The URL can be used to link to this page

Home My WebLink About2025-04-29; City Council; Resolution 2025-100Exhibit 1 RESOLUTION NO. 2025-100 A RESOLUTION OF THE CITY COUNCIL OF THE CITY OF CARLSBAD, CALIFORNIA, APPROVING THE FY 2025-26 INTERNAL AUDIT PLAN WHEREAS, the City Council of the City of Carlsbad, California, has determined that the Internal Audit Manager performs independent and objective assurance services to safeguard city resources and improve city operations; and WHEREAS, the services provided may include internal audits of any city department, division, function or program; and WHEREAS, as required by City Council Policy No. 89, the Internal Audit Manager has presented a Fiscal Year 2025-26 Internal Audit Plan (Attachment A) for the City Council’s review and approval ; and WHEREAS, the purpose of the Internal Audit Plan is to outline internal audits and other value- added engagements the Internal Audit Manager proposes to conduct during the fiscal year; and WHEREAS, the Fiscal Year 2025-26 Internal Audit Plan includes information about the basis for audit engagement selection, preliminary objectives and the consideration of resources; and WHEREAS, once approved, the Fiscal Year 2025-26 Internal Audit Plan will serve as the operating roadmap for the city’s Internal Audit Manager. NOW, THEREFORE, BE IT RESOLVED by the City Council of the City of Carlsbad, California, as follows: 1.That the above recitations are true and correct. 2.The proposed action is not a “project” as defined by CEQA Section 21065 and CEQA Guidelines Section 15378(b)(5) and does not require environment review under CEQA Guidelines Section 15060(c)(3) and 15061(b)(3), because the proposed action to adopt the Internal Audit Plan is an organizational or administrative government activity that does not involve any commitment to any specific project which may result in a potentially significant physical impact on the environment. Any subsequent action or direction stemming from the proposed action may require preparation of an environmental document in accordance with CEQA or CEQA Guidelines. 3.That the City Council approves the Fiscal Year 2025-26 Internal Audit Plan, attached as attachment A. April 29, 2025 Item #8 Page 4 of 22 Docusign Envelope ID: 23DE9A9B-607A-4E5B-B20D-FD21511D3771 PASSED, APPROVED AND ADOPTED at a Regular Meeting of the City Council of the City of Carlsbad on the 29th day of April, 2025, by the following vote, to wit: AYES: Blackburn, Bhat-Patel, Acosta, Burkholder, Shin. NAYS: None. ABSTAIN: None. ABSENT: None. ______________________________________ KEITH BLACKBURN, Mayor ______________________________________ SHERRY FREISINGER, City Clerk (SEAL) April 29, 2025 Item #8 Page 5 of 22 Docusign Envelope ID: 23DE9A9B-607A-4E5B-B20D-FD21511D3771 1 CITY OF CARLSBAD Internal Audit Plan for Fiscal Year 2025-26 Overview City Council Policy 89, Internal Audit Framework, requires the Internal Audit Division to prepare an annual internal audit plan and to submit it to the City Manager and City Council for review and approval. The plan includes a listing of audits scheduled for FY 2025-26 and other work performed by the Internal Audit Division. The plan is based on a citywide risk assessment, input from city management and a review of audit plans from other cities. Work for FY 2025-26 includes four performance audits, oversight of the transit occupancy tax audit and administration of the Fraud, Waste and Abuse Hotline. This report details: •The risk assessment and audit selection processes •The resources (time) available for the Internal Audit Division •Budget estimates for the proposed audits and other work This level of detail provides transparency to the City Council and city leadership and allows for more informed feedback and review. Stakeholder feedback is important for audit functions, especially for a small internal audit function. Conducting the risk assessment begins with identifying all city areas that can be audited using the city’s budget document, which lists departments and their divisions and provides basic information about their funding and staffing levels. This is followed by additional steps to consider inherent risks, controls and other factors. Risk is simply the possibility that something bad may happen, and it is evaluated by considering potentially harmful events and quantifying them in terms of severity and frequency. Other potential audit areas that do not appear as separate budget items are also