Office of Internal Audit Services

The Office of Internal Audit Services (IAS) provides independent, objective assurance and advisory services designed to add value and improve the CPUC's operations. The Chief Internal Auditor reports to the Commissioners, through the Audit Committee, and under general direction of the President. IAS operates under the revised internal audit charter approved by the Audit Committee on June 27, 2019.

Services Provided

• Assurance - the core role of Internal Audit
  • Financial, operational, compliance, and information technology risk-based audits.
  • Monitoring of remediation plans and follow up audits. 
• Advisory
  • Advise management on change initiatives, control effectiveness, enhancements to risk management and the design of assurance mechanisms. 
  • Special management reviews and investigations of alleged noncompliance, fraud, waste, and abuse. 
• Anticipating and assessing risks
  • Assist business owners in understanding risks and in crafting preventive mitigating controls.
  • Assess Audit Risks and develop Internal Audit Plan.

What to Expect From an Internal Audit

IAS takes an open, collaborative approach in performing audits on CPUC programs and functions. IAS will always keep auditees informed on the audit progress and what we find throughout an audit unless there is suspected illegal activity or specific confidentiality requirements. This allows for corrective actions to be taken immediately and for IAS to help CPUC make positive, effective changes.

IAS recommends and obtains approval from the Audit Committee for audits to be conducted annually. The step-by-step audit process is as follows:

1. An engagement memo is sent to the auditee (typically the Division Director of the audited program) informing them of an upcoming audit and scheduling an entrance conference to discuss the audit. 
2. An entrance conference is held to discuss the objectives, scope, and logistics of the audit. 
3. Interviews and meetings are held so the auditors may gain an understanding of the audited area.
4. Based on these interview and meetings, the auditors develop risks to the audited area. These risks are confirmed with the auditee. 
5. High-risk areas or functions are then tested to determine if the controls implemented by the auditee to reduce those risks exist and are working as intended. 
6. An exit conference is held to discuss the findings. However, IAS will continuously update the auditee of the findings throughout the audit, so nothing in the exit conference should come as a surprise. 
7. A draft audit report is prepared and shared with the auditee. The auditee has 14 calendar days to respond in writing, including what corrective actions they intend to take. 
8. A final audit report, including the auditee's response, is issued and a summary is shared at the next Commission meeting. 
9. IAS will perform periodic monitoring on Management's corrective action plans to ensure timely remediation. These monitoring activities are reported to the Commission through the Audit Committee. 
10. A follow-up audit may be conducted.