Oregon State Archives: Oregon Administrative Rules

The Oregon Administrative Rules contain OARs filed through January 15, 2010

DEPARTMENT OF ADMINISTRATIVE SERVICES

DIVISION 700

INTERNAL AUDITING

125-700-0010

Purpose

The Oregon Department of Administrative Services is responsible for adopting rules setting standards and policies for internal audit functions within state government according to 2005 Oregon Law, Chapter 373. The rules include, but are not limited to:

(1) Standards for internal audits that are consistent with and incorporate commonly recognized industry standards and practices; and

(2) Policies and procedures that ensure the integrity of the internal audit process.

Stat. Auth.: OL 2005, Ch. 373
Stats. Implemented:
Hist.: DAS 1-2006, f. & cert. ef. 1-30-06

125-700-0012

Statewide Audit Advisory Committee

(1) The Statewide Audit Advisory Committee is created to promote excellence and professional, standards-based internal auditing services in state government. The Statewide Audit Advisory Committee serves in an advisory capacity to the Director of the Oregon Department of Administrative Services.

(a) The Statewide Audit Advisory Committee shall be comprised of the Director of the Oregon Department of Administrative Services, who will serve as Chair; the Director of the Secretary of State Division of Audits, the Legislative Fiscal Officer or designee, the State Court Administrator or designee, at least one Chief Audit Executive from an agency other than the Department of Administrative Services, and not more than nine other persons appointed by the Director of the Oregon Department of Administrative Services representing state, local, non-profit and private sector internal auditing expertise. Members of the Statewide Audit Advisory Committee shall serve two-year terms, and may be reappointed at the discretion of the Director. The Statewide Audit Advisory Committee shall meet regularly to discuss statewide audit matters and issues of interest. The Statewide Audit Advisory Committee shall:

(b) Draft proposed rules for consideration for adoption by the Department of Administrative Services;

(2) Develop a model charter for use by agency internal audit organizations;

(3) Provide statewide guidance and support to promote the conduct of internal audit activity in accordance with professional auditing standards.

(4) Make recommendations to help assure the independence and objectivity of the internal audit functions within state government.

(5) Review the following agency internal audit documents to determine statewide issues:

(a) Agencies' risk assessments of program and administrative risks;

(b) Agencies' annual internal audit plans;

(c) Summaries of agencies' internal audit reports, including follow-up status reports;

(d) Agencies' external peer review of internal audit functions; and

(e) Agencies' internal audit criteria for determining materiality.

(6) Where appropriate, make recommendations to improve statewide management in areas that involve recurring or material findings that impact multiple agencies.

(7) Make recommendations on areas of statewide risk-based concerns.

(8) Periodically, members of the Statewide Audit Advisory Committee may appear before legislative committees, including the annual reporting on statewide audit activity to the Joint Legislative Audit Committee or Legislative Emergency Board.

(9) The Statewide Audit Advisory Committee shall document its full mission, responsibilities and organization in a formal charter.

Stat. Auth.: OL 2005, Ch. 373
Stats. Implemented:
Hist.: DAS 1-2006, f. & cert. ef. 1-30-06

125-700-0015

Definitions

(1) Audit: The examination of documents, records, reports, systems of internal control, accounting and financial procedures, and other evidence for one or more of the following purposes:

(a) To ascertain whether the financial statements present fairly the financial position and the results of financial operations of the fund types and account groups in accordance with Generally Accepted Accounting Principles and federal and state rules and regulations;

(b) To determine compliance with applicable laws, rules, regulations and contract provisions;

(c) To review the efficiency and economy with which operations are carried out; and

(d) To review effectiveness in achieving results.

(2) Chief Audit Executive: An employee designated by the agency to manage the internal audit function.

(3) External Peer Review: A peer review conducted pursuant to industry standards by person(s) not currently employed as an Oregon state employee.

(4) Internal audit function: Staff employed or contractors hired to conduct audits and risk assessments in accordance with professional auditing standards within a state agency.

(5) Internal Auditing: Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

(6) Professional Auditing Standards: Standards for internal audits that are consistent with and incorporate commonly recognized industry standards and practices.

(7) Risk: The possibility that an event will occur and adversely affect the achievement of objectives. Risk is measured in terms of impact (the effect) and probability (the likelihood the event will occur).

(8) Risk Assessment: A process of identifying, analyzing and prioritizing risks to activities of an agency.