identified. Concerns are expressed in terms of assurance objectives – how things should work – and risk scenarios – bad events that could occur. These reflect the Internal Audit Division’s perspective as well as feedback from the City Manager, deputy city managers and chiefs and their division directors. In keeping with City Council Policy 89, the plan is flexible and includes unallocated audit hours to accommodate any subsequent requests for work from the City Manager or City Council. If such work is substantial, the plan can be amended, and the City Council will be informed of any impact on audit schedules. Attachment A April 29, 2025 Item #8 Page 6 of 22 Docusign Envelope ID: 23DE9A9B-607A-4E5B-B20D-FD21511D3771 2 The risk assessment yielded more potential audit topics than can be completed in one year with current audit resources, so another assessment does not need to be conducted for the next three years. However, the citywide risk assessment will be reviewed each year and revised as necessary to account for significant events and changes that impact risks within city departments and operations. How areas are selected for audit •Is the area or risk event within the competency of Internal Audit and the jurisdiction of the City of Carlsbad? 1. Is the area amenable to audit? •Are there large, adverse potential impacts on the city's finances, or on the health, safety, security and welfare of our residents? 2. Evaluate inherent risks •Mitigating factors: Stability of a function; strong internal controls; favorable, recent prior audit findings, other oversight. •Exacerbating factors:Significant economic, regulatory, or technological changes; high staff turnover; City Council and management concerns. 3. Consider additional factors •Research issues and audit findings at similar municipalities •Discuss potential audit areas with Deputy City Managers, Chiefs, Department Directors and staff. 4. Identify potential audit areas •Solicit additional mangement and leadership feedback. •Consider audit resources and schedules constraints. •Obtain City Manger and City Council approval. 5. Develop an annual audit plan No Very low Low to medium Communicate risks, if necessary Do not audit Monitor for changes April 29, 2025 Item #8 Page 7 of 22 Docusign Envelope ID: 23DE9A9B-607A-4E5B-B20D-FD21511D3771 3 Considerations in audit selection • Auditable areas Although some areas may be exposed to various risks, they may not be auditable if they fall outside the jurisdiction of a city and involve state or federal activities or international events. For example, there is little a city can do to mitigate the risk of an oil spill in the ocean, even though it may have to contend with a prolonged and costly beach cleanup. • Inherent risk Inherent risk is the natural level of risk that exists within a place or activity. Risk can be assigned to departments, programs and processes. For example, a municipal skate park carries an inherent risk of injury to skaters. Factors that impact the assessed level of risk include the size of an area, measured by budgeted personnel expenses, operational costs and the number of employees employed within it; the nature of the work and potential impact on public health, safety and security; and the prospect of a large financial loss (whether acute or long-term). • Mitigating or exacerbating factors Some activities and events can modify the level of risk. Continuing with the prior example about the skate park, the frequency and severity of injuries can be reduced by requiring skaters to wear protective helmets, elbow pads and knee guards. In general, significant economic, staffing, regulatory, or technological changes in an area tend to raise the level of risk because breakdowns are more likely to occur during transitional periods. • Identify potential audit areas Potential audit areas are identified by reviewing City Council meeting agendas, prior internal audit reports at the City of Carlsbad and other government agencies and soliciting input from the City Manager, deputy city managers and department directors and City Council members. • Audit resources One full-time auditor can provide approximately 1,500 audit hours annually, with other time allocated to administrative work and required continuing professional education. Budgeting for performance audits entails informed guesswork, as each audit subject differs from previous ones. In contrast, budgeting for annual financial and compliance audit tend to