An independent risk assessment presented to Columbus’ city council on Oct. 14 concluded the city government faces hundreds of discrete operational, financial and legal risks and recommended a shift in internal audit focus from reactive investigations to annual, risk-based auditing.

Craig Carter, managing director of Malden & Jenkins, presented the firm’s initial enterprise risk assessment, which catalogued 631 specific risks across nine categories and grouped the city’s audit universe into 92 auditable entities. He told council the firm used 15 management interviews and documentation review to define the risk library and identify six “critical” and 32 “high” risk departments.

“This was the first risk assessment done for the government,” Carter told council. He described the deliverable as a “tool” — a risk taxonomy and library the city’s internal audit division can use to refresh annual plans and allocate scarce audit hours against the highest risks.

Key findings noted by Carter and discussed at council:
- The assessment identified three dominant risk clusters: financial pressures, human-resources and staffing risks, and risks tied to a large capital program and third-party vendors.
- IT and cybersecurity emerged as an area of particular concern; the assessment rated IT among the auditable entities with several critical scores.
- The audit universe includes departments, boards and authorities; 6 of 92 auditable entities rated “critical,” 33 “high.”

Carter recommended internal audit evolve from an essentially reactive role — which council members and staff said had emphasized whistleblower investigations and fraud responses — to a risk-based function that helps departments define standard operating procedures, key internal controls and KPIs, then audits those elements on a schedule tied to the risk register.

“Internal audit should be working with the organization to improve both the internal control environment and its compliance with laws and regulations,” Carter said. He told the council his team delivered a spreadsheet mapping risks and a template to convert that output into an annual internal audit plan.

Councilors asked how often risk should be reassessed (Carter: annually at enterprise level; operationally continuously), who should own ongoing monitoring (audit committee plus department leads), and whether a public dashboard of enterprise risk was feasible (Carter: yes, but requires mapping of SOPs, controls and KPIs). Council members also asked for the audit documents to be made available publicly; Councilor Lehi Davis requested the report be linked on the meeting agenda.

Several council members described past reliance on reactive audits after high-profile problems and said they saw value in a risk-based program for preventing waste and better matching audit resources with the city’s strategic priorities. Councilors also asked for clearer policies tying internal audit deliverables and timelines to chartered responsibilities and for a plan to add specialist IT audit capacity while projects address IT governance.

Carter and internal-audit leadership said the firm received 100% cooperation from city staff and that the city’s “bones” — experienced managers and basic documentation — provide a solid foundation to build a mature risk-based audit program. The presentation did not request new appropriations; councilors asked administration and the audit committee to return with timelines and the draft annual plan.