The Office of Internal Audit creates and seeks approval for a work plan on an annual basis. The work plan consists of a series of prioritized tasks or projects that the Office will deploy resources to, and is based on perceived or actual levels of risk. The City Council approves the Office's work plans, and receives update reports on the Office's activities on a quarterly, or more frequent basis.
All organizations face inherent risks in their day-to-day activities. The Office of Internal Audit, in conjunction with management, performs an entity-wide risk assessment periodically. The work plan is synthesized based on the risk assessment performed, which results in an effective deployment of scarce audit resources and the satisfaction of industry standards and requirements. Overall, a "risk-based" work plan allows Internal Audit to assess whether the inherent risks facing the city are being managed appropriately, and helps ensure that the quality of relevant controls is periodically assessed.