The Oregon Administrative Rules contain OARs filed through September 15, 2014
 

 

DEPARTMENT OF ADMINISTRATIVE SERVICES

 

DIVISION 700

INTERNAL AUDITING

125-700-0010

Purpose

The Oregon Department of Administrative Services is responsible for adopting rules setting standards and policies for internal audit functions within state government under authority provided in ORS 184.360(3). The rules include, but are not limited to:

(1) Standards for internal audits that are consistent with and incorporate commonly recognized industry standards and practices; and

(2) Policies and procedures that ensure the integrity of the internal audit process.

Stat. Auth.: ORS 184.360
Stats. Implemented: ORS 184.360(3)
Hist.: DAS 1-2006, f. & cert. ef. 1-30-06; DAS 2-2014, f. 4-30-14, cert. ef. 5-1-14

125-700-0015

Definitions

(1) Agency: “State Agency” means any elected or appointed officer, board, commission, department, institution, branch or other unit of the state government.

(2) Audit: An objective examination of evidence for the purpose of providing an independent assessment on risk management, control, or governance processes for the organization. Examples include financial, performance, compliance, systems security and due diligence assurance engagements.

(3) Audit Committee: A committee that provides oversight of internal auditing for the agency. The purpose of the audit committee is to enhance the quality and independence of the internal audit function, thereby helping to ensure the integrity of the internal audit process.

(4) Chief Audit Executive: Top position within the organization responsible for internal audit activities. Normally, this would be the internal audit director. In the case where internal audit activities are obtained from outside service providers, the chief audit executive is the person responsible for overseeing the service contract and the overall quality assurance of these activities, reporting to senior management and the board regarding internal audit activities, and follow-up of engagement results.

(5) Internal Audit Function: A program within an agency that provides independent, objective assurance and consulting services designed to add value and improve an organization’s operations and facilitate oversight, accountability, and transparency.

(6) Internal Auditing: An independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

(7) Professional Auditing Standards: Principles established to ensure the competence and independence of the audit function and the quality of audit work. The Code of Ethics and International Standards for the Professional Practice of Internal Auditing promulgated by the Institute of Internal Auditors, and Generally Accepted Government Auditing Standards, promulgated by the Government Accountability Office, are the two major sets of standards that govern both the conduct of audit work and the audit function.

(8) Risk: The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact (the effect) and likelihood (the probability the event will occur).

(9) Risk Assessment: A process of identifying, analyzing and prioritizing risks to the achievement of an agency’s mission, goals, or objectives.

(10) Risk Management: A process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization's objectives.

Stat. Auth.: ORS 184.360
Stats. Implemented: ORS 184.360(3)
Hist.: DAS 1-2006, f. & cert. ef. 1-30-06; DAS 1-2010(Temp), f. & cert. ef. 6-29-10 thru 12-26-10; Administrative correction 1-25-11; DAS 1-2011, f. 6-23-11, cert. ef. 6-30-11; DAS 2-2014, f. 4-30-14, cert. ef. 5-1-14

125-700-0125

Internal Auditing Requirements

(1) In every agency that meets one or more of the criteria below, the agency head shall establish, maintain, and fully support an internal audit function or contract for the equivalent, within existing resources.

(a) Total biennial expenditures exceed $100 million;

(b) Number of full-time equivalent employees exceeds 400; or

(c) Dollar value of cash and cash equivalent items received and processed annually exceeds $10 million.

(2) Exceptions to having an internal audit function or contract equivalent may be requested in writing by agency heads to the Chief Operating Officer of the Department of Administrative Services. Each exception request will be reviewed and decisions made on a case-by-case basis.

(3) For agencies not meeting the criteria above, an internal audit function is encouraged. Agencies that have an internal audit function must follow this OAR.

Stat. Auth.: ORS 184.360
Stats. Implemented: ORS 184.360(3)
Hist.: DAS 1-2011, f. 6-23-11, cert. ef. 6-30-11; DAS 2-2014, f. 4-30-14, cert. ef. 5-1-14

125-700-0135

Agency Internal Audit Function Governance

(1) Agency internal audit functions shall select appropriate professional auditing standards to follow in performing their audit work.

(2) To help ensure the integrity of the internal audit process, agency management shall take reasonable steps necessary to assist the internal audit function to comply with the selected professional auditing standards.

(3) The agency's internal audit charter shall specify the internal audit function's purpose, authority, responsibilities, and the professional auditing standards the function will follow. The agency’s charter must be approved by the audit committee.

(4) The internal audit staff shall have unrestricted access to all systems, processes, operations, functions, and activities within an agency as needed to perform job responsibilities.

(5) Each agency having an internal audit function shall establish and maintain an audit committee.

(a) The role and function of the audit committee shall be stated in a formal, written charter that describes the authority, responsibilities, and structure of the audit committee. The charter must be approved and periodically reviewed by the audit committee and governing board (or agency head in the absence of a governing board).

(b) The primary purpose of the audit committee is to enhance the quality and independence of the audit function, thereby helping ensure the integrity of the internal audit process.

(c) If the agency has a governing board or commission, the audit committee must include one or more board or commission members. If there is no board or commission, agencies are encouraged to include qualified individuals from outside the agency on the audit committee, to enhance public accountability and transparency, and increase independence of the internal audit activity.

(6) The agency’s audit committee will assure follow-up on internal audit reporting findings and recommendations to determine whether proper corrective action has been completed or that senior management has assumed the risk of not taking the recommended corrective action.