(9) Risk Management: A process to identify, assess, manage, and control potential events or situations, to provide reasonable assurance regarding the achievement of the organization's objectives.

Stat. Auth.: OL 2005, Ch. 373
Stats. Implemented:
Hist.: DAS 1-2006, f. & cert. ef. 1-30-06

125-700-0020

Internal Auditing Requirements

(1) In every agency that meets one or more of the criteria below, the agency head shall establish, maintain, and fully support a full-time internal audit function. Exceptions may be requested in writing by agencies to the Director of the Department of Administrative Services to allow for a part-time staff or limited contractor should it be determined this level of staffing or services allow the requesting agency to maintain compliance with all applicable rules.

(2) For agencies that meet the criteria below, an internal audit function will be established within existing resources or the agency must develop contract alternatives. For agencies not meeting the criteria below, an internal audit function is encouraged.

(a) Total biennial expenditures exceed $100 million.

(b) Number of full-time equivalent employees exceeds 400.

(c) Dollar value of cash items received and processed annually exceeds $10 million.

(3) The agency's internal audit function's purpose, authority, and responsibilities shall be formally defined in the agency's Internal Audit Charter. The agency's charter should be modeled after the audit charter developed by the Statewide Audit Advisory Committee that is consistent with professional auditing standards. The agency's charter should be approved by the audit committee or board as well as accepted by senior management. The internal audit staff shall have unrestricted access to all systems, processes, operations, functions, and activities within an agency as needed to perform job responsibilities.

Stat. Auth.: OL 2005, Ch. 373
Stats. Implemented:
Hist.: DAS 1-2006, f. & cert. ef. 1-30-06

125-700-0025

Internal Auditing Standards

(1) Standards applicable to internal audit functions and internal auditors may include:

(a) Standards for the Professional Practice of Internal Auditing promulgated by the Institute of Internal Auditors;

(b) Generally Accepted Government Auditing Standards (GAGAS) promulgated by the United States Government Accountability Office (GAO);

(c) Information Technology Guidelines (such as COBIT) promulgated by the Information Systems Audit and Control Association (ISACA);

(d) Generally Accepted Auditing Standards (GAAS) promulgated by the American Institute of Certified Public Accountants.

(2) Internal Auditor(s) shall follow professional auditing standards as appropriate for their agency or program. At a minimum, Internal Auditor(s) will follow the Standards for the Professional Practice of Internal Auditing promulgated by the Institute of Internal Auditors.

(3) In instances where full compliance with audit standards is not achieved and non-compliance impacts the overall scope or operation of the internal audit function, the agency's Chief Audit Executive will disclose to the Oregon Department of Administrative Services Director the nature of the variance.

[Publications: Publications referenced are available from the agency.]

Stat. Auth.: OL 2005, Ch. 373
Stats. Implemented:
Hist.: DAS 1-2006, f. & cert. ef. 1-30-06

125-700-0030

Agency Internal Auditor Qualifications

(1) The agency's Chief Audit Executive should be a person qualified to manage the internal audit function in accordance with professional auditing standards. The Chief Audit Executive shall coordinate with the agency head, the audit committee, appropriate state or federal oversight boards or commissions (as applicable), and the Oregon Audits Division and serve as the agency representative on audit matters.

(2) At a minimum, the agency's Chief Audit Executive should have a bachelor's degree in business or public administration, finance, economics, computer science or accounting, or a field specific to the agency's mission. Prior auditing experience is preferred for placement in Internal Auditor positions except entry level. Credentials such as Certified Internal Auditor (CIA), Certified Public Accountant (CPA), or Certified Government Audit Professional (CGAP) may be preferred for higher levels. The state position classification system should be consulted for additional qualifications.

Stat. Auth.: OL 2005, Ch. 373
Stats. Implemented:
Hist.: DAS 1-2006, f. & cert. ef. 1-30-06

125-700-0035

Internal Auditing Leadership

(1) Each agency having an internal audit function shall establish and maintain an audit committee. An audit committee provides oversight of auditing and internal control for the agency and helps ensure the independence of the internal audit function. The purpose of an audit committee is to assist agency management in carrying out its oversight responsibilities as they relate to:

(a) Financial and other reporting practices;

(b) Internal control;

(c) Compliance with laws, regulations, and ethics; and

(d) Economy and efficiency of operations.