be accurate because they are based on past budgets and can build on previous work. After their initial creation, financial and compliance audit plans and procedures require minimal modification – except when there are significant changes in regulations or systems. April 29, 2025 Item #8 Page 8 of 22 Docusign Envelope ID: 23DE9A9B-607A-4E5B-B20D-FD21511D3771 4 Proposed internal audits for fiscal year 2025-26 Category Hours Transit occupancy tax (oversight only) 160 Police Department inventory and storage 320 Information Technology (specific topic TBD) 320 Employee overtime 320 Liability claims handling 240 Unallocated hours (available for management requests and other consultations) 140 Total allocated audit hours 1,500 The city contracts with a public accounting firm to audit a sample of businesses every year to ensure that hotels and other businesses are properly accounting for and remitting transit occupancy taxes., The internal auditor provides oversight and assistance for this work. The rationale for selecting the other areas is as follows: • Police Department inventory and storage was selected due to concerns regarding the adequacy of storage space for evidence and other assets. • Information technology is a rapidly changing field that encompasses many distinct and complex activities. The internal auditor is currently working with the IT department to determine suitable audit topics. • Overtime across a large organization should be used appropriately; misuse or inconsistent use of overtime is problematic for a variety of financial and management reasons. • Proper liability claims handling is a crucial activity that can reduce the city’s liability exposure and improve the city’s risk management efforts. The audit budgets are built by adding weekly estimates of various audit phases: planning and research, evidence gathering, analysis, report writing and quality control and review. The audits in this plan are estimated to take 6 to 8 weeks. April 29, 2025 Item #8 Page 9 of 22 Docusign Envelope ID: 23DE9A9B-607A-4E5B-B20D-FD21511D3771 5 Risk assessment and audit selection process The main steps of the risk assessment and audit selection process are shown in the figure below and its results are detailed in the tables and text that follow. The first step in selecting areas for audit began with setting a threshold for selection based on the size of a work area. While this is a somewhat basic approach, larger functions tend to carry more risk and any problems within them will likely have a greater impact than problems in smaller function.1 Work areas with over $5 million or 10 FTEs The threshold for selection was set at over $5 million or 10 full-time equivalent personal (FTEs), representing approximately 1% to 2% of the operating budget dollars or number of employees. Almost half (24 out of 52) of the areas did not meet this threshold and were eliminated from selection. The 28 areas that did are listed in the following table. 1 Thresholds are an accepted approach in auditing; for example, the methodology for conducting financial audits of federal aid entails setting thresholds to classify programs based on the amount of federal funds expended. April 29, 2025 Item #8 Page 10 of 22 Docusign Envelope ID: 23DE9A9B-607A-4E5B-B20D-FD21511D3771 l.6fl[] 1) Identify work areas over $5 million or with 10 FTEs 0 2) Make adjustments (deletions) and provide rationale 0 3) Make adjustments (additions) and provide rationale I I 4) Identify potential audit areas 6 Work areas budgeted for over $5 million or with 10 FTEs (Meets selection criteria) Department / Division Budgeted expenditures Personnel services Operating expenses Full-time employees Finance $5,631,964 $3,708,988 $1,922,976 26.0 Human Resources $5,136,218 $2,393,196 $2,743,022 13.0 Risk Management $7,397,470 $429,648 $6,976,822 2.5 Worker’s Compensation $5,988,115 $249,013 $5,739,102 1.5 Information Technology $18,705,537 $8,418,368 $10,287,169 48.0 Community Development - Land development engineering $2,275,442 $1,763,838 $511,604 10.0 Community Development – Planning $3,671,219 $2,916,621 $754,598 19.0 Federally funded community assistance programs $13,867,943 $601,320 $13,266,623 5.0 Library & Cultural Arts – Public services $7,499,138 $4,807,612 $2,691,526 26.0 Parks & Recreation – Administration $2,830,646 $2,045,238 $785,408 11.5 Parks & Recreation – Recreation $9,652,485 $5,457,947 $4,194,538 23.3 Parks & Recreation – Parks and trail maintenance $10,390,651 $2,412,654 $7,977,997 18.5 Parks & Recreation – The Crossings Municipal Golf Course $10,762,000 $0 $10,762,000 0.0 Fire Department – Administration $7,537,497 $1,002,590 $6,534,907 5.0 Fire Department – Emergency operations $31,328,026 $28,829,242 $2,498,784 108.0 Fire Department – Community risk reduction $3,098,057 $2,343,062 $754,995 11.0 Police Department – Administration, grants and asset forfeiture $8,869,262 $1,841,231 $7,028,031 8.0 Police Department – Field operations $25,935,754 $21,807,751 $4,128,003 84.0 Police Department – Support operations $18,625,351 $16,689,787 $1,935,564 63.0 Police Department – Administrative support operations $5,260,830 $4,897,845 $362,985 28.0 Construction Management & Inspection $3,068,292 $2,321,180 $747,112 15.0 Environmental Sustainability $4,753,450 $2,391,232 $2,362,218 16.5 Facilities $7,249,050 $3,511,036 $3,738,014 25.9 Fleet – maintenance and replacement $8,611,435 $1,424,977 $7,186,458 10.1 Transportation – Traffic, Mobility, Transportation Engineering $10,332,167 $5,305,034 $5,027,133 35.3 Utilities – Potable water operations $58,158,391 $4,905,925 $53,252,466 31.2 Utilities – Recycled water operations $10,814,449 $1,955,001 $8,859,448 11.5 Utilities – Wastewater operations $33,253,062 $3,355,847 $29,897,215 20.9 April 29, 2025 Item #8 Page 11 of 22 Docusign Envelope ID: 23DE9A9B-607A-4E5B-B20D-FD21511D3771 7 The list above can be thought of as a menu from which audits will be chosen. In addition to the areas listed above and as noted below, performance measures, employee overtime and insurance coverage will also be considered for auditing. Added areas Storm Drain Maintenance & Engineering did not meet the budget selection threshold but was added given the city’s topography and the increasing weather variability in our region. Department / Division Budgeted expenditures Personnel services Operating expenses Full-time employees Transportation - Storm Drain Maintenance and Engineering $2,410,461 $970,247 $1,440,214 6.6 Other areas that do not appear as separate items in the budget were also added. These are listed below, along with the rationale for their selection. Two areas that merit auditing but will not be considered for audit are also identified, along with the reasons for their exclusion. Other additions and rationale Performance measures Performance measurement is essential for government operations, as it is difficult to obtain performance feedback through other means. For example, businesses in a competitive industry may receive feedback through growth and profitability or loss of customers and declining revenue. However, government services such as those provided by a water department are not subject to market feedback. Developing appropriate performance measures for various municipal operations and ensuring that they align with other organizational goals takes skill. The wrong measures can drive dysfunctional behaviors and yield undesirable results. The integrity of reported performance results is also crucial, and appropriate controls must be placed, especially since people are often reporting the results of their own performance and have a stake in the outcome. Measurement should be used for feedback and not reward or punishment. Employee overtime There are many appropriate uses of overtime, including using it for temporary or cyclical increases in workload and as a cost saving measure when it is more economical than hiring new employees. However, overtime is subject to abuse when it is not closely monitored and can result in excessive cost and reduce employee morale in some cases such as excessive mandatory overtime. Insurance Coverage Insurance coverage amounts, self-retention threshold and reserves are periodically reviewed and established based on actuarial studies, or other financial analysis and a survey of the insurance marketplace. April 29, 2025 Item #8 Page 12 of 22 Docusign Envelope ID: 23DE9A9B-607A-4E5B-B20D-FD21511D3771 8 Other areas carrying high inherent risk The following two areas also do not meet the budget threshold for audit selection, but they merit auditing for other reasons. However, they will not be considered for audit at this time. Treasury operations Functions such as investment strategies and cash management are important and should be audited. However, the City of Carlsbad has a newly elected Treasurer who is currently reviewing treasury operations. Scheduling an audit at this time may simply duplicate some of the work that