Oregon Bulletin
Rule Caption: Revision of rules setting standard, policies, and governance structures for state agency internal audit functions.
Adm. Order No.: DAS 1-2011
Filed with Sec. of State: 6-23-2011
Certified to be Effective: 6-30-11
Notice Publication Date: 1-1-2011
Rules Adopted: 125-700-0120, 125-700-0125, 125-700-0130, 125-700-0135,
125-700-0140, 125-700-0145, 125-700-0150, 125-700-0155
Rules Amended: 125-700-0015
Rules Repealed: 125-700-0012, 125-700-0020, 125-700-0025,
125-700-0030, 125-700-0035, 125-700-0040, 125-700-0045, 125-700-0050,
125-700-0055, 125-700-0060
Subject: The Oregon Department of Administrative Services is
responsible for adopting rules setting standards and policies for internal
audit functions within state government according to 2005
Oregon Law, Chapter 373. Revisions to rule 125-700-0015 and adoption of rules
125-700-0120 through 125-700-0155 revise and create policies and governance
structures that are recommended for internal audit functions within state
government. These rules now align the policies and governance structures more
closely with professional auditing standards.
Rules Coordinator: Linda Pavis—(503) 378-2349, ext. 325
125-700-0015
Definitions
(1) Agency: “State Agency” means any elected or
appointed officer, board, commission, department, institution, branch or other
unit of the state government.
(2) Audit: An objective examination of evidence for the
purpose of providing an independent assessment on risk management, control, or
governance processes for the organization. Examples may include financial,
performance, compliance, systems security and due diligence assurance
engagements.
(3) Audit Committee: A committee that provides
oversight of auditing and internal control for the agency, and helps ensure the
independence of the internal audit function. The purpose of the audit committee
is to assist agency management in carrying out its oversight responsibilities.
(4) Chief Audit Executive: Top position
within the organization responsible for internal audit activities. Normally,
this would be the internal audit director. In the case where internal audit
activities are obtained from outside service providers, the chief audit
executive is the person responsible for overseeing the service contract and the
overall quality assurance of these activities, reporting to senior management
and the board regarding internal audit activities, and follow-up of engagement
results.
(5) Internal Audit Function: A department,
division, team of consultants, or other practitioner(s) that provides
independent, objective assurance and consulting services designed to add value
and improve an organization’s operations.
(6) Internal Auditing: An independent,
objective assurance and consulting activity designed to add value and improve
an organization’s operations. It helps an organization accomplish its
objectives by bringing a systematic, disciplined approach to evaluate and
improve the effectiveness of risk management, control, and governance processes.
(7) Professional Auditing Standards:
Standards for performing and evaluating internal audits that are consistent
with and incorporate commonly recognized industry standards and practices.
(8) Risk: The possibility of an event
occurring that will have an impact on the achievement of objectives. Risk is
measured in terms of impact (the effect) and likelihood (the probability the
event will occur).
(9) Risk Assessment: A process of
identifying, analyzing and prioritizing risks to activities of an agency.
(10) Risk Management: A process to
identify, assess, manage, and control potential events or situations to provide
reasonable assurance regarding the achievement of the organization’s
objectives.
Stat. Auth.: ORS 184.360
Stats. Implemented:
Hist.: DAS 1-2006, f. & cert.
ef. 1-30-06; DAS 1-2010(Temp), f. & cert. ef 6-29-10 thru 12-26-10;
Administrative correction 1-25-11; DAS 1-2011, f. 6-23-11, cert. ef. 6-30-11
125-700-0120
Statewide Audit Advisory Committee
(1) The Statewide Audit Advisory Committee (Committee)
exists to promote the benefits of professional, standards-based internal
auditing services in state government. The Statewide Audit Advisory Committee
serves in an advisory capacity to the Director of the Oregon Department of
Administrative Services.
(2) The Committee shall be comprised of:
(a) Director of the Oregon Department of Administrative
Services, who will serve as Chair;
(b) Director of the Secretary of State Division of
Audits (Oregon Audits Division);
(c) Legislative Fiscal Officer;
(d) State Court Administrator;
(e) Two Chief Audit Executives from agencies other than
the Department of Administrative Services; and
(f) Not more than nine other persons appointed by the
Director of the Oregon Department of Administrative Services representing
state, local, non-profit and private sector internal auditing expertise.
(3) Appointed members shall serve two-year terms, and
may be reappointed at the discretion of the Committee Chair.
(4) The Committee shall meet regularly to discuss
statewide audit matters and issues of interest.
(5) The Committee shall document its full mission,
objectives, responsibilities and organization in a formal charter, to be
reviewed by the Committee annually. Responsibilities must include:
(a) Reviews and recommends revisions to the Statewide
Annual Internal Audit Activity Report prepared by the Department of
Administrative Services for Legislative Leadership.
(b) Brings forward for discussion issues impacting the
state’s internal audit community.
(c) Promotes best practices and training to enhance
internal auditing and agency management practices in state government.