(2) If the agency has a governing board or commission, the audit committee should include one or more board or commission members. If there is no board or commission, the committee should include senior management officials not directly responsible for the internal audit function.

(3) If possible, agencies are encouraged to include individuals from outside their agency on their audit committees, to enhance public accountability and transparency of the audit function for the agency. Any audit committee members from outside the agency should have qualifications that the agency determines will allow those individuals to effectively serve as an audit committee member.

(4) The role and function of the audit committee shall be stated in a formal, written charter or equivalent document that is approved by the full board or governing body or director of the agency, as appropriate. The charter should describe the authority, responsibilities, and structure of the audit committee.

Stat. Auth.: OL 2005, Ch. 373
Stats. Implemented:
Hist.: DAS 1-2006, f. & cert. ef. 1-30-06

125-700-0040

Agency Internal Audit Functions

(1) The internal audit function shall report to the agency head, agency management and the audit committee on activities and results of their work, including the following:

(a) Governance of agency's processes and organizational structures implemented by the governing board, commission, and management in order to inform, direct, manage, and monitor the activities of the agency toward the achievement of its objectives.

(b) Performance responsibilities for carrying out the activities of the agency.

(c) Information Technology processes, information criteria, and resource activities, including but not limited to planning and organization, acquisition and implementation, delivery and support, and monitoring. Information criteria should include effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability.

(d) Internal controls and compliance with laws and regulations. The areas selected for review may include financial, compliance, economy and efficiency, privacy, information systems, or program based audits.

(e) Economy and efficiency audits to determine whether the entity makes efficient use of resources.

(f) Program audits to determine the effectiveness and measure the achievement of a program.

(g) Periodic risk analysis to gain an understanding of the organization-wide risks and key areas of vulnerability: Monitor and evaluate the effectiveness of the agency's risk management function.

(2) During audits, address risk consistent with the engagement objectives and be alert to the existence of other significant risks.

(3) Review agency externally reported performance measure outcomes as part of the risk assessment.

(4) Incorporate sustainability plan criteria into standards used for conducting agency internal audits, where appropriate.

(5) Establish a follow-up process to monitor agency management's implementation of recommendations and help ensure that management actions have been implemented, or that management has accepted the risk of not taking action.

(6) Provide the Oregon Department of Administrative Services Director with a copy of the annual risk assessment within 30 days of presentation to the agency's audit committee.

(7) Operation and program reviews to ascertain the extent to which results are consistent with established goals and objectives to determine whether operations and programs are being implemented or performed as intended.

Stat. Auth.: OL 2005, Ch. 373
Stats. Implemented:
Hist.: DAS 1-2006, f. & cert. ef. 1-30-06

125-700-0045

Internal Audit Status in the Agency

(1) The agency's Chief Audit Executive reporting position must be at an administrative level that will maximize objectivity. In most cases, the Chief Audit Executive should report administratively to the agency head or designee, and functionally to the audit committee.

(2) The Chief Audit Executive should have unrestricted access to decision-makers and decision-making bodies and to the information needed to perform internal audit duties and responsibilities.

(3) The internal auditor(s) should be free of undue influence to limit the audit scope and audit assignment schedule. The Chief Audit Executive should be free to obtain advice and information from sources inside and outside the agency. These sources may include, but should not be limited to professional colleagues, the Audits Division, and the Oregon Department of Administrative Services.

(4) The internal audit staff should be free of any responsibilities that would impair their ability to make independent reviews of all aspects of the agency's operations.

(5) The agency's Chief Audit Executive should periodically assess whether the purpose, authority, and responsibility, as defined in their audit charter, and resources required to accomplish the work continues to be adequate to enable the internal auditing staff to accomplish their objectives. The result of this periodic assessment should be communicated to the audit committee and, if applicable, senior management.

(6) A scope limitation placed upon internal auditing staff that precludes them from meeting objectives and executing plans should be communicated in writing to the audit committee and, if applicable, agency management, along with its potential effect. The agency's Chief Audit Executive should periodically inform the committee regarding scope limitations that were previously communicated and accepted.