the Treasurer is conducting. Furthermore, the Finance Department publishes a monthly report on city investments that is provided to management and council members, and the investments appear to be stable. Fire Department – Brush management The extreme drought conditions in Southern California and the recent fires in Los Angeles and San Diego counties and other places make brush management and mitigation efforts one of the highest priority areas for audit. However, this area is currently receiving attention from many officials at the state and local level, including the Carlsbad Fire Department. A new audit is unlikely to contribute much information to evolving efforts to reduce fire risks. Assurance objectives and risk scenarios in potential audit areas Historically, auditors selected areas for audit based on their experiences, interests and judgment. While professional experience can make for good judgment, an approach that is primarily driven by judgment is susceptible to various biases and does not help auditors explain the reasoning for their choices. It was also common practice to place certain functions (e.g. payroll) on a rotation schedule to be audited every two or three years. While audit schedules greatly reduce the effort required to develop audit plans, they can be wasteful because they result in repeat audits of areas that may carry little risk. Over time, the audit profession adopted a risk-based approach to audit selection, which is structured and transparent.2 However, there are other legitimate methods of selecting audits in government entities, and premier audit organizations such as the U.S. Government Accountability Office and the California State Auditor conduct most of their audits at the request of elected officials. The areas that follow include bulleted listings of processes or functions that are performed within them. These are the subjects that the Internal Audit Division would seek to examine to check whether they are operating properly and to make any recommendations for improvement. Within most areas, there are many functions and processes, which ones end up as the focus of an audit is determined during the audit planning phase as part of the process of setting audit objectives. 2 While risk-based audit selection is the current best practice, it is not a scientific process. Auditors do not back test audit plans to assess their validity, that is, to test past data (or audit plans) to see how past selections performed. The relatively small number of audits that municipal audit departments conduct annually, as well as the variety of audit topics and risks encountered generally precludes such analyses. April 29, 2025 Item #8 Page 13 of 22 Docusign Envelope ID: 23DE9A9B-607A-4E5B-B20D-FD21511D3771 9 Evaluation of potential audit topics within areas selected FINANCE Budgeted expenditures: $5,631,964 Personnel services: $3,708,988 Operating expenses: $1,922,976 Full-time employees: 26 Because financial functions carry a high inherent risk of mismanagement and fraud, the city undergoes a required annual financial audit designed to uncover significant misstatements. The city also has an Ethics and Fraud Hotline that employees can use to report any concerns about financial mismanagement. For a variety of reasons, financial controls in government agencies are stronger than those in other entities such as small and medium-sized businesses. Furthermore, government employees are not subject to strong incentives and pressures to manipulate financial performance that exist in many publicly traded companies, as there is no pressure to report continuous profits for shareholders and there are no bonuses to be earned for strong financial performance. Cases of municipal mismanagement and bankruptcies do occur, with notable examples such as Orange County in 1994 (risky investment strategies), the City of Stockton in 2012 (financial mismanagement) and the City of Bell (public corruption) that became public in 2010. Nonetheless, these cases are rare, and the finances of the City of Carlsbad are subject to adequate oversight. HUMAN RESOURCES Budgeted expenditures: $18,521,803 Personnel services: $3,071,857 Operating expenses: $15,449,946 Full-time employees: 17 Human Resources performs many important functions, including recruitment of employees, administration of employee benefits, labor negotiations, compliance with labor and employment laws and investigations of complaints. Human Resources department