(d) Makes recommendations to ensure the independence
and objectivity of the internal audit functions within state government.
(e) Reviews reports and other data to make
recommendations to improve statewide management in areas that involved
recurring or material findings that impact multiple agencies or areas of
statewide risk-based concerns.
(f) Provides testimony or presentations to legislative
committees, management teams or agency audit committees regarding internal
audit, as necessary.
NOTE: Portions of this section previously existed as rule 125-500-0012.
Stat. Auth.: ORS 184.360
Stats. Implemented:
Hist.: DAS 1-2011, f. 6-23-11,
cert. ef. 6-30-11
125-700-0125
Internal Auditing Requirements
(1) In every agency that meets one or more of the
criteria below, the agency head shall establish, maintain, and fully support a
full-time internal audit function or contract for the equivalent, within
existing resources. Exceptions may be requested in writing by agencies to the
Director of the Department of Administrative Services and will be reviewed by
the Committee.
(a) Total biennial expenditures exceed $100 million;
(b) Number of full-time equivalent employees exceeds
400; or
(c) Dollar value of cash and cash equivalent items
received and processed annually exceeds $10 million.
(2) For agencies not meeting the criteria above, an
internal audit function is encouraged. Agencies that have an internal audit
function must follow this OAR and are subject to DAS oversight.
NOTE: Portions of this section previously existed as rule 125-500-0020.
Stat. Auth.: ORS 184.360
Stats. Implemented:
Hist.: DAS 1-2011, f. 6-23-11,
cert. ef. 6-30-11
125-700-0130
Agency Internal Audit Function
Responsibilities
(1) The agency’s Chief Audit Executive should
coordinate with the agency head, the audit committee, appropriate state or
federal oversight boards or commissions (as applicable), and the Oregon Audits
Division and serve as the agency representative on audit matters.
(2) The internal audit function shall report to the
agency head, applicable agency management and the audit committee on activities
and results of their work. Examples of such work include the following:
(a) Governance of agency’s processes and organizational
structures implemented by the governing board, commission, and management in
order to inform, direct, manage, and monitor the activities of the agency
toward the achievement of its objectives.
(b) Information technology processes, information
criteria, and resource activities, including but not limited to planning and
organization, acquisition and implementation, delivery and support, and
monitoring. Information criteria should include effectiveness, efficiency,
confidentiality, integrity, availability, compliance, and reliability.
(c) Internal controls and compliance with applicable
laws, rules, regulations and contract provisions.
(d) Performance audits to determine whether a program
makes efficient use of resources and the effectiveness with which operations
are carried out and it achieves results.
(3) The internal audit function should incorporate
sustainability plan criteria into standards used for conducting agency internal
audits, where appropriate.
(4) The agency’s internal audit function must follow-up
on internal audit report findings and recommendations to determine whether
proper corrective action has been completed or that senior management has
assumed the risk of not taking the recommended corrective action.
NOTE: Portions of this section previously existed as rule 125-500-0030.
Stat. Auth.: ORS 184.360
Stats. Implemented:
Hist.: DAS 1-2011, f. 6-23-11,
cert. ef. 6-30-11
125-700-0135
Agency Internal Audit Function
Governance
(1) Agency internal audit functions shall select
appropriate professional auditing standards to follow in performing their audit
work.
(2) The agency’s internal audit function’s purpose, authority,
and responsibilities shall be formally defined in the agency’s Internal Audit
Charter. The agency’s charter must be consistent with professional auditing
standards and approved by the audit committee or board.
(3) The internal audit staff shall have unrestricted
access to all systems, processes, operations, functions, and activities within
an agency as needed to perform job responsibilities.
(4) Each agency having an internal audit function shall
establish and maintain an audit committee.
(a) If the agency has a governing board or commission,
the audit committee must include one or more board or commission members. If
there is no board or commission, the committee must include senior management
officials not directly responsible for the internal audit function.
(b) Agencies are encouraged to include qualified
individuals from outside the agency on the audit committee, to enhance public
accountability and transparency, and increase independence of the internal
audit activity.
(5) The role and function of the audit committee shall
be stated in a formal, written charter that describes the authority,
responsibilities, and structure of the audit committee in accordance with
professional auditing standards. The charter must be approved and periodically
reviewed by the audit committee.
(6) The internal audit function shall report to the
agency head, agency management and the audit committee on all internal audit
activities.
NOTE: Portions of this section previously existed as rule 125-500-0040.
Stat. Auth.: ORS 184.360
Stats. Implemented:
Hist.: DAS 1-2011, f. 6-23-11,
cert. ef. 6-30-11
125-700-0140
Planning and Reporting
Responsibilities
(1) Each agency’s Chief Audit Executive shall prepare
an audit plan in accordance with standards. The plan must be reviewed and
approved by the agency head and audit committee and submitted to the Oregon
Department of Administrative Services. The plan must be:
(a) Risk-based to help ensure priorities of the
internal audit activity that are consistent with the organization’s goals;
(b) Include significant risks and exposures within the
organization;
(c) Include an assessment of the agency’s performance
measurement system by assessing its integrity and accuracy;
(2) The agency’s Chief Audit Executive shall prepare an
annual report covering the time period of July 1 through June 30 of the
preceding year, in a format approved by the Department of Administrative
Services that includes:
(a) The annual risk assessment and audit plan;
(b) All internal audit reports; and
(c) A listing of consulting and other value-added audit
activities provided to agency management by the internal audit function.