Stat. Auth.: OL 2005, Ch. 373
Stats. Implemented:
Hist.: DAS 1-2006, f. & cert. ef. 1-30-06

125-700-0050

Planning and Performance Responsibilities

(1) Each agency's Chief Audit Executive shall prepare an annual audit plan. The plan should be risk-based to determine priorities of the internal audit activity that are consistent with the organization's goals. The plan should include significant risks and exposures within the organization. The audit plan and its updates are reviewed and approved by the agency head and audit committee, if applicable. A copy of the plan, along with any updates through the year, shall be submitted to the Oregon Department of Administrative Services for review by the Statewide Audit Advisory Committee. In addition, a copy of the plan, along with any updates through the year, may be submitted to the Secretary of State Audits Division and appropriate state or federal oversight authorities so that work of the internal audit function may be considered in their audit planning.

(2) The agency's Chief Audit Executive shall issue signed, written reports on a timely basis after audit work is completed. Internal audit reports should be presented to the appropriate managers in the agency and summarized for the agency head and audit committee. The Chief Audit Executive shall provide a summary of all internal audit reports in a format approved by the Department of Administrative Services, along with a summary of plans to mitigate identified risks to the Oregon Department of Administrative Services within 30 days of publication to the agency's audit committee. The Chief Audit Executive shall provide specific internal audit reports to the Oregon Department of Administrative Services upon request. The final version of internal audit reports may be distributed outside the agency at the discretion of the agency head or upon demand to the extent provided by public records law. The Oregon Department of Administrative Services will refer public records requests for agency internal audit reports to the individual agencies for response.

(3) The responsible manager for each audit should prepare a written response to all internal audit reports. The response should state whether the manager agrees or disagrees with the findings and recommendations, what corrective action will be taken, when the corrective action will be completed, and who will be responsible for completing the corrective action. The response should be given to the agency's Chief Audit Executive within a reasonable time of the initial audit report. The Chief Audit Executive is required to follow up on all internal audit reports to determine whether proper corrective action has been completed or that senior management has assumed the risk of not taking the recommended corrective action.

(4) The agency's Chief Audit Executive shall prepare an annual report in a format approved by the Department of Administrative Services summarizing audit activity, including follow-up on audit findings reported by the Internal Auditor, the Secretary of State Audits Division, as well as other state and federal oversight authorities, as of June 30th each year. The report should be submitted to the agency head and audit committee. A copy of the report shall be submitted to the Internal Audit unit of the Oregon Department of Administrative Services no later than October 31st of each year to assist in preparation of the overall annual report to the Legislature regarding statewide internal audit activities.

(5) The agency's Chief Audit Executive shall annually assess the agency's performance measurement system integrity and provide such report to the Director of the Oregon Department of Administrative Services, as part of the risk assessment. The Chief Audit Executive shall perform the assessment by interviewing agency management for assurance that controls are in place that ensure accuracy of reporting.

Stat. Auth.: OL 2005, Ch. 373
Stats. Implemented:
Hist.: DAS 1-2006, f. & cert. ef. 1-30-06

125-700-0055

External Peer Review

(1) State internal audit functions should have an external peer review at least every five years to determine compliance with professional auditing standards in performing audit assurance and consulting engagements. The Oregon Department of Administrative Services shall provide a qualified vendors list of approved organizations to conduct such reviews upon request.

(2) A copy of the external peer review will be provided to the Director of the Oregon Department of Administrative Services when issued.

Stat. Auth.: OL 2005, Ch. 373
Stats. Implemented:
Hist.: DAS 1-2006, f. & cert. ef. 1-30-06

125-700-0060

Audit Records and Retention

(1) The agency's Chief Audit Executive and internal audit staff, if any, should maintain adequate files of work papers, reports, and related audit correspondence. These files should be kept until an external peer review has been performed. Refer to State Archive requirements and OAR 166-300-0025 for record retention schedules. Records should be kept so they can be retrieved, if necessary.

(2) The agency's Chief Audit Executive must monitor and control confidential internal audit files. Confidential documents are those designated as confidential by agency policy or covered by ORS 192.496 through 192.505.

Stat. Auth.:
Stats. Implemented: OL 2005, Ch. 373
Hist.: DAS 1-2006, f. & cert. ef. 1-30-06


The official copy of an Oregon Administrative Rule is contained in the Administrative Order filed at the Archives Division, 800 Summer St. NE, Salem, Oregon 97310. Any discrepancies with the published version are satisfied in favor of the Administrative Order. The Oregon Administrative Rules and the Oregon Bulletin are copyrighted by the Oregon Secretary of State.