
INTERNAL AUDIT POLICIES AND PROCEDURES OPERATING MANUAL

SDCERS Internal Audit Manual June 2012

TABLE OF CONTENTS

1. INTRODUCTION
   Introduction to the Audit Manual
   Objective and Scope of Audit Services
   Conformance with IIA Auditing Standards
   Authority
   Independence and Objectivity
   Conformance with IIA Code of Ethics Principles and Rules of Conduct
2. ANNUAL AUDIT PLAN AND RISK ASSESSMENT
   Introduction
   Defining the Audit Universe
   Conducting the Risk Assessment
   Preparing the Audit Plan
   Presenting the Audit Plan
3. AUDIT PROCESS
   Introduction
   Planning
   Audit Fieldwork
   Reporting
   Engagement Quality Assessment
   Follow-up
4. GOVERNANCE AND CONSULTING ACTIVITIES
   Introduction
   Governance
   Consulting Engagements
5. QUALITY ASSURANCE AND ADMINISTRATION
   Introduction
   Quality Assurance and Improvement Program
   Annual Review of Audit Charter and Organizational Independence
   Professional Development
   Retention and Custody of Records

1. INTRODUCTION

Introduction to the Audit Manual

The purpose of the Internal Audit Policies and Procedures Operating Manual is to provide a written summary of the audit processes employed by the Internal Auditor. It provides guidance for the planning, execution, reporting and follow-up procedures performed by the Internal Auditor.

Objective and Scope of Audit Services

The mission of the Internal Auditor is to provide independent and objective assurance and consulting activity designed to add value and improve SDCERS' operations and help SDCERS accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

The scope of work is to assist the Audit Committee and the Board of Administration to fulfill their oversight responsibilities for SDCERS by evaluating whether SDCERS' risk management, control, and governance processes and information systems are appropriately designed and operating as intended to manage key risks.

Conformance with IIA Auditing Standards

The activities of the Internal Auditor are conducted in accordance with the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing (IIA Standards).

Authority

The Internal Auditor derives authority to conduct audits from the SDCERS Charter. The Internal Auditor Charter defines the purpose, authority, and responsibility of the Internal Auditor's activities. The Internal Auditor is authorized to engage in independent audit programs, risk assessments, and to coordinate audit efforts with external auditors. The Charter establishes the Internal Auditor's position within the organization and allows unrestricted access to SDCERS records for any matter within the Internal Auditor's scope of responsibilities.

Independence and Objectivity

The IIA Standards require that the internal audit activity be independent and internal auditors be objective in performing their work. For independence, the chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities.

SDCERS' Board of Administration appoints the Internal Auditor, who serves at the pleasure of the Board, and the Internal Auditor reports directly to the Board through the Audit Committee. This reporting structure is appropriate for the Internal Auditor's independence, and it allows the Internal Auditor to be free from interference in determining the scope of auditing, performing work, and communicating results as required by IIA Standards.

The Internal Auditor will have opportunities to meet with and report to the Audit Committee and the Board at least four times a year. In addition to presenting the results of audits, the Internal Auditor will provide status reports of other activities performed subsequent to the last meeting.

In order to maintain independence and objectivity, the Internal Auditor must have an impartial, unbiased attitude and avoid any conflict of interest, and must not perform audits in the following instances:

- Any situation that involves a member of the auditor's immediate family.
- Any activity that the auditor previously performed or supervised unless a reasonable period (a minimum of 1 year) has elapsed.
- Any activity to which the auditor previously provided advisory services unless a reasonable period (a minimum of 1 year) has elapsed.
- Any activity that the auditor has authority over or has responsibility for.
- Any situation in which other conflict of interest or bias is present or may reasonably be inferred. A conflict of interest exists even if no unethical or improper act results. A conflict of interest can create an appearance of impropriety that can undermine confidence in the Internal Auditor.

To ensure compliance with IIA independence requirements, the Internal Auditor will document whether or not any impairment exists for conducting the current Audit Plan by signing the Internal Auditor's Annual Independence Statement at the beginning of each fiscal year.

While the Internal Auditor's function is independent from all other areas of SDCERS' operations, situations may arise whereby there is an apparent or actual impairment to independence and objectivity. In those circumstances, the Internal Auditor will report the apparent or actual impairment to the Audit Committee Chair. The Audit Committee Chair will take action when necessary to resolve the issue. In those situations whereby the independence and objectivity of the Audit Committee Chair may also be impaired, the facts will be reported to the SDCERS Board Chair or another Board member who is not impaired to resolve the issue.

Conformance with IIA Code of Ethics Principles and Rules of Conduct

The Internal Auditor follows the Institute of Internal Auditors (IIA) code of ethics, and will apply and uphold the following IIA principles and rules of conduct:

Principles and Rules of Conduct

1. Integrity

The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment.

The Internal Auditor shall:

- perform work with honesty, diligence, and responsibility;
- observe the law and make disclosures expected by the law and the profession;
- not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the profession of internal auditing or to the organization;
- respect and contribute to the legitimate and ethical objectives of the organization.

2. Objectivity

Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments.

The Internal Auditor shall:

- not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that may be in conflict with the interests of the organization;
- not accept anything that may impair or be presumed to impair their professional judgment;
- disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review.

3. Confidentiality

Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.

The Internal Auditor shall:

- be prudent in the use and protection of information acquired in the course of their duties;
- not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization.

4. Competency

Internal auditors apply the knowledge, skills, and experience needed in the performance of internal audit services.

The Internal Auditor shall:

- engage only in those services for which the Internal Auditor has the necessary knowledge, skills, and experience;
- perform internal audit services in accordance with IIA Standards;
- continually improve proficiency and the effectiveness and quality of their services.

2. ANNUAL AUDIT PLAN AND RISK ASSESSMENT

Introduction

The IIA Standards and SDCERS Charter require the Internal Auditor to establish a risk-based approach to determine the priorities for internal audit activities. The Internal Auditor prepares an annual Audit Plan and Risk Assessment to help identify, measure, and prioritize potential audits based on the level of risk to SDCERS. The Risk Assessment results and input from SDCERS' Leadership Team (management) are utilized in preparing the annual Audit Plan. The purpose of the annual Audit Plan is to outline the work to be performed; it is designed to cover high risk activities while limiting the scope of work to what can realistically be accomplished during the upcoming fiscal year.

The annual audit planning process includes the following major audit planning activities:

- Defining the audit universe
- Conducting a Risk Assessment
- Preparing the Audit Plan
- Presenting the Audit Plan

Defining the Audit Universe

The first step in preparing the annual Audit Plan and Risk Assessment is to define the audit universe. The audit universe is a listing of all the potential audits that can be performed for SDCERS. This list of potential audits is created by surveying management and asking them to list all the Key Work Activities within SDCERS' seven divisions.

Conducting the Risk Assessment

The Risk Assessment for audit planning is the process of systematically scoring (or rating) the relative impact of a variety of risk factors. A risk factor is an observable or measurable indicator of conditions or events that could adversely affect the organization. Various risk factors will be used to measure inherent risks (such as the complexity of operations or regulations) or organizational vulnerability (such as weak internal controls).

A questionnaire is completed by management for each Key Work Activity to score the level of risk for each of the risk factors identified. Also, weights are assigned to each risk factor based on relative importance as determined by input from management.

The final step to complete the Risk Assessment is to calculate the total risk score for each Key Work Activity, ordered from the highest risk score to the lowest, by tabulating the information gathered from the questionnaires and applying the weights assigned to the risk factors.

The overall risk score for each Key Work Activity is tabulated by stratifying the resulting rating in descending order by tenths, and identifying the top 30 percent risk scores as High Risk, the next 40 percent as Medium Risk, and the bottom 30 percent as Low Risk.

During the risk assessment process, management is also surveyed to find out their top concerns related to current operational risks.

Preparing the Audit Plan

The Internal Auditor develops and prepares the Audit Plan by considering the high risk activities identified in the Risk Assessment, input from management regarding risk concerns, and the Internal Auditor's required activities outlined in SDCERS' Charter.

The Audit Plan is designed to cover high risk activities, while limiting the scope of work to what we can realistically accomplish during the fiscal year considering the limited audit resources available (one Internal Auditor). The Audit Plan should be shared with SDCERS' external financial auditor to receive feedback and minimize any duplication of efforts.

Presenting the Audit Plan

The final draft of the plan is discussed with the Chair of the Audit Committee, the Chief Executive Officer (CEO), and the Leadership Team. The final audit plan is presented to the Audit Committee for review and approval. After Audit Committee approval, the audit plan is provided to the Board for review and approval.
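The scoring and tiering described under Conducting the Risk Assessment can be worked through as follows. This is an added example, not part of the manual: the factor names, the percentage weights, the 1-5 questionnaire scale, the activity names and the rounding of the 30/40/30 cut points are all assumptions made for illustration.

```python
"""Weighted risk scoring and High/Medium/Low tiering for an audit universe."""

# Constructed sample data. Factor names and weights (percent, summing to 100)
# are illustrative assumptions, not values from the manual.
WEIGHTS = {"complexity": 30, "regulation": 20, "control_weakness": 35, "recent_change": 15}

# One questionnaire per Key Work Activity: a 1-5 score for each factor, in the
# same order as WEIGHTS. Activity names and scores are constructed.
QUESTIONNAIRES = {
    "Benefit payment processing": (5, 4, 3, 4),
    "Member contribution posting": (3, 3, 2, 2),
    "Investment accounting": (4, 5, 3, 3),
    "Retirement application intake": (2, 3, 4, 2),
    "IT access administration": (4, 3, 5, 5),
    "Staff payroll": (2, 2, 2, 1),
    "Procurement": (2, 3, 3, 2),
    "Records retention": (1, 2, 2, 1),
    "Disability claims review": (4, 4, 4, 3),
    "Call center inquiries": (1, 1, 2, 2),
}


def total_risk_score(answers, weights=WEIGHTS):
    """Apply the factor weights to one questionnaire and return the total."""
    if sum(weights.values()) != 100:
        raise ValueError("factor weights must sum to 100 percent")
    if len(answers) != len(weights):
        raise ValueError("every risk factor needs exactly one score")
    if any(not 1 <= a <= 5 for a in answers):
        raise ValueError("scores must be on the 1-5 scale")
    return sum(w * a for w, a in zip(weights.values(), answers))


def tier_counts(n):
    """Split n ranked activities into top 30% / next 40% / bottom 30%.

    Assumption: the 30 percent bands are rounded to the nearest whole
    activity and the Medium band takes whatever remains.
    """
    band = (n * 30 + 50) // 100
    return band, n - 2 * band, band


def rank_and_tier(questionnaires, weights=WEIGHTS):
    """Return (activity, score, tier) tuples from highest score to lowest."""
    ranked = sorted(
        ((total_risk_score(a, weights), name) for name, a in questionnaires.items()),
        key=lambda pair: (-pair[0], pair[1]),  # ties broken by name (assumption)
    )
    high, medium, _ = tier_counts(len(ranked))
    result = []
    for position, (score, name) in enumerate(ranked):
        if position < high:
            tier = "High"
        elif position < high + medium:
            tier = "Medium"
        else:
            tier = "Low"
        result.append((name, score, tier))
    return result


if __name__ == "__main__":
    for name, score, tier in rank_and_tier(QUESTIONNAIRES):
        print(f"{score:4d}  {tier:<6}  {name}")
```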


3. AUDIT PROCESS

Introduction

The Internal Auditor's services will focus on five general areas of SDCERS' operations:

- Effectiveness of operations and controls: Activities are performed adequately to produce the desired or intended results, and controls to mitigate risk are adequate and operating as intended.
- Efficiency of operations: Activities are performed economically with minimum wasted effort or expense.
- Safeguarding of resources and information: Prevention of loss of assets or resources, whether through theft, waste, or inefficiency, and protection of confidential information.
- Reliability of reporting and data: Reports provide management with accurate and complete information appropriate for its intended purpose. It supports management's decision-making and monitoring of the entity's activities and performance.
- Compliance with applicable policies, procedures, laws, and regulations: Activities are conducted in accordance with relevant policies, procedures, laws and regulations.

The audit process encompasses the following five stages:

1. Planning
2. Audit Fieldwork
3. Reporting
4. Quality assessment
5. Follow-up

Planning

The audit work begins with planning how an audit is to be executed. The Internal Auditor determines the appropriate and sufficient resources to achieve the engagement's objectives based on an evaluation of the nature and complexity of each engagement, time constraints, and available resources. Planning consists of researching the area or activity to be examined and identifying areas of intended audit focus.

In planning an audit, items that must be considered include:

- The objectives of the area/activity and the means by which the area/activity controls its performance;
- The criteria established by management to determine whether objectives and goals have been accomplished;
- The significant risks to the area/activity, its objectives, resources and operations and the means by which the potential impact of risk is kept to an acceptable level;
- The adequacy and effectiveness of the governance, risk management and controls processes compared to a relevant framework or model (best practices);
- The opportunities for making significant improvements to the governance, risk and control processes.

As required by IIA Standards, the Internal Auditor will apply the care and skills expected of a reasonably prudent and competent auditor. Due professional care will be applied during each engagement by considering the:

- Extent of work needed to achieve the engagement's objectives;
- Relative complexity, materiality, or significance of matters to which assurance procedures are applied;
- Adequacy and effectiveness of governance, risk management, and control processes;
- Probability of significant errors, fraud, or noncompliance;
- Cost of assurance in relation to potential benefits;
- Use of technology-based audit and other data analysis techniques;
- Significant risks that might affect objectives, operations or resources.

Any necessary knowledge, skills or competency that is lacking will be obtained prior to performing an engagement, including for evaluating the risk of fraud, key information technology risk and controls, and available technology-based audit techniques.

During audit planning, a detailed internal planning document should be prepared to include the results of the initial research of an area or auditable activity, and it should describe any specific issues or areas of focus. The relevant systems, records, personnel, and physical properties should be considered when planning the scope of the audit. The detailed planning document should identify key risks, controls and related audit procedures and provide background information relating to the auditable area or activity that will assist the auditor during the audit.

The planning process culminates in the creation of an audit work program (scope document), which will be presented for discussion to the staff in charge of the process under review. The scope document details, in general terms, the objectives of the audit, the type, approach, and extent of work that the Internal Auditor intends to perform, and the corresponding timeframes for completion. The scope documents are specifically tailored to the areas under examination and are designed to be flexible in their usage; procedures may be added or removed depending on the extent of work deemed necessary or appropriate during the audit.

Prior to the start of fieldwork, the Internal Auditor will meet with representatives of the area under examination to communicate the details of the scope document and to discuss any questions or concerns, or any specific areas that they would like to have examined. This meeting also provides the Internal Auditor with a greater understanding of the area or activity to be audited.

A risks and controls matrix will be prepared to identify the relevant risk exposures (including the risk of fraud) and the corresponding controls used to mitigate those risks for the area/activity being audited. The controls reviewed may include those used to achieve strategic objectives, reliability and integrity of financial and operational information, effectiveness and efficiency of operations, safeguarding of assets, and compliance with laws, regulations, policies, procedures, and contracts. This analysis assists the Internal Auditor to focus audit work on organizational risks.

At the completion of the planning phase, the risks and controls matrix should be reviewed with the Chief Executive Officer and members of management and staff responsible for the area/activity being audited. This review validates the accuracy and completeness of the identified risks and mitigating key controls.

Audit Fieldwork

This stage of the audit process involves executing the procedures described in the scope documents. Consideration is given to the underlying risks of the business or activity being reviewed and how those risks are managed or mitigated. The Internal Auditor evaluates whether the policies, procedures, and processes are appropriate in the circumstances and whether they are operating as intended.

The Internal Auditor will obtain a sufficiently detailed explanation of the business process from SDCERS staff. This process will be documented in the working paper files. Such documentation may take the form of a narrative description, a flowchart depiction, or a combination of both when appropriate.

Tests of operating effectiveness will also be performed. For the automated processes, it is considered appropriate and sufficient to perform a single walkthrough as results should not differ without human intervention. However, in those situations whereby the process is manual and subject to human intervention, additional testing is required.

The samples for testing control activities should be independently selected. Where possible, the population of items to be considered for testing should be obtained from a source that is independent of the area audited.

The sample size should be determined as the lesser of 10% of the population or 25 items, or based on a statistical sampling model when appropriate. In selecting the sample, the following sampling approaches may be used:

- Simple Random Sampling: A sampling method where all items have an equal chance of being selected. The sample should be selected without intentional bias to include or exclude certain items in the population. A random number generator may be used to select the sample.
- Stratified Random Sampling: A method of sampling that involves the division of a population into smaller groups formed based on shared attributes or characteristics. A random sample from each group is taken in a number proportional to the group's size when compared to the population. These sample subsets are then pooled to form a random sample.
- Judgment Selection: A sampling method that is based on professional judgment. The following considerations may be used to determine items to be selected:
  - Value of items. Items that represent larger values or more significant transactions are selected.
  - Relative risk. Items prone to error due to their nature or complexity are given special attention.
  - Representativeness. Besides value and risk considerations, the auditor should be satisfied that the sample provides breadth and coverage over all types of items in the population.
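The sample size rule and the two random sampling approaches above can be worked through as follows. This is an added example, not part of the manual: rounding the 10% figure up, allocating the stratified sample by largest remainder, recording the seed as the documented selection basis, and the constructed population of payment records are all assumptions.

```python
"""Sample size rule, simple random and stratified random selection."""
import random
from collections import defaultdict

MAX_ITEMS = 25  # upper bound stated in the manual


def sample_size(population_size):
    """Lesser of 10% of the population or 25 items.

    Assumption: the 10% figure is rounded up, so a small non-empty
    population still yields at least one item.
    """
    if population_size <= 0:
        return 0
    return min((population_size + 9) // 10, MAX_ITEMS)


def simple_random_sample(items, seed):
    """Every item has an equal chance; the seed makes the draw repeatable."""
    items = list(items)
    return random.Random(seed).sample(items, sample_size(len(items)))


def allocate(strata_sizes, n):
    """Share n items across strata in proportion to their size.

    Assumption: fractional shares are resolved with the largest-remainder
    method so the allocation always sums to exactly n.
    """
    total = sum(strata_sizes.values())
    if total == 0:
        return {name: 0 for name in strata_sizes}
    shares = {name: (n * size) // total for name, size in strata_sizes.items()}
    by_remainder = sorted(
        strata_sizes, key=lambda name: (-((n * strata_sizes[name]) % total), name)
    )
    for name in by_remainder[: n - sum(shares.values())]:
        shares[name] += 1
    return shares


def stratified_random_sample(items, stratum_of, seed):
    """Draw proportionally from each stratum, pool the results, and return
    the sample together with a record of the selection basis."""
    groups = defaultdict(list)
    for item in items:
        groups[stratum_of(item)].append(item)
    n = sample_size(sum(len(g) for g in groups.values()))
    allocation = allocate({name: len(g) for name, g in groups.items()}, n)
    rng = random.Random(seed)
    picked = []
    for name in sorted(groups):  # fixed order keeps the draw reproducible
        picked.extend(rng.sample(groups[name], allocation[name]))
    basis = {
        "method": "stratified random",
        "seed": seed,
        "population": sum(len(g) for g in groups.values()),
        "sample_size": n,
        "allocation": allocation,
    }
    return picked, basis


def build_population():
    """Constructed population: 400 payment records in three strata."""
    population = []
    for kind, count in (("wire", 50), ("check", 110), ("ach", 240)):
        population.extend(
            {"id": f"{kind}-{i:03d}", "type": kind} for i in range(count)
        )
    return population


if __name__ == "__main__":
    sample, basis = stratified_random_sample(
        build_population(), lambda record: record["type"], seed=2012
    )
    print(basis)
    print(sorted(record["id"] for record in sample))
```

Keeping the returned selection basis with the working papers lets a reviewer re-run the draw and obtain the same items.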

The basis for selecting items for testing should be documented within the audit working paper files.

When assessing the adequacy of the business control process, the Internal Auditor should consider whether the following control objectives have been met:

1. Authorization: Controls should include processes and procedures to ensure that only authorized transactions take place.
2. Validity: All recorded transactions should be valid. The internal control process should include processes and procedures to preclude the inclusion of fictitious or nonexistent transactions in the books and records.
3. Completeness: The control processes and procedures must prevent the omission of transactions from the records.
4. Valuation and Risk Measurement: Internal controls must include policies, processes and procedures that prevent errors in measuring and recording transaction amounts and the resulting risks.

In general, if errors or omissions are noted during the initial walkthroughs or testing (audit findings), further testing should be performed to determine whether the errors were isolated in nature or whether there is a more systemic problem inherent to the control environment. The potential issues identified should be discussed with SDCERS staff to validate the factual accuracy, to determine root cause, and to identify any compensating controls.

Root Cause Analysis is an integral part of the audit process used when assessing the impact of audit findings. It is used to identify why the issue occurred so that an appropriate recommendation can be made to resolve the control gap. It will ultimately improve the longer-term effectiveness and efficiency of business processes and thus the overall governance, risk, and control environment.

During fieldwork, the Internal Auditor should identify, analyze, evaluate and document sufficient, reliable, relevant, and useful information to achieve the audit objectives. The evidence gathered will be documented in the working papers and used as the basis for the conclusions made and the reported results of the audit.

The risks and controls matrix created during the planning stage should be updated during fieldwork as information is gathered to accurately reflect the key risks and the mitigating controls, and the scoping documents should be updated to reflect the actual audit procedures used and deemed necessary. At the conclusion of fieldwork, the procedures performed to test the controls and the potential audit findings to be included in the draft audit report are summarized and cross-referenced to the detailed working papers.

Reporting

At the conclusion of fieldwork for each audit, the Internal Auditor will prepare a draft report of significant findings and observations including any significant risk exposures and control issues, fraud risks, or governance issues identified during the audit. The report should be accurate, objective, clear, concise, constructive, complete, and timely.

The report should include the audit objectives, the scope of audit work performed, an overview of the business or activity, an opinion on the adequacy of the internal controls, conclusions regarding significant findings and observations, and recommendations to management to address any issues found. A report should also acknowledge when satisfactory performance is determined.

The detailed draft audit report will be provided to the CEO, management staff responsible for the activity under examination, and legal counsel for review and to assess the accuracy of the facts presented. A closing meeting will be held to discuss and correct any factual errors found in the draft report, and to finalize any comments or considerations to be included in the final report. Legal counsel will provide guidance on any potential legal implications derived from the contents of the report that will limit the distribution of the results.

Once the report is finalized, management will provide a written response to each recommendation made. Any minor issues identified during the audit that did not warrant being included in the audit report may be discussed at the closing meeting for management's consideration. These minor closing meeting items will not require a written management response.

A finalized report with management's response will be presented to the Audit Committee and the Board during the course of their regularly scheduled meetings. The report presented may be a summary report, which will include all significant findings, observations, and recommendations. However, the summary public report will exclude any confidential information such as social security numbers that may have been included in a more detailed report to management.

Any instances where management has accepted a level of risk that may be unacceptable to the organization will be disclosed in the summary report. Any detailed reports not provided publicly will be made available to the Audit Committee and Board members upon request.

When quality assessment verifies that IIA Standards have been met for the audit engagement, the following statement will be included in the report: "This audit was conducted in conformance with the International Standards for the Professional Practice of Internal Auditing prescribed by the Institute of Internal Auditors."

When quality assessment determines nonconformance with IIA Standards, the definition of Internal Auditing, or the code of ethics for a specific engagement, the following will be disclosed in the report:

a) The specific areas of nonconformance.
b) The reasons for nonconformance.
c) The impact of nonconformance on the engagement and the communicated engagement results.

Before releasing an internal audit report publicly, the Internal Auditor will consider the following:

- Assess the potential risk to the organization;
- Consult with management and legal counsel;
- Control dissemination by restricting the use of the results.

Once the final report has been issued, it is included in the audit working paper file together with the documentation of all relevant work performed.

If an audit report that has been issued is later found to contain a significant error or omission, the Internal Auditor will provide corrected information to all parties that received the original report.

Engagement Quality Assessment

The purpose of the Engagement Quality Assessment process is to provide verification that the work performed by the Internal Auditor meets the requirements outlined in the Audit Manual and is in compliance with IIA Standards. A quality assessment checklist will be completed at the conclusion of each audit to verify compliance with the Audit Manual and IIA Standards.

The Audit Committee will be responsible for supervisory review of the Internal Auditor's work. The Internal Auditor will seek feedback from Audit Committee members and management after each engagement to continuously monitor and improve performance.

Follow-up

Follow-up work is performed after the completion of an audit. It entails the Internal Auditor reviewing recommendations with management and determining whether the weaknesses in procedures or processes identified have been adequately corrected in accordance with the management response and committed timelines. In addition, the Internal Auditor will also follow up on any recommendations issued by external auditors or the actuary.

All recommendations arising from the internal and external auditors and the actuary are summarized in an audit recommendations Excel file maintained by the Internal Auditor. The file is continuously updated with the implementation status of the recommendations. Any information obtained as part of the follow-up process is electronically retained in a Follow Up file on the Internal Auditor's H drive. Quarterly, a formal review of all recommendations' status will be completed and presented to the Audit Committee and the Board when there are recommendations outstanding that still need to be properly implemented.

4.GOVERNANCEANDCONSULTINGACTIVITIES

Introduction The IIA Standards has several requirements regarding governance and consulting activities performed by internal audit activity. This section provided operating procedures for the InternalAuditortofollowtocomplywiththeserequirements. Governance The IIA Standards state that the internal audit activity must assess and make appropriate recommendationsforimprovingthegovernanceprocessinitsaccomplishmentofthefollowing objectives: Promotingappropriateethicsandvalueswithintheorganization; Ensuringeffectiveorganizationalperformancemanagementandaccountability; Communicatingriskandcontrolinformationtoappropriateareasoftheorganization; Coordinating the activities of and communicating information among the board, externalandinternalauditors,andmanagement. TheIIAStandardsalsostatethattheinternalauditactivitymust: evaluate the design, implementation, and effectiveness of the organizations ethics relatedobjectives,programs,andactivities. assesswhethertheinformationtechnologygovernanceoftheorganizationsupportsthe organizationsstrategiesandobjectives. The Internal Auditor will consider and assess these governance requirements during assurance and consulting engagement when appropriate and make recommendations to address any deficienciesidentified. ConsultingEngagements The IIA defines consulting service activities as advisory and related client service activities, the natureandscopeofwhichareagreedwiththeclient,areintendedtoaddvalueandimprovean organizations governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation, andtraining. 
The Internal Auditor Charter requires the following consulting engagements in which the Internal Auditor:

- assists the Committee in its evaluation and recommendation to the Board for the selection of the external auditor;
- coordinates audit efforts with external auditors and facilitates their review of internal audit program work during the conduct of annual external audits;
- assists the Committee in its review of the financial section of the Comprehensive Annual Financial Report (CAFR) to help ensure its responsibilities listed in the Committee's Charter are met;
- participates in an advisory capacity in the planning, design, implementation or major modification of information system projects, to determine whether adequate controls are incorporated, adequate testing is performed, and the intended purpose of the project is met.

The Internal Auditor will engage in these charter-required consulting activities, and possibly others when appropriate, as outlined in the annual audit plan. As required by IIA Standards, the Internal Auditor will establish an understanding of the consulting engagement's objectives, scope, respective responsibilities and expectations. The Internal Auditor's objectives will address governance, risk management, and control processes to the extent expected by management, the Audit Committee, and Board members. The scope of the consulting engagement will be sufficient to meet the objectives. If the engagement's objectives are not consistent with SDCERS values, strategies, and objectives, it will be declined.

As required by IIA Standards, the Internal Auditor will also consider accepting other proposed consulting engagements based on the engagement's potential to improve management of risks, add value, and improve the organization's operations. The Internal Auditor will exercise due professional care during consulting engagements by considering the:

- needs and expectations of SDCERS management, Audit Committee and Board members, including the nature, timing, and communication of engagement results;
- relative complexity and extent of work needed to achieve the engagement's objectives;
- cost of the consulting engagement in relation to potential benefits.

During consulting engagements the Internal Auditor will:

- address risk consistent with the engagement's objectives and be alert to the existence of other significant risks;
- incorporate knowledge of risks and controls gained from consulting engagements into the evaluation of the organization's risk management and control processes;
- refrain from assuming any management responsibility.

Based on the nature of the consulting engagement, appropriate work programs or documentation will be created and maintained. The Internal Auditor will notify management and the Audit Committee of any significant governance, risk management and control issues identified during consulting engagements.

The Internal Auditor will decline consulting engagements or obtain competent advice and assistance if lacking the knowledge, skills, or other competencies needed to perform all or part of the engagement.

5. QUALITY ASSURANCE AND ADMINISTRATION

Introduction

The purpose of this section is to provide information regarding the Internal Auditor's quality assurance procedures, professional development, and administrative duties regarding records maintenance and retention.

Quality Assurance and Improvement Program

The purpose of the Quality Assurance and Improvement Program (quality assurance) is to provide verification that the work performed by the Internal Auditor meets IIA Standards. In addition to the ongoing Engagement Quality Assessments performed at the completion of each engagement, a formal quality assurance self-assessment of the Internal Auditor's conformance with the IIA Standards will be performed annually.

To complete the assessment, the Internal Auditor will review any changes in the IIA Standards, practice advisories and implementation guidance, and assess their impact on the operations of internal audit. Other steps that will be performed include:

- Review all Engagement Quality Assessments performed during the year and change audit procedures as necessary to correct any issues identified.
- Review the Audit Committee's annual performance evaluation of the Internal Auditor and change procedures as necessary to correct any issues identified.
- Review and update the Audit Manual to improve efficiency and ensure compliance with IIA Standards.

The results of the annual quality assurance self-assessment will be provided to management and presented to the Audit Committee and the Board.

The IIA Standards also require an external quality assurance peer review be completed at least once every five years. The Internal Auditor will participate in the Association of Local Government Auditors (ALGA) peer review program to obtain the required external quality assurance peer review.

To participate in ALGA's peer review program, the Internal Auditor must obtain the pertinent peer review training, and then volunteer (generally for one week) to perform a peer review for another ALGA member audit group. Once this is completed, independent ALGA members will conduct a peer review for SDCERS audit activities. The only cost for this peer review is the cost of travel, hotel accommodations, and meals for the peer review team.

The results of the peer review assessment will be documented in a report prepared by the peer review team, and it will be issued directly to the Audit Committee and the Board.

Annual Review of Audit Charter and Organizational Independence

The IIA Standards require the chief audit executive to periodically review the internal audit charter and present it to senior management and the board for approval. The IIA Standards also require the chief audit executive to confirm the organizational independence of the internal audit activity to the Board at least annually.

Annually the Internal Auditor will review the Internal Auditor Charter and the organizational independence of the internal audit activity, and confirm compliance with IIA Standards in a report to executive management, the Audit Committee, and the Board. Recommendations will be provided to correct any noncompliance issues identified.

Professional Development

The Internal Auditor is committed to maintaining sufficient knowledge, skills, experience, and professional certifications to best fulfill the mission of the Internal Auditor. The Internal Auditor will obtain a minimum of 80 hours of continuing professional education (CPE) every two years, with a minimum of 20 hours in any given year. A variety of CPE course topics will be taken to maintain or gain the knowledge necessary for current engagements, and to meet the CPE requirements for the following certifications:

- Certified Internal Auditor (CIA)
- Certified Public Accountant (CPA)
- Certified Fraud Examiner (CFE)

The Internal Auditor will also develop knowledge through memberships in professional organizations and attendance at industry conferences, which will also fulfill CPE requirements. The Internal Auditor will maintain memberships with the following audit organizations including but not limited to:

- The Institute of Internal Auditors (IIA)
- The Association of Public Pension Fund Auditors (APPFA)
- The American Institute of CPAs (AICPA)
- The Association of Certified Fraud Examiners (ACFE)
- The Association of Local Government Auditors (ALGA)

Retention and Custody of Records

An audit file consists of all documentation that has been gathered during the course of the examination or consulting engagement. In order to determine whether documentation is retained, consideration is given to the quality, usefulness, and relevancy of the materials. At a minimum, there should be sufficient documentation to be able to provide justification for the assessment and conclusion within audit reports and Internal Auditor staff reports.

Physical files are maintained in the Internal Auditor's office and electronic files are located on the Internal Auditor's H drive, which is backed up daily by the IT Department. Physical files are retained for seven years subsequent to the date of the reports issued, and electronic files are retained indefinitely.

Working papers and documents maintained for assurance and consulting engagements are internal documents and are not subject to disclosure to unauthorized personnel. In general, they should be considered confidential and strictly controlled by the Internal Auditor during an examination of the audited area.

For any requests from sources external to SDCERS to provide working papers or records, the Internal Auditor will obtain approval from the CEO and legal counsel prior to releasing the records.