(3) The annual report must be submitted to the agency
head, audit committee, and the Internal Audit Section of the Oregon Department
of Administrative Services no later than September 30th of each year.
(4) Information not included in an agency’s report must
be available for review upon request of the Committee.
NOTE: Portions of this section previously existed as rule 125-500-0050.
Stat. Auth.: ORS 184.360
Stats. Implemented:
Hist.: DAS 1-2011, f. 6-23-11,
cert. ef. 6-30-11
125-700-0145
External Review
(1) State internal audit functions must have an
external review to determine whether the function is operating in accordance
with professional auditing standards. This review must result in an issued
report.
(2) A copy of the external review report will be
provided to the Internal Audit Section of the Oregon Department of
Administrative Services with the internal audit function’s annual report.
(3) State internal audit functions may have the review
performed by an external provider, or may participate in a coordinated effort
through the Department of Administrative Services to have a review performed by
internal audit staff from other state agencies.
(a) Reviews performed under this coordinated effort
must be performed by at least two auditors, and led by an auditor with formal
training or experience performing external reviews.
(b) State internal audit functions who choose to
participate in the coordinated effort must also volunteer time to perform
reviews at other agencies.
NOTE: Portions of this section previously existed as rule 125-500-0055.
Stat. Auth.: ORS 184.360
Stats. Implemented:
Hist.: DAS 1-2011, f. 6-23-11,
cert. ef. 6-30-11
125-700-0150
Internal Audit Independence
(1) The agency’s Chief Audit Executive reporting
position must be at an administrative level that will maximize objectivity. In
most cases, the Chief Audit Executive must report administratively to the
agency head or designee, and functionally to the audit committee.
(2) The Chief Audit Executive must have unrestricted
access to decision-makers and decision-making bodies and to the information and
employees needed to perform internal audit duties and responsibilities.
(3) The internal auditor(s) must be free of undue
influence to limit the audit scope and audit assignment schedule.
(4) The Chief Audit Executive must be free to obtain
advice and information from sources inside and outside the agency. These
sources may include, but should not be limited to professional colleagues, the
Oregon Audits Division, the Oregon Department of Administrative Services, and
relevant professional organizations.
(5) The internal audit function must be free of any
responsibilities that would impair its ability to make independent reviews of
all aspects of the agency’s operations.
(6) The agency’s Chief Audit Executive must
periodically assess whether the purpose, authority, and responsibility, as
defined in the audit charter, and resources required to accomplish the work
continue to be adequate to enable the internal audit staff to accomplish their
objectives. The result of this periodic assessment must be communicated to the
audit committee and, if applicable, senior management.
(7) A scope limitation, including resource limitations,
placed upon an internal audit function that precludes them from meeting
objectives and executing plans must be communicated in writing to the audit
committee and, if applicable, agency management, along with its potential
effect. The agency’s Chief Audit Executive must periodically inform the
committee regarding scope limitations that were previously communicated and
accepted.
NOTE: Portions of this section previously existed as rule 125-500-0045.
Stat. Auth.: ORS 184.360
Stats. Implemented:
Hist.: DAS 1-2011, f. 6-23-11,
cert. ef. 6-30-11
125-700-0155
Audit Records and Retention
(1) The agency’s internal audit function must maintain
audit work papers and reports in accordance with records retention
requirements. The internal audit function should ensure that its records
retention schedule will allow it to keep the documents until an external peer
review has been performed, and audit findings and recommendations have been
appropriately followed-up on. Refer to State Archive requirements and OAR
166-300-0025 for record retention schedules. Records must be kept so they can
be retrieved, if necessary.
(2) The agency’s Chief Audit Executive must follow
appropriate data classification procedures to monitor and control confidential
and sensitive internal audit documents. Confidential documents are those
designated as confidential by agency policy or covered by ORS 192.496 through
192.505.
NOTE: Portions of this section previously existed as rule 125-500-0060.
Stat. Auth.: ORS 184.360
Stats. Implemented:
Hist.: DAS 1-2011, f. 6-23-11,
cert. ef. 6-30-11
Notes
1.) This online version of the OREGON BULLETIN is provided for convenience of reference and enhanced access. The official, record copy of this publication is contained in the original Administrative Orders and Rulemaking Notices filed with the Secretary of State, Archives Division. Discrepancies, if any, are satisfied in favor of the original versions. Use the OAR Revision Cumulative Index found in the Oregon Bulletin to access a numerical list of rulemaking actions after November 15, 2010.
2.) Copyright 2011 Oregon Secretary of State