personnel are also involved in responding to litigation by employees. The city conducts informal audits of Human Resources practices and policies by comparing them to that of other organizations to ensure consistency and efficiency. In addition, these regular informal audits can help the city adapt to changing employment laws and business practices. Employing the results of these audits may support the city with establishing new hiring practices, compensation structures, and benefit allocations. Safety audits are also conducted informally to ensure the city maintains updated safety policies, reduce workplace risk, and potentially identify the necessary personal protective equipment for staff. April 29, 2025 Item #8 Page 14 of 22 Docusign Envelope ID: 23DE9A9B-607A-4E5B-B20D-FD21511D3771 10 RISK MANAGEMENT Budgeted expenditures: $7,397,470 Personnel services: $429,648 Operating expenses: $6,976,822 Full-time employees: 2.5 Potential audit focus areas / Assurance objectives • Claims are being processed and evaluated in a timely manner and in compliance with California Government Code sections 810-998.3 • Claims files are properly documented • There is a citywide claims handling strategy that incorporates financial, legal and public policy perspectives • Claims are analyzed to detect patterns and monitor trends and stakeholders are provided with regular reports • There is a process that provides for the investigation of claims, identification of related hazards, a study of root causes, communication with relevant stakeholders (generally the departments who either own or are responsible for the asset or issue that is the subject of the claim), monitoring of remediation efforts and prevention activities (e.g., inspections and training). • There is a robust loss recovery function that utilizes relevant departments for damage assessments and is in communication with the police WORKER'S COMPENSATION Budgeted expenditures: $5,988,115 Personnel services: $249,013 Operating expenses: $5,739,102 Full-time employees: 1.5 Potential audit focus areas / Assurance objectives • There is a workplace injury prevention program • Workplace injuries are investigated, and any needed corrective and preventive actions are taken • Injuries are tracked and analyzed to detect patterns and monitor trends • Appropriate disciplinary measures are taken for preventable injuries that resulted from policy violations, horseplay, or negligence • There is a return-to-work program that facilitates employee reengagement • Indications of fraud in injury reports are scrutinized and referred to qualified investigators April 29, 2025 Item #8 Page 15 of 22 Docusign Envelope ID: 23DE9A9B-607A-4E5B-B20D-FD21511D3771 11 INFORMATION TECHNOLOGY Budgeted expenditures: $18,705,537 Personnel services: $8,418,368 Operating expenses: $10,287,169 Full-time employees: 48.0 Potential audit focus areas / Assurance objectives • Information Technology’s security function has sufficient independence and is staffed by qualified personnel; resourced with appropriate tools such as network and endpoint intrusion detection systems; has developed plans to improve security and remediate vulnerabilities; has adopted or adapted a security standard such as the National Institute of Standards and Technology Cyber Security Framework. • IT operations are well managed, and the workload is controlled; staff are not simply responding to breakdowns • IT infrastructure assessments are conducted • The IT Department has current plans for acquisition and replacement of hardware that are based on funding, technological change and user needs • There is an adequate governance structure for the IT Department and good management of personnel (as indicated by a low turnover rate) and other resources • IT implementations adhere to project management best practices • IT procurements are not driven by customer requests or vendor recommendations • IT implementations use qualified advisors • Decisions regarding insourcing or outsourcing IT work are based on a comparative analysis of costs and capabilities and are not made haphazardly • There are proper controls over IT assets • The IT Department has prepared a disaster recovery plan and participates in the preparation of other plans such as the business continuity plan COMMUNITY DEVELOPMENT – LAND DEVELOPMENT ENGINEERING Budgeted expenditures: $2,275,442 Personnel services: $1,763,838 Operating expenses: $11,604 Full-time employees: 10 The Land Development