(7) The internal audit function shall report results to the agency head, executive designee, agency management and the audit committee on internal audit activities.

Stat. Auth.: ORS 184.360
Stats. Implemented: ORS 184.360(3)
Hist.: DAS 1-2011, f. 6-23-11, cert. ef. 6-30-11; DAS 2-2014, f. 4-30-14, cert. ef. 5-1-14

125-700-0140

Planning and Reporting Responsibilities

(1) Each agency's Chief Audit Executive shall prepare an audit plan of engagements based on the most recent risk assessment. The plan should be risk-based and consistent with organizational goals. The plan must be reviewed and approved by the audit committee. At least one risk-based audit shall be selected and performed from the risk assessment each calendar year.

(2) Each agency’s Chief Audit Executive shall identify an audit topic related to governance and risk management at least once every five years. Examples of audit topics include ethics, strategic management, performance management, the alignment of information technology with the agency’s strategies and objectives, systems in place to assure compliance with laws and regulations, and processes in place to prevent and detect fraud.

(3) Each agency's Chief Audit Executive shall prepare an annual report covering the time period of July 1 through June 30 of the preceding year, in a format that has been requested by the Oregon Department of Administrative Services.

(a) The annual report must be submitted to the agency head, audit committee, and the Internal Audit Section of the Oregon Department of Administrative Services no later than September 30th of each year.

(b) Information not included in an agency’s report must be available for review upon request of the Oregon Department of Administrative Services.

(4) Completed risk assessments and internal audits need to be filed with the Division of Audits of the Office of the Secretary of State.

Stat. Auth.: ORS 297.250, ORS 184.360
Stats. Implemented: ORS 297.250(1), 184.360(4), 184.360(5), 184.360(6)
Hist.: DAS 1-2011, f. 6-23-11, cert. ef. 6-30-11; DAS 2-2014, f. 4-30-14, cert. ef. 5-1-14

125-700-0145

External Review

(1) Agency internal audit functions must have an external review to determine whether the function is operating in accordance with professional auditing standards. This review must result in an issued report.

(2) A copy of the external review report will be provided to the audit committee and to the Internal Audit Section of the Oregon Department of Administrative Services with the internal audit function’s annual report.

(3) Agency internal audit functions may have the review performed by an external provider, or may participate in a coordinated effort through the Department of Administrative Services to have a review performed by internal audit staff from other state agencies.

(a) Reviews performed under this coordinated effort must be performed by at least two auditors, and led by an auditor with formal training or experience performing external reviews.

(b) Agency internal audit functions who choose to participate in the coordinated effort must also volunteer time to perform reviews at other agencies.

Stat. Auth.: ORS 184.360
Stats. Implemented: ORS 184.360(3)
Hist.: DAS 1-2011, f. 6-23-11, cert. ef. 6-30-11; DAS 2-2014, f. 4-30-14, cert. ef. 5-1-14

125-700-0150

Internal Audit Independence

(1) The agency's Chief Audit Executive reporting position must be at an administrative level that will maximize both independence and objectivity. In most cases, the Chief Audit Executive must report administratively to the agency head or executive designee, and must report functionally to the audit committee.

(2) The Chief Audit Executive must have unrestricted access to decision-makers and decision-making bodies and to the information and employees needed to perform internal audit duties and responsibilities. The Chief Audit Executive must be free to obtain advice and information from sources inside and outside the agency.

(3) The internal auditor(s) must be free of undue influence to limit the audit scope and audit assignment schedule.

(4) The internal audit function must be free of any responsibilities that would impair its ability to make independent reviews of all aspects of the agency's operations.

(5) A scope limitation, including resource limitations, placed upon an internal audit function that precludes it from meeting objectives must be communicated in writing to the audit committee and, if applicable, agency management, along with its potential effect.

Stat. Auth.: ORS 184.360
Stats. Implemented: ORS 184.360(3)
Hist.: DAS 1-2011, f. 6-23-11, cert. ef. 6-30-11; DAS 2-2014, f. 4-30-14, cert. ef. 5-1-14

125-700-0155

Audit Records and Retention

(1) The agency's internal audit function must maintain audit work papers and reports in accordance with records retention requirements. The internal audit function should ensure that its records retention schedule will allow it to keep the documents until an external peer review has been performed, and audit findings and recommendations have been appropriately followed up on. Refer to State Archive requirements and OAR 166-300-0025 for record retention schedules. Records must be kept so they can be retrieved, if necessary.

(2) The agency's Chief Audit Executive must follow appropriate data classification procedures to monitor and control confidential and sensitive internal audit documents. Confidential documents are those designated as confidential by agency policy or covered by ORS 192.496 through 192.505.

Stat. Auth.: ORS 184.360
Stats. Implemented: ORS 184.360(3)
Hist.: DAS 1-2011, f. 6-23-11, cert. ef. 6-30-11; DAS 2-2014, f. 4-30-14, cert. ef. 5-1-14

The official copy of an Oregon Administrative Rule is contained in the Administrative Order filed at the Archives Division, 800 Summer St. NE, Salem, Oregon 97310. Any discrepancies with the published version are satisfied in favor of the Administrative Order. The Oregon Administrative Rules and the Oregon Bulletin are copyrighted by the Oregon Secretary of State.

Oregon Secretary of State • 136 State Capitol • Salem, OR 97310-0722
Phone: (503) 986-1523 • Fax: (503) 986-1616 • oregon.sos@state.or.us

© 2013 State of Oregon. All Rights Reserved.