 9.4.
F19
IAD’s risk assessments do not include input from the Board or senior County executives, as required by IIA Standards 8.1 and 9.4.
Related Recommendations (1)
R14
By January 1, 2027, the Auditor-Controller should consider requiring that the annual risk assessment process include documented input from the Board of Supervisors, its designated oversight committee, and senior county leadership, consistent with IIA Standards 8.1 and 9.4.
F20
The IOC is not provided with information to determine whether proposed annual audit plans address the County’s highest-risk areas, as required by IIA Principle 8 and IIA Standards 8.1 and 9.4.
Related Recommendations (2)
R15
By January 1, 2027, the Board of Supervisors should consider requiring that all audit plans presented for its approval include a summary of the risk assessment methodology, key risks identified, and the rationale used to prioritize audit engagements, consistent with IIA Standards 9.3 and 9.4 and GAGAS §§8.03–8.07.
R16
By January 1, 2027, the Board of Supervisors should consider requiring the IAD to document the linkage between identified risks and the audit engagements included in the annual audit plan, including justification for inclusion or exclusion of high-risk areas.
F21
IAD implements its annual audit plan without prior Board input or approval, eliminating the Board's opportunity to influence audit priorities before audit work has begun, inconsistent with IIA Principle 8 and IIA Standards 8.1 and 9.4, which collectively require that the board review and approve the risk-based audit plan before implementation.
Related Recommendations (1)
R18
By December 1, 2026, the Board of Supervisors should consider directing the Auditor-Controller to submit the IAD's annual risk-based audit plan for Board approval before the fiscal year to which the plan applies begins.
F22
Findings F4, F10, F11, F12, F18, F19, F20, F21, and F26 collectively establish that the IOC and Board do not fulfill the audit oversight responsibilities required by IIA Principle 8 and Standards 8.1 and 15.1, and GAGAS §§3.46 and 6.06 — including charter approval, prospective audit plan approval, ongoing engagement, risk-based planning oversight, and direct receipt of audit reports.
No recommendations for this finding
F23
The IAD’s schedule is based on a calendar year, inconsistent with the fiscal year that governs the County’s overall planning, budgeting, and operational processes.
Related Recommendations (1)
R17
By December 1, 2026, the Auditor-Controller should consider directing the IAD to shift the Internal Audit Division’s audit planning from a calendar to a fiscal year schedule beginning with the 2027-28 fiscal year.
F24
The IAD does not maintain an ongoing quality assurance and improvement program, as required by IIA Standard 8.3 and GAGAS Chapter 5, which require audit organizations to establish and maintain internal quality assessment processes to evaluate conformance with professional standards.
Related Recommendations (1)
R19
By December 1, 2026, the Auditor-Controller should consider directing the IAD to adopt and maintain an ongoing quality assurance and improvement program, as required by IIA Standard 8.3 and GAGAS Chapter 5.
F25
The IAD has not undergone an external quality assessment review in more than 25 years. IIA Standard 8.4 requires an external assessment at least once every five years and GAGAS §5.179 requires an external peer review at least once every three years.
Related Recommendations (1)
R20
By December 1, 2026, the Auditor-Controller should consider directing the IAD to undergo an external quality assessment review as required by IIA Standard 8.4 and GAGAS §5.179.
F26
The IAD does not distribute its reports to the IOC, as required by IIA Standards 11.3 and 15.1 and GAGAS Chapter 9.
Related Recommendations (1)
R21
By December 1, 2026, the Auditor-Controller should consider directing the IAD to distribute all completed audit reports, including management responses, directly to the IOC (or, if established, the Audit Committee) consistent with the direct communication requirements of IIA Standards 11.3 and 15.1 and the report distribution requirements of GAGAS Chapter 9.
F27
The IAD does not post its completed audit reports or annual audit plan on its public webpage, inconsistent with GAGAS Chapter 9, which requires public availability of completed audit reports, and the recommendations of the Association of Local Government Auditors and the National Association of State Auditors, Comptrollers and Treasurers.
Related Recommendations (1)
R22
By December 1, 2026, the Auditor-Controller should consider directing the IAD to post the audit charter, annual audit plan, and all completed audit reports to the County's public website, consistent with GAGAS Chapter 9, which requires that audit organizations make completed audit reports publicly available, and the transparency recommendations of the Association of Local Government Auditors and the National Association of State Auditors, Comptrollers and Treasurers.
F28
The deficiencies documented in Findings F3 through F8, F16 through F21, F24, F25, F26, and F27 collectively establish that the IAD does not operate in conformance with the IIA and GAGAS standards required by California Government Code Section 1236 and directed by its own Policies and Procedures Manual.
Related Recommendations (1)
R1
By December 1, 2026, the Auditor-Controller should consider directing the IAD to comply with the IIA and GAGAS auditing standards as adopted in IAD’s Policies and Procedures Manual and as required by California Government Code Section 1236.
In the News 1
News coverage of this report, automatically tracked.
Grand Jury: Contra Costa County Internal Audit Division Failing To Meet State Standards
CLAYCORD
· June 17, 2026