Engineering Division ensures that all grading and public improvements required for new development projects and work in the public right-of-way comply with adopted codes and engineering standards. April 29, 2025 Item #8 Page 16 of 22 Docusign Envelope ID: 23DE9A9B-607A-4E5B-B20D-FD21511D3771 12 COMMUNITY DEVELOPMENT – PLANNING Budgeted expenditures: $3,671,219 Personnel services: $2,916,621 Operating expenses: $754,598 Full-time employees: 19 Planning work is technical and consists of regulatory compliance and updating plans. Planning is also an area that is subject to oversight from the City Council and residents. FEDERALLY FUNDED COMMUNITY ASSISTANCE PROGRAMS Budgeted expenditures: $13,867,943 Personnel services: $601,320 Operating expenses: $13,266,623 Full-time employees: 5 These programs provide housing vouchers and other housing assistance, and they are subject to federal requirements as a condition of funding. Compliance with grant terms is essential, as discrepancies and significant noncompliance can result in federal audits and demands for the repayment of funds. However, this area is audited annually as part of the city’s Single Audit, and the last Single Audit report reviewed for the year ending June 30, 2023, had no findings in this area. LIBRARY & CULTURAL ARTS – PUBLIC SERVICES Budgeted expenditures: $15,111,747 Personnel services: $8,872,058 Operating expenses: $6,239,689 Full-time employees: 51 Library functions tend to carry a low risk, and issues that present themselves in libraries can often be addressed through means other than audit. For example, concerns about the use of library bathroom facilities by transients are best addressed by management and the police when necessary. Concerns about the types of materials carried by libraries are best addressed through community engagement. Finally, libraries often face public demand for increased hours, but that is generally a funding issue and not an audit risk. April 29, 2025 Item #8 Page 17 of 22 Docusign Envelope ID: 23DE9A9B-607A-4E5B-B20D-FD21511D3771 13 PARKS AND RECREATION – ADMINISTRATION Budgeted expenditures: $2,830,646 Personnel services: $2,045,238 Operating expenses: $785,408 Full-time employees: 11 This area does not meet the financial threshold and slightly exceeded the personnel threshold for audit selection with 11.5 FTEs. Given that other divisions within the Parks and Recreation Department are significantly larger, it is best to prioritize those rather than the Administration section. PARKS & RECREATION – THE CROSSINGS MUNICIPAL GOLF COURSE Budgeted expenditures: $10,762,000 Personnel services: $0 Operating expenses: $10,762,000 Full-time employees: 0 Even though it has a budget of over $10 million, The Crossings is administered as an enterprise fund, which means that its costs are funded by customer and other fees and not the City’s General Fund. This reduces the financial exposure to the City. The Crossings is managed by a vendor and the City provides oversight for The Crossings through a steering committee comprised of senior city managers and an audit of The Crossings was conducted with a report issued in July 2020. Another audit is currently not necessary, considering other potential audit areas. FIRE EMERGENCY OPERATIONS Budgeted expenditures: $31,328,026 Personnel services: $28,829,242 Operating expenses: $2,498,784 Full-time employees: 108.0 Potential audit focus areas / Assurance objectives • Emergency medical service response times within target • There are adequate resources to respond to wildfires • Firefighter and emergency first responder training meets or exceeds legal and professional standards • Emergency management plans are in place and updated frequently • Evacuation plans for residents • Coordination among local emergency agencies is strong • Identification of shelters and periodic review • Firefighter safety is prioritized, and equipment is new and in good condition • Firefighters and EMS personnel Response protocols during shootings April 29, 2025 Item #8 Page 18 of 22 Docusign Envelope ID: 23DE9A9B-607A-4E5B-B20D-FD21511D3771 14 POLICE ADMINISTRATION, GRANTS & ASSET FORFEITURE Budgeted expenditures: $8,869,262 Personnel services: $1,841,231 Operating expenses: $7,028,031 Full-time employees: 8.0 Potential audit focus areas / Assurance objectives • Improper asset forfeiture • Compliance with grant terms • Recruitment, selection and retention of police officers • Police officer morale POLICE FIELD OPERATIONS Budgeted expenditures: $25,935,754 Personnel services: $21,807,751 Operating expenses: $4,128,003 Full-time employees: 84.0 Potential audit focus areas / Assurance objectives • Competent preparation for a response to a shooting incident, especially a school shooting • Officer safety and protective equipment • Process for handling complaints against police officers • Process for investigating allegations of police officer misconduct • Capacity to handle complex (e.g. homicide) investigations POLICE SUPPORT OPERATIONS Budgeted expenditures: $18,625,351 Personnel services: $16,689,787 Operating expenses: $1,935,564 Full-time employees: 63.0 Potential audit focus areas / Assurance objectives • Use of analytics and performance measures • Proper evidence storage • Firearms inventories • Equipment (vehicle) condition April 29, 2025 Item #8 Page 19 of 22 Docusign Envelope ID: 23DE9A9B-607A-4E5B-B20D-FD21511D3771 15 CONSTRUCTION MANAGEMENT & INSPECTION Budgeted expenditures: $3,068,292 Personnel services: $2,321,180 Operating expenses: $747,112 Full-time employees: 15 The engineering staff in this division function akin to compliance auditors, checking to verify that construction projects for City assets are being conducted in accordance with proper engineering specifications. ENVIRONMENTAL SUSTAINABILITY Budgeted expenditures: $4,753,450 Personnel services: $2,391,232 Operating expenses: $2,362,218 Full-time employees: 16.5 As is the case with other planning and regulatory compliance functions mentioned above, this function carries lower inherent risk than other divisions in Public Works. FACILITIES Budgeted expenditures: $7,249,050 Personnel services: $3,511,036 Operating expenses: $3,738,014 Full-time employees: 25.9 Potential audit focus areas / Assurance objectives • Condition assessment • Maintenance schedules • Regular inspections FLEET MAINTENANCE & REPLACEMENT Budgeted expenditures: $8,611,435 Personnel services: $1,424,977 Operating expenses: $7,186,458 Full-time employees: 10.1 Potential audit focus areas / Assurance objectives • Fleet planning and management • Maintenance decisions (i.e. internal, outsourced, what to maintain) • City policy on vehicle rentals April 29, 2025 Item #8 Page 20 of 22 Docusign Envelope ID: 23DE9A9B-607A-4E5B-B20D-FD21511D3771 16 TRANSPORTATION - TRAFFIC, MOBILITY, TRANSPORTATION ENGIN. Budgeted expenditures: $10,332,167 Personnel services: $5,305,034 Operating expenses: $5,027,133 Full-time employees: 35.3 Potential audit focus areas / Assurance objectives • Street and sidewalk condition assessments • Street paving plans based on appropriate factors and street conditions • Pedestrian, bike and vehicular safety UTILITIES - POTABLE WATER OPERATIONS Budgeted expenditures: $58,158,391 Personnel services: $4,905,925 Operating expenses: $53,252,466 Full-time employees: 31.2 Potential audit focus areas / Assurance objectives • Water rate increases • Watermain breaks and resulting flooding of business, residences and damage to streets (e.g., sinkholes) • Infrastructure management (pipes, treatment plants) • Environmental monitoring and compliance • Improper treatment of water can cause a health hazard UTILITIES - WASTEWATER OPERATIONS Budgeted expenditures: $33,253,062 Personnel services: $3,355,847 Operating expenses: $29,897,215 Full-time employees: 20.9 Potential audit focus areas / Assurance objectives • Infrastructure replacement and management (pipes, treatment plants) • Environmental monitoring and compliance • Wastewater overflow from holding tanks and spillage from rainstorms • Groundwater or watershed contamination from sewer pipe breakage or seepage April 29, 2025 Item #8 Page 21 of 22 Docusign Envelope ID: 23DE9A9B-607A-4E5B-B20D-FD21511D3771 17 Conclusion The City of Carlsbad’s Internal Audit function is small and therefore susceptible to disruption from staff turnover. While creating documents such as the risk assessment entails significant effort, such a document can help preserve organizational knowledge of city operations and risks. Furthermore, communicating the Internal Audit Manager’s perspective through meetings, discussions and trainings will enable other city staff to adopt an audit perspective on their work when needed. The transparency that such communication brings can also benefit management and the City Council by providing additional insights into city operations. April 29, 2025 Item #8 Page 22 of 22 Docusign Envelope ID: 23DE9A9B-607A-4E5B-B20D-FD21511D3771